1 package v1 2 3 import ( 4 corev1 "k8s.io/api/core/v1" 5 "k8s.io/apimachinery/pkg/api/resource" 6 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 7 "k8s.io/apimachinery/pkg/runtime" 8 9 buildv1 "github.com/openshift/api/build/v1" 10 ) 11 12 type ExtendedArguments map[string][]string 13 14 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 15 16 // NodeConfig is the fully specified config starting an OpenShift node 17 // 18 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 19 // +openshift:compatibility-gen:level=4 20 // +openshift:compatibility-gen:internal 21 type NodeConfig struct { 22 metav1.TypeMeta `json:",inline"` 23 24 // NodeName is the value used to identify this particular node in the cluster. If possible, this should be your fully qualified hostname. 25 // If you're describing a set of static nodes to the master, this value must match one of the values in the list 26 NodeName string `json:"nodeName"` 27 28 // Node may have multiple IPs, specify the IP to use for pod traffic routing 29 // If not specified, network parse/lookup on the nodeName is performed and the first non-loopback address is used 30 NodeIP string `json:"nodeIP"` 31 32 // ServingInfo describes how to start serving 33 ServingInfo ServingInfo `json:"servingInfo"` 34 35 // MasterKubeConfig is a filename for the .kubeconfig file that describes how to connect this node to the master 36 MasterKubeConfig string `json:"masterKubeConfig"` 37 38 // MasterClientConnectionOverrides provides overrides to the client connection used to connect to the master. 39 MasterClientConnectionOverrides *ClientConnectionOverrides `json:"masterClientConnectionOverrides"` 40 41 // DNSDomain holds the domain suffix that will be used for the DNS search path inside each container. Defaults to 42 // 'cluster.local'. 
43 DNSDomain string `json:"dnsDomain"` 44 45 // DNSIP is the IP address that pods will use to access cluster DNS. Defaults to the service IP of the Kubernetes 46 // master. This IP must be listening on port 53 for compatibility with libc resolvers (which cannot be configured 47 // to resolve names from any other port). When running more complex local DNS configurations, this is often set 48 // to the local address of a DNS proxy like dnsmasq, which then will consult either the local DNS (see 49 // dnsBindAddress) or the master DNS. 50 DNSIP string `json:"dnsIP"` 51 52 // DNSBindAddress is the ip:port to serve DNS on. If this is not set, the DNS server will not be started. 53 // Because most DNS resolvers will only listen on port 53, if you select an alternative port you will need 54 // a DNS proxy like dnsmasq to answer queries for containers. A common configuration is dnsmasq configured 55 // on a node IP listening on 53 and delegating queries for dnsDomain to this process, while sending other 56 // queries to the host environments nameservers. 57 DNSBindAddress string `json:"dnsBindAddress"` 58 59 // DNSNameservers is a list of ip:port values of recursive nameservers to forward queries to when running 60 // a local DNS server if dnsBindAddress is set. If this value is empty, the DNS server will default to 61 // the nameservers listed in /etc/resolv.conf. If you have configured dnsmasq or another DNS proxy on the 62 // system, this value should be set to the upstream nameservers dnsmasq resolves with. 63 DNSNameservers []string `json:"dnsNameservers"` 64 65 // DNSRecursiveResolvConf is a path to a resolv.conf file that contains settings for an upstream server. 66 // Only the nameservers and port fields are used. The file must exist and parse correctly. It adds extra 67 // nameservers to DNSNameservers if set. 
68 DNSRecursiveResolvConf string `json:"dnsRecursiveResolvConf"` 69 70 // Deprecated and maintained for backward compatibility, use NetworkConfig.NetworkPluginName instead 71 DeprecatedNetworkPluginName string `json:"networkPluginName,omitempty"` 72 73 // NetworkConfig provides network options for the node 74 NetworkConfig NodeNetworkConfig `json:"networkConfig"` 75 76 // VolumeDirectory is the directory that volumes will be stored under 77 VolumeDirectory string `json:"volumeDirectory"` 78 79 // ImageConfig holds options that describe how to build image names for system components 80 ImageConfig ImageConfig `json:"imageConfig"` 81 82 // AllowDisabledDocker if true, the Kubelet will ignore errors from Docker. This means that a node can start on a machine that doesn't have docker started. 83 AllowDisabledDocker bool `json:"allowDisabledDocker"` 84 85 // PodManifestConfig holds the configuration for enabling the Kubelet to 86 // create pods based from a manifest file(s) placed locally on the node 87 PodManifestConfig *PodManifestConfig `json:"podManifestConfig"` 88 89 // AuthConfig holds authn/authz configuration options 90 AuthConfig NodeAuthConfig `json:"authConfig"` 91 92 // DockerConfig holds Docker related configuration options. 93 DockerConfig DockerConfig `json:"dockerConfig"` 94 95 // KubeletArguments are key value pairs that will be passed directly to the Kubelet that match the Kubelet's 96 // command line arguments. These are not migrated or validated, so if you use them they may become invalid. 97 // These values override other settings in NodeConfig which may cause invalid configurations. 98 KubeletArguments ExtendedArguments `json:"kubeletArguments,omitempty"` 99 100 // ProxyArguments are key value pairs that will be passed directly to the Proxy that match the Proxy's 101 // command line arguments. These are not migrated or validated, so if you use them they may become invalid. 
102 // These values override other settings in NodeConfig which may cause invalid configurations. 103 ProxyArguments ExtendedArguments `json:"proxyArguments,omitempty"` 104 105 // IPTablesSyncPeriod is how often iptable rules are refreshed 106 IPTablesSyncPeriod string `json:"iptablesSyncPeriod"` 107 108 // EnableUnidling controls whether or not the hybrid unidling proxy will be set up 109 EnableUnidling *bool `json:"enableUnidling"` 110 111 // VolumeConfig contains options for configuring volumes on the node. 112 VolumeConfig NodeVolumeConfig `json:"volumeConfig"` 113 } 114 115 // NodeVolumeConfig contains options for configuring volumes on the node. 116 type NodeVolumeConfig struct { 117 // LocalQuota contains options for controlling local volume quota on the node. 118 LocalQuota LocalQuota `json:"localQuota"` 119 } 120 121 // MasterVolumeConfig contains options for configuring volume plugins in the master node. 122 type MasterVolumeConfig struct { 123 // DynamicProvisioningEnabled is a boolean that toggles dynamic provisioning off when false, defaults to true 124 DynamicProvisioningEnabled *bool `json:"dynamicProvisioningEnabled"` 125 } 126 127 // LocalQuota contains options for controlling local volume quota on the node. 128 type LocalQuota struct { 129 // FSGroup can be specified to enable a quota on local storage use per unique FSGroup ID. 130 // At present this is only implemented for emptyDir volumes, and if the underlying 131 // volumeDirectory is on an XFS filesystem. 132 PerFSGroup *resource.Quantity `json:"perFSGroup"` 133 } 134 135 // NodeAuthConfig holds authn/authz configuration options 136 type NodeAuthConfig struct { 137 // AuthenticationCacheTTL indicates how long an authentication result should be cached. 138 // It takes a valid time duration string (e.g. "5m"). If empty, you get the default timeout. If zero (e.g. 
"0m"), caching is disabled 139 AuthenticationCacheTTL string `json:"authenticationCacheTTL"` 140 141 // AuthenticationCacheSize indicates how many authentication results should be cached. If 0, the default cache size is used. 142 AuthenticationCacheSize int `json:"authenticationCacheSize"` 143 144 // AuthorizationCacheTTL indicates how long an authorization result should be cached. 145 // It takes a valid time duration string (e.g. "5m"). If empty, you get the default timeout. If zero (e.g. "0m"), caching is disabled 146 AuthorizationCacheTTL string `json:"authorizationCacheTTL"` 147 148 // AuthorizationCacheSize indicates how many authorization results should be cached. If 0, the default cache size is used. 149 AuthorizationCacheSize int `json:"authorizationCacheSize"` 150 } 151 152 // NodeNetworkConfig provides network options for the node 153 type NodeNetworkConfig struct { 154 // NetworkPluginName is a string specifying the networking plugin 155 NetworkPluginName string `json:"networkPluginName"` 156 // Maximum transmission unit for the network packets 157 MTU uint32 `json:"mtu"` 158 } 159 160 // DockerConfig holds Docker related configuration options. 161 type DockerConfig struct { 162 // ExecHandlerName is the name of the handler to use for executing 163 // commands in containers. 164 ExecHandlerName DockerExecHandlerType `json:"execHandlerName"` 165 // DockerShimSocket is the location of the dockershim socket the kubelet uses. 166 // Currently unix socket is supported on Linux, and tcp is supported on windows. 167 // Examples:'unix:///var/run/dockershim.sock', 'tcp://localhost:3735' 168 DockerShimSocket string `json:"dockerShimSocket"` 169 // DockershimRootDirectory is the dockershim root directory. 170 DockershimRootDirectory string `json:"dockerShimRootDirectory"` 171 } 172 173 type DockerExecHandlerType string 174 175 const ( 176 // DockerExecHandlerNative uses Docker's exec API for executing commands in containers. 
177 DockerExecHandlerNative DockerExecHandlerType = "native" 178 // DockerExecHandlerNsenter uses nsenter for executing commands in containers. 179 DockerExecHandlerNsenter DockerExecHandlerType = "nsenter" 180 181 // ControllersDisabled indicates no controllers should be enabled. 182 ControllersDisabled = "none" 183 // ControllersAll indicates all controllers should be started. 184 ControllersAll = "*" 185 ) 186 187 // FeatureList contains a set of features 188 type FeatureList []string 189 190 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 191 192 // MasterConfig holds the necessary configuration options for the OpenShift master 193 // 194 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 195 // +openshift:compatibility-gen:level=4 196 // +openshift:compatibility-gen:internal 197 type MasterConfig struct { 198 metav1.TypeMeta `json:",inline"` 199 200 // ServingInfo describes how to start serving 201 ServingInfo HTTPServingInfo `json:"servingInfo"` 202 203 // AuthConfig configures authentication options in addition to the standard 204 // oauth token and client certificate authenticators 205 AuthConfig MasterAuthConfig `json:"authConfig"` 206 207 // AggregatorConfig has options for configuring the aggregator component of the API server. 208 AggregatorConfig AggregatorConfig `json:"aggregatorConfig"` 209 210 // CORSAllowedOrigins 211 CORSAllowedOrigins []string `json:"corsAllowedOrigins"` 212 213 // APILevels is a list of API levels that should be enabled on startup: v1 as examples 214 APILevels []string `json:"apiLevels"` 215 216 // MasterPublicURL is how clients can access the OpenShift API server 217 MasterPublicURL string `json:"masterPublicURL"` 218 219 // Controllers is a list of the controllers that should be started. If set to "none", no controllers 220 // will start automatically. 
The default value is "*" which will start all controllers. When 221 // using "*", you may exclude controllers by prepending a "-" in front of their name. No other 222 // values are recognized at this time. 223 Controllers string `json:"controllers"` 224 225 // AdmissionConfig contains admission control plugin configuration. 226 AdmissionConfig AdmissionConfig `json:"admissionConfig"` 227 228 // ControllerConfig holds configuration values for controllers 229 ControllerConfig ControllerConfig `json:"controllerConfig"` 230 231 // EtcdStorageConfig contains information about how API resources are 232 // stored in Etcd. These values are only relevant when etcd is the 233 // backing store for the cluster. 234 EtcdStorageConfig EtcdStorageConfig `json:"etcdStorageConfig"` 235 236 // EtcdClientInfo contains information about how to connect to etcd 237 EtcdClientInfo EtcdConnectionInfo `json:"etcdClientInfo"` 238 // KubeletClientInfo contains information about how to connect to kubelets 239 KubeletClientInfo KubeletConnectionInfo `json:"kubeletClientInfo"` 240 241 // KubernetesMasterConfig, if present start the kubernetes master in this process 242 KubernetesMasterConfig KubernetesMasterConfig `json:"kubernetesMasterConfig"` 243 // EtcdConfig, if present start etcd in this process 244 EtcdConfig *EtcdConfig `json:"etcdConfig"` 245 // OAuthConfig, if present start the /oauth endpoint in this process 246 OAuthConfig *OAuthConfig `json:"oauthConfig"` 247 248 // DNSConfig, if present start the DNS server in this process 249 DNSConfig *DNSConfig `json:"dnsConfig"` 250 251 // ServiceAccountConfig holds options related to service accounts 252 ServiceAccountConfig ServiceAccountConfig `json:"serviceAccountConfig"` 253 254 // MasterClients holds all the client connection information for controllers and other system components 255 MasterClients MasterClients `json:"masterClients"` 256 257 // ImageConfig holds options that describe how to build image names for system components 258 
ImageConfig ImageConfig `json:"imageConfig"` 259 260 // ImagePolicyConfig controls limits and behavior for importing images 261 ImagePolicyConfig ImagePolicyConfig `json:"imagePolicyConfig"` 262 263 // PolicyConfig holds information about where to locate critical pieces of bootstrapping policy 264 PolicyConfig PolicyConfig `json:"policyConfig"` 265 266 // ProjectConfig holds information about project creation and defaults 267 ProjectConfig ProjectConfig `json:"projectConfig"` 268 269 // RoutingConfig holds information about routing and route generation 270 RoutingConfig RoutingConfig `json:"routingConfig"` 271 272 // NetworkConfig to be passed to the compiled in network plugin 273 NetworkConfig MasterNetworkConfig `json:"networkConfig"` 274 275 // MasterVolumeConfig contains options for configuring volume plugins in the master node. 276 VolumeConfig MasterVolumeConfig `json:"volumeConfig"` 277 278 // JenkinsPipelineConfig holds information about the default Jenkins template 279 // used for JenkinsPipeline build strategy. 280 JenkinsPipelineConfig JenkinsPipelineConfig `json:"jenkinsPipelineConfig"` 281 282 // AuditConfig holds information related to auditing capabilities. 283 AuditConfig AuditConfig `json:"auditConfig"` 284 285 // DisableOpenAPI avoids starting the openapi endpoint because it is very expensive. 286 // This option will be removed at a later time. It is never serialized. 287 DisableOpenAPI bool `json:"-"` 288 } 289 290 // MasterAuthConfig configures authentication options in addition to the standard 291 // oauth token and client certificate authenticators 292 type MasterAuthConfig struct { 293 // RequestHeader holds options for setting up a front proxy against the API. It is optional. 
294 RequestHeader *RequestHeaderAuthenticationOptions `json:"requestHeader"` 295 // WebhookTokenAuthnConfig, if present configures remote token reviewers 296 WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators"` 297 // OAuthMetadataFile is a path to a file containing the discovery endpoint for OAuth 2.0 Authorization 298 // Server Metadata for an external OAuth server. 299 // See IETF Draft: // https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 300 // This option is mutually exclusive with OAuthConfig 301 OAuthMetadataFile string `json:"oauthMetadataFile"` 302 } 303 304 // RequestHeaderAuthenticationOptions provides options for setting up a front proxy against the entire 305 // API instead of against the /oauth endpoint. 306 type RequestHeaderAuthenticationOptions struct { 307 // ClientCA is a file with the trusted signer certs. It is required. 308 ClientCA string `json:"clientCA"` 309 // ClientCommonNames is a required list of common names to require a match from. 310 ClientCommonNames []string `json:"clientCommonNames"` 311 312 // UsernameHeaders is the list of headers to check for user information. First hit wins. 313 UsernameHeaders []string `json:"usernameHeaders"` 314 // GroupNameHeader is the set of headers to check for group information. All are unioned. 315 GroupHeaders []string `json:"groupHeaders"` 316 // ExtraHeaderPrefixes is the set of request header prefixes to inspect for user extra. X-Remote-Extra- is suggested. 317 ExtraHeaderPrefixes []string `json:"extraHeaderPrefixes"` 318 } 319 320 // AggregatorConfig holds information required to make the aggregator function. 
321 type AggregatorConfig struct { 322 // ProxyClientInfo specifies the client cert/key to use when proxying to aggregated API servers 323 ProxyClientInfo CertInfo `json:"proxyClientInfo"` 324 } 325 326 type LogFormatType string 327 328 type WebHookModeType string 329 330 const ( 331 // LogFormatLegacy saves event in 1-line text format. 332 LogFormatLegacy LogFormatType = "legacy" 333 // LogFormatJson saves event in structured json format. 334 LogFormatJson LogFormatType = "json" 335 336 // WebHookModeBatch indicates that the webhook should buffer audit events 337 // internally, sending batch updates either once a certain number of 338 // events have been received or a certain amount of time has passed. 339 WebHookModeBatch WebHookModeType = "batch" 340 // WebHookModeBlocking causes the webhook to block on every attempt to process 341 // a set of events. This causes requests to the API server to wait for a 342 // round trip to the external audit service before sending a response. 343 WebHookModeBlocking WebHookModeType = "blocking" 344 ) 345 346 // AuditConfig holds configuration for the audit capabilities 347 type AuditConfig struct { 348 // If this flag is set, audit log will be printed in the logs. 349 // The logs contains, method, user and a requested URL. 350 Enabled bool `json:"enabled"` 351 // All requests coming to the apiserver will be logged to this file. 352 AuditFilePath string `json:"auditFilePath"` 353 // Maximum number of days to retain old log files based on the timestamp encoded in their filename. 354 MaximumFileRetentionDays int `json:"maximumFileRetentionDays"` 355 // Maximum number of old log files to retain. 356 MaximumRetainedFiles int `json:"maximumRetainedFiles"` 357 // Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB. 358 MaximumFileSizeMegabytes int `json:"maximumFileSizeMegabytes"` 359 360 // PolicyFile is a path to the file that defines the audit policy configuration. 
361 PolicyFile string `json:"policyFile"` 362 // PolicyConfiguration is an embedded policy configuration object to be used 363 // as the audit policy configuration. If present, it will be used instead of 364 // the path to the policy file. 365 PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"` 366 367 // Format of saved audits (legacy or json). 368 LogFormat LogFormatType `json:"logFormat"` 369 370 // Path to a .kubeconfig formatted file that defines the audit webhook configuration. 371 WebHookKubeConfig string `json:"webHookKubeConfig"` 372 // Strategy for sending audit events (block or batch). 373 WebHookMode WebHookModeType `json:"webHookMode"` 374 } 375 376 // JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy 377 type JenkinsPipelineConfig struct { 378 // AutoProvisionEnabled determines whether a Jenkins server will be spawned from the provided 379 // template when the first build config in the project with type JenkinsPipeline 380 // is created. When not specified this option defaults to true. 381 AutoProvisionEnabled *bool `json:"autoProvisionEnabled"` 382 // TemplateNamespace contains the namespace name where the Jenkins template is stored 383 TemplateNamespace string `json:"templateNamespace"` 384 // TemplateName is the name of the default Jenkins template 385 TemplateName string `json:"templateName"` 386 // ServiceName is the name of the Jenkins service OpenShift uses to detect 387 // whether a Jenkins pipeline handler has already been installed in a project. 388 // This value *must* match a service name in the provided template. 389 ServiceName string `json:"serviceName"` 390 // Parameters specifies a set of optional parameters to the Jenkins template. 
391 Parameters map[string]string `json:"parameters"` 392 } 393 394 // ImagePolicyConfig holds the necessary configuration options for limits and behavior for importing images 395 type ImagePolicyConfig struct { 396 // MaxImagesBulkImportedPerRepository controls the number of images that are imported when a user 397 // does a bulk import of a container repository. This number defaults to 50 to prevent users from 398 // importing large numbers of images accidentally. Set -1 for no limit. 399 MaxImagesBulkImportedPerRepository int `json:"maxImagesBulkImportedPerRepository"` 400 // DisableScheduledImport allows scheduled background import of images to be disabled. 401 DisableScheduledImport bool `json:"disableScheduledImport"` 402 // ScheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams 403 // scheduled for background import are checked against the upstream repository. The default value is 15 minutes. 404 ScheduledImageImportMinimumIntervalSeconds int `json:"scheduledImageImportMinimumIntervalSeconds"` 405 // MaxScheduledImageImportsPerMinute is the maximum number of scheduled image streams that will be imported in the 406 // background per minute. The default value is 60. Set to -1 for unlimited. 407 MaxScheduledImageImportsPerMinute int `json:"maxScheduledImageImportsPerMinute"` 408 // AllowedRegistriesForImport limits the container image registries that normal users may import 409 // images from. Set this list to the registries that you trust to contain valid Docker 410 // images and that you want applications to be able to import from. Users with 411 // permission to create Images or ImageStreamMappings via the API are not affected by 412 // this policy - typically only administrators or system integrations will have those 413 // permissions. 
414 AllowedRegistriesForImport *AllowedRegistries `json:"allowedRegistriesForImport,omitempty"` 415 // InternalRegistryHostname sets the hostname for the default internal image 416 // registry. The value must be in "hostname[:port]" format. 417 // For backward compatibility, users can still use OPENSHIFT_DEFAULT_REGISTRY 418 // environment variable but this setting overrides the environment variable. 419 InternalRegistryHostname string `json:"internalRegistryHostname,omitempty"` 420 // ExternalRegistryHostname sets the hostname for the default external image 421 // registry. The external hostname should be set only when the image registry 422 // is exposed externally. The value is used in 'publicDockerImageRepository' 423 // field in ImageStreams. The value must be in "hostname[:port]" format. 424 ExternalRegistryHostname string `json:"externalRegistryHostname,omitempty"` 425 // AdditionalTrustedCA is a path to a pem bundle file containing additional CAs that 426 // should be trusted during imagestream import. 427 AdditionalTrustedCA string `json:"additionalTrustedCA,omitempty"` 428 } 429 430 // AllowedRegistries represents a list of registries allowed for the image import. 431 type AllowedRegistries []RegistryLocation 432 433 // RegistryLocation contains a location of the registry specified by the registry domain 434 // name. The domain name might include wildcards, like '*' or '??'. 435 type RegistryLocation struct { 436 // DomainName specifies a domain name for the registry 437 // In case the registry use non-standard (80 or 443) port, the port should be included 438 // in the domain name as well. 439 DomainName string `json:"domainName"` 440 // Insecure indicates whether the registry is secure (https) or insecure (http) 441 // By default (if not specified) the registry is assumed as secure. 
442 Insecure bool `json:"insecure,omitempty"` 443 } 444 445 // holds the necessary configuration options for 446 type ProjectConfig struct { 447 // DefaultNodeSelector holds default project node label selector 448 DefaultNodeSelector string `json:"defaultNodeSelector"` 449 450 // ProjectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint 451 ProjectRequestMessage string `json:"projectRequestMessage"` 452 453 // ProjectRequestTemplate is the template to use for creating projects in response to projectrequest. 454 // It is in the format namespace/template and it is optional. 455 // If it is not specified, a default template is used. 456 ProjectRequestTemplate string `json:"projectRequestTemplate"` 457 458 // SecurityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled. 459 SecurityAllocator *SecurityAllocator `json:"securityAllocator"` 460 } 461 462 // SecurityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled. 463 type SecurityAllocator struct { 464 // UIDAllocatorRange defines the total set of Unix user IDs (UIDs) that will be allocated to projects automatically, and the size of the 465 // block each namespace gets. For example, 1000-1999/10 will allocate ten UIDs per namespace, and will be able to allocate up to 100 blocks 466 // before running out of space. The default is to allocate from 1 billion to 2 billion in 10k blocks (which is the expected size of the 467 // ranges container images will use once user namespaces are started). 468 UIDAllocatorRange string `json:"uidAllocatorRange"` 469 // MCSAllocatorRange defines the range of MCS categories that will be assigned to namespaces. The format is 470 // "<prefix>/<numberOfLabels>[,<maxCategory>]". 
The default is "s0/2" and will allocate from c0 -> c1023, which means a total of 535k labels 471 // are available (1024 choose 2 ~ 535k). If this value is changed after startup, new projects may receive labels that are already allocated 472 // to other projects. Prefix may be any valid SELinux set of terms (including user, role, and type), although leaving them as the default 473 // will allow the server to set them automatically. 474 // 475 // Examples: 476 // * s0:/2 - Allocate labels from s0:c0,c0 to s0:c511,c511 477 // * s0:/2,512 - Allocate labels from s0:c0,c0,c0 to s0:c511,c511,511 478 // 479 MCSAllocatorRange string `json:"mcsAllocatorRange"` 480 // MCSLabelsPerProject defines the number of labels that should be reserved per project. The default is 5 to match the default UID and MCS 481 // ranges (100k namespaces, 535k/5 labels). 482 MCSLabelsPerProject int `json:"mcsLabelsPerProject"` 483 } 484 485 // holds the necessary configuration options for 486 type PolicyConfig struct { 487 // UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS! 488 UserAgentMatchingConfig UserAgentMatchingConfig `json:"userAgentMatchingConfig"` 489 } 490 491 // UserAgentMatchingConfig controls how API calls from *voluntarily* identifying clients will be handled. THIS DOES NOT DEFEND AGAINST MALICIOUS CLIENTS! 492 type UserAgentMatchingConfig struct { 493 // If this list is non-empty, then a User-Agent must match one of the UserAgentRegexes to be allowed 494 RequiredClients []UserAgentMatchRule `json:"requiredClients"` 495 496 // If this list is non-empty, then a User-Agent must not match any of the UserAgentRegexes 497 DeniedClients []UserAgentDenyRule `json:"deniedClients"` 498 499 // DefaultRejectionMessage is the message shown when rejecting a client. If it is not a set, a generic message is given. 
500 DefaultRejectionMessage string `json:"defaultRejectionMessage"` 501 } 502 503 // UserAgentMatchRule describes how to match a given request based on User-Agent and HTTPVerb 504 type UserAgentMatchRule struct { 505 // UserAgentRegex is a regex that is checked against the User-Agent. 506 // Known variants of oc clients 507 // 1. oc accessing kube resources: oc/v1.2.0 (linux/amd64) kubernetes/bc4550d 508 // 2. oc accessing openshift resources: oc/v1.1.3 (linux/amd64) openshift/b348c2f 509 // 3. openshift kubectl accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 510 // 4. openshift kubectl accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 511 // 5. oadm accessing kube resources: oadm/v1.2.0 (linux/amd64) kubernetes/bc4550d 512 // 6. oadm accessing openshift resources: oadm/v1.1.3 (linux/amd64) openshift/b348c2f 513 // 7. openshift cli accessing kube resources: openshift/v1.2.0 (linux/amd64) kubernetes/bc4550d 514 // 8. openshift cli accessing openshift resources: openshift/v1.1.3 (linux/amd64) openshift/b348c2f 515 Regex string `json:"regex"` 516 517 // HTTPVerbs specifies which HTTP verbs should be matched. An empty list means "match all verbs". 518 HTTPVerbs []string `json:"httpVerbs"` 519 } 520 521 // UserAgentDenyRule adds a rejection message that can be used to help a user figure out how to get an approved client 522 type UserAgentDenyRule struct { 523 UserAgentMatchRule `json:",inline"` 524 525 // RejectionMessage is the message shown when rejecting a client. If it is not a set, the default message is used. 526 RejectionMessage string `json:"rejectionMessage"` 527 } 528 529 // RoutingConfig holds the necessary configuration options for routing to subdomains 530 type RoutingConfig struct { 531 // Subdomain is the suffix appended to $service.$namespace. to form the default route hostname 532 // DEPRECATED: This field is being replaced by routers setting their own defaults. 
This is the
// "default" route.
	Subdomain string `json:"subdomain"`
}

// MasterNetworkConfig is the network configuration passed to the compiled-in network plugin.
// The CIDRs configured here (cluster, service, external IP and ingress IP ranges) must not overlap
// each other; overlap is what lets a pod or Service claim an address that belongs to another range.
type MasterNetworkConfig struct {
	// NetworkPluginName is the name of the network plugin to use
	NetworkPluginName string `json:"networkPluginName"`
	// DeprecatedClusterNetworkCIDR (json: clusterNetworkCIDR) is the CIDR string to specify the global overlay
	// network's L3 space. Deprecated, but maintained for backwards compatibility, use ClusterNetworks instead.
	DeprecatedClusterNetworkCIDR string `json:"clusterNetworkCIDR,omitempty"`
	// ClusterNetworks is a list of ClusterNetwork objects that defines the global overlay network's L3 space by
	// specifying a set of CIDRs and host subnet lengths that the SDN can allocate addresses from. If this is
	// specified, then clusterNetworkCIDR and hostSubnetLength may not be set.
	ClusterNetworks []ClusterNetworkEntry `json:"clusterNetworks"`
	// DeprecatedHostSubnetLength (json: hostSubnetLength) is the number of bits to allocate to each host's subnet,
	// e.g. 8 would mean a /24 network on the host. Deprecated, but maintained for backwards compatibility, use
	// ClusterNetworks instead.
	DeprecatedHostSubnetLength uint32 `json:"hostSubnetLength,omitempty"`
	// ServiceNetworkCIDR is the CIDR string to specify the service network
	ServiceNetworkCIDR string `json:"serviceNetworkCIDR"`
	// ExternalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no
	// externalIP may be set. It may contain a list of CIDRs which are checked for access. If a CIDR is prefixed
	// with !, IPs in that CIDR will be rejected. Rejections will be applied first, then the IP is checked against
	// one of the allowed CIDRs. You should ensure this range does not overlap with your nodes, pods, or service
	// CIDRs for security reasons: anyone permitted to create Services can claim an externalIP from the allowed
	// ranges, so keep the allow list as narrow as the deployment needs and use ! entries to carve out anything
	// that must never be claimable.
	ExternalIPNetworkCIDRs []string `json:"externalIPNetworkCIDRs"`
	// IngressIPNetworkCIDR controls the range to assign ingress ips from for services of type LoadBalancer on bare
	// metal. If empty, ingress ips will not be assigned. It may contain a single CIDR that will be allocated from.
	// For security reasons, you should ensure that this range does not overlap with the CIDRs reserved for external
	// ips, nodes, pods, or services.
	IngressIPNetworkCIDR string `json:"ingressIPNetworkCIDR"`
	// VXLANPort is the VXLAN port used by the cluster defaults. If it is not set, 4789 is the default value.
	// NOTE(review): VXLAN encapsulation by itself neither encrypts nor authenticates the pod traffic it carries,
	// so this port should be reachable only from other cluster nodes.
	VXLANPort uint32 `json:"vxlanPort,omitempty"`
}

// ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network
// CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.
type ClusterNetworkEntry struct {
	// CIDR defines the total range of a cluster network's address space.
	CIDR string `json:"cidr"`
	// HostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would
	// mean that each node would have a /24 slice of the overlay network for its pods.
	HostSubnetLength uint32 `json:"hostSubnetLength"`
}

// ImageConfig holds the necessary configuration options for building image names for system components
type ImageConfig struct {
	// Format is the format of the name to be built for the system component
	Format string `json:"format"`
	// Latest determines if the latest tag will be pulled from the registry.
	// NOTE(review): a floating "latest" tag is not a pinned artifact; whatever the registry serves under that
	// tag at pull time is what runs. Prefer pinned versions where supply-chain integrity matters.
	Latest bool `json:"latest"`
}

// RemoteConnectionInfo holds information necessary for establishing a remote connection
type RemoteConnectionInfo struct {
	// URL is the remote URL to connect to
	URL string `json:"url"`
	// CA is the CA for verifying TLS connections.
	// NOTE(review): the behaviour when this is empty (system roots vs. no verification) is not specified here;
	// confirm against the consumer before relying on it.
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information to present
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
}

// KubeletConnectionInfo holds information necessary for connecting to a kubelet
type KubeletConnectionInfo struct {
	// Port is the port to connect to kubelets on
	Port uint `json:"port"`
	// CA is the CA for verifying TLS connections to kubelets.
	// If kubelet serving certificates are not verified against a trusted CA, exec/logs/proxy traffic to nodes
	// is exposed to interception on the path between master and node.
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information for securing communication to kubelets.
	// This credential authenticates the master to every kubelet in the cluster; protect its key accordingly.
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
}

// EtcdConnectionInfo holds information necessary for connecting to an etcd server
type EtcdConnectionInfo struct {
	// URLs are the URLs for etcd
	URLs []string `json:"urls"`
	// CA is a file containing trusted roots for the etcd server certificates
	CA string `json:"ca"`
	// CertInfo is the TLS client cert information for securing communication to etcd.
	// etcd holds the entire cluster state, including Secrets, so both CA (server verification) and a client
	// certificate (client authentication) should be set rather than relying on network position alone.
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
}

// EtcdStorageConfig holds the necessary configuration options for the etcd storage underlying OpenShift and Kubernetes
type
EtcdStorageConfig struct {
	// KubernetesStorageVersion is the API version that Kube resources in etcd should be
	// serialized to. This value should *not* be advanced until all clients in the
	// cluster that read from etcd have code that allows them to read the new version.
	KubernetesStorageVersion string `json:"kubernetesStorageVersion"`
	// KubernetesStoragePrefix is the path within etcd that the Kubernetes resources will
	// be rooted under. This value, if changed, will mean existing objects in etcd will
	// no longer be located. The default value is 'kubernetes.io'.
	KubernetesStoragePrefix string `json:"kubernetesStoragePrefix"`
	// OpenShiftStorageVersion is the API version that OS resources in etcd should be
	// serialized to. This value should *not* be advanced until all clients in the
	// cluster that read from etcd have code that allows them to read the new version.
	OpenShiftStorageVersion string `json:"openShiftStorageVersion"`
	// OpenShiftStoragePrefix is the path within etcd that the OpenShift resources will
	// be rooted under. This value, if changed, will mean existing objects in etcd will
	// no longer be located. The default value is 'openshift.io'.
	OpenShiftStoragePrefix string `json:"openShiftStoragePrefix"`
}

// ServingInfo holds the listener and TLS settings for a server endpoint.
type ServingInfo struct {
	// BindAddress is the ip:port to serve on. Binding to an unspecified address (0.0.0.0 or [::]) exposes the
	// endpoint on every interface of the host; bind to a specific address when the service is not meant to be
	// reachable from everywhere the host is.
	BindAddress string `json:"bindAddress"`
	// BindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
	// "tcp4", and "tcp6"
	BindNetwork string `json:"bindNetwork"`
	// CertInfo is the TLS cert info for serving secure traffic.
	// this is anonymous so that we can inline it for serialization
	CertInfo `json:",inline"`
	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates.
	// A client certificate chaining to any CA in this bundle is treated as an authenticated client, so include
	// only CAs whose issuance you control.
	ClientCA string `json:"clientCA"`
	// NamedCertificates is a list of certificates to use to secure requests to specific hostnames
	NamedCertificates []NamedCertificate `json:"namedCertificates"`
	// MinTLSVersion is the minimum TLS version supported.
	// Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants (e.g. "VersionTLS12").
	// TLS 1.0 and 1.1 are deprecated (RFC 8996); set this to TLS 1.2 or higher unless a legacy client requires otherwise.
	MinTLSVersion string `json:"minTLSVersion,omitempty"`
	// CipherSuites contains an overridden list of ciphers for the server to support.
	// Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants
	// (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"). The override replaces the default selection, so make sure
	// the list does not reintroduce suites without forward secrecy or with known-weak ciphers (RC4, 3DES, CBC-SHA).
	CipherSuites []string `json:"cipherSuites,omitempty"`
}

// NamedCertificate specifies a certificate/key, and the names it should be served for
type NamedCertificate struct {
	// Names is a list of DNS names this certificate should be used to secure
	// A name can be a normal DNS name, or can contain leading wildcard segments.
	Names []string `json:"names"`
	// CertInfo is the TLS cert info for serving secure traffic
	CertInfo `json:",inline"`
}

// HTTPServingInfo holds configuration for serving HTTP
type HTTPServingInfo struct {
	// ServingInfo is the HTTP serving information
	ServingInfo `json:",inline"`
	// MaxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.
	// NOTE(review): zero removes the only concurrency back-pressure this struct offers; a bounded value is the
	// safer choice for any endpoint reachable by untrusted clients.
	MaxRequestsInFlight int `json:"maxRequestsInFlight"`
	// RequestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if
	// -1 there is no limit on requests. Unlimited request duration lets slow or stalled clients hold connections
	// indefinitely, so avoid -1 on public-facing servers.
	RequestTimeoutSeconds int `json:"requestTimeoutSeconds"`
}

// MasterClients holds references to `.kubeconfig` files that qualify master clients for OpenShift and Kubernetes
type MasterClients struct {
	// OpenShiftLoopbackKubeConfig is a .kubeconfig filename for system components to loopback to this master.
	// The file holds the credentials those components authenticate with; it should be readable only by the
	// master process.
	OpenShiftLoopbackKubeConfig string `json:"openshiftLoopbackKubeConfig"`

	// OpenShiftLoopbackClientConnectionOverrides specifies client overrides for system components to loop back to this master.
	OpenShiftLoopbackClientConnectionOverrides *ClientConnectionOverrides `json:"openshiftLoopbackClientConnectionOverrides"`
}

// ClientConnectionOverrides are a set of overrides to the default client connection settings.
type ClientConnectionOverrides struct {
	// AcceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
	// default value of 'application/json'. This field will control all connections to the server used by a particular
	// client.
	AcceptContentTypes string `json:"acceptContentTypes"`
	// ContentType is the content type used when sending data to the server from this client.
	ContentType string `json:"contentType"`

	// QPS controls the number of queries per second allowed for this connection.
	QPS float32 `json:"qps"`
	// Burst allows extra queries to accumulate when a client is exceeding its rate.
	Burst int32 `json:"burst"`
}

// DNSConfig holds the necessary configuration options for DNS
type DNSConfig struct {
	// BindAddress is the ip:port to serve DNS on.
	// This listener should only be reachable from the cluster; see AllowRecursiveQueries for why exposure matters.
	BindAddress string `json:"bindAddress"`
	// BindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
	// "tcp4", and "tcp6"
	BindNetwork string `json:"bindNetwork"`
	// AllowRecursiveQueries allows the DNS server on the master to answer queries recursively.
Note that open
// resolvers can be used for DNS amplification attacks and the master DNS should not be made accessible
// to public networks.
	// Leave this false unless clients genuinely need the master to resolve external names on their behalf.
	AllowRecursiveQueries bool `json:"allowRecursiveQueries"`
}

// WebhookTokenAuthenticator holds the necessary configuration options for
// external token authenticators
type WebhookTokenAuthenticator struct {
	// ConfigFile is a path to a Kubeconfig file with the webhook configuration.
	// It names the remote authenticator and the credentials used to reach it. The webhook is trusted to assert
	// user identity, so the server it points at should be reached over verified TLS, never plain HTTP.
	ConfigFile string `json:"configFile"`
	// CacheTTL indicates how long an authentication result should be cached.
	// It takes a valid time duration string (e.g. "5m").
	// If empty, you get a default timeout of 2 minutes.
	// If zero (e.g. "0m"), caching is disabled.
	// A cached positive result keeps a token usable for up to CacheTTL after the remote authenticator would
	// start rejecting it, so this value bounds revocation latency.
	CacheTTL string `json:"cacheTTL"`
}

// OAuthConfig holds the necessary configuration options for OAuth authentication
type OAuthConfig struct {
	// MasterCA is the CA for verifying the TLS connection back to the MasterURL.
	// NOTE(review): what happens when this is nil (system roots vs. no verification) is not specified here;
	// confirm before leaving it unset.
	MasterCA *string `json:"masterCA"`

	// MasterURL is used for making server-to-server calls to exchange authorization codes for access tokens
	MasterURL string `json:"masterURL"`

	// MasterPublicURL is used for building valid client redirect URLs for internal and external access.
	// The OAuth server trusts this value as-is when constructing redirects, so it must be the exact
	// externally reachable https URL of the master.
	MasterPublicURL string `json:"masterPublicURL"`

	// AssetPublicURL is used for building valid client redirect URLs for external access
	AssetPublicURL string `json:"assetPublicURL"`

	// AlwaysShowProviderSelection will force the provider selection page to render even when there is only a single provider.
	AlwaysShowProviderSelection bool `json:"alwaysShowProviderSelection"`

	// IdentityProviders is an ordered list of ways for a user to identify themselves
	IdentityProviders []IdentityProvider `json:"identityProviders"`

	// GrantConfig describes how to handle grants
	GrantConfig GrantConfig `json:"grantConfig"`

	// SessionConfig holds information about configuring sessions.
	SessionConfig *SessionConfig `json:"sessionConfig"`

	// TokenConfig contains options for authorization and access tokens
	TokenConfig TokenConfig `json:"tokenConfig"`

	// Templates allow you to customize pages like the login page.
	Templates *OAuthTemplates `json:"templates"`
}

// OAuthTemplates allow for customization of pages like the login page.
// The templates are rendered by the OAuth server itself and fully control the HTML that users type their
// credentials into, so the referenced files are trusted configuration: restrict who can write them.
type OAuthTemplates struct {
	// Login is a path to a file containing a go template used to render the login page.
	// If unspecified, the default login page is used.
	Login string `json:"login"`

	// ProviderSelection is a path to a file containing a go template used to render the provider selection page.
	// If unspecified, the default provider selection page is used.
	ProviderSelection string `json:"providerSelection"`

	// Error is a path to a file containing a go template used to render error pages during the authentication or grant flow
	// If unspecified, the default error page is used.
	Error string `json:"error"`
}

// ServiceAccountConfig holds the necessary configuration options for a service account
type ServiceAccountConfig struct {
	// ManagedNames is a list of service account names that will be auto-created in every namespace.
	// If no names are specified, the ServiceAccountsController will not be started.
	ManagedNames []string `json:"managedNames"`

	// LimitSecretReferences controls whether or not to allow a service account to reference any secret in a namespace
	// without explicitly referencing them. When true, pods running as a service account are (presumably) limited to
	// the secrets listed on that service account, which keeps one compromised workload from reading every secret in
	// the namespace — confirm the exact semantics against the controller before relying on this.
	LimitSecretReferences bool `json:"limitSecretReferences"`

	// PrivateKeyFile is a file containing a PEM-encoded private RSA key, used to sign service account tokens.
	// If no private key is specified, the service account TokensController will not be started.
	// Whoever can read this key can mint a token for any service account in the cluster; keep it readable only by
	// the master process, and rotate it by adding the new public key to PublicKeyFiles before switching the signer.
	PrivateKeyFile string `json:"privateKeyFile"`

	// PublicKeyFiles is a list of files, each containing a PEM-encoded public RSA key.
	// (If any file contains a private key, the public portion of the key is used)
	// The list of public keys is used to verify presented service account tokens.
	// Each key is tried in order until the list is exhausted or verification succeeds.
	// If no keys are specified, no service account authentication will be available.
	// Every key listed here accepts tokens, so a retired signer's tokens stay valid until its key is removed.
	PublicKeyFiles []string `json:"publicKeyFiles"`

	// MasterCA is the CA for verifying the TLS connection back to the master. The service account controller will automatically
	// inject the contents of this file into pods so they can verify connections to the master.
	MasterCA string `json:"masterCA"`
}

// TokenConfig holds the necessary configuration options for authorization and access tokens.
// Shorter lifetimes narrow the window in which a leaked token is useful; raise them only with a reason.
type TokenConfig struct {
	// AuthorizeTokenMaxAgeSeconds defines the maximum age of authorize tokens
	AuthorizeTokenMaxAgeSeconds int32 `json:"authorizeTokenMaxAgeSeconds"`
	// AccessTokenMaxAgeSeconds defines the maximum age of access tokens
	AccessTokenMaxAgeSeconds int32 `json:"accessTokenMaxAgeSeconds"`
	// AccessTokenInactivityTimeoutSeconds defines the default token
	// inactivity timeout for tokens granted by any client.
	// Setting it to nil means the feature is completely disabled (default)
	// The default setting can be overridden on OAuthClient basis.
	// The value represents the maximum amount of time that can occur between
	// consecutive uses of the token. Tokens become invalid if they are not
	// used within this temporal window. The user will need to acquire a new
	// token to regain access once a token times out.
	// Valid values are:
	// - 0: Tokens never time out
	// - X: Tokens time out if there is no activity for X seconds
	// The current minimum allowed value for X is 300 (5 minutes)
	AccessTokenInactivityTimeoutSeconds *int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
}

// SessionConfig specifies options for cookie-based sessions. Used by AuthRequestHandlerSession
type SessionConfig struct {
	// SessionSecretsFile is a reference to a file containing a serialized SessionSecrets object
	// If no file is specified, a random signing and encryption key are generated at each server start.
	// Random keys mean every existing session is invalidated on restart, and two server instances started this
	// way cannot read each other's sessions — set the file when running more than one instance or when
	// sessions must survive restarts, and protect it like any other key material.
	SessionSecretsFile string `json:"sessionSecretsFile"`
	// SessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession
	SessionMaxAgeSeconds int32 `json:"sessionMaxAgeSeconds"`
	// SessionName is the cookie name used to store the session
	SessionName string `json:"sessionName"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SessionSecrets list the secrets to use to sign/encrypt and authenticate/decrypt created sessions.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type SessionSecrets struct {
	metav1.TypeMeta `json:",inline"`

	// Secrets is a list of secrets
	// New sessions are signed and encrypted using the first secret.
	// Existing sessions are decrypted/authenticated by each secret until one succeeds. This allows rotating secrets:
	// prepend the new secret, then drop the old one once SessionMaxAgeSeconds has elapsed and no session signed
	// with it can still be valid.
	Secrets []SessionSecret `json:"secrets"`
}

// SessionSecret is a secret used to authenticate/decrypt cookie-based sessions
type SessionSecret struct {
	// Authentication is used to authenticate sessions using HMAC. Recommended to use a secret with 32 or 64 bytes.
	Authentication string `json:"authentication"`
	// Encryption is used to encrypt sessions. Must be 16, 24, or 32 characters long, to select AES-128, AES-192,
	// or AES-256 respectively. Both values should come from a cryptographically secure random source.
	Encryption string `json:"encryption"`
}

// IdentityProvider provides identities for users authenticating using credentials
type IdentityProvider struct {
	// Name is used to qualify the identities returned by this provider
	Name string `json:"name"`
	// UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider
	UseAsChallenger bool `json:"challenge"`
	// UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against
	UseAsLogin bool `json:"login"`
	// MappingMethod determines how identities from this provider are mapped to users.
	// NOTE(review): the accepted values are not enumerated in this file. The choice matters for security
	// because a method that lets identities from different providers share a user lets one provider's
	// account act as another's — confirm the allowed values and their semantics against the mapper.
	MappingMethod string `json:"mappingMethod"`
	// Provider contains the information about how to set up a specific identity provider.
	// Presumably one of the *IdentityProvider types declared below, selected by its TypeMeta.
	Provider runtime.RawExtension `json:"provider"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type BasicAuthPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// RemoteConnectionInfo contains information about how to connect to the external basic auth server.
	// The user's username and password are forwarded to that server, so URL should be https and CA should be
	// set so the server's certificate is verified before any credential is sent.
	RemoteConnectionInfo `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AllowAllPasswordIdentityProvider provides identities for users authenticating using non-empty passwords.
// Any username with any non-empty password is accepted: this provider performs no credential verification at
// all and is suitable only for development or throwaway clusters, never for anything reachable by untrusted users.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type AllowAllPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// DenyAllPasswordIdentityProvider provides no identities for users
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type DenyAllPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type HTPasswdPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// File is a reference to your htpasswd file.
	// It holds the password hashes for every local user: restrict read access to the master process. The hash
	// formats accepted are not specified here; prefer a bcrypt-based htpasswd where supported.
	File string `json:"file"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type LDAPPasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
	// URL is an RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
	// ldap://host:port/basedn?attribute?scope?filter
	URL string `json:"url"`
	// BindDN is an optional DN to bind with during the search phase.
	// Use a dedicated, read-only search account here rather than an administrative one; the OAuth server holds
	// this credential permanently.
	BindDN string `json:"bindDN"`
	// BindPassword is an optional password to bind with during the search phase.
	BindPassword StringSource `json:"bindPassword"`

	// Insecure, if true, indicates the connection should not use TLS.
	// Cannot be set to true with a URL scheme of "ldaps://"
	// If false, "ldaps://" URLs connect using TLS, and "ldap://" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830
	// With Insecure=true both the bind password and every user's password cross the network in cleartext;
	// leave it false outside isolated test setups.
	Insecure bool `json:"insecure"`
	// CA is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`
	// Attributes maps LDAP attributes to identities
	Attributes LDAPAttributeMapping `json:"attributes"`
}

// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
type LDAPAttributeMapping struct {
	// ID is the list of attributes whose values should be used as the user ID. Required.
	// LDAP standard identity attribute is "dn". Use an attribute that stays stable for the lifetime of the
	// account and is never reassigned to another entry; a reused ID hands an existing OpenShift identity to
	// a new directory entry.
	ID []string `json:"id"`
	// PreferredUsername is the list of attributes whose values should be used as the preferred username.
	// LDAP standard login attribute is "uid"
	PreferredUsername []string `json:"preferredUsername"`
	// Name is the list of attributes whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	// LDAP standard display name attribute is "cn"
	Name []string `json:"name"`
	// Email is the list of attributes whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	Email []string `json:"email"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type KeystonePasswordIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`
	// RemoteConnectionInfo contains information about how to connect to the keystone server.
	// User passwords are forwarded to this server; use https and set CA so the endpoint is verified.
	RemoteConnectionInfo `json:",inline"`
	// DomainName is required for keystone v3
	DomainName string `json:"domainName"`
	// UseKeystoneIdentity flag indicates that user should be authenticated by keystone ID, not by username.
	// Usernames can be deleted and reassigned in Keystone while IDs are stable, so keying identities on the ID
	// prevents a recreated account from inheriting the previous holder's OpenShift identity.
	UseKeystoneIdentity bool `json:"useKeystoneIdentity"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials.
// This provider trusts identity asserted by an authenticating proxy in front of the OAuth server; its security
// rests entirely on ClientCA/ClientCommonNames proving the request came from that proxy and on the proxy
// stripping the identity headers from everything it forwards.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type RequestHeaderIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// LoginURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	// https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	// https://www.example.com/auth-proxy/oauth/authorize?${query}
	LoginURL string `json:"loginURL"`

	// ChallengeURL is a URL to redirect unauthenticated /authorize requests to
	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be redirected here
	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
	// https://www.example.com/sso-login?then=${url}
	// ${query} is replaced with the current query string
	// https://www.example.com/auth-proxy/oauth/authorize?${query}
	ChallengeURL string `json:"challengeURL"`

	// ClientCA is a file with the trusted signer certs. If empty, no request verification is done, and any direct
	// request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.
	// Always set this outside a closed test environment, and ensure the OAuth server is not reachable except
	// through the authenticating proxy.
	ClientCA string `json:"clientCA"`
	// ClientCommonNames is an optional list of common names to require a match from. If empty, any client certificate
	// validated against the clientCA bundle is considered authoritative. Pin the proxy's CN here whenever the CA
	// also issues certificates to other clients.
	ClientCommonNames []string `json:"clientCommonNames"`

	// Headers is the set of headers to check for identity information.
	// The authenticating proxy must strip or overwrite these headers (and the three below) on every inbound
	// request; otherwise a client can supply its own identity header and be accepted as that user.
	Headers []string `json:"headers"`
	// PreferredUsernameHeaders is the set of headers to check for the preferred username
	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders"`
	// NameHeaders is the set of headers to check for the display name
	NameHeaders []string `json:"nameHeaders"`
	// EmailHeaders is the set of headers to check for the email address
	EmailHeaders []string `json:"emailHeaders"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GitHubIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// ClientID is the oauth client ID
	ClientID string `json:"clientID"`
	// ClientSecret is the oauth client secret
	ClientSecret StringSource `json:"clientSecret"`
	// Organizations optionally restricts which organizations are allowed to log in.
	// If neither Organizations nor Teams is set, every GitHub (or GitHub Enterprise) account can log in.
	Organizations []string `json:"organizations"`
	// Teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
	Teams []string `json:"teams"`
	// Hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of GitHub Enterprise.
	// It must match the GitHub Enterprise settings value that is configured at /setup/settings#hostname.
	Hostname string `json:"hostname"`
	// CA is the optional trusted certificate authority bundle to use when making requests to the server.
	// If empty, the default system roots are used. This can only be configured when hostname is set to a non-empty value.
	CA string `json:"ca"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GitLabIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// CA is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`
	// URL is the oauth server base URL. It should be an https URL; the client secret is sent to it.
	URL string `json:"url"`
	// ClientID is the oauth client ID
	ClientID string `json:"clientID"`
	// ClientSecret is the oauth client secret
	ClientSecret StringSource `json:"clientSecret"`
	// Legacy determines if OAuth2 or OIDC should be used
	// If true, OAuth2 is used
	// If false, OIDC is used
	// If nil and the URL's host is gitlab.com, OIDC is used
	// Otherwise, OAuth2 is used
	// In a future release, nil will default to using OIDC
	// Eventually this flag will be removed and only OIDC will be used
	// Set this explicitly to false for new deployments rather than relying on the nil default, which currently
	// selects the plain-OAuth2 path for self-hosted instances.
	Legacy *bool `json:"legacy,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GoogleIdentityProvider provides identities for users authenticating using Google credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type GoogleIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// ClientID is the oauth client ID
	ClientID string `json:"clientID"`
	// ClientSecret is the oauth client secret
	ClientSecret StringSource `json:"clientSecret"`

	// HostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to.
	// If empty, any Google account can log in.
	HostedDomain string `json:"hostedDomain"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type OpenIDIdentityProvider struct {
	metav1.TypeMeta `json:",inline"`

	// CA is the optional trusted certificate authority bundle to use when making requests to the server
	// If empty, the default system roots are used
	CA string `json:"ca"`

	// ClientID is the oauth client ID
	ClientID string `json:"clientID"`
	// ClientSecret is the oauth client secret
	ClientSecret StringSource `json:"clientSecret"`

	// ExtraScopes are any scopes to request in addition to the standard "openid" scope.
	ExtraScopes []string `json:"extraScopes"`

	// ExtraAuthorizeParameters are any custom parameters to add to the authorize request.
	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters"`

	// URLs to use to authenticate. All of them should be https: the client secret is sent to the token
	// endpoint and the token response is trusted to establish identity.
	URLs OpenIDURLs `json:"urls"`

	// Claims mappings
	Claims OpenIDClaims `json:"claims"`
}

// OpenIDURLs are URLs to use when authenticating with an OpenID identity provider
type OpenIDURLs struct {
	// Authorize is the oauth authorization URL
	Authorize string `json:"authorize"`
	// Token is the oauth token granting URL
	Token string `json:"token"`
	// UserInfo is the optional userinfo URL.
	// If present, a granted access_token is used to request claims
	// If empty, a granted id_token is parsed for claims
	UserInfo string `json:"userInfo"`
}

// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
type OpenIDClaims struct {
	// ID is the list of claims whose values should be used as the user ID. Required.
	// OpenID standard identity claim is "sub". Use only claims the provider guarantees to be unique and never
	// reused for another account; "sub" is, whereas "email" or "preferred_username" generally are not, and a
	// reused value hands an existing OpenShift identity to a different person.
	ID []string `json:"id"`
	// PreferredUsername is the list of claims whose values should be used as the preferred username.
	// If unspecified, the preferred username is determined from the value of the id claim
	PreferredUsername []string `json:"preferredUsername"`
	// Name is the list of claims whose values should be used as the display name. Optional.
	// If unspecified, no display name is set for the identity
	Name []string `json:"name"`
	// Email is the list of claims whose values should be used as the email address. Optional.
	// If unspecified, no email is set for the identity
	Email []string `json:"email"`
}

// GrantConfig holds the necessary configuration options for grant handlers
type GrantConfig struct {
	// Method determines the default strategy to use when an OAuth client requests a grant.
	// This method will be used only if the specific OAuth client doesn't provide a strategy
	// of their own. Valid grant handling methods are:
	// - auto: always approves grant requests, useful for trusted clients
	// - prompt: prompts the end user for approval of grant requests, useful for third-party clients
	// - deny: always denies grant requests, useful for blocked clients
	// Because this is the fallback for every client without its own strategy, "auto" here means any client
	// not explicitly configured silently gets the requested scopes; prefer "prompt" or "deny" as the default.
	Method GrantHandlerType `json:"method"`

	// ServiceAccountMethod is used for determining client authorization for service account oauth client.
1165 // It must be either: deny, prompt 1166 ServiceAccountMethod GrantHandlerType `json:"serviceAccountMethod"` 1167 } 1168 1169 type GrantHandlerType string 1170 1171 const ( 1172 // GrantHandlerAuto auto-approves client authorization grant requests 1173 GrantHandlerAuto GrantHandlerType = "auto" 1174 // GrantHandlerPrompt prompts the user to approve new client authorization grant requests 1175 GrantHandlerPrompt GrantHandlerType = "prompt" 1176 // GrantHandlerDeny auto-denies client authorization grant requests 1177 GrantHandlerDeny GrantHandlerType = "deny" 1178 ) 1179 1180 // EtcdConfig holds the necessary configuration options for connecting with an etcd database 1181 type EtcdConfig struct { 1182 // ServingInfo describes how to start serving the etcd master 1183 ServingInfo ServingInfo `json:"servingInfo"` 1184 // Address is the advertised host:port for client connections to etcd 1185 Address string `json:"address"` 1186 // PeerServingInfo describes how to start serving the etcd peer 1187 PeerServingInfo ServingInfo `json:"peerServingInfo"` 1188 // PeerAddress is the advertised host:port for peer connections to etcd 1189 PeerAddress string `json:"peerAddress"` 1190 1191 // StorageDir is the path to the etcd storage directory 1192 StorageDir string `json:"storageDirectory"` 1193 } 1194 1195 // KubernetesMasterConfig holds the necessary configuration options for the Kubernetes master 1196 type KubernetesMasterConfig struct { 1197 // APILevels is a list of API levels that should be enabled on startup: v1 as examples 1198 APILevels []string `json:"apiLevels"` 1199 // DisabledAPIGroupVersions is a map of groups to the versions (or *) that should be disabled. 1200 DisabledAPIGroupVersions map[string][]string `json:"disabledAPIGroupVersions"` 1201 1202 // MasterIP is the public IP address of kubernetes stuff. If empty, the first result from net.InterfaceAddrs will be used. 
1203 MasterIP string `json:"masterIP"` 1204 // MasterEndpointReconcileTTL sets the time to live in seconds of an endpoint record recorded by each master. The endpoints are checked 1205 // at an interval that is 2/3 of this value and this value defaults to 15s if unset. In very large clusters, this value may be increased to 1206 // reduce the possibility that the master endpoint record expires (due to other load on the etcd server) and causes masters to drop in and 1207 // out of the kubernetes service record. It is not recommended to set this value below 15s. 1208 MasterEndpointReconcileTTL int `json:"masterEndpointReconcileTTL"` 1209 // ServicesSubnet is the subnet to use for assigning service IPs 1210 ServicesSubnet string `json:"servicesSubnet"` 1211 // ServicesNodePortRange is the range to use for assigning service public ports on a host. 1212 ServicesNodePortRange string `json:"servicesNodePortRange"` 1213 1214 // SchedulerConfigFile points to a file that describes how to set up the scheduler. If empty, you get the default scheduling rules. 1215 SchedulerConfigFile string `json:"schedulerConfigFile"` 1216 1217 // PodEvictionTimeout controls grace period for deleting pods on failed nodes. 1218 // It takes valid time duration string. If empty, you get the default pod eviction timeout. 1219 PodEvictionTimeout string `json:"podEvictionTimeout"` 1220 // ProxyClientInfo specifies the client cert/key to use when proxying to pods 1221 ProxyClientInfo CertInfo `json:"proxyClientInfo"` 1222 1223 // APIServerArguments are key value pairs that will be passed directly to the Kube apiserver that match the apiservers's 1224 // command line arguments. These are not migrated, but if you reference a value that does not exist the server will not 1225 // start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations. 
1226 APIServerArguments ExtendedArguments `json:"apiServerArguments"` 1227 // ControllerArguments are key value pairs that will be passed directly to the Kube controller manager that match the 1228 // controller manager's command line arguments. These are not migrated, but if you reference a value that does not exist 1229 // the server will not start. These values may override other settings in KubernetesMasterConfig which may cause invalid 1230 // configurations. 1231 ControllerArguments ExtendedArguments `json:"controllerArguments"` 1232 // SchedulerArguments are key value pairs that will be passed directly to the Kube scheduler that match the scheduler's 1233 // command line arguments. These are not migrated, but if you reference a value that does not exist the server will not 1234 // start. These values may override other settings in KubernetesMasterConfig which may cause invalid configurations. 1235 SchedulerArguments ExtendedArguments `json:"schedulerArguments"` 1236 } 1237 1238 // CertInfo relates a certificate with a private key 1239 type CertInfo struct { 1240 // CertFile is a file containing a PEM-encoded certificate 1241 CertFile string `json:"certFile"` 1242 // KeyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile 1243 KeyFile string `json:"keyFile"` 1244 } 1245 1246 // PodManifestConfig holds the necessary configuration options for using pod manifests 1247 type PodManifestConfig struct { 1248 // Path specifies the path for the pod manifest file or directory 1249 // If its a directory, its expected to contain on or more manifest files 1250 // This is used by the Kubelet to create pods on the node 1251 Path string `json:"path"` 1252 // FileCheckIntervalSeconds is the interval in seconds for checking the manifest file(s) for new data 1253 // The interval needs to be a positive value 1254 FileCheckIntervalSeconds int64 `json:"fileCheckIntervalSeconds"` 1255 } 1256 1257 // StringSource allows specifying a string 
inline, or externally via env var or file. 1258 // When it contains only a string value, it marshals to a simple JSON string. 1259 type StringSource struct { 1260 // StringSourceSpec specifies the string value, or external location 1261 StringSourceSpec `json:",inline"` 1262 } 1263 1264 // StringSourceSpec specifies a string value, or external location 1265 type StringSourceSpec struct { 1266 // Value specifies the cleartext value, or an encrypted value if keyFile is specified. 1267 Value string `json:"value"` 1268 1269 // Env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified. 1270 Env string `json:"env"` 1271 1272 // File references a file containing the cleartext value, or an encrypted value if a keyFile is specified. 1273 File string `json:"file"` 1274 1275 // KeyFile references a file containing the key to use to decrypt the value. 1276 KeyFile string `json:"keyFile"` 1277 } 1278 1279 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 1280 1281 // LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync 1282 // 1283 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 1284 // +openshift:compatibility-gen:level=4 1285 // +openshift:compatibility-gen:internal 1286 type LDAPSyncConfig struct { 1287 metav1.TypeMeta `json:",inline"` 1288 // Host is the scheme, host and port of the LDAP server to connect to: 1289 // scheme://host:port 1290 URL string `json:"url"` 1291 // BindDN is an optional DN to bind to the LDAP server with 1292 BindDN string `json:"bindDN"` 1293 // BindPassword is an optional password to bind with during the search phase. 1294 BindPassword StringSource `json:"bindPassword"` 1295 1296 // Insecure, if true, indicates the connection should not use TLS. 
1297 // Cannot be set to true with a URL scheme of "ldaps://" 1298 // If false, "ldaps://" URLs connect using TLS, and "ldap://" URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830 1299 Insecure bool `json:"insecure"` 1300 // CA is the optional trusted certificate authority bundle to use when making requests to the server 1301 // If empty, the default system roots are used 1302 CA string `json:"ca"` 1303 1304 // LDAPGroupUIDToOpenShiftGroupNameMapping is an optional direct mapping of LDAP group UIDs to 1305 // OpenShift Group names 1306 LDAPGroupUIDToOpenShiftGroupNameMapping map[string]string `json:"groupUIDNameMapping"` 1307 1308 // RFC2307Config holds the configuration for extracting data from an LDAP server set up in a fashion 1309 // similar to RFC2307: first-class group and user entries, with group membership determined by a 1310 // multi-valued attribute on the group entry listing its members 1311 RFC2307Config *RFC2307Config `json:"rfc2307,omitempty"` 1312 1313 // ActiveDirectoryConfig holds the configuration for extracting data from an LDAP server set up in a 1314 // fashion similar to that used in Active Directory: first-class user entries, with group membership 1315 // determined by a multi-valued attribute on members listing groups they are a member of 1316 ActiveDirectoryConfig *ActiveDirectoryConfig `json:"activeDirectory,omitempty"` 1317 1318 // AugmentedActiveDirectoryConfig holds the configuration for extracting data from an LDAP server 1319 // set up in a fashion similar to that used in Active Directory as described above, with one addition: 1320 // first-class group entries exist and are used to hold metadata but not group membership 1321 AugmentedActiveDirectoryConfig *AugmentedActiveDirectoryConfig `json:"augmentedActiveDirectory,omitempty"` 1322 } 1323 1324 // RFC2307Config holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP 1325 // server using 
the RFC2307 schema 1326 type RFC2307Config struct { 1327 // AllGroupsQuery holds the template for an LDAP query that returns group entries. 1328 AllGroupsQuery LDAPQuery `json:"groupsQuery"` 1329 1330 // GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. 1331 // (ldapGroupUID) 1332 GroupUIDAttribute string `json:"groupUIDAttribute"` 1333 1334 // GroupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for 1335 // an OpenShift group 1336 GroupNameAttributes []string `json:"groupNameAttributes"` 1337 1338 // GroupMembershipAttributes defines which attributes on an LDAP group entry will be interpreted as its members. 1339 // The values contained in those attributes must be queryable by your UserUIDAttribute 1340 GroupMembershipAttributes []string `json:"groupMembershipAttributes"` 1341 1342 // AllUsersQuery holds the template for an LDAP query that returns user entries. 1343 AllUsersQuery LDAPQuery `json:"usersQuery"` 1344 1345 // UserUIDAttribute defines which attribute on an LDAP user entry will be interpreted as its unique identifier. 1346 // It must correspond to values that will be found from the GroupMembershipAttributes 1347 UserUIDAttribute string `json:"userUIDAttribute"` 1348 1349 // UserNameAttributes defines which attributes on an LDAP user entry will be used, in order, as its OpenShift user name. 1350 // The first attribute with a non-empty value is used. This should match your PreferredUsername setting for your LDAPPasswordIdentityProvider 1351 UserNameAttributes []string `json:"userNameAttributes"` 1352 1353 // TolerateMemberNotFoundErrors determines the behavior of the LDAP sync job when missing user entries are 1354 // encountered. If 'true', an LDAP query for users that doesn't find any will be tolerated and an only 1355 // and error will be logged. If 'false', the LDAP sync job will fail if a query for users doesn't find 1356 // any. 
The default value is 'false'. Misconfigured LDAP sync jobs with this flag set to 'true' can cause 1357 // group membership to be removed, so it is recommended to use this flag with caution. 1358 TolerateMemberNotFoundErrors bool `json:"tolerateMemberNotFoundErrors"` 1359 1360 // TolerateMemberOutOfScopeErrors determines the behavior of the LDAP sync job when out-of-scope user entries 1361 // are encountered. If 'true', an LDAP query for a user that falls outside of the base DN given for the all 1362 // user query will be tolerated and only an error will be logged. If 'false', the LDAP sync job will fail 1363 // if a user query would search outside of the base DN specified by the all user query. Misconfigured LDAP 1364 // sync jobs with this flag set to 'true' can result in groups missing users, so it is recommended to use 1365 // this flag with caution. 1366 TolerateMemberOutOfScopeErrors bool `json:"tolerateMemberOutOfScopeErrors"` 1367 } 1368 1369 // ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP 1370 // server using the Active Directory schema 1371 type ActiveDirectoryConfig struct { 1372 // AllUsersQuery holds the template for an LDAP query that returns user entries. 1373 AllUsersQuery LDAPQuery `json:"usersQuery"` 1374 1375 // UserNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name. 
1376 UserNameAttributes []string `json:"userNameAttributes"` 1377 1378 // GroupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted 1379 // as the groups it is a member of 1380 GroupMembershipAttributes []string `json:"groupMembershipAttributes"` 1381 } 1382 1383 // AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP 1384 // server using the augmented Active Directory schema 1385 type AugmentedActiveDirectoryConfig struct { 1386 // AllUsersQuery holds the template for an LDAP query that returns user entries. 1387 AllUsersQuery LDAPQuery `json:"usersQuery"` 1388 1389 // UserNameAttributes defines which attributes on an LDAP user entry will be interpreted as its OpenShift user name. 1390 UserNameAttributes []string `json:"userNameAttributes"` 1391 1392 // GroupMembershipAttributes defines which attributes on an LDAP user entry will be interpreted 1393 // as the groups it is a member of 1394 GroupMembershipAttributes []string `json:"groupMembershipAttributes"` 1395 1396 // AllGroupsQuery holds the template for an LDAP query that returns group entries. 1397 AllGroupsQuery LDAPQuery `json:"groupsQuery"` 1398 1399 // GroupUIDAttributes defines which attribute on an LDAP group entry will be interpreted as its unique identifier. 1400 // (ldapGroupUID) 1401 GroupUIDAttribute string `json:"groupUIDAttribute"` 1402 1403 // GroupNameAttributes defines which attributes on an LDAP group entry will be interpreted as its name to use for 1404 // an OpenShift group 1405 GroupNameAttributes []string `json:"groupNameAttributes"` 1406 } 1407 1408 // LDAPQuery holds the options necessary to build an LDAP query 1409 type LDAPQuery struct { 1410 // The DN of the branch of the directory where all searches should start from 1411 BaseDN string `json:"baseDN"` 1412 1413 // The (optional) scope of the search. 
Can be: 1414 // base: only the base object, 1415 // one: all object on the base level, 1416 // sub: the entire subtree 1417 // Defaults to the entire subtree if not set 1418 Scope string `json:"scope"` 1419 1420 // The (optional) behavior of the search with regards to alisases. Can be: 1421 // never: never dereference aliases, 1422 // search: only dereference in searching, 1423 // base: only dereference in finding the base object, 1424 // always: always dereference 1425 // Defaults to always dereferencing if not set 1426 DerefAliases string `json:"derefAliases"` 1427 1428 // TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding 1429 // before the wait for a response is given up. If this is 0, no client-side limit is imposed 1430 TimeLimit int `json:"timeout"` 1431 1432 // Filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN 1433 Filter string `json:"filter"` 1434 1435 // PageSize is the maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done. 1436 PageSize int `json:"pageSize"` 1437 } 1438 1439 // AdmissionPluginConfig holds the necessary configuration options for admission plugins 1440 type AdmissionPluginConfig struct { 1441 // Location is the path to a configuration file that contains the plugin's 1442 // configuration 1443 Location string `json:"location"` 1444 1445 // Configuration is an embedded configuration object to be used as the plugin's 1446 // configuration. If present, it will be used instead of the path to the configuration file. 
1447 Configuration runtime.RawExtension `json:"configuration"` 1448 } 1449 1450 // AdmissionConfig holds the necessary configuration options for admission 1451 type AdmissionConfig struct { 1452 // PluginConfig allows specifying a configuration file per admission control plugin 1453 PluginConfig map[string]*AdmissionPluginConfig `json:"pluginConfig"` 1454 1455 // PluginOrderOverride is a list of admission control plugin names that will be installed 1456 // on the master. Order is significant. If empty, a default list of plugins is used. 1457 PluginOrderOverride []string `json:"pluginOrderOverride,omitempty"` 1458 } 1459 1460 // ControllerConfig holds configuration values for controllers 1461 type ControllerConfig struct { 1462 // Controllers is a list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller "+ 1463 // named 'foo', '-foo' disables the controller named 'foo'. 1464 // Defaults to "*". 1465 Controllers []string `json:"controllers"` 1466 // Election defines the configuration for electing a controller instance to make changes to 1467 // the cluster. If unspecified, the ControllerTTL value is checked to determine whether the 1468 // legacy direct etcd election code will be used. 1469 Election *ControllerElectionConfig `json:"election"` 1470 // ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for 1471 // pods fulfilling a service to serve with. 1472 ServiceServingCert ServiceServingCert `json:"serviceServingCert"` 1473 } 1474 1475 // ControllerElectionConfig contains configuration values for deciding how a controller 1476 // will be elected to act as leader. 1477 type ControllerElectionConfig struct { 1478 // LockName is the resource name used to act as the lock for determining which controller 1479 // instance should lead. 
1480 LockName string `json:"lockName"` 1481 // LockNamespace is the resource namespace used to act as the lock for determining which 1482 // controller instance should lead. It defaults to "kube-system" 1483 LockNamespace string `json:"lockNamespace"` 1484 // LockResource is the group and resource name to use to coordinate for the controller lock. 1485 // If unset, defaults to "configmaps". 1486 LockResource GroupResource `json:"lockResource"` 1487 } 1488 1489 // GroupResource points to a resource by its name and API group. 1490 type GroupResource struct { 1491 // Group is the name of an API group 1492 Group string `json:"group"` 1493 // Resource is the name of a resource. 1494 Resource string `json:"resource"` 1495 } 1496 1497 // ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for 1498 // pods fulfilling a service to serve with. 1499 type ServiceServingCert struct { 1500 // Signer holds the signing information used to automatically sign serving certificates. 1501 // If this value is nil, then certs are not signed automatically. 1502 Signer *CertInfo `json:"signer"` 1503 } 1504 1505 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 1506 1507 // DefaultAdmissionConfig can be used to enable or disable various admission plugins. 1508 // When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, 1509 // this will cause an "off by default" admission plugin to be enabled 1510 // 1511 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 1512 // +openshift:compatibility-gen:level=4 1513 // +openshift:compatibility-gen:internal 1514 type DefaultAdmissionConfig struct { 1515 metav1.TypeMeta `json:",inline"` 1516 1517 // Disable turns off an admission plugin that is enabled by default. 
1518 Disable bool `json:"disable"` 1519 } 1520 1521 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 1522 1523 // BuildDefaultsConfig controls the default information for Builds 1524 // 1525 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 1526 // +openshift:compatibility-gen:level=4 1527 // +openshift:compatibility-gen:internal 1528 type BuildDefaultsConfig struct { 1529 metav1.TypeMeta `json:",inline"` 1530 1531 // gitHTTPProxy is the location of the HTTPProxy for Git source 1532 GitHTTPProxy string `json:"gitHTTPProxy,omitempty"` 1533 1534 // gitHTTPSProxy is the location of the HTTPSProxy for Git source 1535 GitHTTPSProxy string `json:"gitHTTPSProxy,omitempty"` 1536 1537 // gitNoProxy is the list of domains for which the proxy should not be used 1538 GitNoProxy string `json:"gitNoProxy,omitempty"` 1539 1540 // env is a set of default environment variables that will be applied to the 1541 // build if the specified variables do not exist on the build 1542 Env []corev1.EnvVar `json:"env,omitempty"` 1543 1544 // sourceStrategyDefaults are default values that apply to builds using the 1545 // source strategy. 1546 SourceStrategyDefaults *SourceStrategyDefaultsConfig `json:"sourceStrategyDefaults,omitempty"` 1547 1548 // imageLabels is a list of labels that are applied to the resulting image. 1549 // User can override a default label by providing a label with the same name in their 1550 // Build/BuildConfig. 
1551 ImageLabels []buildv1.ImageLabel `json:"imageLabels,omitempty"` 1552 1553 // nodeSelector is a selector which must be true for the build pod to fit on a node 1554 NodeSelector map[string]string `json:"nodeSelector,omitempty"` 1555 1556 // annotations are annotations that will be added to the build pod 1557 Annotations map[string]string `json:"annotations,omitempty"` 1558 1559 // resources defines resource requirements to execute the build. 1560 Resources corev1.ResourceRequirements `json:"resources,omitempty"` 1561 } 1562 1563 // SourceStrategyDefaultsConfig contains values that apply to builds using the 1564 // source strategy. 1565 type SourceStrategyDefaultsConfig struct { 1566 1567 // incremental indicates if s2i build strategies should perform an incremental 1568 // build or not 1569 Incremental *bool `json:"incremental,omitempty"` 1570 } 1571 1572 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 1573 1574 // BuildOverridesConfig controls override settings for builds 1575 // 1576 // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 1577 // +openshift:compatibility-gen:level=4 1578 // +openshift:compatibility-gen:internal 1579 type BuildOverridesConfig struct { 1580 metav1.TypeMeta `json:",inline"` 1581 1582 // forcePull indicates whether the build strategy should always be set to ForcePull=true 1583 ForcePull bool `json:"forcePull"` 1584 1585 // imageLabels is a list of labels that are applied to the resulting image. 1586 // If user provided a label in their Build/BuildConfig with the same name as one in this 1587 // list, the user's label will be overwritten. 
1588 ImageLabels []buildv1.ImageLabel `json:"imageLabels,omitempty"` 1589 1590 // nodeSelector is a selector which must be true for the build pod to fit on a node 1591 NodeSelector map[string]string `json:"nodeSelector,omitempty"` 1592 1593 // annotations are annotations that will be added to the build pod 1594 Annotations map[string]string `json:"annotations,omitempty"` 1595 1596 // tolerations is a list of Tolerations that will override any existing 1597 // tolerations set on a build pod. 1598 Tolerations []corev1.Toleration `json:"tolerations,omitempty"` 1599 } 1600