package v1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	buildv1 "github.com/openshift/api/build/v1"
	configv1 "github.com/openshift/api/config/v1"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OpenShiftAPIServerConfig is the configuration object for the OpenShift API server.
// It embeds the generic API server configuration and adds the OpenShift-specific
// sections (front proxy verification, image policy, project and routing settings,
// service account OAuth grant handling and the Jenkins pipeline defaults).
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type OpenShiftAPIServerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// provides the standard apiserver configuration
	configv1.GenericAPIServerConfig `json:",inline"`

	// aggregatorConfig contains information about how to verify the aggregator front proxy
	// (its client CA, the optional list of allowed common names, and the identity headers
	// the proxy is trusted to forward). See FrontProxyConfig.
	AggregatorConfig FrontProxyConfig `json:"aggregatorConfig"`

	// imagePolicyConfig feeds the image policy admission plugin
	ImagePolicyConfig ImagePolicyConfig `json:"imagePolicyConfig"`

	// projectConfig feeds an admission plugin
	ProjectConfig ProjectConfig `json:"projectConfig"`

	// routingConfig holds information about routing and route generation
	RoutingConfig RoutingConfig `json:"routingConfig"`

	// serviceAccountOAuthGrantMethod is used for determining client authorization for service account oauth client.
	// It must be either: deny, prompt, or "".
	// Note that GrantHandlerAuto ("auto") is declared in this file but is not listed as a valid value here.
	ServiceAccountOAuthGrantMethod GrantHandlerType `json:"serviceAccountOAuthGrantMethod"`

	// jenkinsPipelineConfig holds information about the default Jenkins template
	// used for JenkinsPipeline build strategy.
	// TODO this needs to become a normal plugin config
	JenkinsPipelineConfig JenkinsPipelineConfig `json:"jenkinsPipelineConfig"`

	// cloudProviderFile points to the cloud config file
	// TODO this needs to become a normal plugin config
	CloudProviderFile string `json:"cloudProviderFile"`

	// apiServerArguments is a free-form map of argument name to its values.
	// NOTE(review): presumably these are passed through to the API server as command-line
	// flags — confirm against the consumer of this config.
	// TODO this needs to be removed.
	APIServerArguments map[string][]string `json:"apiServerArguments"`
}

// FrontProxyConfig holds the settings used to verify the aggregator front proxy and to
// read the user identity it forwards in request headers.
// NOTE(review): presumably the username/group/extra headers are only honoured after the
// front proxy's client certificate has been verified against clientCA — confirm against
// the authenticator that consumes this config.
type FrontProxyConfig struct {
	// clientCA is a path to the CA bundle to use to verify the common name of the front proxy's client cert
	ClientCA string `json:"clientCA"`
	// allowedNames is an optional list of common names to require a match from.
	// NOTE(review): presumably an empty list accepts any client certificate chaining to clientCA — confirm.
	AllowedNames []string `json:"allowedNames"`

	// usernameHeaders is the set of headers to check for the username
	UsernameHeaders []string `json:"usernameHeaders"`
	// groupHeaders is the set of headers to check for groups
	GroupHeaders []string `json:"groupHeaders"`
	// extraHeaderPrefixes is the set of header prefixes to check for user extra
	ExtraHeaderPrefixes []string `json:"extraHeaderPrefixes"`
}

// GrantHandlerType names a strategy for handling OAuth client authorization grant requests.
// The known values are the GrantHandler* constants below.
type GrantHandlerType string

const (
	// GrantHandlerAuto auto-approves client authorization grant requests
	GrantHandlerAuto GrantHandlerType = "auto"
	// GrantHandlerPrompt prompts the user to approve new client authorization grant requests
	GrantHandlerPrompt GrantHandlerType = "prompt"
	// GrantHandlerDeny auto-denies client authorization grant requests
	GrantHandlerDeny GrantHandlerType = "deny"
)

// RoutingConfig holds the necessary configuration options for routing to subdomains
type RoutingConfig struct {
	// subdomain is the suffix appended to $service.$namespace. to form the default route hostname
	// DEPRECATED: This field is being replaced by routers setting their own defaults. This is the
	// "default" route.
	Subdomain string `json:"subdomain"`
}

// ImagePolicyConfig holds the settings consumed by the image policy admission plugin:
// bulk import limits, the registries normal users may import from, the internal and
// external registry hostnames, and an additional CA bundle for imagestream import.
type ImagePolicyConfig struct {
	// maxImagesBulkImportedPerRepository controls the number of images that are imported when a user
	// does a bulk import of a container repository. This number is set low to prevent users from
	// importing large numbers of images accidentally. Set -1 for no limit.
	MaxImagesBulkImportedPerRepository int `json:"maxImagesBulkImportedPerRepository"`
	// allowedRegistriesForImport limits the container image registries that normal users may import
	// images from. Set this list to the registries that you trust to contain valid Docker
	// images and that you want applications to be able to import from. Users with
	// permission to create Images or ImageStreamMappings via the API are not affected by
	// this policy - typically only administrators or system integrations will have those
	// permissions.
	AllowedRegistriesForImport AllowedRegistries `json:"allowedRegistriesForImport"`

	// internalRegistryHostname sets the hostname for the default internal image
	// registry. The value must be in "hostname[:port]" format.
	// For backward compatibility, users can still use OPENSHIFT_DEFAULT_REGISTRY
	// environment variable but this setting overrides the environment variable.
	InternalRegistryHostname string `json:"internalRegistryHostname"`
	// externalRegistryHostnames provides the hostnames for the default external image
	// registry. The external hostname should be set only when the image registry
	// is exposed externally. The first value is used in 'publicDockerImageRepository'
	// field in ImageStreams. The value must be in "hostname[:port]" format.
	ExternalRegistryHostnames []string `json:"externalRegistryHostnames"`

	// additionalTrustedCA is a path to a pem bundle file containing additional CAs that
	// should be trusted during imagestream import.
	AdditionalTrustedCA string `json:"additionalTrustedCA"`
}

// AllowedRegistries represents a list of registries allowed for the image import.
type AllowedRegistries []RegistryLocation

// RegistryLocation contains a location of the registry specified by the registry domain
// name. The domain name might include wildcards, like '*' or '??'.
type RegistryLocation struct {
	// DomainName specifies a domain name for the registry
	// In case the registry use non-standard (80 or 443) port, the port should be included
	// in the domain name as well.
	DomainName string `json:"domainName"`
	// Insecure indicates whether the registry is secure (https) or insecure (http)
	// By default (if not specified) the registry is assumed as secure.
	Insecure bool `json:"insecure,omitempty"`
}

// ProjectConfig holds the project-related settings fed to an admission plugin
// (see OpenShiftAPIServerConfig.ProjectConfig): the default node selector and the
// message/template used when handling projectrequests.
type ProjectConfig struct {
	// defaultNodeSelector holds default project node label selector
	DefaultNodeSelector string `json:"defaultNodeSelector"`

	// projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint
	ProjectRequestMessage string `json:"projectRequestMessage"`

	// projectRequestTemplate is the template to use for creating projects in response to projectrequest.
	// It is in the format namespace/template and it is optional.
	// If it is not specified, a default template is used.
	ProjectRequestTemplate string `json:"projectRequestTemplate"`
}

// JenkinsPipelineConfig holds configuration for the Jenkins pipeline strategy
type JenkinsPipelineConfig struct {
	// autoProvisionEnabled determines whether a Jenkins server will be spawned from the provided
	// template when the first build config in the project with type JenkinsPipeline
	// is created. When not specified this option defaults to true.
	AutoProvisionEnabled *bool `json:"autoProvisionEnabled"`
	// templateNamespace contains the namespace name where the Jenkins template is stored
	TemplateNamespace string `json:"templateNamespace"`
	// templateName is the name of the default Jenkins template
	TemplateName string `json:"templateName"`
	// serviceName is the name of the Jenkins service OpenShift uses to detect
	// whether a Jenkins pipeline handler has already been installed in a project.
	// This value *must* match a service name in the provided template.
	ServiceName string `json:"serviceName"`
	// parameters specifies a set of optional parameters to the Jenkins template.
	Parameters map[string]string `json:"parameters"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// OpenShiftControllerManagerConfig is the configuration object for the OpenShift
// controller manager: client, serving and leader election settings, the list of
// controllers to run, and one configuration section per controller.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type OpenShiftControllerManagerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// kubeClientConfig holds the client configuration used to reach the Kubernetes API server.
	// NOTE(review): inferred from the type name — confirm against configv1.KubeClientConfig.
	KubeClientConfig configv1.KubeClientConfig `json:"kubeClientConfig"`

	// servingInfo describes how to start serving
	ServingInfo *configv1.HTTPServingInfo `json:"servingInfo"`

	// leaderElection defines the configuration for electing a controller instance to make changes to
	// the cluster. If unspecified, the ControllerTTL value is checked to determine whether the
	// legacy direct etcd election code will be used.
	LeaderElection configv1.LeaderElection `json:"leaderElection"`

	// controllers is a list of controllers to enable. '*' enables all on-by-default controllers,
	// 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
	// Defaults to "*".
	Controllers []string `json:"controllers"`

	// The following sections configure the individual controllers; see the
	// corresponding *ControllerConfig types below.
	ResourceQuota      ResourceQuotaControllerConfig    `json:"resourceQuota"`
	ServiceServingCert ServiceServingCert               `json:"serviceServingCert"`
	Deployer           DeployerControllerConfig         `json:"deployer"`
	Build              BuildControllerConfig            `json:"build"`
	ServiceAccount     ServiceAccountControllerConfig   `json:"serviceAccount"`
	DockerPullSecret   DockerPullSecretControllerConfig `json:"dockerPullSecret"`
	Network            NetworkControllerConfig          `json:"network"`
	Ingress            IngressControllerConfig          `json:"ingress"`
	ImageImport        ImageImportControllerConfig      `json:"imageImport"`
	// securityAllocator is held by value here, so the "if nil" wording on the
	// SecurityAllocator type cannot apply to this field.
	SecurityAllocator SecurityAllocator `json:"securityAllocator"`

	// featureGates are the set of extra OpenShift feature gates for openshift-controller-manager.
	// These feature gates can be used to enable features that are tech preview or otherwise not available on
	// OpenShift by default.
	FeatureGates []string `json:"featureGates"`
}

// DeployerControllerConfig configures the deployer controller.
type DeployerControllerConfig struct {
	// imageTemplateFormat is the image name format and latest-tag setting used for the
	// deployer image; see ImageConfig.
	ImageTemplateFormat ImageConfig `json:"imageTemplateFormat"`
}

// BuildControllerConfig configures the build controller.
type BuildControllerConfig struct {
	// imageTemplateFormat is the image name format and latest-tag setting used for the
	// build image; see ImageConfig.
	ImageTemplateFormat ImageConfig `json:"imageTemplateFormat"`

	// buildDefaults holds the default values applied to builds; see BuildDefaultsConfig.
	BuildDefaults *BuildDefaultsConfig `json:"buildDefaults"`
	// buildOverrides holds the values forced onto builds; see BuildOverridesConfig.
	BuildOverrides *BuildOverridesConfig `json:"buildOverrides"`

	// additionalTrustedCA is a path to a pem bundle file containing additional CAs that
	// should be trusted for image pushes and pulls during builds.
	AdditionalTrustedCA string `json:"additionalTrustedCA"`
}

// ResourceQuotaControllerConfig configures the resource quota controller.
type ResourceQuotaControllerConfig struct {
	// concurrentSyncs is the number of syncs the controller may run concurrently.
	// NOTE(review): inferred from the field name — confirm against the controller.
	ConcurrentSyncs int32 `json:"concurrentSyncs"`
	// syncPeriod is the interval between full syncs.
	SyncPeriod metav1.Duration `json:"syncPeriod"`
	// minResyncPeriod is the lower bound for the resync interval.
	MinResyncPeriod metav1.Duration `json:"minResyncPeriod"`
}

// IngressControllerConfig configures the ingress IP controller.
type IngressControllerConfig struct {
	// ingressIPNetworkCIDR controls the range to assign ingress ips from for services of type LoadBalancer on bare
	// metal. If empty, ingress ips will not be assigned. It may contain a single CIDR that will be allocated from.
	// For security reasons, you should ensure that this range does not overlap with the CIDRs reserved for external ips,
	// nodes, pods, or services.
	IngressIPNetworkCIDR string `json:"ingressIPNetworkCIDR"`
}

// NetworkControllerConfig holds the network configuration to be passed to the compiled in
// network plugin (historically referred to as MasterNetworkConfig).
type NetworkControllerConfig struct {
	// networkPluginName is the name of the compiled in network plugin to use.
	NetworkPluginName string `json:"networkPluginName"`
	// clusterNetworks contains a list of cluster networks that defines the global overlay networks L3 space.
	ClusterNetworks []ClusterNetworkEntry `json:"clusterNetworks"`
	// serviceNetworkCIDR is the CIDR from which service IPs are allocated.
	ServiceNetworkCIDR string `json:"serviceNetworkCIDR"`
	// vxlanPort is the UDP port used for the VXLAN overlay.
	VXLANPort uint32 `json:"vxlanPort"`
}

// ServiceAccountControllerConfig configures the service account controller.
type ServiceAccountControllerConfig struct {
	// managedNames is a list of service account names that will be auto-created in every namespace.
	// If no names are specified, the ServiceAccountsController will not be started.
	ManagedNames []string `json:"managedNames"`
}

// DockerPullSecretControllerConfig configures the controller that generates docker pull secrets.
type DockerPullSecretControllerConfig struct {
	// registryURLs is a list of urls that the docker pull secrets should be valid for.
	RegistryURLs []string `json:"registryURLs"`

	// internalRegistryHostname is the hostname for the default internal image
	// registry. The value must be in "hostname[:port]" format. Docker pull secrets
	// will be generated for this registry.
	InternalRegistryHostname string `json:"internalRegistryHostname"`
}

// ImageImportControllerConfig configures the scheduled image import controller.
type ImageImportControllerConfig struct {
	// maxScheduledImageImportsPerMinute is the maximum number of image streams that will be imported in the background per minute.
	// The default value is 60. Set to -1 for unlimited.
	MaxScheduledImageImportsPerMinute int `json:"maxScheduledImageImportsPerMinute"`
	// disableScheduledImport allows scheduled background import of images to be disabled.
	DisableScheduledImport bool `json:"disableScheduledImport"`
	// scheduledImageImportMinimumIntervalSeconds is the minimum number of seconds that can elapse between when image streams
	// scheduled for background import are checked against the upstream repository. The default value is 15 minutes.
	ScheduledImageImportMinimumIntervalSeconds int `json:"scheduledImageImportMinimumIntervalSeconds"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BuildDefaultsConfig controls the default information for Builds
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type BuildDefaultsConfig struct {
	metav1.TypeMeta `json:",inline"`

	// gitHTTPProxy is the location of the HTTPProxy for Git source
	GitHTTPProxy string `json:"gitHTTPProxy,omitempty"`

	// gitHTTPSProxy is the location of the HTTPSProxy for Git source
	GitHTTPSProxy string `json:"gitHTTPSProxy,omitempty"`

	// gitNoProxy is the list of domains for which the proxy should not be used
	GitNoProxy string `json:"gitNoProxy,omitempty"`

	// env is a set of default environment variables that will be applied to the
	// build if the specified variables do not exist on the build
	Env []corev1.EnvVar `json:"env,omitempty"`

	// sourceStrategyDefaults are default values that apply to builds using the
	// source strategy.
	SourceStrategyDefaults *SourceStrategyDefaultsConfig `json:"sourceStrategyDefaults,omitempty"`

	// imageLabels is a list of labels that are applied to the resulting image.
	// User can override a default label by providing a label with the same name in their
	// Build/BuildConfig.
	ImageLabels []buildv1.ImageLabel `json:"imageLabels,omitempty"`

	// nodeSelector is a selector which must be true for the build pod to fit on a node
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

	// annotations are annotations that will be added to the build pod
	Annotations map[string]string `json:"annotations,omitempty"`

	// resources defines resource requirements to execute the build.
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
}

// SourceStrategyDefaultsConfig contains values that apply to builds using the
// source strategy.
type SourceStrategyDefaultsConfig struct {

	// incremental indicates if s2i build strategies should perform an incremental
	// build or not
	Incremental *bool `json:"incremental,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BuildOverridesConfig controls override settings for builds
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:compatibility-gen:internal
type BuildOverridesConfig struct {
	metav1.TypeMeta `json:",inline"`

	// forcePull overrides, if set, the equivalent value in the builds,
	// i.e. false disables force pull for all builds,
	// true enables force pull for all builds,
	// independently of what each build specifies itself
	// +optional
	ForcePull *bool `json:"forcePull,omitempty"`

	// imageLabels is a list of labels that are applied to the resulting image.
	// If user provided a label in their Build/BuildConfig with the same name as one in this
	// list, the user's label will be overwritten.
	ImageLabels []buildv1.ImageLabel `json:"imageLabels,omitempty"`

	// nodeSelector is a selector which must be true for the build pod to fit on a node
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

	// annotations are annotations that will be added to the build pod
	Annotations map[string]string `json:"annotations,omitempty"`

	// tolerations is a list of Tolerations that will override any existing
	// tolerations set on a build pod.
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

// ImageConfig holds the necessary configuration options for building image names for system components
type ImageConfig struct {
	// Format is the format of the name to be built for the system component
	Format string `json:"format"`
	// Latest determines if the latest tag will be pulled from the registry
	Latest bool `json:"latest"`
}

// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for
// pods fulfilling a service to serve with.
type ServiceServingCert struct {
	// Signer holds the signing information used to automatically sign serving certificates.
	// If this value is nil, then certs are not signed automatically.
	Signer *configv1.CertInfo `json:"signer"`
}

// ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.
type ClusterNetworkEntry struct {
	// CIDR defines the total range of a cluster networks address space.
	CIDR string `json:"cidr"`
	// HostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pod.
	HostSubnetLength uint32 `json:"hostSubnetLength"`
}

// SecurityAllocator controls the automatic allocation of UIDs and MCS labels to a project. If nil, allocation is disabled.
// NOTE(review): OpenShiftControllerManagerConfig.SecurityAllocator holds this struct by value,
// so "nil" cannot occur there; presumably an empty UIDAllocatorRange is what disables allocation — confirm.
type SecurityAllocator struct {
	// UIDAllocatorRange defines the total set of Unix user IDs (UIDs) that will be allocated to projects automatically, and the size of the
	// block each namespace gets. For example, 1000-1999/10 will allocate ten UIDs per namespace, and will be able to allocate up to 100 blocks
	// before running out of space. The default is to allocate from 1 billion to 2 billion in 10k blocks (which is the expected size of the
	// ranges container images will use once user namespaces are started).
	UIDAllocatorRange string `json:"uidAllocatorRange"`
	// MCSAllocatorRange defines the range of MCS categories that will be assigned to namespaces. The format is
	// "<prefix>/<numberOfLabels>[,<maxCategory>]". The default is "s0/2" and will allocate from c0 -> c1023, which means a total of 535k labels
	// are available (1024 choose 2 ~ 535k). If this value is changed after startup, new projects may receive labels that are already allocated
	// to other projects. Prefix may be any valid SELinux set of terms (including user, role, and type), although leaving them as the default
	// will allow the server to set them automatically.
	//
	// Examples:
	// * s0:/2 - Allocate labels from s0:c0,c0 to s0:c511,c511
	// * s0:/2,512 - Allocate labels from s0:c0,c0,c0 to s0:c511,c511,511
	//
	MCSAllocatorRange string `json:"mcsAllocatorRange"`
	// MCSLabelsPerProject defines the number of labels that should be reserved per project. The default is 5 to match the default UID and MCS
	// ranges (100k namespaces, 535k/5 labels).
	MCSLabelsPerProject int `json:"mcsLabelsPerProject"`
}