diff --git a/go.mod b/go.mod
index 3981898754..54a4ed5cbd 100644
--- a/go.mod
+++ b/go.mod
@@ -11,12 +11,12 @@ require (
 github.com/onsi/ginkgo/v2 v2.27.2
 github.com/onsi/gomega v1.38.2
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5
-github.com/openshift/api v0.0.0-20260521125114-09730f85d883
+github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
 github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
 github.com/openshift/library-go v0.0.0-20260612181855-acbfa3c5590f
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
-github.com/openshift/oauth-apiserver v0.0.0-20260430140618-160ac7fb4ea6
+github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412
 github.com/spf13/cobra v1.10.0
 github.com/spf13/pflag v1.0.9
 github.com/stretchr/testify v1.11.1
diff --git a/go.sum b/go.sum
index f0284f417c..6ad786f2a8 100644
--- a/go.sum
+++ b/go.sum
@@ -146,8 +146,8 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
 github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5 h1:FJmsOMCeFpAakgnVhHUoITcHLLW9/DrJJSAY1CZaLCA=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20260521125114-09730f85d883 h1:So9yxVJRY+F1aVBjcDw6N3M4h30wyH/GpkazK8xT4TI=
-github.com/openshift/api v0.0.0-20260521125114-09730f85d883/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
+github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3 h1:ywnB6YgTcJlxYpnZ5xMWcvJoiC8eeCJrrolr06KlzeQ=
+github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk=
@@ -156,8 +156,8 @@ github.com/openshift/library-go v0.0.0-20260612181855-acbfa3c5590f h1:1wVATH1wpP
 github.com/openshift/library-go v0.0.0-20260612181855-acbfa3c5590f/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d h1:Rzx23P63JFNNz5D23ubhC0FCN5rK8CeJhKcq5QKcdyU=
 github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d/go.mod h1:iVi9Bopa5cLhjG5ie9DoZVVqkH8BGb1FQVTtecOLn4I=
-github.com/openshift/oauth-apiserver v0.0.0-20260430140618-160ac7fb4ea6 h1:WvXToDt/IVTXb4NxbqEjY0cuPpVadTK6ATu75mlVM/s=
-github.com/openshift/oauth-apiserver v0.0.0-20260430140618-160ac7fb4ea6/go.mod h1:VsfvQ75bRfxT1dBSh1zROlnpDHNUYuSxgUV6vTXtOqs=
+github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412 h1:oDB0GmUXLp8y85fWz+LGRE0hM5JqbXTfNPi5GjEqiX0=
+github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412/go.mod h1:qPt46oOj0jFGgpabBjMazsgQXwrJ7KYBDwAuaesJLdE=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
diff --git a/pkg/controllers/externaloidc/generation/oauthapiserver/generate.go b/pkg/controllers/externaloidc/generation/oauthapiserver/generate.go
index 83d9e10eb2..262d05c714 100644
--- a/pkg/controllers/externaloidc/generation/oauthapiserver/generate.go
+++ b/pkg/controllers/externaloidc/generation/oauthapiserver/generate.go
@@ -20,6 +20,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/util/sets"
 authenticationcel "k8s.io/apiserver/pkg/authentication/cel"
 corev1listers "k8s.io/client-go/listers/core/v1"
 "k8s.io/client-go/util/cert"
@@ -128,6 +129,15 @@ func generateJWTForProvider(provider configv1.OIDCProvider, configMapLister core
 out.UserValidationRules = userValidationRules
 }
 
+ if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
+ externalClaimsSources, err := generateExternalClaimsSources(configMapLister, secretLister, provider.ExternalClaimsSources...)
+ if err != nil {
+ return authenticationv1alpha1.JWTAuthenticator{}, fmt.Errorf("generating externalClaimsSources for provider %q: %v", provider.Name, err)
+ }
+
+ out.ExternalClaimsSources = externalClaimsSources
+ }
+
 out.Issuer = &issuer
 out.ClaimMappings = &claimMappings
 out.ClaimValidationRules = claimValidationRules
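Review bot: The new error return in generateJWTForProvider wraps the failure with `%v`, so any typed error coming up from the lister chain is flattened to text and a caller can no longer use `errors.Is`/`errors.As` on it, whereas the helpers this hunk calls into (generateExternalClaimsSourceAuthentication and the rest of the new chain) wrap with `%w`; prefer `return authenticationv1alpha1.JWTAuthenticator{}, fmt.Errorf("generating externalClaimsSources for provider %q: %w", provider.Name, err)`. The same `%v` appears in getClientSecretFromSecret's first error in the next generate.go hunk. generateJWTForProvider starts and ends outside this hunk, so whether anything upstream inspects the error type is not visible here.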
@@ -752,3 +762,296 @@ func isConstField(exp *exprpb.Expr, field string) bool {
 c := exp.GetConstExpr()
 return c != nil && c.GetStringValue() == field
 }
+
+func generateExternalClaimsSources(cmLister corev1listers.ConfigMapLister, secretLister corev1listers.SecretLister, sources ...configv1.ExternalClaimsSource) ([]authenticationv1alpha1.ExternalClaimsSource, error) {
+ out := []authenticationv1alpha1.ExternalClaimsSource{}
+ seenClaimNames := sets.New[string]()
+ for _, source := range sources {
+ source, err := generateExternalClaimsSource(source, cmLister, secretLister, seenClaimNames)
+ if err != nil {
+ return nil, err
+ }
+
+ if source != nil {
+ out = append(out, *source)
+ }
+ }
+
+ return out, nil
+}
+
+func generateExternalClaimsSource(source configv1.ExternalClaimsSource, cmLister corev1listers.ConfigMapLister, secretLister corev1listers.SecretLister, seenClaimNames sets.Set[string]) (*authenticationv1alpha1.ExternalClaimsSource, error) {
+ authentication, err := generateExternalClaimsSourceAuthentication(source.Authentication, secretLister, cmLister)
+ if err != nil {
+ return nil, err
+ }
+
+ tls, err := generateExternalClaimsSourceTLS(source.TLS, cmLister)
+ if err != nil {
+ return nil, err
+ }
+
+ url, err := generateExternalClaimsSourceURL(source.URL)
+ if err != nil {
+ return nil, err
+ }
+
+ mappings, err := generateExternalClaimsSourceMappings(seenClaimNames, source.Mappings...)
+ if err != nil {
+ return nil, err
+ }
+
+ conditions, err := generateExternalClaimsSourceConditions(source.Predicates...)
+ if err != nil {
+ return nil, err
+ }
+
+ return &authenticationv1alpha1.ExternalClaimsSource{
+ Authentication: authentication,
+ TLS: tls,
+ URL: url,
+ Mappings: mappings,
+ Conditions: conditions,
+ }, nil
+}
+
+func generateExternalClaimsSourceAuthentication(externalSourceAuthentication configv1.ExternalSourceAuthentication, secretLister corev1listers.SecretLister, cmLister corev1listers.ConfigMapLister) (*authenticationv1alpha1.Authentication, error) {
+ switch externalSourceAuthentication.Type {
+ case "": // signals the omitted case which is valid and means to use anonymous auth. This means we should omit it as well so anonymous auth takes place.
+ return nil, nil
+ case configv1.ExternalSourceAuthenticationTypeRequestProvidedToken:
+ return &authenticationv1alpha1.Authentication{
+ Type: ptr.To(authenticationv1alpha1.AuthenticationTypeRequestProvidedToken),
+ }, nil
+ case configv1.ExternalSourceAuthenticationTypeClientCredential:
+ cc, err := generateExternalClaimsSourceAuthenticationClientCredential(externalSourceAuthentication.ClientCredential, secretLister, cmLister)
+ if err != nil {
+ return nil, fmt.Errorf("generating client credentials configuration: %w", err)
+ }
+
+ return &authenticationv1alpha1.Authentication{
+ Type: ptr.To(authenticationv1alpha1.AuthenticationTypeClientCredential),
+ ClientCredential: cc,
+ }, nil
+ default:
+ return nil, fmt.Errorf("unknown external source authentication type %q", externalSourceAuthentication.Type)
+ }
+}
+
+func generateExternalClaimsSourceAuthenticationClientCredential(clientCredentialConfig configv1.ClientCredentialConfig, secretLister corev1listers.SecretLister, cmLister corev1listers.ConfigMapLister) (*authenticationv1alpha1.ClientCredentialConfig, error) {
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ if err := validation.ValidateClientCredentialConfigClientID(clientCredentialConfig.ClientID, field.NewPath("")); err != nil {
+ return nil, fmt.Errorf("validating client id: %w", kubeErrorListToGoError(err))
+ }
+
+ if err := validation.ValidateTokenEndpoint(clientCredentialConfig.TokenEndpoint, field.NewPath("")); err != nil {
+ return nil, fmt.Errorf("validating token endpoint: %w", kubeErrorListToGoError(err))
+ }
+ */
+
+ clientSecret, err := getClientSecretFromSecret(clientCredentialConfig.ClientSecret.Name, secretLister)
+ if err != nil {
+ return nil, fmt.Errorf("getting client secret: %w", err)
+ }
+
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ if err := validation.ValidateClientCredentialConfigClientSecret(clientSecret, field.NewPath("")); err != nil {
+ return nil, fmt.Errorf("validating client secret: %w", kubeErrorListToGoError(err))
+ }
+ */
+
+ scopes, err := generateClientCredentialScopes(clientCredentialConfig.Scopes...)
+ if err != nil {
+ return nil, fmt.Errorf("generating scopes: %w", err)
+ }
+
+ var certificateAuthority *string = nil
+ if len(clientCredentialConfig.TLS.CertificateAuthority.Name) > 0 {
+ ca, err := getCertificateAuthorityFromConfigMap(clientCredentialConfig.TLS.CertificateAuthority.Name, cmLister)
+ if err != nil {
+ return nil, fmt.Errorf("getting certificate authority: %w", err)
+ }
+
+ certificateAuthority = &ca
+ }
+
+ return &authenticationv1alpha1.ClientCredentialConfig{
+ ClientID: clientCredentialConfig.ClientID,
+ ClientSecret: clientSecret,
+ TokenEndpoint: clientCredentialConfig.TokenEndpoint,
+ Scopes: scopes,
+ TLS: &authenticationv1alpha1.TLS{
+ CertificateAuthority: certificateAuthority,
+ },
+ }, nil
+}
+
+func generateClientCredentialScopes(scopes ...configv1.OAuth2Scope) ([]string, error) {
+ out := make([]string, 0, len(scopes))
+ errs := []error{}
+ for _, scope := range scopes {
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ err := validation.ValidateClientCredentialConfigScope(string(scope), field.NewPath(""))
+ if err != nil {
+ errs = append(errs, fmt.Errorf("validating scopes[%s]: %w", i, kubeErrorListToGoError(err)))
+ continue
+ }
+ */
+
+ out = append(out, string(scope))
+ }
+
+ return out, errors.Join(errs...)
+}
+
+func getClientSecretFromSecret(name string, secretLister corev1listers.SecretLister) (string, error) {
+ secret, err := secretLister.Secrets(configNamespace).Get(name)
+ if err != nil {
+ return "", fmt.Errorf("could not retrieve auth secret %s/%s to get client secret: %v", configNamespace, name, err)
+ }
+
+ clientSecret, ok := secret.Data["client-secret"]
+ if !ok || len(clientSecret) == 0 {
+ return "", fmt.Errorf("secret %s/%s key \"client-secret\" missing or empty", configNamespace, name)
+ }
+
+ return string(clientSecret), nil
+}
+
+func generateExternalClaimsSourceTLS(externalSourceTLS configv1.ExternalSourceTLS, cmLister corev1listers.ConfigMapLister) (*authenticationv1alpha1.TLS, error) {
+ caData, err := getCertificateAuthorityFromConfigMap(externalSourceTLS.CertificateAuthority.Name, cmLister)
+ if err != nil {
+ return nil, fmt.Errorf("getting certificate authority for external source: %w", err)
+ }
+
+ return &authenticationv1alpha1.TLS{
+ CertificateAuthority: &caData,
+ }, nil
+}
+
+func generateExternalClaimsSourceURL(sourceURL configv1.SourceURL) (*authenticationv1alpha1.SourceURL, error) {
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ if err := validation.ValidateExternalClaimsSourceURLHostname(&sourceURL.Hostname, field.NewPath("")); err != nil {
+ return nil, fmt.Errorf("validating hostname: %w", kubeErrorListToGoError(err))
+ }
+
+ if err := validation.ValidateExternalClaimsSourceURLPathExpression(externaloidccel.NewCompiler(), &sourceURL.PathExpression, field.NewPath("")); err != nil {
+ return nil, fmt.Errorf("validating path expression: %w", kubeErrorListToGoError(err))
+ }
+ */
+
+ return &authenticationv1alpha1.SourceURL{
+ Hostname: &sourceURL.Hostname,
+ PathExpression: &sourceURL.PathExpression,
+ }, nil
+}
+
+func generateExternalClaimsSourceMappings(seenClaimNames sets.Set[string], sourcedClaimMappings ...configv1.SourcedClaimMapping) ([]authenticationv1alpha1.SourcedClaimMapping, error) {
+ out := make([]authenticationv1alpha1.SourcedClaimMapping, 0, len(sourcedClaimMappings))
+
+ errs := []error{}
+ for _, sourcedClaimMapping := range sourcedClaimMappings {
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ if err := validation.ValidateExternalClaimsSourceMappingName(&sourcedClaimMapping.Name, seenClaimNames, field.NewPath("")); err != nil {
+ errs = append(errs, fmt.Errorf("validating mappings[%d]: validating name %q: %w", i, sourcedClaimMapping.Name, kubeErrorListToGoError(err)))
+ continue
+ }
+
+ if err := validation.ValidateExternalClaimsSourceMappingExpression(externaloidccel.NewCompiler(), &sourcedClaimMapping.Expression, field.NewPath("")); err != nil {
+ errs = append(errs, fmt.Errorf("validating mappings[%d]: validating expression %q: %w", i, sourcedClaimMapping.Expression, kubeErrorListToGoError(err)))
+ continue
+ }
+ */
+
+ out = append(out, authenticationv1alpha1.SourcedClaimMapping{
+ Name: &sourcedClaimMapping.Name,
+ Expression: &sourcedClaimMapping.Expression,
+ })
+ }
+
+ return out, errors.Join(errs...)
+}
+
+func generateExternalClaimsSourceConditions(externalSourcePredicates ...configv1.ExternalSourcePredicate) ([]authenticationv1alpha1.ExternalSourceCondition, error) {
+ out := make([]authenticationv1alpha1.ExternalSourceCondition, 0, len(externalSourcePredicates))
+
+ errs := []error{}
+ // seenConditions := sets.New[string]()
+ for _, predicate := range externalSourcePredicates {
+ // TODO: enable validation when it is possible to do so. Currently blocked
+ // due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+ // not existing in the 1.35 branch.
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ cond := authentication.ExternalSourceCondition{
+ Expression: &predicate.Expression,
+ }
+
+ if err := validation.ValidateExternalSourceCondition(externaloidccel.NewCompiler(), cond, seenConditions, field.NewPath("")); err != nil {
+ errs = append(errs, fmt.Errorf("validating predicates[%d]: validating expression %q: %w", i, predicate.Expression, kubeErrorListToGoError(err)))
+ }
+ */
+
+ out = append(out, authenticationv1alpha1.ExternalSourceCondition{
+ Expression: &predicate.Expression,
+ })
+ }
+
+ return out, errors.Join(errs...)
+}
+
+// TODO: enable validation when it is possible to do so. Currently blocked
+// due to oauth-apiserver not being rebased on 1.35 and the KAS library changes
+// not existing in the 1.35 branch.
+// The following jira tickets track the work necessary to eventually enable this validation:
+// 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+// 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+// 3. https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+/*
+func kubeErrorListToGoError(list field.ErrorList) error {
+ errs := make([]error, 0, len(list))
+ for _, err := range list {
+ errs = append(errs, errors.New(fmt.Sprintf("%s: %s", err.Type.String(), err.Detail)))
+ }
+
+ return errors.Join(errs...)
+}
+*/
diff --git a/pkg/controllers/externaloidc/generation/oauthapiserver/generate_test.go b/pkg/controllers/externaloidc/generation/oauthapiserver/generate_test.go
index 9ddc7dc797..cf116718ad 100644
--- a/pkg/controllers/externaloidc/generation/oauthapiserver/generate_test.go
+++ b/pkg/controllers/externaloidc/generation/oauthapiserver/generate_test.go
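Review bot: `seenClaimNames` is created in generateExternalClaimsSources and threaded into generateExternalClaimsSourceMappings but never read there, because its only use sits inside the commented-out ValidateExternalClaimsSourceMappingName call, so two sources that map the same claim name are rendered as-is and the duplicate-name test case at the end of generate_test.go is commented out with it; until that validation is re-enabled, a comment on the parameter such as `// seenClaimNames is unused until the mapping-name validation below is re-enabled (CNTRLPLANE-3491..3493)` would keep readers from assuming the collision check already exists. `&sourcedClaimMapping.Name`, `&sourcedClaimMapping.Expression` and `&predicate.Expression` take the address of a range variable, which is only per-iteration from Go 1.22; the go.mod `go` directive is outside the hunks and the tests use one mapping per source, so an older directive would make every entry alias the last element unnoticed. generateExternalClaimsSourceTLS always resolves the ConfigMap, even when `CertificateAuthority.Name` is empty, whereas generateExternalClaimsSourceAuthenticationClientCredential guards the same lookup with `len(...) > 0`; if the field is optional in the configv1 API, an omitted CA becomes a lookup error here rather than an empty TLS block. getClientSecretFromSecret copies the Secret value into the rendered `ClientCredentialConfig.ClientSecret`, so the generated authentication configuration now embeds a plaintext credential; wherever that output is persisted, diffed or logged (outside this hunk) it needs Secret-grade handling.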
@@ -1233,6 +1233,570 @@ func TestAuthenticationConfigurationGeneratorGenerateAuthenticationConfiguration }, ), }, + { + name: "valid auth config with external claims source using request provided token auth and conditions, success", + caBundleConfigMap: &baseCABundleConfigMap, + configMapIndexer: func() cache.Indexer { + idx := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + idx.Add(&corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ext-source-ca-bundle", + Namespace: configNamespace, + }, + Data: map[string]string{ + "ca-bundle.crt": testCertData, + }, + }) + return idx + }(), + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + Authentication: configv1.ExternalSourceAuthentication{ + Type: configv1.ExternalSourceAuthenticationTypeRequestProvidedToken, + }, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "ext-source-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: "claims.sub", + }, + Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + Predicates: []configv1.ExternalSourcePredicate{ + { + Expression: "has(claims.sub)", + }, + }, + }, + } + } + }, + }), + expectedAuthConfig: authConfigWithUpdates(baseAuthConfig, []func(authConfig *authenticationv1alpha1.AuthenticationConfiguration){ + func(authConfig *authenticationv1alpha1.AuthenticationConfiguration) { + for i := range authConfig.JWT { + authConfig.JWT[i].Issuer.URL = "https://example.com" + authConfig.JWT[i].ExternalClaimsSources = []authenticationv1alpha1.ExternalClaimsSource{ + { + Authentication: 
&authenticationv1alpha1.Authentication{ + Type: ptr.To(authenticationv1alpha1.AuthenticationTypeRequestProvidedToken), + }, + TLS: &authenticationv1alpha1.TLS{ + CertificateAuthority: ptr.To(testCertData), + }, + URL: &authenticationv1alpha1.SourceURL{ + Hostname: ptr.To("claims.example.com"), + PathExpression: ptr.To("claims.sub"), + }, + Mappings: []authenticationv1alpha1.SourcedClaimMapping{ + { + Name: ptr.To("custom_claim"), + Expression: ptr.To("response.custom_claim"), + }, + }, + Conditions: []authenticationv1alpha1.ExternalSourceCondition{ + { + Expression: ptr.To("has(claims.sub)"), + }, + }, + }, + } + } + }, + }), + expectError: false, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + { + name: "valid auth config with external claims source using anonymous auth, success", + caBundleConfigMap: &baseCABundleConfigMap, + configMapIndexer: func() cache.Indexer { + idx := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + idx.Add(&corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ext-source-ca-bundle", + Namespace: configNamespace, + }, + Data: map[string]string{ + "ca-bundle.crt": testCertData, + }, + }) + return idx + }(), + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "ext-source-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: 
"claims.sub", + }, + Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + }, + } + } + }, + }), + expectedAuthConfig: authConfigWithUpdates(baseAuthConfig, []func(authConfig *authenticationv1alpha1.AuthenticationConfiguration){ + func(authConfig *authenticationv1alpha1.AuthenticationConfiguration) { + for i := range authConfig.JWT { + authConfig.JWT[i].Issuer.URL = "https://example.com" + authConfig.JWT[i].ExternalClaimsSources = []authenticationv1alpha1.ExternalClaimsSource{ + { + TLS: &authenticationv1alpha1.TLS{ + CertificateAuthority: ptr.To(testCertData), + }, + URL: &authenticationv1alpha1.SourceURL{ + Hostname: ptr.To("claims.example.com"), + PathExpression: ptr.To("claims.sub"), + }, + Mappings: []authenticationv1alpha1.SourcedClaimMapping{ + { + Name: ptr.To("custom_claim"), + Expression: ptr.To("response.custom_claim"), + }, + }, + }, + } + } + }, + }), + expectError: false, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + { + name: "valid auth config with external claims source using client credential auth", + caBundleConfigMap: &baseCABundleConfigMap, + configMapIndexer: func() cache.Indexer { + idx := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + idx.Add(&corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ext-source-ca-bundle", + Namespace: configNamespace, + }, + Data: map[string]string{ + "ca-bundle.crt": testCertData, + }, + }) + idx.Add(&corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "cc-tls-ca-bundle", + Namespace: configNamespace, + }, + Data: map[string]string{ + "ca-bundle.crt": testCertData, + }, + }) + return idx + }(), + secretIndexer: func() cache.Indexer { + idx := 
cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + idx.Add(&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client-secret-ref", + Namespace: configNamespace, + }, + Data: map[string][]byte{ + "client-secret": []byte("my-secret-value"), + }, + }) + return idx + }(), + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + Authentication: configv1.ExternalSourceAuthentication{ + Type: configv1.ExternalSourceAuthenticationTypeClientCredential, + ClientCredential: configv1.ClientCredentialConfig{ + ClientID: "my-client-id", + ClientSecret: configv1.ClientSecretSecretReference{ + Name: "client-secret-ref", + }, + TokenEndpoint: "https://idp.example.com/oauth2/token", + Scopes: []configv1.OAuth2Scope{"openid", "profile"}, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "cc-tls-ca-bundle", + }, + }, + }, + }, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "ext-source-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: "claims.sub", + }, + Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + }, + } + } + }, + }), + expectedAuthConfig: authConfigWithUpdates(baseAuthConfig, []func(authConfig *authenticationv1alpha1.AuthenticationConfiguration){ + func(authConfig *authenticationv1alpha1.AuthenticationConfiguration) { + for i := range authConfig.JWT { + authConfig.JWT[i].Issuer.URL = "https://example.com" + authConfig.JWT[i].ExternalClaimsSources = []authenticationv1alpha1.ExternalClaimsSource{ + { + Authentication: 
&authenticationv1alpha1.Authentication{ + Type: ptr.To(authenticationv1alpha1.AuthenticationTypeClientCredential), + ClientCredential: &authenticationv1alpha1.ClientCredentialConfig{ + ClientID: "my-client-id", + ClientSecret: "my-secret-value", + TokenEndpoint: "https://idp.example.com/oauth2/token", + Scopes: []string{"openid", "profile"}, + TLS: &authenticationv1alpha1.TLS{ + CertificateAuthority: ptr.To(testCertData), + }, + }, + }, + TLS: &authenticationv1alpha1.TLS{ + CertificateAuthority: ptr.To(testCertData), + }, + URL: &authenticationv1alpha1.SourceURL{ + Hostname: ptr.To("claims.example.com"), + PathExpression: ptr.To("claims.sub"), + }, + Mappings: []authenticationv1alpha1.SourcedClaimMapping{ + { + Name: ptr.To("custom_claim"), + Expression: ptr.To("response.custom_claim"), + }, + }, + }, + } + } + }, + }), + expectError: false, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + { + name: "auth config with external claims source with unknown auth type, error", + caBundleConfigMap: &baseCABundleConfigMap, + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + Authentication: configv1.ExternalSourceAuthentication{ + Type: configv1.ExternalSourceAuthenticationType("UnknownType"), + }, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "ext-source-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: "claims.sub", + }, + 
Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + }, + } + } + }, + }), + expectError: true, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + { + name: "auth config with external claims source with missing TLS CA configmap, error", + caBundleConfigMap: &baseCABundleConfigMap, + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + Authentication: configv1.ExternalSourceAuthentication{ + Type: configv1.ExternalSourceAuthenticationTypeRequestProvidedToken, + }, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "nonexistent-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: "claims.sub", + }, + Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + }, + } + } + }, + }), + expectError: true, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + { + name: "auth config with external claims source with client secret key missing in secret, error", + caBundleConfigMap: &baseCABundleConfigMap, + secretIndexer: func() cache.Indexer { + idx := 
cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}) + idx.Add(&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "client-secret-ref", + Namespace: configNamespace, + }, + Data: map[string][]byte{ + "wrong-key": []byte("my-secret-value"), + }, + }) + return idx + }(), + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com" + auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{ + { + Authentication: configv1.ExternalSourceAuthentication{ + Type: configv1.ExternalSourceAuthenticationTypeClientCredential, + ClientCredential: configv1.ClientCredentialConfig{ + ClientID: "my-client-id", + ClientSecret: configv1.ClientSecretSecretReference{ + Name: "client-secret-ref", + }, + TokenEndpoint: "https://idp.example.com/oauth2/token", + }, + }, + TLS: configv1.ExternalSourceTLS{ + CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{ + Name: "ext-source-ca-bundle", + }, + }, + URL: configv1.SourceURL{ + Hostname: "claims.example.com", + PathExpression: "claims.sub", + }, + Mappings: []configv1.SourcedClaimMapping{ + { + Name: "custom_claim", + Expression: "response.custom_claim", + }, + }, + }, + } + } + }, + }), + expectError: true, + featureGates: featuregates.NewFeatureGate( + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCExternalClaimsSourcing, + }, + []configv1.FeatureGateName{ + features.FeatureGateExternalOIDCWithAdditionalClaimMappings, + features.FeatureGateExternalOIDCWithUpstreamParity, + }, + ), + }, + + { + name: "auth config with external claims source configured but feature gate disabled", + caBundleConfigMap: &baseCABundleConfigMap, + auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){ + func(auth *configv1.Authentication) { + for i := range auth.Spec.OIDCProviders { + 
auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com"
+ auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{
+ {
+ Authentication: configv1.ExternalSourceAuthentication{
+ Type: configv1.ExternalSourceAuthenticationTypeRequestProvidedToken,
+ },
+ },
+ }
+ }
+ },
+ }),
+ expectedAuthConfig: authConfigWithUpdates(baseAuthConfig, []func(authConfig *authenticationv1alpha1.AuthenticationConfiguration){
+ func(authConfig *authenticationv1alpha1.AuthenticationConfiguration) {
+ for i := range authConfig.JWT {
+ authConfig.JWT[i].Issuer.URL = "https://example.com"
+ }
+ },
+ }),
+ expectError: false,
+ featureGates: featuregates.NewFeatureGate(
+ []configv1.FeatureGateName{},
+ []configv1.FeatureGateName{
+ features.FeatureGateExternalOIDCWithAdditionalClaimMappings,
+ features.FeatureGateExternalOIDCWithUpstreamParity,
+ features.FeatureGateExternalOIDCExternalClaimsSourcing,
+ },
+ ),
+ },
+ // TODO: Add tests for validating currently unvalidated fields due to dependency issues (CEL expression validation)
+ // The following jira tickets track the work necessary to eventually enable this validation:
+ // 1. https://redhat.atlassian.net/browse/CNTRLPLANE-3491
+ // 2. https://redhat.atlassian.net/browse/CNTRLPLANE-3492
+ // 3.
https://redhat.atlassian.net/browse/CNTRLPLANE-3493
+ /*
+ {
+ name: "auth config with duplicate mapping names across external claims sources",
+ caBundleConfigMap: &baseCABundleConfigMap,
+ configMapIndexer: func() cache.Indexer {
+ idx := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{})
+ idx.Add(&corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ext-source-ca-bundle",
+ Namespace: configNamespace,
+ },
+ Data: map[string]string{
+ "ca-bundle.crt": testCertData,
+ },
+ })
+ return idx
+ }(),
+ auth: *authWithUpdates(baseAuthResource, []func(auth *configv1.Authentication){
+ func(auth *configv1.Authentication) {
+ for i := range auth.Spec.OIDCProviders {
+ auth.Spec.OIDCProviders[i].Issuer.URL = "https://example.com"
+ auth.Spec.OIDCProviders[i].ExternalClaimsSources = []configv1.ExternalClaimsSource{
+ {
+ Authentication: configv1.ExternalSourceAuthentication{
+ Type: configv1.ExternalSourceAuthenticationTypeRequestProvidedToken,
+ },
+ TLS: configv1.ExternalSourceTLS{
+ CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{
+ Name: "ext-source-ca-bundle",
+ },
+ },
+ URL: configv1.SourceURL{
+ Hostname: "source-one.example.com",
+ PathExpression: "claims.sub",
+ },
+ Mappings: []configv1.SourcedClaimMapping{
+ {
+ Name: "custom_claim",
+ Expression: "response.custom_claim",
+ },
+ },
+ },
+ {
+ Authentication: configv1.ExternalSourceAuthentication{
+ Type: configv1.ExternalSourceAuthenticationTypeRequestProvidedToken,
+ },
+ TLS: configv1.ExternalSourceTLS{
+ CertificateAuthority: configv1.ExternalSourceCertificateAuthorityConfigMapReference{
+ Name: "ext-source-ca-bundle",
+ },
+ },
+ URL: configv1.SourceURL{
+ Hostname: "source-two.example.com",
+ PathExpression: "claims.sub",
+ },
+ Mappings: []configv1.SourcedClaimMapping{
+ {
+ Name: "custom_claim",
+ Expression: "response.other_claim",
+ },
+ },
+ },
+ }
+ }
+ },
+ }),
+ expectError: true,
+ featureGates: featuregates.NewFeatureGate(
+
[]configv1.FeatureGateName{
+ features.FeatureGateExternalOIDCExternalClaimsSourcing,
+ },
+ []configv1.FeatureGateName{
+ features.FeatureGateExternalOIDCWithAdditionalClaimMappings,
+ features.FeatureGateExternalOIDCWithUpstreamParity,
+ },
+ ),
+ },
+ */
 } {
 t.Run(tt.name, func(t *testing.T) {
 if tt.configMapIndexer == nil {
diff --git a/vendor/github.com/openshift/api/.ci-operator.yaml b/vendor/github.com/openshift/api/.ci-operator.yaml
index a3628cf240..1d88a59fdf 100644
--- a/vendor/github.com/openshift/api/.ci-operator.yaml
+++ b/vendor/github.com/openshift/api/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
 name: release
 namespace: openshift
- tag: rhel-9-release-golang-1.25-openshift-4.22
+ tag: rhel-9-release-golang-1.26-openshift-5.0
diff --git a/vendor/github.com/openshift/api/Dockerfile.ocp b/vendor/github.com/openshift/api/Dockerfile.ocp
index e04ec9fbc1..98870518c2 100644
--- a/vendor/github.com/openshift/api/Dockerfile.ocp
+++ b/vendor/github.com/openshift/api/Dockerfile.ocp
@@ -1,10 +1,10 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.26-openshift-5.0 AS builder
 WORKDIR /go/src/github.com/openshift/api
 COPY . .
 ENV GO_PACKAGE github.com/openshift/api
 RUN make build --warn-undefined-variables
-FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
+FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 # copy the built binaries to /usr/bin
 COPY --from=builder /go/src/github.com/openshift/api/render /usr/bin/
diff --git a/vendor/github.com/openshift/api/Makefile b/vendor/github.com/openshift/api/Makefile
index ac20137fad..8b85144eaf 100644
--- a/vendor/github.com/openshift/api/Makefile
+++ b/vendor/github.com/openshift/api/Makefile
@@ -179,6 +179,27 @@ generate-with-container:
 integration:
 make -C tests integration
+# Run API review evals. Requires claude CLI.
+# EVAL_RUNS=5 Number of runs per test case (default: 1)
+# EVAL_THRESHOLD=0.8 Minimum pass rate (default: 0.8)
+# EVAL_GOLDEN_MODEL=... Model for golden tests (default: sonnet)
+# EVAL_INTEGRATION_MODEL=... Model for integration tests (default: opus)
+# EVAL_JUDGE_MODEL=... Model for judging results (default: haiku)
+# EVAL_GOLDEN_PROCS=4 Max parallel golden tests (default: 4)
+# EVAL_INTEGRATION_PROCS=2 Max parallel integration tests (default: 2)
+# EVAL_GINKGO_ARGS=... Extra ginkgo args
+.PHONY: eval
+eval:
+ $(MAKE) -C tests eval
+
+.PHONY: eval-golden
+eval-golden:
+ $(MAKE) -C tests eval-golden
+
+.PHONY: eval-integration
+eval-integration:
+ $(MAKE) -C tests eval-integration
+
 tests-vendor:
 make -C tests vendor
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 1a036bbb67..348ee04010 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity;ExternalOIDCExternalClaimsSourcing,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 // Authentication specifies cluster-wide settings for
authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -91,6 +91,7 @@ type AuthenticationSpec struct {
 // +openshift:enable:FeatureGate=ExternalOIDC
 // +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+ // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing
+ // +optional
 OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -245,6 +246,36 @@ type OIDCProvider struct {
 // +optional
 // +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
 UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
+
+ // externalClaimsSources is an optional field that can be used to configure
+ // sources, external to the token provided in a request, in which claims
+ // should be fetched from and made available to the claim mapping process
+ // that is used to build the identity of a token holder.
+ //
+ // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.
+ //
+ // When not specified, only claims present in the token itself will be available
+ // in the claim mapping process.
+ //
+ // When specified, at least one external claim source must be specified and no more than 5
+ // sources may be specified.
+ // All external claim sources must have unique claim mappings.
+ // When an external source responds and resolves additional claims successfully, they will
+ // be made available as claims during the claim mapping process.
+ // Externally sourced claims with the same name as a claim existing within the token will
+ // overwrite the claim data from the token with the externally sourced information.
+ // If an external source does not respond, responds with an error, or the additional
+ // claim data cannot be resolved from the response successfully it will not be
+ // included in the claim data passed to the claim mapping process.
+ //
+ // +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=5
+ // +kubebuilder:validation:XValidation:rule="self.all(s, s.mappings.all(m, self.filter(s2, s2.mappings.exists(m2, m2.name == m.name)).size() == 1))",message="mapping names must be unique across all external claim sources."
+ // +listType=atomic
+ ExternalClaimsSources []ExternalClaimsSource `json:"externalClaimsSources,omitempty"`
 }
 // +kubebuilder:validation:MinLength=1
@@ -831,3 +862,355 @@ type TokenUserValidationRule struct {
 // +kubebuilder:validation:MaxLength=256
 Message string `json:"message,omitempty"`
 }
+
+// ExternalClaimsSource provides the configuration for a single external claim source.
+type ExternalClaimsSource struct {
+ // authentication is an optional field that configures how the apiserver authenticates with an external claims source.
+ // When not specified, anonymous authentication is used which means no 'Authorization' header
+ // is sent in the HTTP request to fetch the external claims.
+ //
+ // +optional
+ Authentication ExternalSourceAuthentication `json:"authentication,omitzero"`
+
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching external claims from this source.
+ //
+ // When omitted, system default TLS settings will be used
+ // for fetching claims from the external source.
+ //
+ // +optional
+ TLS ExternalSourceTLS `json:"tls,omitzero"`
+
+ // url is a required configuration of the URL
+ // for which the external claims are located.
+ //
+ // +required
+ URL SourceURL `json:"url,omitzero"`
+
+ // mappings is a required list of the claim
+ // and response handling expression pairs
+ // that produces the claims from the external source.
+ // mappings must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have a unique name across all external claim sources.
+ //
+ // +required
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ Mappings []SourcedClaimMapping `json:"mappings,omitempty"`
+
+ // predicates is an optional list of constraints in
+ // which claims should attempt to be fetched from this
+ // external source.
+ //
+ // When omitted, claims are always fetched
+ // from this external source.
+ //
+ // When specified, all predicates must evaluate to 'true'
+ // before claims are attempted to be fetched from this external source.
+ // predicates must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have unique expressions.
+ //
+ // +optional
+ // +listType=map
+ // +listMapKey=expression
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ Predicates []ExternalSourcePredicate `json:"predicates,omitempty"`
+}
+
+// ExternalSourceAuthenticationType is the type of authentication that should be used
+// when fetching claims from an external source.
+//
+// +enum
+// +kubebuilder:validation:Enum=RequestProvidedToken;ClientCredential
+type ExternalSourceAuthenticationType string
+
+const (
+ // ExternalSourceAuthenticationTypeRequestProvidedToken is an ExternalSourceAuthenticationType
+ // that represents that the token being evaluated for authentication
+ // should be used for authenticating with the external claims source.
+ // This is useful for scenarios where a token has multiple audiences
+ // and scopes so that it can be used to access both the cluster and
+ // the UserInfo endpoint that contains additional information about the
+ // user not present in the token.
+ ExternalSourceAuthenticationTypeRequestProvidedToken ExternalSourceAuthenticationType = "RequestProvidedToken"
+
+ // ExternalSourceAuthenticationTypeClientCredential is an ExternalSourceAuthenticationType
+ // that represents that the authenticator should use the OAuth2
+ // client credentials grant flow to obtain an access token for
+ // authenticating with the external claims source.
+ // This is useful for scenarios such as fetching user information
+ // from Microsoft's Graph API where a separate client credential
+ // is needed to access the API.
+ ExternalSourceAuthenticationTypeClientCredential ExternalSourceAuthenticationType = "ClientCredential"
+)
+
+// ExternalSourceAuthentication configures how the apiserver should attempt
+// to authenticate with an external claims source.
+//
+// +kubebuilder:validation:XValidation:rule="self.type == 'ClientCredential' ?
has(self.clientCredential) : !has(self.clientCredential)",message="clientCredential is required when type is ClientCredential, and forbidden otherwise"
+type ExternalSourceAuthentication struct {
+ // type is a required field that sets the type of
+ // authentication method used by the authenticator
+ // when fetching external claims.
+ //
+ // Allowed values are 'RequestProvidedToken' and 'ClientCredential'.
+ //
+ // When set to 'RequestProvidedToken', the authenticator will
+ // use the token provided to the kube-apiserver as part of the
+ // request to authenticate with the external claims source.
+ //
+ // When set to 'ClientCredential', the authenticator will
+ // use the configured client-id, client-secret, and token endpoint
+ // to fetch an access token using the OAuth2 client credentials grant
+ // flow. The fetched access token will then be used to authenticate
+ // with the external claims source.
+ //
+ // +required
+ Type ExternalSourceAuthenticationType `json:"type,omitempty"`
+
+ // clientCredential configures the client credentials
+ // and token endpoint to use to get an access token.
+ // clientCredential is required when type is 'ClientCredential', and forbidden otherwise.
+ //
+ // +optional
+ ClientCredential ClientCredentialConfig `json:"clientCredential,omitzero"`
+}
+
+// ExternalSourceTLS configures the TLS options that the apiserver uses as a client
+// when making a request to the external claim source.
+type ExternalSourceTLS struct {
+ // certificateAuthority is a required reference to a ConfigMap in the openshift-config
+ // namespace that contains the CA certificate to use to validate TLS connections with the external claims source.
+ // The key "ca-bundle.crt" must be present in the referenced ConfigMap and must contain the CA certificate to be used
+ // to verify the external source's TLS certificate.
+ //
+ // +required
+ CertificateAuthority ExternalSourceCertificateAuthorityConfigMapReference `json:"certificateAuthority,omitzero"`
+}
+
+// ClientCredentialConfig configures the client credentials and token endpoint
+// to use to get an access token via the OAuth2 client credentials grant flow.
+type ClientCredentialConfig struct {
+ // clientID is a required client identifier to use during the OAuth2 client credentials flow.
+ // clientID must be at least 1 character in length, must not exceed 256 characters in length,
+ // and must only contain printable ASCII characters.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[[:print:]]+$')",message="clientID must only contain printable ASCII characters"
+ ClientID string `json:"clientID,omitempty"`
+
+ // clientSecret is a required reference to a Secret in the openshift-config namespace to be used
+ // as the client secret during the OAuth2 client credentials flow.
+ //
+ // The key 'client-secret' is used to locate the client secret data in the Secret.
+ //
+ // +required
+ ClientSecret ClientSecretSecretReference `json:"clientSecret,omitzero"`
+
+ // tokenEndpoint is a required URL to query for an access token using
+ // the client credential OAuth2 flow.
+ // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length.
+ // tokenEndpoint must be a valid HTTPS URL.
+ // tokenEndpoint must have a host and a path.
+ // tokenEndpoint must not contain query parameters, fragments,
+ // or user information (e.g., "user:password@host").
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=2048
+ // +kubebuilder:validation:XValidation:rule="isURL(self)",message="tokenEndpoint must be a valid HTTPS url"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getScheme() == 'https'",message="tokenEndpoint must be a valid HTTPS url"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getHost() != ''",message="tokenEndpoint must have a hostname"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getEscapedPath() != ''",message="tokenEndpoint must have a path"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && url(self).getQuery() == {}",message="tokenEndpoint must not have query parameters"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && self.find('#(.+)$') == ''",message="tokenEndpoint must not have a fragment"
+ // +kubebuilder:validation:XValidation:rule="isURL(self) && !self.matches('^https://[^/]+@.+$')",message="tokenEndpoint must not have user info"
+ TokenEndpoint string `json:"tokenEndpoint,omitempty"`
+
+ // scopes is an optional list of OAuth2 scopes to request when obtaining
+ // an access token.
+ //
+ // If not specified, the token endpoint's default scopes
+ // will be used.
+ //
+ // When specified, there must be at least 1 entry and must not exceed 16 entries.
+ // Each entry must be at least 1 character in length and must not exceed 256 characters in length.
+ // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes.
+ // Entries must be unique.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=16
+ // +listType=set
+ Scopes []OAuth2Scope `json:"scopes,omitempty"`
+
+ // tls is an optional field that allows configuring the TLS
+ // settings used to interact with the identity provider
+ // as an OAuth2 client.
+ //
+ // When omitted, system default TLS settings will be used
+ // for the OAuth2 client.
+ //
+ // +optional
+ TLS ExternalSourceTLS `json:"tls,omitzero"`
+}
+
+// OAuth2Scope is a string alias that represents an OAuth2 Scope as defined by https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.4
+// Must be at least 1 character in length, must not exceed 256 characters in length and must only contain printable ASCII characters, excluding spaces, double quotes and backslashes.
+//
+// +kubebuilder:validation:XValidation:rule="self.matches('^[!#-[\\\\]-~]+$')",message="scopes must only contain printable ASCII characters excluding spaces, double quotes and backslashes"
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=256
+type OAuth2Scope string
+
+// SourceURL configures the options used to build the URL that is queried for external claims.
+type SourceURL struct {
+ // hostname is a required hostname for which the external claims are located.
+ //
+ // It must be a valid DNS subdomain name as per RFC1123.
+ //
+ // This means that it must start and end with a lowercase alphanumeric character,
+ // must only consist of lowercase alphanumeric characters, '-', and '.'.
+ // hostname may optionally specify a port in the format ':{port}'.
+ // If a port is specified it must not exceed 65535.
+ //
+ // hostname must be at least 1 character in length.
+ // When specifying a port, hostname must not exceed 259 characters in length.
+ // When not specifying a port, hostname must not exceed 253 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=259
+ // +kubebuilder:validation:XValidation:rule="isURL('https://'+self)",message="hostname must be a valid hostname"
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self.split(':')[0]).hasValue()",message="hostname before port must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ // +kubebuilder:validation:XValidation:rule="self.split(':').size() > 1 ? int(self.split(':')[1]) <= 65535 : true",message="port must not exceed 65535"
+ Hostname string `json:"hostname,omitempty"`
+
+ // pathExpression is a required CEL expression that returns a list
+ // of string values used to construct the URL path.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must be at least 1 character in length and must not exceed 1024 characters in length.
+ //
+ // Values in the returned list will be joined with the hostname using a forward slash
+ // (`/`) as a separator. Values in the returned list do not need to include the forward slash.
+ // If a forward slash is included in a returned value, it will be encoded as `%2F`.
+ //
+ // Example of a static path configuration:
+ //
+ // pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo']
+ //
+ // The above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo'
+ //
+ // Example of a dynamic path configuration:
+ //
+ // pathExpression: "['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']"
+ //
+ // Assuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups'
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ PathExpression string `json:"pathExpression,omitempty"`
+}
+
+// SourcedClaimMapping configures the mapping behavior for a single external claim
+// from the response the apiserver received from the external claim source.
+type SourcedClaimMapping struct {
+ // name is a required name of the claim that
+ // will be produced and made available during
+ // the claim-to-identity mapping process.
+ // name must consist of only lowercase alpha characters and underscores ('_').
+ // name must be at least 1 character and must not exceed 256 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z_]+$')",message="name must consist of only lowercase alpha characters and underscores"
+ Name string `json:"name,omitempty"`
+
+ // expression is a required CEL expression that
+ // will produce a value to be assigned to the claim.
+ // The full response body from the request to the
+ // external claim source is provided via the
+ // `response.body` variable.
+ //
+ // The contents of the `response.body` variable varies based on the response received
+ // from the external source. It is the responsibility of those configuring
+ // this expression to understand what is returned from the external source.
+ //
+ // expression must be at least 1 character and must not exceed 1024 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+}
+
+// ExternalSourcePredicate configures a singular condition
+// that must return true before the external source is queried
+// to retrieve external claims.
+type ExternalSourcePredicate struct {
+ // expression is a required CEL expression that
+ // is used to determine whether or not an external
+ // source should be used to fetch external claims.
+ //
+ // The expression must return a boolean value,
+ // where true means that the source should be consulted
+ // and false means that it should not.
+ //
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ //
+ // The contents of the `claims` variable varies based on the claims that are
+ // present in the token being validated. It is the responsibility of those configuring this
+ // field to understand what claims the identity provider includes when issuing tokens.
+ //
+ // expression must be at least 1 character and must not exceed 1024 characters in length.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=1024
+ Expression string `json:"expression,omitempty"`
+}
+
+// ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config
+// namespace that should be used for configuring the certificate authority to be
+// used when sourcing claims from external sources.
+type ExternalSourceCertificateAuthorityConfigMapReference struct {
+ // name is the required name of the ConfigMap that exists in the openshift-config namespace.
+ // The key "ca-bundle.crt" must be present and must contain the CA certificate to be used
+ // to verify the external source's TLS certificate.
+ //
+ // It must be at least 1 character in length, must not exceed 253 characters in length,
+ // must start and end with a lowercase alphanumeric character, and must only contain
+ // lowercase alphanumeric characters, '-' or '.'.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ Name string `json:"name,omitempty"`
+}
+
+// ClientSecretSecretReference is a reference to a Secret in the openshift-config
+// namespace that should be used for configuring the client secret to be
+// used when sourcing claims from external sources with the client credential authentication flow.
+type ClientSecretSecretReference struct {
+ // name is the required name of the Secret that exists in the openshift-config namespace.
+ //
+ // It must be at least 1 character in length, must not exceed 253 characters in length,
+ // must start and end with a lowercase alphanumeric character, and must only contain
+ // lowercase alphanumeric characters, '-' or '.'.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="name must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'"
+ Name string `json:"name,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index 48657b0894..2e9be97aeb 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -7,10 +7,16 @@ type TLSSecurityProfile struct {
 // type is one of Old, Intermediate, Modern or Custom. Custom provides the
 // ability to specify individual TLS security profile parameters.
 //
- // The profiles are based on version 5.7 of the Mozilla Server Side TLS
- // configuration guidelines. The cipher lists consist of the configuration's
- // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines.
- // See: https://ssl-config.mozilla.org/guidelines/5.7.json
+ // The cipher and groups lists in these profiles are based on version 5.8 of the
+ // Mozilla Server Side TLS configuration guidelines.
+ // See: https://ssl-config.mozilla.org/guidelines/5.8.json
+ //
+ // The groups are listed in suggested preference order, with the most preferred group first.
+ // Note that not all platform components honor the ordering: Go-based components use Go's
+ // internal preference order and treat this list as a filter of allowed groups rather than
+ // an ordered preference.
+ // Note that X25519MLKEM768 is a post-quantum hybrid group that is not
+ // FIPS-approved and should be ignored by components running in FIPS mode.
 //
 // The profiles are intent based, so they may change over time as new ciphers are
 // developed and existing ciphers are found to be insecure. Depending on
@@ -23,6 +29,10 @@ type TLSSecurityProfile struct {
 // old is a TLS profile for use when services need to be accessed by very old
 // clients or libraries and should be used only as a last resort.
 //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
+ //
+ // This profile is equivalent to a Custom profile specified as:
+ // minTLSVersion: VersionTLS10
+ // ciphers:
@@ -39,11 +49,14 @@ type TLSSecurityProfile struct {
 // - ECDHE-RSA-AES128-SHA256
 // - ECDHE-ECDSA-AES128-SHA
 // - ECDHE-RSA-AES128-SHA
+ // - ECDHE-ECDSA-AES256-SHA384
+ // - ECDHE-RSA-AES256-SHA384
 // - ECDHE-ECDSA-AES256-SHA
 // - ECDHE-RSA-AES256-SHA
 // - AES128-GCM-SHA256
 // - AES256-GCM-SHA384
 // - AES128-SHA256
+ // - AES256-SHA256
 // - AES128-SHA
 // - AES256-SHA
 // - DES-CBC3-SHA
@@ -56,6 +69,10 @@ type TLSSecurityProfile struct {
 // legacy clients and want to remain highly secure while being compatible with
 // most clients currently in use.
 //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
+ //
+ // This profile is equivalent to a Custom profile specified as:
+ // minTLSVersion: VersionTLS12
+ // ciphers:
@@ -75,7 +92,9 @@ type TLSSecurityProfile struct {
 // modern is a TLS security profile for use with clients that support TLS 1.3 and
 // do not need backward compatibility for older clients.
- //
+ // The supported groups list includes by default the following groups
+ // in suggested preference order (ordering may not be honored by all implementations):
+ // X25519MLKEM768, X25519, secp256r1, secp384r1.
 // This profile is equivalent to a Custom profile specified as:
 // minTLSVersion: VersionTLS13
 // ciphers:
@@ -88,8 +107,11 @@ type TLSSecurityProfile struct {
 Modern *ModernTLSProfile `json:"modern,omitempty"`
 // custom is a user-defined TLS security profile. Be extremely careful using a custom
- // profile as invalid configurations can be catastrophic. An example custom profile
- // looks like this:
+ // profile as invalid configurations can be catastrophic.
+ //
+ // The supported groups list for this profile is empty by default.
+ //
+ // An example custom profile looks like this:
 //
 // minTLSVersion: VersionTLS11
 // ciphers:
@@ -142,6 +164,33 @@ const (
 TLSProfileCustomType TLSProfileType = "Custom"
 )
 
+// TLSGroup is a supported group identifier that can be used in TLSProfile.Groups.
+// There is a one-to-one mapping between these names and the group IDs defined
+// in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry:
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+// Note that X25519MLKEM768 is a post-quantum hybrid group that is not
+// FIPS-approved and should be ignored by components running in FIPS mode.
+//
+// +kubebuilder:validation:Enum=X25519;secp256r1;secp384r1;secp521r1;X25519MLKEM768;SecP256r1MLKEM768;SecP384r1MLKEM1024
+type TLSGroup string
+
+const (
+ // TLSGroupX25519 represents X25519.
+ TLSGroupX25519 TLSGroup = "X25519"
+ // TLSGroupSecP256r1 represents P-256 (secp256r1).
+ TLSGroupSecP256r1 TLSGroup = "secp256r1"
+ // TLSGroupSecP384r1 represents P-384 (secp384r1).
+ TLSGroupSecP384r1 TLSGroup = "secp384r1"
+ // TLSGroupSecP521r1 represents P-521 (secp521r1).
+ TLSGroupSecP521r1 TLSGroup = "secp521r1"
+ // TLSGroupX25519MLKEM768 represents X25519MLKEM768.
+ TLSGroupX25519MLKEM768 TLSGroup = "X25519MLKEM768"
+ // TLSGroupSecP256r1MLKEM768 represents SecP256r1MLKEM768.
+ TLSGroupSecP256r1MLKEM768 TLSGroup = "SecP256r1MLKEM768"
+ // TLSGroupSecP384r1MLKEM1024 represents SecP384r1MLKEM1024.
+ TLSGroupSecP384r1MLKEM1024 TLSGroup = "SecP384r1MLKEM1024"
+)
+
 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpec struct {
 // ciphers is used to specify the cipher algorithms that are negotiated
@@ -155,6 +204,30 @@ type TLSProfileSpec struct {
 // and are always enabled when TLS 1.3 is negotiated.
 // +listType=atomic
 Ciphers []string `json:"ciphers"`
+ // groups is an optional, ordered field used to specify the supported groups (formerly known as
+ // elliptic curves) that are used during the TLS handshake. The order of the groups represents
+ // a suggested preference, with the most preferred group first. Note that not all platform
+ // components honor the ordering: Go-based components use Go's internal preference order and
+ // treat this list as a filter of allowed groups rather than an ordered preference.
+ // Operators may remove entries their operands do not support.
+ //
+ // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are
+ // subject to change over time and may be different per platform component depending on the underlying TLS
+ // libraries they use. If specified, the list must contain at least one and at most 7 groups,
+ // and each group must be unique.
+ //
+ // For example, to use X25519 and secp256r1 (yaml):
+ //
+ // groups:
+ // - X25519
+ // - secp256r1
+ //
+ // +optional
+ // +listType=set
+ // +kubebuilder:validation:MaxItems=7
+ // +kubebuilder:validation:MinItems=1
+ // +openshift:enable:FeatureGate=TLSGroupPreferences
+ Groups []TLSGroup `json:"groups,omitempty"`
 // minTLSVersion is used to specify the minimal version of the TLS protocol
 // that is negotiated during the TLS handshake. For example, to use TLS
 // versions 1.1, 1.2 and 1.3 (yaml):
@@ -187,16 +260,22 @@ const (
 
 // TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec.
 //
-// These profiles are based on version 5.7 of the Mozilla Server Side TLS
-// configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json
+// The cipher and groups lists in these profiles are based on version 5.8 of the
+// Mozilla Server Side TLS configuration guidelines.
+// See: https://ssl-config.mozilla.org/guidelines/5.8.json
 //
 // Each Ciphers slice is the configuration's "ciphersuites" followed by the
-// Go-specific "ciphers" from the guidelines JSON.
+// "ciphers" from the guidelines JSON.
+//
+// Groups are listed in suggested preference order, though Go-based components may use
+// their own internal ordering. TLSProfiles Old, Intermediate, Modern include by default
+// the following groups: X25519MLKEM768, X25519, secp256r1, secp384r1
 //
 // NOTE: The caller needs to make sure to check that these constants are valid
 // for their binary. Not all entries map to values for all binaries. In the case
 // of ties, the kube-apiserver wins. Do not fail, just be sure to include only
-// valid entries and everything will be ok.
+// valid entries and everything will be ok. In particular, X25519MLKEM768 is
+// not FIPS-approved and must be omitted by components running in FIPS mode.
 var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 TLSProfileOldType: {
 Ciphers: []string{
@@ -213,15 +292,24 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "ECDHE-RSA-AES128-SHA256",
 "ECDHE-ECDSA-AES128-SHA",
 "ECDHE-RSA-AES128-SHA",
+ "ECDHE-ECDSA-AES256-SHA384",
+ "ECDHE-RSA-AES256-SHA384",
 "ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA",
 "AES128-GCM-SHA256",
 "AES256-GCM-SHA384",
 "AES128-SHA256",
+ "AES256-SHA256",
 "AES128-SHA",
 "AES256-SHA",
 "DES-CBC3-SHA",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS10,
 },
 TLSProfileIntermediateType: {
@@ -236,6 +324,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "ECDHE-ECDSA-CHACHA20-POLY1305",
 "ECDHE-RSA-CHACHA20-POLY1305",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS12,
 },
 TLSProfileModernType: {
@@ -244,6 +338,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "TLS_AES_256_GCM_SHA384",
 "TLS_CHACHA20_POLY1305_SHA256",
 },
+ Groups: []TLSGroup{
+ TLSGroupX25519MLKEM768,
+ TLSGroupX25519,
+ TLSGroupSecP256r1,
+ TLSGroupSecP384r1,
+ },
 MinTLSVersion: VersionTLS13,
 },
 }
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index 1a562b8582..13f1bc390d 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -936,6 +936,45 @@ func (in *ClientConnectionOverrides) DeepCopy() *ClientConnectionOverrides { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientCredentialConfig) DeepCopyInto(out *ClientCredentialConfig) { + *out = *in + out.ClientSecret = in.ClientSecret + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]OAuth2Scope, len(*in)) + copy(*out, *in) + } + out.TLS = in.TLS + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCredentialConfig. +func (in *ClientCredentialConfig) DeepCopy() *ClientCredentialConfig { + if in == nil { + return nil + } + out := new(ClientCredentialConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientSecretSecretReference) DeepCopyInto(out *ClientSecretSecretReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientSecretSecretReference. +func (in *ClientSecretSecretReference) DeepCopy() *ClientSecretSecretReference { + if in == nil { + return nil + } + out := new(ClientSecretSecretReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloudControllerManagerStatus) DeepCopyInto(out *CloudControllerManagerStatus) { *out = *in 
@@ -2083,6 +2122,35 @@ func (in *EtcdStorageConfig) DeepCopy() *EtcdStorageConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalClaimsSource) DeepCopyInto(out *ExternalClaimsSource) { + *out = *in + in.Authentication.DeepCopyInto(&out.Authentication) + out.TLS = in.TLS + out.URL = in.URL + if in.Mappings != nil { + in, out := &in.Mappings, &out.Mappings + *out = make([]SourcedClaimMapping, len(*in)) + copy(*out, *in) + } + if in.Predicates != nil { + in, out := &in.Predicates, &out.Predicates + *out = make([]ExternalSourcePredicate, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalClaimsSource. +func (in *ExternalClaimsSource) DeepCopy() *ExternalClaimsSource { + if in == nil { + return nil + } + out := new(ExternalClaimsSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalIPConfig) DeepCopyInto(out *ExternalIPConfig) { *out = *in 
@@ -2168,6 +2236,72 @@ func (in *ExternalPlatformStatus) DeepCopy() *ExternalPlatformStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceAuthentication) DeepCopyInto(out *ExternalSourceAuthentication) { + *out = *in + in.ClientCredential.DeepCopyInto(&out.ClientCredential) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceAuthentication. +func (in *ExternalSourceAuthentication) DeepCopy() *ExternalSourceAuthentication { + if in == nil { + return nil + } + out := new(ExternalSourceAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopyInto(out *ExternalSourceCertificateAuthorityConfigMapReference) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceCertificateAuthorityConfigMapReference. +func (in *ExternalSourceCertificateAuthorityConfigMapReference) DeepCopy() *ExternalSourceCertificateAuthorityConfigMapReference { + if in == nil { + return nil + } + out := new(ExternalSourceCertificateAuthorityConfigMapReference) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourcePredicate) DeepCopyInto(out *ExternalSourcePredicate) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourcePredicate. 
+func (in *ExternalSourcePredicate) DeepCopy() *ExternalSourcePredicate { + if in == nil { + return nil + } + out := new(ExternalSourcePredicate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceTLS) DeepCopyInto(out *ExternalSourceTLS) { + *out = *in + out.CertificateAuthority = in.CertificateAuthority + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceTLS. +func (in *ExternalSourceTLS) DeepCopy() *ExternalSourceTLS { + if in == nil { + return nil + } + out := new(ExternalSourceTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { *out = *in @@ -4841,6 +4975,13 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = make([]TokenUserValidationRule, len(*in)) copy(*out, *in) } + if in.ExternalClaimsSources != nil { + in, out := &in.ExternalClaimsSources, &out.ExternalClaimsSources + *out = make([]ExternalClaimsSource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -6181,6 +6322,38 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourceURL) DeepCopyInto(out *SourceURL) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURL. +func (in *SourceURL) DeepCopy() *SourceURL { + if in == nil { + return nil + } + out := new(SourceURL) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourcedClaimMapping) DeepCopyInto(out *SourcedClaimMapping) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcedClaimMapping. +func (in *SourcedClaimMapping) DeepCopy() *SourcedClaimMapping { + if in == nil { + return nil + } + out := new(SourcedClaimMapping) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Storage) DeepCopyInto(out *Storage) { *out = *in @@ -6239,6 +6412,11 @@ func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]TLSGroup, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 9415f6bbd7..13635bff49 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -8,6 +8,7 @@ apiservers.config.openshift.io: FeatureGates: - KMSEncryption - TLSAdherence + - TLSGroupPreferences FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -31,6 +32,7 @@ authentications.config.openshift.io: Category: "" FeatureGates: - ExternalOIDC + - ExternalOIDCExternalClaimsSourcing - ExternalOIDCWithUIDAndExtraClaimMappings - ExternalOIDCWithUpstreamParity FilenameOperatorName: config-operator diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index b4afc2b962..1e9c65bf86 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -388,6 +388,28 @@ func (AuthenticationStatus) SwaggerDoc() map[string]string { return map_AuthenticationStatus } +var map_ClientCredentialConfig = map[string]string{ + "": "ClientCredentialConfig configures the client credentials and token endpoint to use to get an access token via the OAuth2 client credentials grant flow.", + "clientID": "clientID is a required client identifier to use during the OAuth2 client credentials flow. clientID must be at least 1 character in length, must not exceed 256 characters in length, and must only contain printable ASCII characters.", + "clientSecret": "clientSecret is a required reference to a Secret in the openshift-config namespace to be used as the client secret during the OAuth2 client credentials flow.\n\nThe key 'client-secret' is used to locate the client secret data in the Secret.", + "tokenEndpoint": "tokenEndpoint is a required URL to query for an access token using the client credential OAuth2 flow. tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. tokenEndpoint must be a valid HTTPS URL. tokenEndpoint must have a host and a path. tokenEndpoint must not contain query parameters, fragments, or user information (e.g., \"user:password@host\").", + "scopes": "scopes is an optional list of OAuth2 scopes to request when obtaining an access token.\n\nIf not specified, the token endpoint's default scopes will be used.\n\nWhen specified, there must be at least 1 entry and must not exceed 16 entries. Each entry must be at least 1 character in length and must not exceed 256 characters in length. Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. 
Entries must be unique.", + "tls": "tls is an optional field that allows configuring the TLS settings used to interact with the identity provider as an OAuth2 client.\n\nWhen omitted, system default TLS settings will be used for the OAuth2 client.", +} + +func (ClientCredentialConfig) SwaggerDoc() map[string]string { + return map_ClientCredentialConfig +} + +var map_ClientSecretSecretReference = map[string]string{ + "": "ClientSecretSecretReference is a reference to a Secret in the openshift-config namespace that should be used for configuring the client secret to be used when sourcing claims from external sources with the client credential authentication flow.", + "name": "name is the required name of the Secret that exists in the openshift-config namespace.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ClientSecretSecretReference) SwaggerDoc() map[string]string { + return map_ClientSecretSecretReference +} + var map_DeprecatedWebhookTokenAuthenticator = map[string]string{ "": "deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.", "kubeConfig": "kubeConfig contains kube config file data which describes how to access the remote webhook service. For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication The key \"kubeConfig\" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored. The namespace for this secret is determined by the point of use.", 
@@ -397,6 +419,56 @@ func (DeprecatedWebhookTokenAuthenticator) SwaggerDoc() map[string]string { return map_DeprecatedWebhookTokenAuthenticator } +var map_ExternalClaimsSource = map[string]string{ + "": "ExternalClaimsSource provides the configuration for a single external claim source.", + "authentication": "authentication is an optional field that configures how the apiserver authenticates with an external claims source. When not specified, anonymous authentication is used which means no 'Authorization' header is sent in the HTTP request to fetch the external claims.", + "tls": "tls is an optional field that configures the http client TLS settings when fetching external claims from this source.\n\nWhen omitted, system default TLS settings will be used for fetching claims from the external source.", + "url": "url is a required configuration of the URL for which the external claims are located.", + "mappings": "mappings is a required list of the claim and response handling expression pairs that produces the claims from the external source. mappings must have at least 1 entry and must not exceed 16 entries. Entries must have a unique name across all external claim sources.", + "predicates": "predicates is an optional list of constraints in which claims should attempt to be fetched from this external source.\n\nWhen omitted, claims are always fetched from this external source.\n\nWhen specified, all predicates must evaluate to 'true' before claims are attempted to be fetched from this external source. predicates must have at least 1 entry and must not exceed 16 entries. 
Entries must have unique expressions.", +} + +func (ExternalClaimsSource) SwaggerDoc() map[string]string { + return map_ExternalClaimsSource +} + +var map_ExternalSourceAuthentication = map[string]string{ + "": "ExternalSourceAuthentication configures how the apiserver should attempt to authenticate with an external claims source.", + "type": "type is a required field that sets the type of authentication method used by the authenticator when fetching external claims.\n\nAllowed values are 'RequestProvidedToken' and 'ClientCredential'.\n\nWhen set to 'RequestProvidedToken', the authenticator will use the token provided to the kube-apiserver as part of the request to authenticate with the external claims source.\n\nWhen set to 'ClientCredential', the authenticator will use the configured client-id, client-secret, and token endpoint to fetch an access token using the OAuth2 client credentials grant flow. The fetched access token will then be used to authenticate with the external claims source.", + "clientCredential": "clientCredential configures the client credentials and token endpoint to use to get an access token. clientCredential is required when type is 'ClientCredential', and forbidden otherwise.", +} + +func (ExternalSourceAuthentication) SwaggerDoc() map[string]string { + return map_ExternalSourceAuthentication +} + +var map_ExternalSourceCertificateAuthorityConfigMapReference = map[string]string{ + "": "ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config namespace that should be used for configuring the certificate authority to be used when sourcing claims from external sources.", + "name": "name is the required name of the ConfigMap that exists in the openshift-config namespace. 
The key \"ca-bundle.crt\" must be present and must contain the CA certificate to be used to verify the external source's TLS certificate.\n\nIt must be at least 1 character in length, must not exceed 253 characters in length, must start and end with a lowercase alphanumeric character, and must only contain lowercase alphanumeric characters, '-' or '.'.", +} + +func (ExternalSourceCertificateAuthorityConfigMapReference) SwaggerDoc() map[string]string { + return map_ExternalSourceCertificateAuthorityConfigMapReference +} + +var map_ExternalSourcePredicate = map[string]string{ + "": "ExternalSourcePredicate configures a singular condition that must return true before the external source is queried to retrieve external claims.", + "expression": "expression is a required CEL expression that is used to determine whether or not an external source should be used to fetch external claims.\n\nThe expression must return a boolean value, where true means that the source should be consulted and false means that it should not.\n\nClaims from the token used for the request to the kube-apiserver are made available via the `claims` variable.\n\nThe contents of the `claims` variable varies based on the claims that are present in the token being validated. 
It is the responsibility of those configuring this field to understand what claims the identity provider includes when issuing tokens.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (ExternalSourcePredicate) SwaggerDoc() map[string]string { + return map_ExternalSourcePredicate +} + +var map_ExternalSourceTLS = map[string]string{ + "": "ExternalSourceTLS configures the TLS options that the apiserver uses as a client when making a request to the external claim source.", + "certificateAuthority": "certificateAuthority is a required reference to a ConfigMap in the openshift-config namespace that contains the CA certificate to use to validate TLS connections with the external claims source. The key \"ca-bundle.crt\" must be present in the referenced ConfigMap and must contain the CA certificate to be used to verify the external source's TLS certificate.", +} + +func (ExternalSourceTLS) SwaggerDoc() map[string]string { + return map_ExternalSourceTLS +} + var map_ExtraMapping = map[string]string{ "": "ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value. It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.", "key": "key is a required field that specifies the string to use as the extra attribute key.\n\nkey must be a domain-prefix path (e.g 'example.org/foo'). key must not exceed 510 characters in length. key must contain the '/' character, separating the domain and path characters. key must not be empty.\n\nThe domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain. It must not exceed 253 characters in length. It must start and end with an alphanumeric character. It must only contain lower case alphanumeric characters and '-' or '.'. 
It must not use the reserved domains, or be subdomains of, \"kubernetes.io\", \"k8s.io\", and \"openshift.io\".\n\nThe path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'. It must not exceed 256 characters in length.", 
@@ -445,12 +517,13 @@ func (OIDCClientStatus) SwaggerDoc() map[string]string { } var map_OIDCProvider = map[string]string{ - "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", - "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", - "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", - "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", - "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", - "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "name": "name is a required field that configures the unique human-readable identifier associated with the identity provider. 
It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.\n\nname must not be an empty string (\"\").", + "issuer": "issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.", + "oidcClients": "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.", + "claimMappings": "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.", + "claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.", + "userValidationRules": "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. 
When specified, at least one rule must be specified and no more than 64 rules may be specified.", + "externalClaimsSources": "externalClaimsSources is an optional field that can be used to configure sources, external to the token provided in a request, in which claims should be fetched from and made available to the claim mapping process that is used to build the identity of a token holder.\n\nFor example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.\n\nWhen not specified, only claims present in the token itself will be available in the claim mapping process.\n\nWhen specified, at least one external claim source must be specified and no more than 5 sources may be specified. All external claim sources must have unique claim mappings. When an external source responds and resolves additional claims successfully, they will be made available as claims during the claim mapping process. Externally sourced claims with the same name as a claim existing within the token will overwrite the claim data from the token with the externally sourced information. If an external source does not respond, responds with an error, or the additional claim data cannot be resolved from the response successfully it will not be included in the claim data passed to the claim mapping process.", } func (OIDCProvider) SwaggerDoc() map[string]string { 
@@ -466,6 +539,26 @@ func (PrefixedClaimMapping) SwaggerDoc() map[string]string { return map_PrefixedClaimMapping } +var map_SourceURL = map[string]string{ + "": "SourceURL configures the options used to build the URL that is queried for external claims.", + "hostname": "hostname is a required hostname for which the external claims are located.\n\nIt must be a valid DNS subdomain name as per RFC1123.\n\nThis means that it must start and end with a lowercase alphanumeric character, must only consist of lowercase alphanumeric characters, '-', and '.'. hostname may optionally specify a port in the format ':{port}'. If a port is specified it must not exceed 65535.\n\nhostname must be at least 1 character in length. When specifying a port, hostname must not exceed 259 characters in length. When not specifying a port, hostname must not exceed 253 characters in length.", + "pathExpression": "pathExpression is a required CEL expression that returns a list of string values used to construct the URL path. Claims from the token used for the request to the kube-apiserver are made available via the `claims` variable. expression must be at least 1 character in length and must not exceed 1024 characters in length.\n\nValues in the returned list will be joined with the hostname using a forward slash (`/`) as a separator. Values in the returned list do not need to include the forward slash. 
If a forward slash is included in a returned value, it will be encoded as `%2F`.\n\nExample of a static path configuration:\n\n pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo']\n\nThe above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo'\n\nExample of a dynamic path configuration:\n\n pathExpression: \"['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']\"\n\nAssuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups'", +} + +func (SourceURL) SwaggerDoc() map[string]string { + return map_SourceURL +} + +var map_SourcedClaimMapping = map[string]string{ + "": "SourcedClaimMapping configures the mapping behavior for a single external claim from the response the apiserver received from the external claim source.", + "name": "name is a required name of the claim that will be produced and made available during the claim-to-identity mapping process. name must consist of only lowercase alpha characters and underscores ('_'). name must be at least 1 character and must not exceed 256 characters in length.", + "expression": "expression is a required CEL expression that will produce a value to be assigned to the claim. The full response body from the request to the external claim source is provided via the `response.body` variable.\n\nThe contents of the `response.body` variable varies based on the response received from the external source. 
It is the responsibility of those configuring this expression to understand what is returned from the external source.\n\nexpression must be at least 1 character and must not exceed 1024 characters in length.", +} + +func (SourcedClaimMapping) SwaggerDoc() map[string]string { + return map_SourcedClaimMapping +} + var map_TokenClaimMapping = map[string]string{ "": "TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.", "claim": "claim is an optional field for specifying the JWT token claim that is used in the mapping. The value of this claim will be assigned to the field in which this mapping is associated. claim must not exceed 256 characters in length. When set to the empty string `\"\"`, this means that no named claim should be used for the group mapping. claim is required when the ExternalOIDCWithUpstreamParity feature gate is not enabled.", 
@@ -3071,6 +3164,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string {
 var map_TLSProfileSpec = map[string]string{
 "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.",
 "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.",
+ "groups": "groups is an optional, ordered field used to specify the supported groups (formerly known as elliptic curves) that are used during the TLS handshake. The order of the groups represents a suggested preference, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one and at most 7 groups, and each group must be unique.\n\nFor example, to use X25519 and secp256r1 (yaml):\n\n groups:\n - X25519\n - secp256r1",
 "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11",
 }
 
@@ -3080,11 +3174,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string {

 var map_TLSSecurityProfile = map[string]string{
 "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.",
- "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.",
- "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA",
- "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile 
specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305",
- "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256",
- "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256",
+ "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe cipher and groups lists in these profiles are based on version 5.8 of the Mozilla Server Side TLS configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.8.json\n\nThe groups are listed in suggested preference order, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Note that X25519MLKEM768 is a post-quantum hybrid group that is not FIPS-approved and should be ignored by components running in FIPS mode.\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.",
+ "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA",
+ "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305",
+ "modern": "modern is a 
TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256",
+ "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe supported groups list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256",
 }

 func (TLSSecurityProfile) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
index b532c84602..ca2f0216a9 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
@@ -158,6 +158,12 @@ type ClusterMonitoringSpec struct {
 // When set, at least one field must be specified within monitoringPluginConfig.
 // +optional
 MonitoringPluginConfig MonitoringPluginConfig `json:"monitoringPluginConfig,omitempty,omitzero"`
+ // kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics
+ // agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about
+ // the state of Kubernetes objects such as Deployments, Nodes, and Pods.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // +optional
+ KubeStateMetricsConfig KubeStateMetricsConfig `json:"kubeStateMetricsConfig,omitempty,omitzero"`
 }

 // OpenShiftStateMetricsConfig provides configuration options for the openshift-state-metrics agent
@@ -796,12 +802,43 @@ type AlertmanagerConfig struct {
 CustomConfig AlertmanagerCustomConfig `json:"customConfig,omitempty,omitzero"`
 }

+// UserAlertmanagerConfigSelection controls whether the platform Alertmanager selects
+// AlertmanagerConfig resources from user-defined namespaces.
+// +enum
+type UserAlertmanagerConfigSelection string
+
+const (
+ // UserAlertmanagerConfigSelectionSelectable enables user-defined namespaces to be selected
+ // for AlertmanagerConfig lookups on the platform Alertmanager.
+ UserAlertmanagerConfigSelectionSelectable UserAlertmanagerConfigSelection = "Selectable"
+ // UserAlertmanagerConfigSelectionNone disables user-defined namespaces from being selected
+ // for AlertmanagerConfig lookups on the platform Alertmanager.
+ UserAlertmanagerConfigSelectionNone UserAlertmanagerConfigSelection = "None"
+)
+
 // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment.
 // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance
 // that runs in the `openshift-monitoring` namespace. Use this configuration to control
-// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.
+// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs,
+// and how its pods are scheduled.
 // +kubebuilder:validation:MinProperties=1
 type AlertmanagerCustomConfig struct {
+ // userAlertmanagerConfigSelection is an optional field that controls whether user-defined
+ // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager
+ // instance in the `openshift-monitoring` namespace.
+ // Valid values are Selectable and None.
+ // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources
+ // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in
+ // the cluster-monitoring-config ConfigMap.
+ // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups
+ // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false`
+ // in the cluster-monitoring-config ConfigMap.
+ // This setting only applies when the user-workload monitoring Alertmanager is not enabled.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default value is `None`.
+ // +optional
+ // +kubebuilder:validation:Enum=Selectable;None
+ UserAlertmanagerConfigSelection UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"`
 // logLevel defines the verbosity of logs emitted by Alertmanager.
 // This field allows users to control the amount and severity of logs generated, which can be useful
 // for debugging issues or reducing noise in production environments.
@@ -1340,7 +1377,7 @@ type PrometheusConfig struct {
 // +kubebuilder:validation:MinItems=1
 Resources []ContainerResource `json:"resources,omitempty"`
 // retention configures how long Prometheus retains metrics data and how much storage it can use.
-// When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).
+// When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).
 // +optional
 Retention Retention `json:"retention,omitempty,omitzero"`
 // tolerations defines tolerations for the pods.
@@ -2235,26 +2272,63 @@ type SecretKeySelector struct {
 // Retention configures how long Prometheus retains metrics data and how much storage it can use.
 // +kubebuilder:validation:MinProperties=1
 type Retention struct {
+ // TOMBSTONE: This field has been tombstoned in favor of the `duration` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
 // durationInDays specifies how many days Prometheus will retain metrics data.
 // Prometheus automatically deletes data older than this duration.
 // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
 // The default value is 15.
 // Minimum value is 1 day.
 // Maximum value is 365 days (1 year).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=365
- // +optional
- DurationInDays int32 `json:"durationInDays,omitempty"`
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=365
+ // Former marker: optional
+ // DurationInDays int32 `json:"durationInDays,omitempty"`
+
+ // TOMBSTONE: This field has been tombstoned in favor of the `size` field. This tombstone will be dropped when promoting this API to v1.
+ // ---
 // sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus
 // can use for data blocks and the write-ahead log (WAL).
 // When the limit is reached, Prometheus will delete oldest data first.
 // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
 // Minimum value is 1 GiB.
 // Maximum value is 16384 GiB (16 TiB).
- // +kubebuilder:validation:Minimum=1
- // +kubebuilder:validation:Maximum=16384
+ // Former marker: kubebuilder:validation:Minimum=1
+ // Former marker: kubebuilder:validation:Maximum=16384
+ // Former marker: optional
+ // SizeInGiB int32 `json:"sizeInGiB,omitempty"`
+
+ // duration is an optional field that specifies how long Prometheus retains metrics data.
+ // Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms
+ // (for example, "15d", "24h", or "5d1h30m"). Each unit value must be a positive integer.
+ // Composite durations must follow the fixed unit order y, w, d, h, m, s, ms.
+ // Must be at least 1 character and at most 64 characters.
+ // When set to "0", time-based retention is disabled. This is the only supported form for disabling
+ // time-based retention; other zero-duration representations such as "0d", "0h", or "0y" are rejected.
+ // Prometheus automatically deletes data older than this duration.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+ // The current default value is `15d`.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=64
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*y)?([1-9][0-9]*w)?([1-9][0-9]*d)?([1-9][0-9]*h)?([1-9][0-9]*m)?([1-9][0-9]*s)?([1-9][0-9]*ms)?$')`,message=`must be "0" to disable time-based retention, or a duration string with only positive unit values`
+ // +optional
+ Duration string `json:"duration,omitempty"`
+
+ // size is an optional field that specifies the maximum storage size that Prometheus
+ // can use for data blocks and the write-ahead log (WAL).
+ // Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB,
+ // TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, "500MiB", "10GiB").
+ // The numeric value must be greater than zero.
+ // Must be at least 1 character and at most 32 characters.
+ // When set to "0", no size limit is enforced. This is the only supported form for disabling size-based
+ // retention; other zero-size representations such as "0B" or "0MiB" are rejected.
+ // When the limit is reached, Prometheus deletes oldest data first.
+ // When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=32
+ // +kubebuilder:validation:XValidation:rule=`self == "0" || self.matches('^([1-9][0-9]*([.][0-9]+)?|[0-9]*[.][1-9][0-9]*)((K|M|G|T|E|P)i?)?B$')`,message=`must be "0" to disable size-based retention, or a positive byte-size string`
 // +optional
- SizeInGiB int32 `json:"sizeInGiB,omitempty"`
+ Size string `json:"size,omitempty"`
 }

 // RelabelAction defines the action to perform in a relabeling rule.
@@ -2377,6 +2451,34 @@ type TelemeterClientConfig struct {
 // At least one field must be specified; an empty thanosQuerierConfig object is not allowed.
 // +kubebuilder:validation:MinProperties=1
 type ThanosQuerierConfig struct {
+ // logLevel defines the verbosity of logs emitted by Thanos Querier.
+ // logLevel is optional.
+ // Allowed values are Error, Warn, Info, and Debug.
+ // When set to Error, only errors will be logged.
+ // When set to Warn, both warnings and errors will be logged.
+ // When set to Info, general information, warnings, and errors will all be logged.
+ // When set to Debug, detailed debugging information will be logged.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is `Info`.
+ // +optional
+ LogLevel LogLevel `json:"logLevel,omitempty"`
+ // requestLogging configures request logging for Thanos Querier.
+ // requestLogging is optional.
+ // When provided, the policy field within is required.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default behavior is to not log any requests.
+ // +optional
+ RequestLogging ThanosQuerierRequestLoggingConfig `json:"requestLogging,omitempty,omitzero"`
+ // crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy
+ // for Thanos Querier's HTTP endpoints.
+ // crossOriginRequestPolicy is optional.
+ // Valid values are "AllowAll" and "DenyAll".
+ // When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain.
+ // When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser.
+ // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+ // The current default value is "DenyAll".
+ // +optional
+ CrossOriginRequestPolicy CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"`
 // nodeSelector defines the nodes on which the Pods are scheduled.
 // nodeSelector is optional.
 //
@@ -2445,6 +2547,42 @@ type ThanosQuerierConfig struct {
 TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }

+// ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier.
+type ThanosQuerierRequestLoggingConfig struct {
+ // policy determines which HTTP and gRPC requests are logged by Thanos Querier.
+ // Valid values are "AllRequests" and "NoRequests".
+ // When set to "AllRequests", every request received by Thanos Querier is logged with method, path, and response status.
+ // The log level for request logs is derived from the logLevel field.
+ // When set to "NoRequests", request logging is turned off.
+ // +required
+ Policy RequestLoggingPolicy `json:"policy,omitempty"`
+}
+
+// RequestLoggingPolicy controls which HTTP and gRPC requests are logged.
+// Valid values are "AllRequests" and "NoRequests".
+// +kubebuilder:validation:Enum=AllRequests;NoRequests
+type RequestLoggingPolicy string
+
+const (
+ // RequestLoggingPolicyAllRequests enables logging of all incoming requests.
+ RequestLoggingPolicyAllRequests RequestLoggingPolicy = "AllRequests"
+ // RequestLoggingPolicyNoRequests disables request logging.
+ RequestLoggingPolicyNoRequests RequestLoggingPolicy = "NoRequests"
+)
+
+// CrossOriginRequestPolicy controls the CORS (Cross-Origin Resource Sharing) policy
+// for Thanos Querier's HTTP endpoints.
+// Valid values are "AllowAll" and "DenyAll".
+// +kubebuilder:validation:Enum=AllowAll;DenyAll
+type CrossOriginRequestPolicy string
+
+const (
+ // CrossOriginRequestPolicyAllowAll sets CORS headers allowing requests from any origin.
+ CrossOriginRequestPolicyAllowAll CrossOriginRequestPolicy = "AllowAll"
+ // CrossOriginRequestPolicyDenyAll does not set CORS headers, rejecting cross-origin requests.
+ CrossOriginRequestPolicyDenyAll CrossOriginRequestPolicy = "DenyAll"
+)
+
 // AuditProfile defines the audit log level for the Metrics Server.
 // +kubebuilder:validation:Enum=None;Metadata;Request;RequestResponse
 type AuditProfile string
@@ -2510,3 +2648,154 @@ type Audit struct {
 // +required
 Profile AuditProfile `json:"profile,omitempty"`
 }
+
+// KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent
+// that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics
+// about the state of Kubernetes objects such as Deployments, Nodes, and Pods.
+// +kubebuilder:validation:MinProperties=1
+type KubeStateMetricsConfig struct {
+ // nodeSelector defines the nodes on which the Pods are scheduled.
+ // nodeSelector is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // The current default value is `kubernetes.io/os: linux`.
+ // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+ // +optional
+ // +kubebuilder:validation:MinProperties=1
+ // +kubebuilder:validation:MaxProperties=10
+ NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+ // resources defines the compute resource requests and limits for the kube-state-metrics container.
+ // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+ // When not specified, defaults are used by the platform. Requests cannot exceed limits.
+ // This field is optional.
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // This is a simplified API that maps to Kubernetes ResourceRequirements.
+ // The current default values are:
+ // resources:
+ // - name: cpu
+ // request: 4m
+ // limit: null
+ // - name: memory
+ // request: 40Mi
+ // limit: null
+ // Maximum length for this list is 5.
+ // Minimum length for this list is 1.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=5
+ // +kubebuilder:validation:MinItems=1
+ Resources []ContainerResource `json:"resources,omitempty"`
+ // tolerations defines tolerations for the pods.
+ // tolerations is optional.
+ //
+ // When omitted, no tolerations are applied. This default is subject to change over time.
+ // When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries.
+ // Each toleration's operator, when specified, must be either "Exists" or "Equal".
+ // Each toleration's effect, when specified, must be one of "NoSchedule", "PreferNoSchedule", or "NoExecute".
+ // An empty or unset effect means match all effects.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.operator) || t.operator == 'Exists' || t.operator == 'Equal')",message="operator must be either Exists or Equal"
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.effect) || t.effect == 'NoSchedule' || t.effect == 'PreferNoSchedule' || t.effect == 'NoExecute' || t.effect == '')",message="effect must be NoSchedule, PreferNoSchedule, NoExecute, or empty"
+ // +optional
+ Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+ // topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed
+ // across topology domains such as zones, nodes, or other user-defined labels.
+ // topologySpreadConstraints is optional.
+ // This helps improve high availability and resource efficiency by avoiding placing
+ // too many replicas in the same failure domain.
+ //
+ // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+ // When omitted, no topology spread constraints are applied. This default is subject to change over time.
+ // When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries.
+ // Entries must have unique topologyKey and whenUnsatisfiable pairs.
+ // Each entry's whenUnsatisfiable must be either "DoNotSchedule" or "ScheduleAnyway".
+ // Each entry's maxSkew must be at least 1.
+ // When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be "DoNotSchedule".
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=topologyKey
+ // +listMapKey=whenUnsatisfiable
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.whenUnsatisfiable == 'DoNotSchedule' || c.whenUnsatisfiable == 'ScheduleAnyway')",message="whenUnsatisfiable must be either DoNotSchedule or ScheduleAnyway"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.maxSkew >= 1)",message="maxSkew must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.minDomains >= 1)",message="minDomains must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.whenUnsatisfiable == 'DoNotSchedule')",message="minDomains can only be used when whenUnsatisfiable is DoNotSchedule"
+ // +optional
+ TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+ // additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics
+ // in kube-state-metrics.
+ // Currently, only "Job" and "CronJob" resources are supported due to cardinality concerns.
+ // Each entry specifies a resource name and a list of Kubernetes label names to expose.
+ // Use "*" in the labels list to expose all labels for a given resource.
+ // additionalResourceLabels is optional.
+ // When omitted, no additional Kubernetes object labels are exposed as metrics
+ // by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name).
+ // Use this field to opt in to exposing specific Kubernetes labels as metric labels
+ // for the supported resource types.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 2.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=resource
+ AdditionalResourceLabels []KubeStateMetricsResourceLabels `json:"additionalResourceLabels,omitempty"`
+}
+
+// KubeStateMetricsResourceName is the name of a Kubernetes resource whose labels can be exposed
+// as metrics by kube-state-metrics. Currently, only "Job" and "CronJob" are supported
+// due to cardinality concerns.
+// Valid values are "Job" and "CronJob".
+// +kubebuilder:validation:Enum=Job;CronJob
+type KubeStateMetricsResourceName string
+
+const (
+ // KubeStateMetricsResourceJob indicates the Kubernetes Job resource.
+ KubeStateMetricsResourceJob KubeStateMetricsResourceName = "Job"
+ // KubeStateMetricsResourceCronJob indicates the Kubernetes CronJob resource.
+ KubeStateMetricsResourceCronJob KubeStateMetricsResourceName = "CronJob"
+)
+
+// KubeStateMetricsLabelName is the name of a Kubernetes label to expose as a metric
+// via kube-state-metrics. Use "*" to expose all labels for a resource.
+// Must be either the wildcard "*" or a valid Kubernetes label key.
+// A valid label key has an optional DNS subdomain prefix followed by a "/" and a name segment,
+// or just a name segment without a prefix. The name segment must be 63 characters or fewer,
+// beginning and ending with an alphanumeric character, with dashes, underscores, dots, and
+// alphanumerics in between.
+// Must be at least 1 character and at most 253 characters in length.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:XValidation:rule="self == '*' || !format.qualifiedName().validate(self).hasValue()",message="must be a valid Kubernetes label key or the wildcard '*'"
+type KubeStateMetricsLabelName string
+
+// KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics
+// for a given resource type in kube-state-metrics.
+type KubeStateMetricsResourceLabels struct {
+ // resource is the Kubernetes resource name whose labels should be exposed as metrics.
+ // Currently, only "Job" and "CronJob" are supported due to cardinality concerns.
+ // Valid values are "Job" and "CronJob".
+ // This field is required.
+ // +required
+ Resource KubeStateMetricsResourceName `json:"resource,omitempty"`
+ // labels is the list of Kubernetes label names to expose as metrics for this resource.
+ // Use "*" to expose all labels for the specified resource.
+ // When "*" is specified, it must be the only entry in the list; mixing "*" with
+ // specific label names is not allowed.
+ // This field is required.
+ // Each label name must be unique within this list.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 50.
+ // +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=50
+ // +listType=set
+ // +kubebuilder:validation:XValidation:rule="!self.exists(l, l == '*') || self.size() == 1",message="when '*' is specified, no other labels may be listed"
+ Labels []KubeStateMetricsLabelName `json:"labels,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index efc8bf3399..7313338a3b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -451,6 +451,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) {
 in.ThanosQuerierConfig.DeepCopyInto(&out.ThanosQuerierConfig)
 in.NodeExporterConfig.DeepCopyInto(&out.NodeExporterConfig)
 in.MonitoringPluginConfig.DeepCopyInto(&out.MonitoringPluginConfig)
+ in.KubeStateMetricsConfig.DeepCopyInto(&out.KubeStateMetricsConfig)
 return
 }
 
@@ -751,6 +752,78 @@ func (in *KeyConfig) DeepCopy() *KeyConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeStateMetricsConfig) DeepCopyInto(out *KubeStateMetricsConfig) { + *out = *in + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AdditionalResourceLabels != nil { + in, out := &in.AdditionalResourceLabels, &out.AdditionalResourceLabels + *out = make([]KubeStateMetricsResourceLabels, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsConfig. +func (in *KubeStateMetricsConfig) DeepCopy() *KubeStateMetricsConfig { + if in == nil { + return nil + } + out := new(KubeStateMetricsConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *KubeStateMetricsResourceLabels) DeepCopyInto(out *KubeStateMetricsResourceLabels) { + *out = *in + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make([]KubeStateMetricsLabelName, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsResourceLabels. +func (in *KubeStateMetricsResourceLabels) DeepCopy() *KubeStateMetricsResourceLabels { + if in == nil { + return nil + } + out := new(KubeStateMetricsResourceLabels) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Label) DeepCopyInto(out *Label) { *out = *in @@ -1954,6 +2027,7 @@ func (in *TelemeterClientConfig) DeepCopy() *TelemeterClientConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ThanosQuerierConfig) DeepCopyInto(out *ThanosQuerierConfig) { *out = *in + out.RequestLogging = in.RequestLogging if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = make(map[string]string, len(*in)) 
@@ -1995,6 +2069,22 @@ func (in *ThanosQuerierConfig) DeepCopy() *ThanosQuerierConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ThanosQuerierRequestLoggingConfig) DeepCopyInto(out *ThanosQuerierRequestLoggingConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThanosQuerierRequestLoggingConfig. +func (in *ThanosQuerierRequestLoggingConfig) DeepCopy() *ThanosQuerierRequestLoggingConfig { + if in == nil { + return nil + } + out := new(ThanosQuerierRequestLoggingConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UppercaseActionConfig) DeepCopyInto(out *UppercaseActionConfig) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 8c79eb0678..2194d79def 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -106,14 +106,15 @@ func (AlertmanagerConfig) SwaggerDoc() map[string]string { } var map_AlertmanagerCustomConfig = map[string]string{ - "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", - "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", - "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", - "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. 
This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", - "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", + "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, and how its pods are scheduled.", + "userAlertmanagerConfigSelection": "userAlertmanagerConfigSelection is an optional field that controls whether user-defined namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager instance in the `openshift-monitoring` namespace. Valid values are Selectable and None. When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in the cluster-monitoring-config ConfigMap. When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` in the cluster-monitoring-config ConfigMap. 
This setting only applies when the user-workload monitoring Alertmanager is not enabled. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `None`.", + "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", + "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. 
Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", } func (AlertmanagerCustomConfig) SwaggerDoc() map[string]string { 
@@ -183,6 +184,7 @@ var map_ClusterMonitoringSpec = map[string]string{ "thanosQuerierConfig": "thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier component that runs in the openshift-monitoring namespace. The Thanos Querier provides a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory requests, and no custom tolerations or topology spread constraints. When set, at least one field must be specified within thanosQuerierConfig.", "nodeExporterConfig": "nodeExporterConfig is an optional field that can be used to configure the node-exporter agent that runs as a DaemonSet in the openshift-monitoring namespace. The node-exporter agent collects hardware and OS-level metrics from every node in the cluster. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", "monitoringPluginConfig": "monitoringPluginConfig is an optional field that can be used to configure the monitoring plugin that runs as a dynamic plugin of the OpenShift web console. The monitoring plugin provides the monitoring UI in the OpenShift web console for visualizing metrics, alerts, and dashboards. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the monitoring-plugin as a single-replica Deployment on linux nodes with 10m CPU and 50Mi memory requests, and no custom tolerations or topology spread constraints. 
When set, at least one field must be specified within monitoringPluginConfig.", + "kubeStateMetricsConfig": "kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { 
@@ -236,6 +238,29 @@ func (KeepEqualActionConfig) SwaggerDoc() map[string]string { return map_KeepEqualActionConfig } +var map_KubeStateMetricsConfig = map[string]string{ + "": "KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the kube-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, no tolerations are applied. This default is subject to change over time. When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. Each toleration's operator, when specified, must be either \"Exists\" or \"Equal\". 
Each toleration's effect, when specified, must be one of \"NoSchedule\", \"PreferNoSchedule\", or \"NoExecute\". An empty or unset effect means match all effects.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nThis field maps directly to the `topologySpreadConstraints` field in the Pod spec. When omitted, no topology spread constraints are applied. This default is subject to change over time. When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. Entries must have unique topologyKey and whenUnsatisfiable pairs. Each entry's whenUnsatisfiable must be either \"DoNotSchedule\" or \"ScheduleAnyway\". Each entry's maxSkew must be at least 1. When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be \"DoNotSchedule\".", + "additionalResourceLabels": "additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics in kube-state-metrics. Currently, only \"Job\" and \"CronJob\" resources are supported due to cardinality concerns. Each entry specifies a resource name and a list of Kubernetes label names to expose. Use \"*\" in the labels list to expose all labels for a given resource. additionalResourceLabels is optional. When omitted, no additional Kubernetes object labels are exposed as metrics by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). Use this field to opt in to exposing specific Kubernetes labels as metric labels for the supported resource types. Minimum length for this list is 1. Maximum length for this list is 2. 
Each resource name must be unique within this list.", +} + +func (KubeStateMetricsConfig) SwaggerDoc() map[string]string { + return map_KubeStateMetricsConfig +} + +var map_KubeStateMetricsResourceLabels = map[string]string{ + "": "KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics for a given resource type in kube-state-metrics.", + "resource": "resource is the Kubernetes resource name whose labels should be exposed as metrics. Currently, only \"Job\" and \"CronJob\" are supported due to cardinality concerns. Valid values are \"Job\" and \"CronJob\". This field is required.", + "labels": "labels is the list of Kubernetes label names to expose as metrics for this resource. Use \"*\" to expose all labels for the specified resource. When \"*\" is specified, it must be the only entry in the list; mixing \"*\" with specific label names is not allowed. This field is required. Each label name must be unique within this list. Minimum length for this list is 1. Maximum length for this list is 50.", +} + +func (KubeStateMetricsResourceLabels) SwaggerDoc() map[string]string { + return map_KubeStateMetricsResourceLabels +} + var map_Label = map[string]string{ "": "Label represents a key/value pair for external labels.", "key": "key is the name of the label. Prometheus supports UTF-8 label names, so any valid UTF-8 string is allowed. Must be between 1 and 128 characters in length.", 
@@ -504,7 +529,7 @@ var map_PrometheusConfig = map[string]string{ "queryLogFile": "queryLogFile specifies the file to which PromQL queries are logged. This setting can be either a filename, in which case the queries are saved to an `emptyDir` volume at `/var/log/prometheus`, or a full path to a location where an `emptyDir` volume will be mounted and the queries saved. Writing to `/dev/stderr`, `/dev/stdout` or `/dev/null` is supported, but writing to any other `/dev/` path is not supported. Relative paths are also not supported. By default, PromQL queries are not logged. Must be an absolute path starting with `/` or a simple filename without path separators. Must not contain consecutive slashes, end with a slash, or include '..' path traversal. Must contain only alphanumeric characters, '.', '_', '-', or '/'. Must be between 1 and 255 characters in length.", "remoteWrite": "remoteWrite defines the remote write configuration, including URL, authentication, and relabeling settings. Remote write allows Prometheus to send metrics it collects to external long-term storage systems. When omitted, no remote write endpoints are configured. When provided, at least one configuration must be specified (minimum 1, maximum 10 items). Entries must have unique names (name is the list key).", "resources": "resources defines the compute resource requests and limits for the Prometheus container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", - "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15 days retention, no size limit).", + "retention": "retention configures how long Prometheus retains metrics data and how much storage it can use. When omitted, the platform chooses reasonable defaults (currently 15d retention, no size limit).", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1", "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.", "collectionProfile": "collectionProfile defines the metrics collection profile that Prometheus uses to collect metrics from the platform components. Supported values are `Full` or `Minimal`. In the `Full` profile (default), Prometheus collects all metrics that are exposed by the platform components. In the `Minimal` profile, Prometheus only collects metrics necessary for the default platform alerts, recording rules, telemetry and console dashboards. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is `Full`.", 
@@ -637,9 +662,9 @@ func (ReplaceActionConfig) SwaggerDoc() map[string]string { } var map_Retention = map[string]string{ - "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", - "durationInDays": "durationInDays specifies how many days Prometheus will retain metrics data. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The default value is 15. Minimum value is 1 day. Maximum value is 365 days (1 year).", - "sizeInGiB": "sizeInGiB specifies the maximum storage size in gibibytes (GiB) that Prometheus can use for data blocks and the write-ahead log (WAL). When the limit is reached, Prometheus will delete oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity. Minimum value is 1 GiB. Maximum value is 16384 GiB (16 TiB).", + "": "Retention configures how long Prometheus retains metrics data and how much storage it can use.", + "duration": "duration is an optional field that specifies how long Prometheus retains metrics data. Valid values are Prometheus-style duration strings with unit suffixes y, w, d, h, m, s, or ms (for example, \"15d\", \"24h\", or \"5d1h30m\"). Each unit value must be a positive integer. Composite durations must follow the fixed unit order y, w, d, h, m, s, ms. Must be at least 1 character and at most 64 characters. When set to \"0\", time-based retention is disabled. This is the only supported form for disabling time-based retention; other zero-duration representations such as \"0d\", \"0h\", or \"0y\" are rejected. Prometheus automatically deletes data older than this duration. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. 
The current default value is `15d`.", + "size": "size is an optional field that specifies the maximum storage size that Prometheus can use for data blocks and the write-ahead log (WAL). Valid values are byte-size strings with an optional decimal prefix and a unit suffix B, KB, MB, GB, TB, EB, PB, or their binary equivalents KiB, MiB, GiB, TiB, EiB, PiB (for example, \"500MiB\", \"10GiB\"). The numeric value must be greater than zero. Must be at least 1 character and at most 32 characters. When set to \"0\", no size limit is enforced. This is the only supported form for disabling size-based retention; other zero-size representations such as \"0B\" or \"0MiB\" are rejected. When the limit is reached, Prometheus deletes oldest data first. When omitted, no size limit is enforced and Prometheus uses available PersistentVolume capacity.", } func (Retention) SwaggerDoc() map[string]string { 
@@ -696,6 +721,9 @@ func (TelemeterClientConfig) SwaggerDoc() map[string]string { var map_ThanosQuerierConfig = map[string]string{ "": "ThanosQuerierConfig provides configuration options for the Thanos Querier component that runs in the `openshift-monitoring` namespace. At least one field must be specified; an empty thanosQuerierConfig object is not allowed.", + "logLevel": "logLevel defines the verbosity of logs emitted by Thanos Querier. logLevel is optional. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "requestLogging": "requestLogging configures request logging for Thanos Querier. requestLogging is optional. When provided, the policy field within is required. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default behavior is to not log any requests.", + "crossOriginRequestPolicy": "crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy for Thanos Querier's HTTP endpoints. crossOriginRequestPolicy is optional. Valid values are \"AllowAll\" and \"DenyAll\". When set to \"AllowAll\", CORS headers are added to responses, allowing cross-origin requests from any domain. When set to \"DenyAll\", no CORS headers are added and cross-origin requests are rejected by the browser. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is \"DenyAll\".", "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. 
nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", "resources": "resources defines the compute resource requests and limits for the Thanos Querier container. resources is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Requests cannot exceed limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 5m\n - name: memory\n request: 12Mi\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", 
@@ -706,6 +734,15 @@ func (ThanosQuerierConfig) SwaggerDoc() map[string]string { return map_ThanosQuerierConfig } +var map_ThanosQuerierRequestLoggingConfig = map[string]string{ + "": "ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier.", + "policy": "policy determines which HTTP and gRPC requests are logged by Thanos Querier. Valid values are \"AllRequests\" and \"NoRequests\". When set to \"AllRequests\", every request received by Thanos Querier is logged with method, path, and response status. The log level for request logs is derived from the logLevel field. When set to \"NoRequests\", request logging is turned off.", +} + +func (ThanosQuerierRequestLoggingConfig) SwaggerDoc() map[string]string { + return map_ThanosQuerierRequestLoggingConfig +} + var map_UppercaseActionConfig = map[string]string{ "": "UppercaseActionConfig configures the Uppercase action. Maps the concatenated source_labels to their upper case and writes to target_label. Requires Prometheus >= v2.36.0.", "targetLabel": "targetLabel is the label name where the upper-cased value is written. Must be between 1 and 128 characters in length.", diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index 750b68d62f..b7ee33cfce 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md 
@@ -3,9 +3,14 @@ | ClientsAllowCBOR| | | | | | | | | | ClusterAPIInstall| | | | | | | | | | EventedPLEG| | | | | | | | | +| MachineAPIMigrationAzure| | | | | | | | | +| MachineAPIMigrationBareMetal| | | | | | | | | +| MachineAPIMigrationGCP| | | | | | | | | +| MachineAPIMigrationPowerVS| | | | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | | | MultiArchInstallAzure| | | | | | | | | | ShortCertRotation| | | | | | | | | +| MutableTopology| | | | Enabled | | | | | | ClusterAPIComputeInstall| | | Enabled | Enabled | | | | | | ClusterAPIControlPlaneInstall| | | Enabled | Enabled | | | | | | ClusterUpdatePreflight| | | Enabled | Enabled | | | | | 
@@ -77,16 +82,17 @@ | NewOLMWebhookProviderOpenshiftServiceCA| | Enabled | | Enabled | | Enabled | | Enabled | | NoOverlayMode| | | Enabled | Enabled | | | Enabled | Enabled | | NutanixMultiSubnets| | | Enabled | Enabled | | | Enabled | Enabled | -| OSStreams| | | Enabled | Enabled | | | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | | | Enabled | Enabled | | OnPremDNSRecords| | | Enabled | Enabled | | | Enabled | Enabled | | SELinuxMount| | | Enabled | Enabled | | | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | | | Enabled | Enabled | | TLSAdherence| | | Enabled | Enabled | | | Enabled | Enabled | +| TLSGroupPreferences| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled | | VolumeGroupSnapshot| | | Enabled | Enabled | | | Enabled | Enabled | | AWSServiceLBNetworkSecurityGroup| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled | +| OSStreams| | Enabled | Enabled | Enabled | | Enabled | Enabled | Enabled | | AzureClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | AzureWorkloadIdentity| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | BootImageSkewEnforcement| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | 
@@ -106,6 +112,7 @@
 | MutableCSINodeAllocatableCount| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | MutatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
 | SigstoreImageVerificationPKI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go
index c17075aa86..de530fa66b 100644
--- a/vendor/github.com/openshift/api/features/features.go
+++ b/vendor/github.com/openshift/api/features/features.go
@@ -178,6 +178,14 @@ var (
 enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
 mustRegister()
 
+ FeatureGateRouteExternalCertificate = newFeatureGate("RouteExternalCertificate").
+ reportProblemsToJiraComponent("router").
+ contactPerson("chiragkyal").
+ productScope(ocpSpecific).
+ enhancementPR(legacyFeatureGateWithoutEnhancement).
+ enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ mustRegister()
+
 FeatureGateNetworkConnect = newFeatureGate("NetworkConnect").
 reportProblemsToJiraComponent("Networking/ovn-kubernetes").
 contactPerson("tssurya").
@@ -457,12 +465,12 @@ var (
 mustRegister()
 
 FeatureGateOLMLifecycleAndCompatibility = newFeatureGate("OLMLifecycleAndCompatibility").
- reportProblemsToJiraComponent("olm").
- contactPerson("joelanford").
- productScope(ocpSpecific).
- enhancementPR("https://github.com/openshift/enhancements/pull/1991").
- enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
- mustRegister()
+ reportProblemsToJiraComponent("olm").
+ contactPerson("joelanford").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1991").
+ enable(inClusterProfile(SelfManaged), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ mustRegister()
 
 FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
 reportProblemsToJiraComponent("insights").
@@ -527,6 +535,34 @@ var (
 enable(inDevPreviewNoUpgrade()).
 mustRegister()
 
+ FeatureGateMachineAPIMigrationAzure = newFeatureGate("MachineAPIMigrationAzure").
+ reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationBareMetal = newFeatureGate("MachineAPIMigrationBareMetal").
+ reportProblemsToJiraComponent("Cloud Compute / BareMetal Provider").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationGCP = newFeatureGate("MachineAPIMigrationGCP").
+ reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
+ FeatureGateMachineAPIMigrationPowerVS = newFeatureGate("MachineAPIMigrationPowerVS").
+ reportProblemsToJiraComponent("Cloud Compute / IBM Provider").
+ contactPerson("ddonati").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+ mustRegister()
+
 FeatureGateClusterAPIMachineManagement = newFeatureGate("ClusterAPIMachineManagement").
 reportProblemsToJiraComponent("Cloud Compute / Cluster API Providers").
 contactPerson("ddonati").
@@ -880,7 +916,8 @@ var (
 contactPerson("pabrodri").
 productScope(ocpSpecific).
 enhancementPR("https://github.com/openshift/enhancements/pull/1874").
- enable(inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
+ enable(inClusterProfile(SelfManaged), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade(), inDefault(), inOKD()).
+ enable(inClusterProfile(Hypershift), inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 mustRegister()
 
 FeatureGateCRDCompatibilityRequirementOperator = newFeatureGate("CRDCompatibilityRequirementOperator").
@@ -976,4 +1013,20 @@ var (
 enhancementPR("https://github.com/openshift/enhancements/pull/1908").
 enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
 mustRegister()
+
+ FeatureGateTLSGroupPreferences = newFeatureGate("TLSGroupPreferences").
+ reportProblemsToJiraComponent("Networking / router").
+ contactPerson("davidesalerno").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1894").
+ enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()).
+ mustRegister()
+
+ FeatureGateMutableTopology = newFeatureGate("MutableTopology").
+ reportProblemsToJiraComponent("Mutable Topology").
+ contactPerson("jaypoulz").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/2008").
+ enable(inClusterProfile(SelfManaged), inDevPreviewNoUpgrade()).
+ mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index 53b8962a28..a82089b9f7 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -83,6 +83,8 @@ var legacyFeatureGates = sets.New(
 // never add to this list, if you think you have an exception ask @deads2k
 "PrivateHostedZoneAWS",
 // never add to this list, if you think you have an exception ask @deads2k
+ "RouteExternalCertificate",
+ // never add to this list, if you think you have an exception ask @deads2k
 "SetEIPForNLBIngressController",
 // never add to this list, if you think you have an exception ask @deads2k
 "SignatureStores",
diff --git a/vendor/github.com/openshift/api/operator/v1/types_etcd.go b/vendor/github.com/openshift/api/operator/v1/types_etcd.go
index 252f3b3990..f2f1131036 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_etcd.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_etcd.go
@@ -42,11 +42,11 @@ type EtcdSpec struct {
 HardwareSpeed ControlPlaneHardwareSpeed `json:"controlPlaneHardwareSpeed"`
 
 // backendQuotaGiB sets the etcd backend storage size limit in gibibytes.
- // The value should be an integer not less than 8 and not more than 32.
+ // The value should be an integer not less than 8 and not more than 16.
 // When not specified, the default value is 8.
 // +kubebuilder:default:=8
 // +kubebuilder:validation:Minimum=8
- // +kubebuilder:validation:Maximum=32
+ // +kubebuilder:validation:Maximum=16
 // +kubebuilder:validation:XValidation:rule="self>=oldSelf",message="etcd backendQuotaGiB may not be decreased"
 // +openshift:enable:FeatureGate=EtcdBackendQuota
 // +default=8
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml
index 1f58ced4e0..1feb64cbb5 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-CustomNoUpgrade.crd.yaml
@@ -50,10 +50,10 @@ spec: default: 8 description: |- backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - The value should be an integer not less than 8 and not more than 32. + The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8. format: int32 - maximum: 32 + maximum: 16 minimum: 8 type: integer x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml index 76d63711f7..2c32b9c964 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-DevPreviewNoUpgrade.crd.yaml @@ -50,10 +50,10 @@ spec: default: 8 description: |- backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - The value should be an integer not less than 8 and not more than 32. + The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8. format: int32 - maximum: 32 + maximum: 16 minimum: 8 type: integer x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml index 7433b66d36..b74dfb9893 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_12_etcd_01_etcds-TechPreviewNoUpgrade.crd.yaml 
@@ -50,10 +50,10 @@ spec: default: 8 description: |- backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - The value should be an integer not less than 8 and not more than 32. + The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8. format: int32 - maximum: 32 + maximum: 16 minimum: 8 type: integer x-kubernetes-validations: diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml index fdf10772dd..bc5f0147d9 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -1993,8 +1993,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The supported groups list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: 
@@ -2019,6 +2022,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
@@ -2039,6 +2082,10 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2057,7 +2104,9 @@ spec: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -2071,6 +2120,10 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2087,11 +2140,14 @@ spec: - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA 
@@ -2102,10 +2158,16 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The cipher and groups lists in these profiles are based on version 5.8 of the + Mozilla Server Side TLS configuration guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.8.json + + The groups are listed in suggested preference order, with the most preferred group first. + Note that not all platform components honor the ordering: Go-based components use Go's + internal preference order and treat this list as a filter of allowed groups rather than + an ordered preference. + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on 
@@ -3286,6 +3348,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml index 97c3ca8c40..914cfb48e0 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -1993,8 +1993,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The supported groups list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -2039,6 +2042,10 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2057,7 +2064,9 @@ spec: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: 
@@ -2071,6 +2080,10 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2087,11 +2100,14 @@ spec: - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA 
@@ -2102,10 +2118,16 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The cipher and groups lists in these profiles are based on version 5.8 of the + Mozilla Server Side TLS configuration guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.8.json + + The groups are listed in suggested preference order, with the most preferred group first. + Note that not all platform components honor the ordering: Go-based components use Go's + internal preference order and treat this list as a filter of allowed groups rather than + an ordered preference. + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml index 89c366cda4..25e3ed651a 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml 
@@ -1993,8 +1993,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The supported groups list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: 
@@ -2019,6 +2022,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
@@ -2039,6 +2082,10 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2057,7 +2104,9 @@ spec: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -2071,6 +2120,10 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2087,11 +2140,14 @@ spec: - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA 
@@ -2102,10 +2158,16 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The cipher and groups lists in these profiles are based on version 5.8 of the + Mozilla Server Side TLS configuration guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.8.json + + The groups are listed in suggested preference order, with the most preferred group first. + Note that not all platform components honor the ordering: Go-based components use Go's + internal preference order and treat this list as a filter of allowed groups rather than + an ordered preference. + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on 
@@ -3286,6 +3348,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index 535ddf0bc8..ec1366e6c6 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml @@ -1993,8 +1993,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The supported groups list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -2039,6 +2042,10 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2057,7 +2064,9 @@ spec: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: 
@@ -2071,6 +2080,10 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2087,11 +2100,14 @@ spec: - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA 
@@ -2102,10 +2118,16 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The cipher and groups lists in these profiles are based on version 5.8 of the + Mozilla Server Side TLS configuration guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.8.json + + The groups are listed in suggested preference order, with the most preferred group first. + Note that not all platform components honor the ordering: Go-based components use Go's + internal preference order and treat this list as a filter of allowed groups rather than + an ordered preference. + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml index 2fbc3cd4e3..8b8156f537 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml 
@@ -1993,8 +1993,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The supported groups list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: 
@@ -2019,6 +2022,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
@@ -2039,6 +2082,10 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2057,7 +2104,9 @@ spec: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -2071,6 +2120,10 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The supported groups list includes by default the following groups + in suggested preference order (ordering may not be honored by all implementations): + X25519MLKEM768, X25519, secp256r1, secp384r1. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2087,11 +2140,14 @@ spec: - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA 
@@ -2102,10 +2158,16 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The cipher and groups lists in these profiles are based on version 5.8 of the + Mozilla Server Side TLS configuration guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.8.json + + The groups are listed in suggested preference order, with the most preferred group first. + Note that not all platform components honor the ordering: Go-based components use Go's + internal preference order and treat this list as a filter of allowed groups rather than + an ordered preference. + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on 
@@ -3286,6 +3348,46 @@ spec: type: string type: array x-kubernetes-list-type: atomic + groups: + description: |- + groups is an optional, ordered field used to specify the supported groups (formerly known as + elliptic curves) that are used during the TLS handshake. The order of the groups represents + a suggested preference, with the most preferred group first. Note that not all platform + components honor the ordering: Go-based components use Go's internal preference order and + treat this list as a filter of allowed groups rather than an ordered preference. + Operators may remove entries their operands do not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one and at most 7 groups, + and each group must be unique. + + For example, to use X25519 and secp256r1 (yaml): + + groups: + - X25519 + - secp256r1 + items: + description: |- + TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. + There is a one-to-one mapping between these names and the group IDs defined + in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + Note that X25519MLKEM768 is a post-quantum hybrid group that is not + FIPS-approved and should be ignored by components running in FIPS mode. + enum: + - X25519 + - secp256r1 + - secp384r1 + - secp521r1 + - X25519MLKEM768 + - SecP256r1MLKEM768 + - SecP384r1MLKEM1024 + type: string + maxItems: 7 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index aaf0972908..29b4d13d02 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -178,6 +178,7 @@ ingresscontrollers.operator.openshift.io: Category: "" FeatureGates: - IngressControllerDynamicConfigurationManager + - TLSGroupPreferences FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028..0b82b1ac66 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -798,7 +798,7 @@ func (EtcdList) SwaggerDoc() map[string]string { var map_EtcdSpec = map[string]string{ "controlPlaneHardwareSpeed": "HardwareSpeed allows user to change the etcd tuning profile which configures the latency parameters for heartbeat interval and leader election timeouts allowing the cluster to tolerate longer round-trip-times between etcd members. Valid values are \"\", \"Standard\" and \"Slower\".\n\t\"\" means no opinion and the platform is left to choose a reasonable default\n\twhich is subject to change without notice.", - "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 32. When not specified, the default value is 8.", + "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8.", } func (EtcdSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/route/v1/generated.proto b/vendor/github.com/openshift/api/route/v1/generated.proto index 28f8c311ee..85018b16b7 100644 --- a/vendor/github.com/openshift/api/route/v1/generated.proto +++ b/vendor/github.com/openshift/api/route/v1/generated.proto 
@@ -411,7 +411,7 @@ message RouterShard { // TLSConfig defines config used to secure a route and provide termination // // +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow" -// +kubebuilder:validation:XValidation:rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteExternalCertificate,rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate" message TLSConfig { // termination indicates the TLS termination type. // @@ -464,6 +464,7 @@ message TLSConfig { // The router service account needs to be granted with read-only access to this secret, // please refer to openshift docs for additional details. // + // +openshift:enable:FeatureGate=RouteExternalCertificate // +optional optional LocalObjectReference externalCertificate = 7; } diff --git a/vendor/github.com/openshift/api/route/v1/types.go b/vendor/github.com/openshift/api/route/v1/types.go index 41f362fdf4..35c4064825 100644 --- a/vendor/github.com/openshift/api/route/v1/types.go +++ b/vendor/github.com/openshift/api/route/v1/types.go 
@@ -422,7 +422,7 @@ type RouterShard struct {
 // TLSConfig defines config used to secure a route and provide termination
 //
 // +kubebuilder:validation:XValidation:rule="has(self.termination) && has(self.insecureEdgeTerminationPolicy) ? !((self.termination=='passthrough') && (self.insecureEdgeTerminationPolicy=='Allow')) : true", message="cannot have both spec.tls.termination: passthrough and spec.tls.insecureEdgeTerminationPolicy: Allow"
-// +kubebuilder:validation:XValidation:rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteExternalCertificate,rule="!(has(self.certificate) && has(self.externalCertificate))", message="cannot have both spec.tls.certificate and spec.tls.externalCertificate"
 type TLSConfig struct {
 // termination indicates the TLS termination type.
 //
@@ -475,6 +475,7 @@ type TLSConfig struct {
 // The router service account needs to be granted with read-only access to this secret,
 // please refer to openshift docs for additional details.
 //
+ // +openshift:enable:FeatureGate=RouteExternalCertificate
 // +optional
 ExternalCertificate *LocalObjectReference `json:"externalCertificate,omitempty" protobuf:"bytes,7,opt,name=externalCertificate"`
 }
diff --git a/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
index 33666eba4b..0277ba2f32 100644
--- a/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -4,7 +4,8 @@ routes.route.openshift.io: CRDName: routes.route.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: - RouteExternalCertificate FilenameOperatorName: "" FilenameOperatorOrdering: "" FilenameRunLevel: ""
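Review bot: The certificate/externalCertificate exclusivity rule on TLSConfig (hunk @@ -422) is now emitted only when the RouteExternalCertificate gate is enabled, so on a cluster with the gate off the served schema no longer rejects a Route that sets both fields, and whether externalCertificate is then dropped or retained depends on the CRD generator, which this diff does not show. That difference matters operationally, because silently serving the inline certificate is a different outcome from a validation error, and nothing in the field's doc comment mentions it. I would add to the externalCertificate comment in hunk @@ -475: `// When the RouteExternalCertificate feature gate is disabled this field is not part of the served schema and the certificate/externalCertificate exclusivity rule is not enforced.` The generated.proto hunk above carries the same marker and will pick the wording up on regeneration.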
diff --git a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/types.go b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/types.go
index 34dcc153d7..43ea0cffe3 100644
--- a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/types.go
+++ b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/types.go
@@ -62,6 +62,15 @@ type JWTAuthenticator struct {
 // The validation rules are logically ANDed together and must all return true for the validation to pass.
 // +optional
 UserValidationRules []UserValidationRule
+
+ // externalClaimSources is an optional field that can be used to configure
+ // sources, external to the token provided in a request, in which claims
+ // should be fetched from and made available to the claim mapping process
+ // that is used to build the identity of a token holder.
+ // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.
+ // externalClaimSources must not exceed 5 entries.
+ // +optional
+ ExternalClaimsSources []ExternalClaimsSource
 }
 // Issuer provides the configuration for an external provider's specific settings.
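Review bot: The doc comment on the new JWTAuthenticator field calls it `externalClaimSources` while the field itself is `ExternalClaimsSources` (and the v1alpha1 hunk below serialises it as `externalClaimsSources`), so generated API documentation will name a key that does not exist in the config. Change the two comment lines to `// externalClaimsSources is an optional field that can be used to configure` and `// externalClaimsSources must not exceed 5 entries.` so the name matches the JSON key. The v1alpha1 types.go hunk at @@ -62 further down has the same mismatch and should be corrected in the same way.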
@@ -337,3 +346,210 @@ type UserValidationRule struct {
 // +optional
 Message string
 }
+
+// ExternalClaimsSource provides the configuration for a single external claim source.
+type ExternalClaimsSource struct {
+ // authentication is an optional field that configures how the apiserver authenticates with an external claims source.
+ // When not specified, anonymous authentication is used.
+ // +optional
+ Authentication *Authentication
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching external claims from this source.
+ // At least one subfield must be set when this field is specified.
+ // +optional
+ TLS *TLS
+ // url is a required configuration of the URL
+ // for which the external claims are located.
+ // +required
+ URL *SourceURL
+ // mappings is a required list of the claim
+ // and response handling expression pairs
+ // that produces the claims from the external source.
+ // mappings must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have a unique name across all external claim sources.
+ //
+ // WARNING: claims sourced using these mappings will override any claims
+ // that exist within the token during the claim-to-identity mapping
+ // process. Use caution when sourcing external claims to avoid unintentionally
+ // overriding token claims. To help guard against this, sourcing
+ // external claims can have guard conditions defined in the 'conditions'
+ // field.
+ //
+ // +required
+ Mappings []SourcedClaimMapping
+ // conditions is an optional list of conditions in
+ // which claims should attempt to be fetched from this
+ // external source.
+ // When omitted or empty, claims are always attempted to be fetched
+ // from this external source.
+ // When specified, all conditions must evaluate to 'true'
+ // before claims are attempted to be fetched from this external source.
+ // conditions must not exceed 16 entries.
+ // Entries must have unique expressions.
+ // +optional
+ Conditions []ExternalSourceCondition
+}
+
+// TLS configures the TLS options that the apiserver uses as a client
+// when making a request to the external claim source.
+// At least one field must be set when specified.
+type TLS struct {
+ // certificateAuthority is an optional field that configures the certificate authority
+ // used to validate TLS connections with the external claims source.
+ // Must not be empty and must be a valid PEM-encoded certificate.
+ // +optional
+ CertificateAuthority *string
+}
+
+func (t *TLS) IsZero() bool {
+ return t.CertificateAuthority == nil
+}
+
+// Authentication configures how the apiserver should attempt to authenticate
+// with an external claims source.
+type Authentication struct {
+ // type is a required field that sets the type of
+ // authentication method used by the authenticator
+ // when fetching external claims.
+ //
+ // Allowed values are 'RequestProvidedToken' and 'ClientCredential'.
+ //
+ // When set to 'RequestProvidedToken', the authenticator will
+ // use the token provided to the kube-apiserver as part of the
+ // request to authenticate with the external claims source.
+ //
+ // When set to 'ClientCredential', the authenticator will
+ // use the configured client-id, client-secret, and token endpoint
+ // to fetch an access token using the OAuth2 client credentials grant
+ // flow. The fetched access token will then be used to authenticate
+ // with the external claims source.
+ // +required
+ Type *AuthenticationType
+
+ // clientCredential configures the client credentials
+ // and token endpoint to use to get an access token.
+ // This field must be set when type is ClientCredential.
+ // This field must not be set when type is not ClientCredential.
+ // +optional
+ ClientCredential *ClientCredentialConfig
+}
+
+// AuthenticationType is the type of authentication that should be used
+// when fetching claims from an external source.
+type AuthenticationType string
+
+const (
+ // AuthenticationTypeRequestProvidedToken is an AuthenticationType
+ // that represents that the token being evaluated for authentication
+ // should be used for authenticating with the external claims source.
+ // This is useful for scenarios where a token has multiple audiences
+ // and scopes so that it can be used to access both the cluster and
+ // the UserInfo endpoint that contains additional information about the
+ // user not present in the token.
+ AuthenticationTypeRequestProvidedToken AuthenticationType = "RequestProvidedToken"
+
+ // AuthenticationTypeClientCredential is an AuthenticationType
+ // that represents that the authenticator should use the OAuth2
+ // client credentials grant flow to obtain an access token for
+ // authenticating with the external claims source.
+ // This is useful for scenarios such as fetching user information
+ // from Microsoft's Graph API where a separate client credential
+ // is needed to access the API.
+ AuthenticationTypeClientCredential AuthenticationType = "ClientCredential"
+)
+
+// ClientCredentialConfig configures the client credentials and token endpoint
+// to use to get an access token via the OAuth2 client credentials grant flow.
+type ClientCredentialConfig struct {
+ // clientID is the client identifier to use during the OAuth2 client credentials flow.
+ // clientID must not be an empty string ("").
+ // clientID must only contain printable ASCII characters.
+ // +required
+ ClientID string
+
+ // clientSecret is the client secret to use during the OAuth2 client credentials flow.
+ // clientSecret is the literal string value of the client secret.
+ // clientSecret must not be an empty string ("").
+ // clientSecret must only contain printable ASCII characters.
+ // +required
+ ClientSecret string
+
+ // tokenEndpoint is a required URL to query for an access token using
+ // the client credential OAuth2 flow.
+ // tokenEndpoint must not be an empty string ("").
+ // tokenEndpoint must be a valid HTTPS URL.
+ // tokenEndpoint must have a host and a path.
+ // tokenEndpoint must not contain query parameters, fragments,
+ // or user information (e.g., "user:password@host").
+ // +required
+ TokenEndpoint string
+
+ // scopes is an optional list of OAuth2 scopes to request when obtaining
+ // an access token. If not specified, the token endpoint's default scopes
+ // will be used. Each scope must not be an empty string ("").
+ // +optional
+ Scopes []string
+
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching an access token for this source.
+ // At least one subfield must be set when this field is specified.
+ // +optional
+ TLS *TLS
+}
+
+// SourceURL configures the options used to build the URL that is queried for external claims.
+type SourceURL struct {
+ // hostname is a required hostname for which the external claims are located.
+ // It must be a valid DNS subdomain name as per RFC1123.
+ // This means that it must start and end with a lowercase alphanumeric character,
+ // must only consist of lowercase alphanumeric characters, '-', and '.'.
+ // hostname must not be an empty string ("") and must not exceed 253 characters in length.
+ // hostname may optionally specify a port in the format ':{port}'.
+ // +required
+ Hostname *string
+ // pathExpression is a required CEL expression that returns a list
+ // of string values used to construct the URL path.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must not be an empty string ("").
+ // +required
+ PathExpression *string
+}
+
+// SourcedClaimMapping configures the mapping behavior for a single external claim
+// from the response the apiserver received from the external claim source.
+type SourcedClaimMapping struct {
+ // name is a required name of the claim that
+ // will be produced and made available during
+ // the claim-to-identity mapping process.
+ // name must consist of only lowercase alpha characters and underscores ('_').
+ // name must not be an empty string ("") and must not exceed 256 characters in length.
+ // +required
+ Name *string
+
+ // expression is a required CEL expression that
+ // will produce a value to be assigned to the claim.
+ // The full response body from the request to the
+ // external claim source is provided via the
+ // `response` variable.
+ // expression must not be an empty string ("").
+ // +required
+ Expression *string
+}
+
+// ExternalSourceCondition configures a singular condition
+// that must return true before the external source is queried
+// to retrieve external claims.
+type ExternalSourceCondition struct {
+ // expression is a required CEL expression that
+ // is used to determine whether or not an external
+ // source should be used to fetch external claims.
+ // The expression must return a boolean value,
+ // where true means that the source should be consulted
+ // and false means that it should not.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must not be an empty string ("").
+ // +required
+ Expression *string
+}
diff --git a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/types.go b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/types.go
index 4493db0c19..e354e81ad0 100644
--- a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/types.go
+++ b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/types.go
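Review bot: SourceURL documents what pathExpression returns but not how the returned strings become a request path, even though they are derived from the caller's bearer-token claims and are spliced into a URL sent to hostname; the comment also never states the scheme, while tokenEndpoint on ClientCredentialConfig is explicitly required to be HTTPS. If the implementation percent-encodes each returned value and always builds an https URL, say so on pathExpression, e.g. `// Each returned value is percent-encoded and joined with '/' to form the path of an https URL to hostname.`; if it does not, that encoding is the validation to add, since a claim value containing '/' or '..' would otherwise change which resource on the host is queried. `ClientSecret string` holds the secret inline and nothing marks it as sensitive; I would add under its existing comment `// clientSecret is sensitive and must not be logged, included in %+v/String() output, or surfaced in status.` The exported method `IsZero` on TLS has no doc comment; `// IsZero reports whether no TLS option has been set.` satisfies the convention.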
@@ -62,6 +62,15 @@ type JWTAuthenticator struct {
 // The validation rules are logically ANDed together and must all return true for the validation to pass.
 // +optional
 UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
+
+ // externalClaimSources is an optional field that can be used to configure
+ // sources, external to the token provided in a request, in which claims
+ // should be fetched from and made available to the claim mapping process
+ // that is used to build the identity of a token holder.
+ // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint.
+ // externalClaimSources must not exceed 5 entries.
+ // +optional
+ ExternalClaimsSources []ExternalClaimsSource `json:"externalClaimsSources,omitempty"`
 }
 // Issuer provides the configuration for an external provider's specific settings.
@@ -337,3 +346,207 @@ type UserValidationRule struct {
 // +optional
 Message string `json:"message,omitempty"`
 }
+
+// ExternalClaimsSource provides the configuration for a single external claim source.
+type ExternalClaimsSource struct {
+ // authentication is an optional field that configures how the apiserver authenticates with an external claims source.
+ // When not specified, anonymous authentication is used.
+ // +optional
+ Authentication *Authentication `json:"authentication,omitempty"`
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching external claims from this source.
+ // At least one subfield must be set when this field is specified.
+ // +optional
+ TLS *TLS `json:"tls,omitempty"`
+ // url is a required configuration of the URL
+ // for which the external claims are located.
+ // +required
+ URL *SourceURL `json:"url,omitempty"`
+ // mappings is a required list of the claim
+ // and response handling expression pairs
+ // that produces the claims from the external source.
+ //
+ // mappings must have at least 1 entry and must not exceed 16 entries.
+ // Entries must have a unique name across all external claim sources.
+ //
+ // WARNING: claims sourced using these mappings will override any claims
+ // that exist within the token during the claim-to-identity mapping
+ // process. Use caution when sourcing external claims to avoid unintentionally
+ // overriding token claims. To help guard against this, sourcing
+ // external claims can have guard conditions defined in the 'conditions'
+ // field.
+ //
+ // +required
+ Mappings []SourcedClaimMapping `json:"mappings,omitempty"`
+ // conditions is an optional list of conditions in
+ // which claims should attempt to be fetched from this
+ // external source.
+ // When omitted or empty, claims are always attempted to be fetched
+ // from this external source.
+ // When specified, all conditions must evaluate to 'true'
+ // before claims are attempted to be fetched from this external source.
+ // conditions must not exceed 16 entries.
+ // Entries must have unique expressions.
+ // +optional
+ Conditions []ExternalSourceCondition `json:"conditions,omitempty"`
+}
+
+// TLS configures the TLS options that the apiserver uses as a client
+// when making a request to the external claim source.
+// At least one field must be set when specified.
+type TLS struct {
+ // certificateAuthority is an optional field that configures the certificate authority
+ // used to validate TLS connections with the external claims source.
+ // Must not be empty and must be a valid PEM-encoded certificate.
+ // +optional
+ CertificateAuthority *string `json:"certificateAuthority,omitempty"`
+}
+
+// Authentication configures how the apiserver should attempt to authenticate
+// with an external claims source.
+type Authentication struct {
+ // type is a required field that sets the type of
+ // authentication method used by the authenticator
+ // when fetching external claims.
+ //
+ // Allowed values are 'RequestProvidedToken' and 'ClientCredential'.
+ //
+ // When set to 'RequestProvidedToken', the authenticator will
+ // use the token provided to the kube-apiserver as part of the
+ // request to authenticate with the external claims source.
+ //
+ // When set to 'ClientCredential', the authenticator will
+ // use the configured client-id, client-secret, and token endpoint
+ // to fetch an access token using the OAuth2 client credentials grant
+ // flow. The fetched access token will then be used to authenticate
+ // with the external claims source.
+ // +required
+ Type *AuthenticationType `json:"type,omitempty"`
+
+ // clientCredential configures the client credentials
+ // and token endpoint to use to get an access token.
+ // This field must be set when type is ClientCredential.
+ // This field must not be set when type is not ClientCredential.
+ // +optional
+ ClientCredential *ClientCredentialConfig `json:"clientCredential,omitempty"`
+}
+
+// AuthenticationType is the type of authentication that should be used
+// when fetching claims from an external source.
+type AuthenticationType string
+
+const (
+ // AuthenticationTypeRequestProvidedToken is an AuthenticationType
+ // that represents that the token being evaluated for authentication
+ // should be used for authenticating with the external claims source.
+ // This is useful for scenarios where a token has multiple audiences
+ // and scopes so that it can be used to access both the cluster and
+ // the UserInfo endpoint that contains additional information about the
+ // user not present in the token.
+ AuthenticationTypeRequestProvidedToken AuthenticationType = "RequestProvidedToken"
+
+ // AuthenticationTypeClientCredential is an AuthenticationType
+ // that represents that the authenticator should use the OAuth2
+ // client credentials grant flow to obtain an access token for
+ // authenticating with the external claims source.
+ // This is useful for scenarios such as fetching user information
+ // from Microsoft's Graph API where a separate client credential
+ // is needed to access the API.
+ AuthenticationTypeClientCredential AuthenticationType = "ClientCredential"
+)
+
+// ClientCredentialConfig configures the client credentials and token endpoint
+// to use to get an access token via the OAuth2 client credentials grant flow.
+type ClientCredentialConfig struct {
+ // clientID is the client identifier to use during the OAuth2 client credentials flow.
+ // clientID must not be an empty string ("").
+ // clientID must only contain printable ASCII characters.
+ // +required
+ ClientID string `json:"clientID,omitempty"`
+
+ // clientSecret is the client secret to use during the OAuth2 client credentials flow.
+ // clientSecret is the literal string value of the client secret.
+ // clientSecret must not be an empty string ("").
+ // clientSecret must only contain printable ASCII characters.
+ // +required
+ ClientSecret string `json:"clientSecret,omitempty"`
+
+ // tokenEndpoint is a required URL to query for an access token using
+ // the client credential OAuth2 flow.
+ // tokenEndpoint must not be an empty string ("").
+ // tokenEndpoint must be a valid HTTPS URL.
+ // tokenEndpoint must have a host and a path.
+ // tokenEndpoint must not contain query parameters, fragments,
+ // or user information (e.g., "user:password@host").
+ // +required
+ TokenEndpoint string `json:"tokenEndpoint,omitempty"`
+
+ // scopes is an optional list of OAuth2 scopes to request when obtaining
+ // an access token. If not specified, the token endpoint's default scopes
+ // will be used. Each scope must not be an empty string ("").
+ // +optional
+ Scopes []string `json:"scopes,omitempty"`
+
+ // tls is an optional field that configures the http client TLS
+ // settings when fetching an access token for this source.
+ // At least one subfield must be set when this field is specified.
+ // +optional
+ TLS *TLS `json:"tls,omitempty"`
+}
+
+// SourceURL configures the options used to build the URL that is queried for external claims.
+type SourceURL struct {
+ // hostname is a required hostname for which the external claims are located.
+ // It must be a valid DNS subdomain name as per RFC1123.
+ // This means that it must start and end with a lowercase alphanumeric character,
+ // must only consist of lowercase alphanumeric characters, '-', and '.'.
+ // hostname must not be an empty string ("") and must not exceed 253 characters in length.
+ // hostname may optionally specify a port in the format ':{port}'.
+ // +required
+ Hostname *string `json:"hostname,omitempty"`
+ // pathExpression is a required CEL expression that returns a list
+ // of string values used to construct the URL path.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must not be an empty string ("").
+ // +required
+ PathExpression *string `json:"pathExpression,omitempty"`
+}
+
+// SourcedClaimMapping configures the mapping behavior for a single external claim
+// from the response the apiserver received from the external claim source.
+type SourcedClaimMapping struct {
+ // name is a required name of the claim that
+ // will be produced and made available during
+ // the claim-to-identity mapping process.
+ // name must consist of only lowercase alpha characters and underscores ('_').
+ // name must not be an empty string ("") and must not exceed 256 characters in length.
+ // +required
+ Name *string `json:"name,omitempty"`
+
+ // expression is a required CEL expression that
+ // will produce a value to be assigned to the claim.
+ // The full response body from the request to the
+ // external claim source is provided via the
+ // `response` variable.
+ // expression must not be an empty string ("").
+ // +required
+ Expression *string `json:"expression,omitempty"`
+}
+
+// ExternalSourceCondition configures a singular condition
+// that must return true before the external source is queried
+// to retrieve external claims.
+type ExternalSourceCondition struct {
+ // expression is a required CEL expression that
+ // is used to determine whether or not an external
+ // source should be used to fetch external claims.
+ // The expression must return a boolean value,
+ // where true means that the source should be consulted
+ // and false means that it should not.
+ // Claims from the token used for the request to the kube-apiserver
+ // are made available via the `claims` variable.
+ // expression must not be an empty string ("").
+ // +required
+ Expression *string `json:"expression,omitempty"`
+}
diff --git a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.conversion.go b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.conversion.go index 8e0c14e7a6..307f5a47d3 100644 --- a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.conversion.go +++ b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.conversion.go @@ -20,6 +20,16 @@ func init() { // RegisterConversions adds conversion functions to the given scheme. // Public to allow building arbitrary schemes. func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*Authentication)(nil), (*authentication.Authentication)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_Authentication_To_authentication_Authentication(a.(*Authentication), b.(*authentication.Authentication), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.Authentication)(nil), (*Authentication)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_Authentication_To_v1alpha1_Authentication(a.(*authentication.Authentication), b.(*Authentication), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*AuthenticationConfiguration)(nil), (*authentication.AuthenticationConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_AuthenticationConfiguration_To_authentication_AuthenticationConfiguration(a.(*AuthenticationConfiguration), b.(*authentication.AuthenticationConfiguration), scope) }); err != nil { 
@@ -60,6 +70,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*ClientCredentialConfig)(nil), (*authentication.ClientCredentialConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_ClientCredentialConfig_To_authentication_ClientCredentialConfig(a.(*ClientCredentialConfig), b.(*authentication.ClientCredentialConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.ClientCredentialConfig)(nil), (*ClientCredentialConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_ClientCredentialConfig_To_v1alpha1_ClientCredentialConfig(a.(*authentication.ClientCredentialConfig), b.(*ClientCredentialConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*ExternalClaimsSource)(nil), (*authentication.ExternalClaimsSource)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_ExternalClaimsSource_To_authentication_ExternalClaimsSource(a.(*ExternalClaimsSource), b.(*authentication.ExternalClaimsSource), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.ExternalClaimsSource)(nil), (*ExternalClaimsSource)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_ExternalClaimsSource_To_v1alpha1_ExternalClaimsSource(a.(*authentication.ExternalClaimsSource), b.(*ExternalClaimsSource), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*ExternalSourceCondition)(nil), (*authentication.ExternalSourceCondition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_ExternalSourceCondition_To_authentication_ExternalSourceCondition(a.(*ExternalSourceCondition), b.(*authentication.ExternalSourceCondition), scope) + }); err != nil { + return err + } + if err := 
s.AddGeneratedConversionFunc((*authentication.ExternalSourceCondition)(nil), (*ExternalSourceCondition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_ExternalSourceCondition_To_v1alpha1_ExternalSourceCondition(a.(*authentication.ExternalSourceCondition), b.(*ExternalSourceCondition), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ExtraMapping)(nil), (*authentication.ExtraMapping)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_ExtraMapping_To_authentication_ExtraMapping(a.(*ExtraMapping), b.(*authentication.ExtraMapping), scope) }); err != nil { 
@@ -100,6 +140,36 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*SourceURL)(nil), (*authentication.SourceURL)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_SourceURL_To_authentication_SourceURL(a.(*SourceURL), b.(*authentication.SourceURL), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.SourceURL)(nil), (*SourceURL)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_SourceURL_To_v1alpha1_SourceURL(a.(*authentication.SourceURL), b.(*SourceURL), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*SourcedClaimMapping)(nil), (*authentication.SourcedClaimMapping)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_SourcedClaimMapping_To_authentication_SourcedClaimMapping(a.(*SourcedClaimMapping), b.(*authentication.SourcedClaimMapping), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.SourcedClaimMapping)(nil), (*SourcedClaimMapping)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_SourcedClaimMapping_To_v1alpha1_SourcedClaimMapping(a.(*authentication.SourcedClaimMapping), b.(*SourcedClaimMapping), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*TLS)(nil), (*authentication.TLS)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_TLS_To_authentication_TLS(a.(*TLS), b.(*authentication.TLS), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.TLS)(nil), (*TLS)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_TLS_To_v1alpha1_TLS(a.(*authentication.TLS), b.(*TLS), scope) + }); err != nil { + return err + } if err := 
s.AddGeneratedConversionFunc((*UserValidationRule)(nil), (*authentication.UserValidationRule)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_UserValidationRule_To_authentication_UserValidationRule(a.(*UserValidationRule), b.(*authentication.UserValidationRule), scope) }); err != nil { 
@@ -113,6 +183,28 @@ func RegisterConversions(s *runtime.Scheme) error { return nil } +func autoConvert_v1alpha1_Authentication_To_authentication_Authentication(in *Authentication, out *authentication.Authentication, s conversion.Scope) error { + out.Type = (*authentication.AuthenticationType)(unsafe.Pointer(in.Type)) + out.ClientCredential = (*authentication.ClientCredentialConfig)(unsafe.Pointer(in.ClientCredential)) + return nil +} + +// Convert_v1alpha1_Authentication_To_authentication_Authentication is an autogenerated conversion function. +func Convert_v1alpha1_Authentication_To_authentication_Authentication(in *Authentication, out *authentication.Authentication, s conversion.Scope) error { + return autoConvert_v1alpha1_Authentication_To_authentication_Authentication(in, out, s) +} + +func autoConvert_authentication_Authentication_To_v1alpha1_Authentication(in *authentication.Authentication, out *Authentication, s conversion.Scope) error { + out.Type = (*AuthenticationType)(unsafe.Pointer(in.Type)) + out.ClientCredential = (*ClientCredentialConfig)(unsafe.Pointer(in.ClientCredential)) + return nil +} + +// Convert_authentication_Authentication_To_v1alpha1_Authentication is an autogenerated conversion function. +func Convert_authentication_Authentication_To_v1alpha1_Authentication(in *authentication.Authentication, out *Authentication, s conversion.Scope) error { + return autoConvert_authentication_Authentication_To_v1alpha1_Authentication(in, out, s) +} + func autoConvert_v1alpha1_AuthenticationConfiguration_To_authentication_AuthenticationConfiguration(in *AuthenticationConfiguration, out *authentication.AuthenticationConfiguration, s conversion.Scope) error { out.JWT = *(*[]authentication.JWTAuthenticator)(unsafe.Pointer(&in.JWT)) return nil 
@@ -219,6 +311,82 @@ func Convert_authentication_ClaimValidationRule_To_v1alpha1_ClaimValidationRule( return autoConvert_authentication_ClaimValidationRule_To_v1alpha1_ClaimValidationRule(in, out, s) } +func autoConvert_v1alpha1_ClientCredentialConfig_To_authentication_ClientCredentialConfig(in *ClientCredentialConfig, out *authentication.ClientCredentialConfig, s conversion.Scope) error { + out.ClientID = in.ClientID + out.ClientSecret = in.ClientSecret + out.TokenEndpoint = in.TokenEndpoint + out.Scopes = *(*[]string)(unsafe.Pointer(&in.Scopes)) + out.TLS = (*authentication.TLS)(unsafe.Pointer(in.TLS)) + return nil +} + +// Convert_v1alpha1_ClientCredentialConfig_To_authentication_ClientCredentialConfig is an autogenerated conversion function. +func Convert_v1alpha1_ClientCredentialConfig_To_authentication_ClientCredentialConfig(in *ClientCredentialConfig, out *authentication.ClientCredentialConfig, s conversion.Scope) error { + return autoConvert_v1alpha1_ClientCredentialConfig_To_authentication_ClientCredentialConfig(in, out, s) +} + +func autoConvert_authentication_ClientCredentialConfig_To_v1alpha1_ClientCredentialConfig(in *authentication.ClientCredentialConfig, out *ClientCredentialConfig, s conversion.Scope) error { + out.ClientID = in.ClientID + out.ClientSecret = in.ClientSecret + out.TokenEndpoint = in.TokenEndpoint + out.Scopes = *(*[]string)(unsafe.Pointer(&in.Scopes)) + out.TLS = (*TLS)(unsafe.Pointer(in.TLS)) + return nil +} + +// Convert_authentication_ClientCredentialConfig_To_v1alpha1_ClientCredentialConfig is an autogenerated conversion function. 
+func Convert_authentication_ClientCredentialConfig_To_v1alpha1_ClientCredentialConfig(in *authentication.ClientCredentialConfig, out *ClientCredentialConfig, s conversion.Scope) error { + return autoConvert_authentication_ClientCredentialConfig_To_v1alpha1_ClientCredentialConfig(in, out, s) +} + +func autoConvert_v1alpha1_ExternalClaimsSource_To_authentication_ExternalClaimsSource(in *ExternalClaimsSource, out *authentication.ExternalClaimsSource, s conversion.Scope) error { + out.Authentication = (*authentication.Authentication)(unsafe.Pointer(in.Authentication)) + out.TLS = (*authentication.TLS)(unsafe.Pointer(in.TLS)) + out.URL = (*authentication.SourceURL)(unsafe.Pointer(in.URL)) + out.Mappings = *(*[]authentication.SourcedClaimMapping)(unsafe.Pointer(&in.Mappings)) + out.Conditions = *(*[]authentication.ExternalSourceCondition)(unsafe.Pointer(&in.Conditions)) + return nil +} + +// Convert_v1alpha1_ExternalClaimsSource_To_authentication_ExternalClaimsSource is an autogenerated conversion function. +func Convert_v1alpha1_ExternalClaimsSource_To_authentication_ExternalClaimsSource(in *ExternalClaimsSource, out *authentication.ExternalClaimsSource, s conversion.Scope) error { + return autoConvert_v1alpha1_ExternalClaimsSource_To_authentication_ExternalClaimsSource(in, out, s) +} + +func autoConvert_authentication_ExternalClaimsSource_To_v1alpha1_ExternalClaimsSource(in *authentication.ExternalClaimsSource, out *ExternalClaimsSource, s conversion.Scope) error { + out.Authentication = (*Authentication)(unsafe.Pointer(in.Authentication)) + out.TLS = (*TLS)(unsafe.Pointer(in.TLS)) + out.URL = (*SourceURL)(unsafe.Pointer(in.URL)) + out.Mappings = *(*[]SourcedClaimMapping)(unsafe.Pointer(&in.Mappings)) + out.Conditions = *(*[]ExternalSourceCondition)(unsafe.Pointer(&in.Conditions)) + return nil +} + +// Convert_authentication_ExternalClaimsSource_To_v1alpha1_ExternalClaimsSource is an autogenerated conversion function. 
+func Convert_authentication_ExternalClaimsSource_To_v1alpha1_ExternalClaimsSource(in *authentication.ExternalClaimsSource, out *ExternalClaimsSource, s conversion.Scope) error { + return autoConvert_authentication_ExternalClaimsSource_To_v1alpha1_ExternalClaimsSource(in, out, s) +} + +func autoConvert_v1alpha1_ExternalSourceCondition_To_authentication_ExternalSourceCondition(in *ExternalSourceCondition, out *authentication.ExternalSourceCondition, s conversion.Scope) error { + out.Expression = (*string)(unsafe.Pointer(in.Expression)) + return nil +} + +// Convert_v1alpha1_ExternalSourceCondition_To_authentication_ExternalSourceCondition is an autogenerated conversion function. +func Convert_v1alpha1_ExternalSourceCondition_To_authentication_ExternalSourceCondition(in *ExternalSourceCondition, out *authentication.ExternalSourceCondition, s conversion.Scope) error { + return autoConvert_v1alpha1_ExternalSourceCondition_To_authentication_ExternalSourceCondition(in, out, s) +} + +func autoConvert_authentication_ExternalSourceCondition_To_v1alpha1_ExternalSourceCondition(in *authentication.ExternalSourceCondition, out *ExternalSourceCondition, s conversion.Scope) error { + out.Expression = (*string)(unsafe.Pointer(in.Expression)) + return nil +} + +// Convert_authentication_ExternalSourceCondition_To_v1alpha1_ExternalSourceCondition is an autogenerated conversion function. +func Convert_authentication_ExternalSourceCondition_To_v1alpha1_ExternalSourceCondition(in *authentication.ExternalSourceCondition, out *ExternalSourceCondition, s conversion.Scope) error { + return autoConvert_authentication_ExternalSourceCondition_To_v1alpha1_ExternalSourceCondition(in, out, s) +} + func autoConvert_v1alpha1_ExtraMapping_To_authentication_ExtraMapping(in *ExtraMapping, out *authentication.ExtraMapping, s conversion.Scope) error { out.Key = in.Key out.ValueExpression = in.ValueExpression 
@@ -274,6 +442,7 @@ func autoConvert_v1alpha1_JWTAuthenticator_To_authentication_JWTAuthenticator(in out.ClaimValidationRules = *(*[]authentication.ClaimValidationRule)(unsafe.Pointer(&in.ClaimValidationRules)) out.ClaimMappings = (*authentication.ClaimMappings)(unsafe.Pointer(in.ClaimMappings)) out.UserValidationRules = *(*[]authentication.UserValidationRule)(unsafe.Pointer(&in.UserValidationRules)) + out.ExternalClaimsSources = *(*[]authentication.ExternalClaimsSource)(unsafe.Pointer(&in.ExternalClaimsSources)) return nil } @@ -287,6 +456,7 @@ func autoConvert_authentication_JWTAuthenticator_To_v1alpha1_JWTAuthenticator(in out.ClaimValidationRules = *(*[]ClaimValidationRule)(unsafe.Pointer(&in.ClaimValidationRules)) out.ClaimMappings = (*ClaimMappings)(unsafe.Pointer(in.ClaimMappings)) out.UserValidationRules = *(*[]UserValidationRule)(unsafe.Pointer(&in.UserValidationRules)) + out.ExternalClaimsSources = *(*[]ExternalClaimsSource)(unsafe.Pointer(&in.ExternalClaimsSources)) return nil } 
@@ -319,6 +489,70 @@ func Convert_authentication_PrefixedClaimOrExpression_To_v1alpha1_PrefixedClaimO return autoConvert_authentication_PrefixedClaimOrExpression_To_v1alpha1_PrefixedClaimOrExpression(in, out, s) } +func autoConvert_v1alpha1_SourceURL_To_authentication_SourceURL(in *SourceURL, out *authentication.SourceURL, s conversion.Scope) error { + out.Hostname = (*string)(unsafe.Pointer(in.Hostname)) + out.PathExpression = (*string)(unsafe.Pointer(in.PathExpression)) + return nil +} + +// Convert_v1alpha1_SourceURL_To_authentication_SourceURL is an autogenerated conversion function. +func Convert_v1alpha1_SourceURL_To_authentication_SourceURL(in *SourceURL, out *authentication.SourceURL, s conversion.Scope) error { + return autoConvert_v1alpha1_SourceURL_To_authentication_SourceURL(in, out, s) +} + +func autoConvert_authentication_SourceURL_To_v1alpha1_SourceURL(in *authentication.SourceURL, out *SourceURL, s conversion.Scope) error { + out.Hostname = (*string)(unsafe.Pointer(in.Hostname)) + out.PathExpression = (*string)(unsafe.Pointer(in.PathExpression)) + return nil +} + +// Convert_authentication_SourceURL_To_v1alpha1_SourceURL is an autogenerated conversion function. +func Convert_authentication_SourceURL_To_v1alpha1_SourceURL(in *authentication.SourceURL, out *SourceURL, s conversion.Scope) error { + return autoConvert_authentication_SourceURL_To_v1alpha1_SourceURL(in, out, s) +} + +func autoConvert_v1alpha1_SourcedClaimMapping_To_authentication_SourcedClaimMapping(in *SourcedClaimMapping, out *authentication.SourcedClaimMapping, s conversion.Scope) error { + out.Name = (*string)(unsafe.Pointer(in.Name)) + out.Expression = (*string)(unsafe.Pointer(in.Expression)) + return nil +} + +// Convert_v1alpha1_SourcedClaimMapping_To_authentication_SourcedClaimMapping is an autogenerated conversion function. 
+func Convert_v1alpha1_SourcedClaimMapping_To_authentication_SourcedClaimMapping(in *SourcedClaimMapping, out *authentication.SourcedClaimMapping, s conversion.Scope) error { + return autoConvert_v1alpha1_SourcedClaimMapping_To_authentication_SourcedClaimMapping(in, out, s) +} + +func autoConvert_authentication_SourcedClaimMapping_To_v1alpha1_SourcedClaimMapping(in *authentication.SourcedClaimMapping, out *SourcedClaimMapping, s conversion.Scope) error { + out.Name = (*string)(unsafe.Pointer(in.Name)) + out.Expression = (*string)(unsafe.Pointer(in.Expression)) + return nil +} + +// Convert_authentication_SourcedClaimMapping_To_v1alpha1_SourcedClaimMapping is an autogenerated conversion function. +func Convert_authentication_SourcedClaimMapping_To_v1alpha1_SourcedClaimMapping(in *authentication.SourcedClaimMapping, out *SourcedClaimMapping, s conversion.Scope) error { + return autoConvert_authentication_SourcedClaimMapping_To_v1alpha1_SourcedClaimMapping(in, out, s) +} + +func autoConvert_v1alpha1_TLS_To_authentication_TLS(in *TLS, out *authentication.TLS, s conversion.Scope) error { + out.CertificateAuthority = (*string)(unsafe.Pointer(in.CertificateAuthority)) + return nil +} + +// Convert_v1alpha1_TLS_To_authentication_TLS is an autogenerated conversion function. +func Convert_v1alpha1_TLS_To_authentication_TLS(in *TLS, out *authentication.TLS, s conversion.Scope) error { + return autoConvert_v1alpha1_TLS_To_authentication_TLS(in, out, s) +} + +func autoConvert_authentication_TLS_To_v1alpha1_TLS(in *authentication.TLS, out *TLS, s conversion.Scope) error { + out.CertificateAuthority = (*string)(unsafe.Pointer(in.CertificateAuthority)) + return nil +} + +// Convert_authentication_TLS_To_v1alpha1_TLS is an autogenerated conversion function. 
+func Convert_authentication_TLS_To_v1alpha1_TLS(in *authentication.TLS, out *TLS, s conversion.Scope) error { + return autoConvert_authentication_TLS_To_v1alpha1_TLS(in, out, s) +} + func autoConvert_v1alpha1_UserValidationRule_To_authentication_UserValidationRule(in *UserValidationRule, out *authentication.UserValidationRule, s conversion.Scope) error { out.Expression = in.Expression out.Message = in.Message diff --git a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.deepcopy.go index 1212676a04..d62e0272ee 100644 --- a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1/zz_generated.deepcopy.go @@ -9,6 +9,32 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Authentication) DeepCopyInto(out *Authentication) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(AuthenticationType) + **out = **in + } + if in.ClientCredential != nil { + in, out := &in.ClientCredential, &out.ClientCredential + *out = new(ClientCredentialConfig) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authentication. +func (in *Authentication) DeepCopy() *Authentication { + if in == nil { + return nil + } + out := new(Authentication) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationConfiguration) DeepCopyInto(out *AuthenticationConfiguration) { *out = *in 
@@ -97,6 +123,98 @@ func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientCredentialConfig) DeepCopyInto(out *ClientCredentialConfig) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLS) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCredentialConfig. +func (in *ClientCredentialConfig) DeepCopy() *ClientCredentialConfig { + if in == nil { + return nil + } + out := new(ClientCredentialConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalClaimsSource) DeepCopyInto(out *ExternalClaimsSource) { + *out = *in + if in.Authentication != nil { + in, out := &in.Authentication, &out.Authentication + *out = new(Authentication) + (*in).DeepCopyInto(*out) + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLS) + (*in).DeepCopyInto(*out) + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(SourceURL) + (*in).DeepCopyInto(*out) + } + if in.Mappings != nil { + in, out := &in.Mappings, &out.Mappings + *out = make([]SourcedClaimMapping, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]ExternalSourceCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalClaimsSource. 
+func (in *ExternalClaimsSource) DeepCopy() *ExternalClaimsSource { + if in == nil { + return nil + } + out := new(ExternalClaimsSource) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceCondition) DeepCopyInto(out *ExternalSourceCondition) { + *out = *in + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceCondition. +func (in *ExternalSourceCondition) DeepCopy() *ExternalSourceCondition { + if in == nil { + return nil + } + out := new(ExternalSourceCondition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { *out = *in @@ -157,6 +275,13 @@ func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = make([]UserValidationRule, len(*in)) copy(*out, *in) } + if in.ExternalClaimsSources != nil { + in, out := &in.ExternalClaimsSources, &out.ExternalClaimsSources + *out = make([]ExternalClaimsSource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -191,6 +316,79 @@ func (in *PrefixedClaimOrExpression) DeepCopy() *PrefixedClaimOrExpression { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourceURL) DeepCopyInto(out *SourceURL) { + *out = *in + if in.Hostname != nil { + in, out := &in.Hostname, &out.Hostname + *out = new(string) + **out = **in + } + if in.PathExpression != nil { + in, out := &in.PathExpression, &out.PathExpression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURL. +func (in *SourceURL) DeepCopy() *SourceURL { + if in == nil { + return nil + } + out := new(SourceURL) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourcedClaimMapping) DeepCopyInto(out *SourcedClaimMapping) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcedClaimMapping. +func (in *SourcedClaimMapping) DeepCopy() *SourcedClaimMapping { + if in == nil { + return nil + } + out := new(SourcedClaimMapping) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLS) DeepCopyInto(out *TLS) { + *out = *in + if in.CertificateAuthority != nil { + in, out := &in.CertificateAuthority, &out.CertificateAuthority + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS. 
+func (in *TLS) DeepCopy() *TLS { + if in == nil { + return nil + } + out := new(TLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule) { *out = *in diff --git a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/zz_generated.deepcopy.go b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/zz_generated.deepcopy.go index 51841b827d..1332d28cb1 100644 --- a/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/zz_generated.deepcopy.go @@ -9,6 +9,32 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Authentication) DeepCopyInto(out *Authentication) { + *out = *in + if in.Type != nil { + in, out := &in.Type, &out.Type + *out = new(AuthenticationType) + **out = **in + } + if in.ClientCredential != nil { + in, out := &in.ClientCredential, &out.ClientCredential + *out = new(ClientCredentialConfig) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Authentication. +func (in *Authentication) DeepCopy() *Authentication { + if in == nil { + return nil + } + out := new(Authentication) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AuthenticationConfiguration) DeepCopyInto(out *AuthenticationConfiguration) { *out = *in 
@@ -97,6 +123,98 @@ func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientCredentialConfig) DeepCopyInto(out *ClientCredentialConfig) { + *out = *in + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLS) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientCredentialConfig. +func (in *ClientCredentialConfig) DeepCopy() *ClientCredentialConfig { + if in == nil { + return nil + } + out := new(ClientCredentialConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalClaimsSource) DeepCopyInto(out *ExternalClaimsSource) { + *out = *in + if in.Authentication != nil { + in, out := &in.Authentication, &out.Authentication + *out = new(Authentication) + (*in).DeepCopyInto(*out) + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLS) + (*in).DeepCopyInto(*out) + } + if in.URL != nil { + in, out := &in.URL, &out.URL + *out = new(SourceURL) + (*in).DeepCopyInto(*out) + } + if in.Mappings != nil { + in, out := &in.Mappings, &out.Mappings + *out = make([]SourcedClaimMapping, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]ExternalSourceCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalClaimsSource. 
+func (in *ExternalClaimsSource) DeepCopy() *ExternalClaimsSource { + if in == nil { + return nil + } + out := new(ExternalClaimsSource) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalSourceCondition) DeepCopyInto(out *ExternalSourceCondition) { + *out = *in + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSourceCondition. +func (in *ExternalSourceCondition) DeepCopy() *ExternalSourceCondition { + if in == nil { + return nil + } + out := new(ExternalSourceCondition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) { *out = *in @@ -157,6 +275,13 @@ func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = make([]UserValidationRule, len(*in)) copy(*out, *in) } + if in.ExternalClaimsSources != nil { + in, out := &in.ExternalClaimsSources, &out.ExternalClaimsSources + *out = make([]ExternalClaimsSource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } 
@@ -191,6 +316,79 @@ func (in *PrefixedClaimOrExpression) DeepCopy() *PrefixedClaimOrExpression { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourceURL) DeepCopyInto(out *SourceURL) { + *out = *in + if in.Hostname != nil { + in, out := &in.Hostname, &out.Hostname + *out = new(string) + **out = **in + } + if in.PathExpression != nil { + in, out := &in.PathExpression, &out.PathExpression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURL. +func (in *SourceURL) DeepCopy() *SourceURL { + if in == nil { + return nil + } + out := new(SourceURL) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SourcedClaimMapping) DeepCopyInto(out *SourcedClaimMapping) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcedClaimMapping. +func (in *SourcedClaimMapping) DeepCopy() *SourcedClaimMapping { + if in == nil { + return nil + } + out := new(SourcedClaimMapping) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLS) DeepCopyInto(out *TLS) { + *out = *in + if in.CertificateAuthority != nil { + in, out := &in.CertificateAuthority, &out.CertificateAuthority + *out = new(string) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS. 
+func (in *TLS) DeepCopy() *TLS { + if in == nil { + return nil + } + out := new(TLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule) { *out = *in diff --git a/vendor/modules.txt b/vendor/modules.txt index 41fbf45faf..004cf146df 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -227,7 +227,7 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo github.com/openshift-eng/openshift-tests-extension/pkg/junit github.com/openshift-eng/openshift-tests-extension/pkg/util/sets github.com/openshift-eng/openshift-tests-extension/pkg/version -# github.com/openshift/api v0.0.0-20260521125114-09730f85d883 +# github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3 ## explicit; go 1.25.0 github.com/openshift/api github.com/openshift/api/annotations @@ -466,7 +466,7 @@ github.com/openshift/multi-operator-manager/pkg/flagtypes github.com/openshift/multi-operator-manager/pkg/library/libraryapplyconfiguration github.com/openshift/multi-operator-manager/pkg/library/libraryinputresources github.com/openshift/multi-operator-manager/pkg/library/libraryoutputresources -# github.com/openshift/oauth-apiserver v0.0.0-20260430140618-160ac7fb4ea6 +# github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412 ## explicit; go 1.24.0 github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication github.com/openshift/oauth-apiserver/pkg/externaloidc/apis/authentication/v1alpha1