1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// ConfigMapFileReference references a config map in a specific namespace.
// The namespace must be specified at the point of use.
type ConfigMapFileReference struct {
Name string `json:"name"`
// Key allows pointing to a specific key/value inside of the configmap. This is useful for logical file references.
Key string `json:"key,omitempty"`
}
// ConfigMapNameReference references a config map in a specific namespace.
// The namespace must be specified at the point of use.
type ConfigMapNameReference struct {
// name is the metadata.name of the referenced config map
// +kubebuilder:validation:Required
// +required
Name string `json:"name"`
}
// SecretNameReference references a secret in a specific namespace.
// The namespace must be specified at the point of use.
type SecretNameReference struct {
// name is the metadata.name of the referenced secret
// +kubebuilder:validation:Required
// +required
Name string `json:"name"`
}
// HTTPServingInfo holds configuration for serving HTTP
type HTTPServingInfo struct {
// ServingInfo is the HTTP serving information
ServingInfo `json:",inline"`
// MaxRequestsInFlight is the number of concurrent requests allowed to the server. If zero, no limit.
MaxRequestsInFlight int64 `json:"maxRequestsInFlight"`
// RequestTimeoutSeconds is the number of seconds before requests are timed out. The default is 60 minutes, if
// -1 there is no limit on requests.
RequestTimeoutSeconds int64 `json:"requestTimeoutSeconds"`
}
// ServingInfo holds information about serving web pages
type ServingInfo struct {
// BindAddress is the ip:port to serve on
BindAddress string `json:"bindAddress"`
// BindNetwork is the type of network to bind to - defaults to "tcp4", accepts "tcp",
// "tcp4", and "tcp6"
BindNetwork string `json:"bindNetwork"`
// CertInfo is the TLS cert info for serving secure traffic.
// this is anonymous so that we can inline it for serialization
CertInfo `json:",inline"`
// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
// +optional
ClientCA string `json:"clientCA,omitempty"`
// NamedCertificates is a list of certificates to use to secure requests to specific hostnames
NamedCertificates []NamedCertificate `json:"namedCertificates,omitempty"`
// MinTLSVersion is the minimum TLS version supported.
// Values must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants
MinTLSVersion string `json:"minTLSVersion,omitempty"`
// CipherSuites contains an overridden list of ciphers for the server to support.
// Values must match cipher suite IDs from https://golang.org/pkg/crypto/tls/#pkg-constants
CipherSuites []string `json:"cipherSuites,omitempty"`
}
// CertInfo relates a certificate with a private key
type CertInfo struct {
// CertFile is a file containing a PEM-encoded certificate
CertFile string `json:"certFile"`
// KeyFile is a file containing a PEM-encoded private key for the certificate specified by CertFile
KeyFile string `json:"keyFile"`
}
// NamedCertificate specifies a certificate/key, and the names it should be served for
type NamedCertificate struct {
// Names is a list of DNS names this certificate should be used to secure
// A name can be a normal DNS name, or can contain leading wildcard segments.
Names []string `json:"names,omitempty"`
// CertInfo is the TLS cert info for serving secure traffic
CertInfo `json:",inline"`
}
// LeaderElection provides information to elect a leader
type LeaderElection struct {
// disable allows leader election to be suspended while allowing a fully defaulted "normal" startup case.
Disable bool `json:"disable,omitempty"`
// namespace indicates which namespace the resource is in
Namespace string `json:"namespace,omitempty"`
// name indicates what name to use for the resource
Name string `json:"name,omitempty"`
// leaseDuration is the duration that non-leader candidates will wait
// after observing a leadership renewal until attempting to acquire
// leadership of a led but unrenewed leader slot. This is effectively the
// maximum duration that a leader can be stopped before it is replaced
// by another candidate. This is only applicable if leader election is
// enabled.
// +nullable
LeaseDuration metav1.Duration `json:"leaseDuration"`
// renewDeadline is the interval between attempts by the acting master to
// renew a leadership slot before it stops leading. This must be less
// than or equal to the lease duration. This is only applicable if leader
// election is enabled.
// +nullable
RenewDeadline metav1.Duration `json:"renewDeadline"`
// retryPeriod is the duration the clients should wait between attempting
// acquisition and renewal of a leadership. This is only applicable if
// leader election is enabled.
// +nullable
RetryPeriod metav1.Duration `json:"retryPeriod"`
}
// StringSource allows specifying a string inline, or externally via env var or file.
// When it contains only a string value, it marshals to a simple JSON string.
type StringSource struct {
// StringSourceSpec specifies the string value, or external location
StringSourceSpec `json:",inline"`
}
// StringSourceSpec specifies a string value, or external location
type StringSourceSpec struct {
// Value specifies the cleartext value, or an encrypted value if keyFile is specified.
Value string `json:"value"`
// Env specifies an envvar containing the cleartext value, or an encrypted value if the keyFile is specified.
Env string `json:"env"`
// File references a file containing the cleartext value, or an encrypted value if a keyFile is specified.
File string `json:"file"`
// KeyFile references a file containing the key to use to decrypt the value.
KeyFile string `json:"keyFile"`
}
// RemoteConnectionInfo holds information necessary for establishing a remote connection
type RemoteConnectionInfo struct {
// URL is the remote URL to connect to
URL string `json:"url"`
// CA is the CA for verifying TLS connections
CA string `json:"ca"`
// CertInfo is the TLS client cert information to present
// this is anonymous so that we can inline it for serialization
CertInfo `json:",inline"`
}
type AdmissionConfig struct {
PluginConfig map[string]AdmissionPluginConfig `json:"pluginConfig,omitempty"`
// enabledPlugins is a list of admission plugins that must be on in addition to the default list.
// Some admission plugins are disabled by default, but certain configurations require them. This is fairly uncommon
// and can result in performance penalties and unexpected behavior.
EnabledAdmissionPlugins []string `json:"enabledPlugins,omitempty"`
// disabledPlugins is a list of admission plugins that must be off. Putting something in this list
// is almost always a mistake and likely to result in cluster instability.
DisabledAdmissionPlugins []string `json:"disabledPlugins,omitempty"`
}
// AdmissionPluginConfig holds the necessary configuration options for admission plugins
type AdmissionPluginConfig struct {
// Location is the path to a configuration file that contains the plugin's
// configuration
Location string `json:"location"`
// Configuration is an embedded configuration object to be used as the plugin's
// configuration. If present, it will be used instead of the path to the configuration file.
// +nullable
Configuration runtime.RawExtension `json:"configuration"`
}
type LogFormatType string
type WebHookModeType string
const (
// LogFormatLegacy saves event in 1-line text format.
LogFormatLegacy LogFormatType = "legacy"
// LogFormatJson saves event in structured json format.
LogFormatJson LogFormatType = "json"
// WebHookModeBatch indicates that the webhook should buffer audit events
// internally, sending batch updates either once a certain number of
// events have been received or a certain amount of time has passed.
WebHookModeBatch WebHookModeType = "batch"
// WebHookModeBlocking causes the webhook to block on every attempt to process
// a set of events. This causes requests to the API server to wait for a
// round trip to the external audit service before sending a response.
WebHookModeBlocking WebHookModeType = "blocking"
)
// AuditConfig holds configuration for the audit capabilities
type AuditConfig struct {
// If this flag is set, audit log will be printed in the logs.
// The logs contains, method, user and a requested URL.
Enabled bool `json:"enabled"`
// All requests coming to the apiserver will be logged to this file.
AuditFilePath string `json:"auditFilePath"`
// Maximum number of days to retain old log files based on the timestamp encoded in their filename.
MaximumFileRetentionDays int32 `json:"maximumFileRetentionDays"`
// Maximum number of old log files to retain.
MaximumRetainedFiles int32 `json:"maximumRetainedFiles"`
// Maximum size in megabytes of the log file before it gets rotated. Defaults to 100MB.
MaximumFileSizeMegabytes int32 `json:"maximumFileSizeMegabytes"`
// PolicyFile is a path to the file that defines the audit policy configuration.
PolicyFile string `json:"policyFile"`
// PolicyConfiguration is an embedded policy configuration object to be used
// as the audit policy configuration. If present, it will be used instead of
// the path to the policy file.
// +nullable
PolicyConfiguration runtime.RawExtension `json:"policyConfiguration"`
// Format of saved audits (legacy or json).
LogFormat LogFormatType `json:"logFormat"`
// Path to a .kubeconfig formatted file that defines the audit webhook configuration.
WebHookKubeConfig string `json:"webHookKubeConfig"`
// Strategy for sending audit events (block or batch).
WebHookMode WebHookModeType `json:"webHookMode"`
}
// EtcdConnectionInfo holds information necessary for connecting to an etcd server
type EtcdConnectionInfo struct {
// URLs are the URLs for etcd
URLs []string `json:"urls,omitempty"`
// CA is a file containing trusted roots for the etcd server certificates
CA string `json:"ca"`
// CertInfo is the TLS client cert information for securing communication to etcd
// this is anonymous so that we can inline it for serialization
CertInfo `json:",inline"`
}
type EtcdStorageConfig struct {
EtcdConnectionInfo `json:",inline"`
// StoragePrefix is the path within etcd that the OpenShift resources will
// be rooted under. This value, if changed, will mean existing objects in etcd will
// no longer be located.
StoragePrefix string `json:"storagePrefix"`
}
// GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd
type GenericAPIServerConfig struct {
// servingInfo describes how to start serving
ServingInfo HTTPServingInfo `json:"servingInfo"`
// corsAllowedOrigins
CORSAllowedOrigins []string `json:"corsAllowedOrigins"`
// auditConfig describes how to configure audit information
AuditConfig AuditConfig `json:"auditConfig"`
// storageConfig contains information about how to use
StorageConfig EtcdStorageConfig `json:"storageConfig"`
// admissionConfig holds information about how to configure admission.
AdmissionConfig AdmissionConfig `json:"admission"`
KubeClientConfig KubeClientConfig `json:"kubeClientConfig"`
}
type KubeClientConfig struct {
// kubeConfig is a .kubeconfig filename for going to the owning kube-apiserver. Empty uses an in-cluster-config
KubeConfig string `json:"kubeConfig"`
// connectionOverrides specifies client overrides for system components to loop back to this master.
ConnectionOverrides ClientConnectionOverrides `json:"connectionOverrides"`
}
type ClientConnectionOverrides struct {
// acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
// default value of 'application/json'. This field will control all connections to the server used by a particular
// client.
AcceptContentTypes string `json:"acceptContentTypes"`
// contentType is the content type used when sending data to the server from this client.
ContentType string `json:"contentType"`
// qps controls the number of queries per second allowed for this connection.
QPS float32 `json:"qps"`
// burst allows extra queries to accumulate when a client is exceeding its rate.
Burst int32 `json:"burst"`
}
// GenericControllerConfig provides information to configure a controller
type GenericControllerConfig struct {
// ServingInfo is the HTTP serving information for the controller's endpoints
ServingInfo HTTPServingInfo `json:"servingInfo"`
// leaderElection provides information to elect a leader. Only override this if you have a specific need
LeaderElection LeaderElection `json:"leaderElection"`
// authentication allows configuration of authentication for the endpoints
Authentication DelegatedAuthentication `json:"authentication"`
// authorization allows configuration of authentication for the endpoints
Authorization DelegatedAuthorization `json:"authorization"`
}
// DelegatedAuthentication allows authentication to be disabled.
type DelegatedAuthentication struct {
// disabled indicates that authentication should be disabled. By default it will use delegated authentication.
Disabled bool `json:"disabled,omitempty"`
}
// DelegatedAuthorization allows authorization to be disabled.
type DelegatedAuthorization struct {
// disabled indicates that authorization should be disabled. By default it will use delegated authorization.
Disabled bool `json:"disabled,omitempty"`
}
|
