-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Peefy <[email protected]>
- Loading branch information
Showing
36 changed files
with
27,337 additions
and
936 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,209 @@ | ||
""" | ||
This file was generated by the KCL auto-gen tool. DO NOT EDIT. | ||
Editing this file might prove futile when you re-run the KCL auto-gen generate command. | ||
""" | ||
import k8s.apimachinery.pkg.apis.meta.v1 | ||
|
||
|
||
schema APIServer: | ||
r""" | ||
APIServer holds configuration (like serving certificates, client CA and CORS domains) shared by all API servers in the system, among them especially kube-apiserver and openshift-apiserver. The canonical name of an instance is 'cluster'. | ||
|
||
Attributes | ||
---------- | ||
apiVersion : str, default is "config.openshift.io/v1", required | ||
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | ||
kind : str, default is "APIServer", required | ||
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | ||
metadata : v1.ObjectMeta, default is Undefined, optional | ||
metadata | ||
spec : ConfigOpenshiftIoV1APIServerSpec, default is Undefined, required | ||
spec | ||
status : any, default is Undefined, optional | ||
status | ||
""" | ||
|
||
|
||
apiVersion: "config.openshift.io/v1" = "config.openshift.io/v1" | ||
|
||
kind: "APIServer" = "APIServer" | ||
|
||
metadata?: v1.ObjectMeta | ||
|
||
spec: ConfigOpenshiftIoV1APIServerSpec | ||
|
||
status?: any | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpec: | ||
r""" | ||
config openshift io v1 API server spec | ||
|
||
Attributes | ||
---------- | ||
additionalCORSAllowedOrigins : [str], default is Undefined, optional | ||
additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language. | ||
clientCA : ConfigOpenshiftIoV1APIServerSpecClientCA, default is Undefined, optional | ||
client c a | ||
encryption : ConfigOpenshiftIoV1APIServerSpecEncryption, default is Undefined, optional | ||
encryption | ||
servingCerts : ConfigOpenshiftIoV1APIServerSpecServingCerts, default is Undefined, optional | ||
serving certs | ||
tlsSecurityProfile : ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfile, default is Undefined, optional | ||
tls security profile | ||
""" | ||
|
||
|
||
additionalCORSAllowedOrigins?: [str] | ||
|
||
clientCA?: ConfigOpenshiftIoV1APIServerSpecClientCA | ||
|
||
encryption?: ConfigOpenshiftIoV1APIServerSpecEncryption | ||
|
||
servingCerts?: ConfigOpenshiftIoV1APIServerSpecServingCerts | ||
|
||
tlsSecurityProfile?: ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfile | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecClientCA: | ||
r""" | ||
clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. You usually only have to set this if you have your own PKI you wish to honor client certificates from. The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - ConfigMap.Data["ca-bundle.crt"] - CA bundle. | ||
|
||
Attributes | ||
---------- | ||
name : str, default is Undefined, required | ||
name is the metadata.name of the referenced config map | ||
""" | ||
|
||
|
||
name: str | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecEncryption: | ||
r""" | ||
encryption allows the configuration of encryption of resources at the datastore layer. | ||
|
||
Attributes | ||
---------- | ||
$type : str, default is Undefined, optional | ||
type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices. | ||
When encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is: | ||
1. secrets 2. configmaps 3. routes.route.openshift.io 4. oauthaccesstokens.oauth.openshift.io 5. oauthauthorizetokens.oauth.openshift.io | ||
""" | ||
|
||
|
||
$type?: "" | "identity" | "aescbc" | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecServingCerts: | ||
r""" | ||
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates will be used for serving secure traffic. | ||
|
||
Attributes | ||
---------- | ||
namedCertificates : [ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0], default is Undefined, optional | ||
namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. If no named certificates are provided, or no named certificates match the server name as understood by a client, the defaultServingCertificate will be used. | ||
""" | ||
|
||
|
||
namedCertificates?: [ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0] | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0: | ||
r""" | ||
APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate. | ||
|
||
Attributes | ||
---------- | ||
names : [str], default is Undefined, optional | ||
names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. | ||
servingCertificate : ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0ServingCertificate, default is Undefined, optional | ||
serving certificate | ||
""" | ||
|
||
|
||
names?: [str] | ||
|
||
servingCertificate?: ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0ServingCertificate | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecServingCertsNamedCertificatesItems0ServingCertificate: | ||
r""" | ||
servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. The secret must exist in the openshift-config namespace and contain the following required fields: - Secret.Data["tls.key"] - TLS private key. - Secret.Data["tls.crt"] - TLS certificate. | ||
|
||
Attributes | ||
---------- | ||
name : str, default is Undefined, required | ||
name is the metadata.name of the referenced secret | ||
""" | ||
|
||
|
||
name: str | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfile: | ||
r""" | ||
tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. | ||
If unset, a default (which may change between releases) is chosen. Note that only Old and Intermediate profiles are currently supported, and the maximum available MinTLSVersions is VersionTLS12. | ||
|
||
Attributes | ||
---------- | ||
custom : ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfileCustom, default is Undefined, optional | ||
custom | ||
intermediate : any, default is Undefined, optional | ||
intermediate is a TLS security profile based on: | ||
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 | ||
and looks like this (yaml): | ||
ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2 | ||
modern : any, default is Undefined, optional | ||
modern is a TLS security profile based on: | ||
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility | ||
and looks like this (yaml): | ||
ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: TLSv1.3 | ||
NOTE: Currently unsupported. | ||
old : any, default is Undefined, optional | ||
old is a TLS security profile based on: | ||
https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility | ||
and looks like this (yaml): | ||
ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA minTLSVersion: TLSv1.0 | ||
$type : str, default is Undefined, optional | ||
type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on: | ||
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations | ||
The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced. | ||
Note that the Modern profile is currently not supported because it is not yet well adopted by common software libraries. | ||
""" | ||
|
||
|
||
custom?: ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfileCustom | ||
|
||
intermediate?: any | ||
|
||
modern?: any | ||
|
||
old?: any | ||
|
||
$type?: str | ||
|
||
|
||
schema ConfigOpenshiftIoV1APIServerSpecTLSSecurityProfileCustom: | ||
r""" | ||
custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this: | ||
ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion: TLSv1.1 | ||
|
||
Attributes | ||
---------- | ||
ciphers : [str], default is Undefined, optional | ||
ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml): | ||
ciphers: - DES-CBC3-SHA | ||
minTLSVersion : str, default is Undefined, optional | ||
minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): | ||
minTLSVersion: TLSv1.1 | ||
NOTE: currently the highest minTLSVersion allowed is VersionTLS12 | ||
""" | ||
|
||
|
||
ciphers?: [str] | ||
|
||
minTLSVersion?: str | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,129 @@ | ||
""" | ||
This file was generated by the KCL auto-gen tool. DO NOT EDIT. | ||
Editing this file might prove futile when you re-run the KCL auto-gen generate command. | ||
""" | ||
import k8s.apimachinery.pkg.apis.meta.v1 | ||
|
||
|
||
schema ConfigAuthentication: | ||
r""" | ||
Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`. | ||
|
||
Attributes | ||
---------- | ||
apiVersion : str, default is "config.openshift.io/v1", required | ||
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | ||
kind : str, default is "Authentication", required | ||
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | ||
metadata : v1.ObjectMeta, default is Undefined, optional | ||
metadata | ||
spec : ConfigOpenshiftIoV1AuthenticationSpec, default is Undefined, required | ||
spec | ||
status : ConfigOpenshiftIoV1AuthenticationStatus, default is Undefined, optional | ||
status | ||
""" | ||
|
||
|
||
apiVersion: "config.openshift.io/v1" = "config.openshift.io/v1" | ||
|
||
kind: "Authentication" = "Authentication" | ||
|
||
metadata?: v1.ObjectMeta | ||
|
||
spec: ConfigOpenshiftIoV1AuthenticationSpec | ||
|
||
status?: ConfigOpenshiftIoV1AuthenticationStatus | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationSpec: | ||
r""" | ||
spec holds user settable values for configuration | ||
|
||
Attributes | ||
---------- | ||
oauthMetadata : ConfigOpenshiftIoV1AuthenticationSpecOauthMetadata, default is Undefined, optional | ||
oauth metadata | ||
$type : str, default is Undefined, optional | ||
type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth. | ||
webhookTokenAuthenticators : [ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0], default is Undefined, optional | ||
webhookTokenAuthenticators configures remote token reviewers. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. The namespace for these secrets is openshift-config. | ||
""" | ||
|
||
|
||
oauthMetadata?: ConfigOpenshiftIoV1AuthenticationSpecOauthMetadata | ||
|
||
$type?: str | ||
|
||
webhookTokenAuthenticators?: [ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0] | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationSpecOauthMetadata: | ||
r""" | ||
oauthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for an external OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 If oauthMetadata.name is non-empty, this value has precedence over any metadata reference stored in status. The key "oauthMetadata" is used to locate the data. If specified and the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config. | ||
|
||
Attributes | ||
---------- | ||
name : str, default is Undefined, required | ||
name is the metadata.name of the referenced config map | ||
""" | ||
|
||
|
||
name: str | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0: | ||
r""" | ||
webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator | ||
|
||
Attributes | ||
---------- | ||
kubeConfig : ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0KubeConfig, default is Undefined, optional | ||
kube config | ||
""" | ||
|
||
|
||
kubeConfig?: ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0KubeConfig | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationSpecWebhookTokenAuthenticatorsItems0KubeConfig: | ||
r""" | ||
kubeConfig contains kube config file data which describes how to access the remote webhook service. For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication The key "kubeConfig" is used to locate the data. If the secret or expected key is not found, the webhook is not honored. If the specified kube config data is not valid, the webhook is not honored. The namespace for this secret is determined by the point of use. | ||
|
||
Attributes | ||
---------- | ||
name : str, default is Undefined, required | ||
name is the metadata.name of the referenced secret | ||
""" | ||
|
||
|
||
name: str | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationStatus: | ||
r""" | ||
status holds observed values from the cluster. They may not be overridden. | ||
|
||
Attributes | ||
---------- | ||
integratedOAuthMetadata : ConfigOpenshiftIoV1AuthenticationStatusIntegratedOAuthMetadata, default is Undefined, optional | ||
integrated o auth metadata | ||
""" | ||
|
||
|
||
integratedOAuthMetadata?: ConfigOpenshiftIoV1AuthenticationStatusIntegratedOAuthMetadata | ||
|
||
|
||
schema ConfigOpenshiftIoV1AuthenticationStatusIntegratedOAuthMetadata: | ||
r""" | ||
integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0 Authorization Server Metadata for the in-cluster integrated OAuth server. This discovery document can be viewed from its served location: oc get --raw '/.well-known/oauth-authorization-server' For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 This contains the observed value based on cluster state. An explicitly set value in spec.oauthMetadata has precedence over this field. This field has no meaning if authentication spec.type is not set to IntegratedOAuth. The key "oauthMetadata" is used to locate the data. If the config map or expected key is not found, no metadata is served. If the specified metadata is not valid, no metadata is served. The namespace for this config map is openshift-config-managed. | ||
|
||
Attributes | ||
---------- | ||
name : str, default is Undefined, required | ||
name is the metadata.name of the referenced config map | ||
""" | ||
|
||
|
||
name: str | ||
|
||
|
Oops, something went wrong.