OCM-7376: Add registry allowlists and cluster registry config
Add a new root endpoint (registry allowlist) and a new cluster type part (registry config) to both the v1 and v2alpha1 models.
1 parent
4435f3c
commit a912392
Showing
12 changed files
with
446 additions
and
0 deletions.
@@ -0,0 +1,88 @@ | ||
/* | ||
Copyright (c) 2024 Red Hat, Inc. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
// ClusterRegistryConfig describes the configuration of registries for the cluster. | ||
// Its format reflects the OpenShift Image Configuration, for which docs are available on | ||
// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html) | ||
// ```json | ||
// { | ||
// "registry_config": { | ||
// "registry_sources": { | ||
// "blocked_registries": [ | ||
// "badregistry.io", | ||
// "badregistry8.io" | ||
// ] | ||
// } | ||
// } | ||
// } | ||
// ``` | ||
// | ||
struct ClusterRegistryConfig { | ||
// Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries | ||
// which needs to be whitelisted for the platform to work. It can be omitted at creation and | ||
// updating and its lifecycle can be managed separately if needed. | ||
Allowlist RegistryAllowlist | ||
// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value, | ||
// for each additional registry CA to trust. | ||
AdditionalTrustedCa [String]String | ||
// AllowedRegistriesForImport limits the container image registries that normal users may import | ||
// images from. Set this list to the registries that you trust to contain valid Docker | ||
// images and that you want applications to be able to import from. Users with | ||
// permission to create Images or ImageStreamMappings via the API are not affected by | ||
// this policy - typically only administrators or system integrations will have those | ||
// permissions. | ||
AllowedRegistriesForImport []RegistryLocation | ||
// RegistrySources contains configuration that determines how the container runtime | ||
// should treat individual registries when accessing images for builds+pods. (e.g. | ||
// whether or not to allow insecure access). It does not contain configuration for the | ||
// internal cluster registry. | ||
RegistrySources RegistrySources | ||
} | ||
|
||
// RegistrySources contains configuration that determines how the container runtime should treat individual | ||
// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access. | ||
// It does not contain configuration for the internal cluster registry. | ||
struct RegistrySources { | ||
// AllowedRegistries: registries for which image pull and push actions are allowed. | ||
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. | ||
// For example, *.example.com. You can specify an individual repository within a registry. | ||
// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked. | ||
// Mutually exclusive with `BlockedRegistries` | ||
AllowedRegistries []String | ||
// BlockedRegistries: registries for which image pull and push actions are denied. | ||
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. | ||
// For example, *.example.com. You can specify an individual repository within a registry. | ||
// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed. | ||
// Mutually exclusive with `AllowedRegistries` | ||
BlockedRegistries []String | ||
// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections. | ||
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. | ||
// For example, *.example.com. You can specify an individual repository within a registry. | ||
// For example: reg1.io/myrepo/myapp:latest. | ||
InsecureRegistries []String | ||
} | ||
|
||
// RegistryLocation contains a location of the registry specified by the registry domain | ||
// name. The domain name might include wildcards, like '*' or '??'. | ||
struct RegistryLocation { | ||
// domainName specifies a domain name for the registry | ||
// In case the registry use non-standard (80 or 443) port, the port should be included | ||
// in the domain name as well. | ||
DomainName String | ||
// insecure indicates whether the registry is secure (https) or insecure (http) | ||
// By default (if not specified) the registry is assumed as secure. | ||
Insecure Boolean | ||
} |
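Review bot: The `InsecureRegistries` doc comment (the block ending at `InsecureRegistries []String`) explains how to spell entries but not what the setting does to the cluster: the comment implies matching registries are reached over plain HTTP or without a valid certificate, so a wildcard entry such as `*.example.com` presumably widens that exposure to every subdomain, and a reader choosing between this field and `AdditionalTrustedCa` gets no guidance. I would add `// Entries here are reached without TLS protection; for registries with a private CA prefer AdditionalTrustedCa instead.` Likewise `AdditionalTrustedCa` says PEM-encoded but not whether a value that is not a parseable CA certificate is rejected on add/update; since this map is what makes the runtime trust a new issuer, that is worth stating either way. The same two comments appear in the v2alpha1 copy at model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model.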
@@ -0,0 +1,27 @@ | ||
/* | ||
Copyright (c) 2024 Red Hat, Inc. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
// Manages a specific registry allowlist. | ||
resource RegistryAllowlist { | ||
// Retrieves the details of the allowlist. | ||
method Get { | ||
out Body RegistryAllowlist | ||
} | ||
|
||
// Deletes the allowlist. | ||
method Delete { | ||
} | ||
} |
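Review bot: `method Delete` carries no contract for an allowlist that is still referenced from a cluster's `ClusterRegistryConfig.Allowlist`; whether the call is refused, or the cluster is left with a dangling reference that silently loses its platform registries, is exactly what a caller needs to know, and this model file is the only place it would be documented. I would extend the comment to `// Deletes the allowlist. <behaviour when still referenced by a cluster: to be stated once confirmed with the service>` and replace the placeholder with the real rule. `Get` needs nothing further. The v2alpha1 copy at model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model has the same gap.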
@@ -0,0 +1,25 @@ | ||
/* | ||
Copyright (c) 2024 Red Hat, Inc. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
// RegistryAllowlist represents a single registry allowlist. | ||
class RegistryAllowlist { | ||
// CreationTimestamp is the date and time when the allow list has been created. | ||
CreationTimestamp Date | ||
// Registries is the list of registries contained in this Allowlist. | ||
Registries []String | ||
// CloudProvider is the cloud provider for which this allowlist is valid. | ||
CloudProvider CloudProvider | ||
} |
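Review bot: `Registries []String` does not say what an entry is, while the sibling `RegistrySources` fields spell out hostnames, `*.` wildcards and repository paths in detail; since this list is what a cluster's platform registries are matched against, an ambiguous entry format is a correctness and policy question rather than a style one. I would state the accepted form here, e.g. `// Registries is the list of registry hostnames (optionally with port) contained in this Allowlist.` if that is the intended form. `CreationTimestamp` is presumably server-assigned, yet `Add` on the collection takes the whole class as `in out Body`; a line saying it is ignored on input would stop callers expecting to set it. The v2alpha1 copy at model/clusters_mgmt/v2alpha1/registry_allowlist_type.model needs the same wording.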
@@ -0,0 +1,75 @@ | ||
/* | ||
Copyright (c) 2024 Red Hat, Inc. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
// Manages the registry allowlists. | ||
resource RegistryAllowlists { | ||
// Retrieves the list of registry allowlists. | ||
method List { | ||
// Index of the requested page, where one corresponds to the first page. | ||
in out Page Integer = 1 | ||
|
||
// Number of items contained in the returned page. | ||
in out Size Integer = 100 | ||
|
||
// Search criteria. | ||
// | ||
// The syntax of this parameter is similar to the syntax of the _where_ clause of a | ||
// SQL statement, but using the names of the attributes of the registry allowlists | ||
// instead of the names of the columns of a table. For example, in order to retrieve all | ||
// the credentials with a specific cloud provider and creation time the following is required: | ||
// | ||
// ```sql | ||
// cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z' | ||
// ``` | ||
// | ||
// If the parameter isn't provided, or if the value is empty, then all the | ||
// registry allowlists that the user has permission to see will be returned. | ||
in Search String | ||
|
||
// Order criteria. | ||
// | ||
// The syntax of this parameter is similar to the syntax of the _order by_ clause of | ||
// a SQL statement, but using the names of the attributes of the registry allowlists | ||
// instead of the the names of the columns of a table. For example, in order to sort the | ||
// credentials descending by identifier the value should be: | ||
// | ||
// ```sql | ||
// creation_timestamp desc | ||
// ``` | ||
// | ||
// If the parameter isn't provided, or if the value is empty, then the order of the | ||
// results is undefined. | ||
in Order String | ||
|
||
// Total number of items of the collection. | ||
out Total Integer | ||
|
||
// Retrieved list of registry allowlists. | ||
out Items []RegistryAllowlist | ||
} | ||
|
||
// Adds a new break registry allowlist. | ||
method Add { | ||
// Data of the new registry allowlist. | ||
in out Body RegistryAllowlist | ||
} | ||
|
||
// Reference to the service that manages a specific registry allowlist. | ||
locator RegistryAllowlist { | ||
target RegistryAllowlist | ||
variable ID | ||
} | ||
} |
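Review bot: The `Add` method comment reads `// Adds a new break registry allowlist.` — the stray "break" should go: `// Adds a new registry allowlist.`. The `Search` and `Order` descriptions also still speak of "credentials" (`retrieve all the credentials with a specific cloud provider`, `sort the credentials descending by identifier`), which looks copied from another resource; both should say "registry allowlists", and the `Order` example text says "by identifier" while the snippet sorts on `creation_timestamp`. There is also a doubled "the the" in the `Order` text. The v2alpha1 copy of this resource is not shown on this page; if it mirrors this file, the same fixes apply there.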
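--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model
@@ -0,0 +1,88 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// ClusterRegistryConfig describes the configuration of registries for the cluster.
+// Its format reflects the OpenShift Image Configuration, for which docs are available on
+// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
+// ```json
+// {
+// "registry_config": {
+// "registry_sources": {
+// "blocked_registries": [
+// "badregistry.io",
+// "badregistry8.io"
+// ]
+// }
+// }
+// }
+// ```
+//
+struct ClusterRegistryConfig {
+// Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries
+// which needs to be whitelisted for the platform to work. It can be omitted at creation and
+// updating and its lifecycle can be managed separately if needed.
+Allowlist RegistryAllowlist
+// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+// for each additional registry CA to trust.
+AdditionalTrustedCa [String]String
+// AllowedRegistriesForImport limits the container image registries that normal users may import
+// images from. Set this list to the registries that you trust to contain valid Docker
+// images and that you want applications to be able to import from. Users with
+// permission to create Images or ImageStreamMappings via the API are not affected by
+// this policy - typically only administrators or system integrations will have those
+// permissions.
+AllowedRegistriesForImport []RegistryLocation
+// RegistrySources contains configuration that determines how the container runtime
+// should treat individual registries when accessing images for builds+pods. (e.g.
+// whether or not to allow insecure access). It does not contain configuration for the
+// internal cluster registry.
+RegistrySources RegistrySources
+}
+
+// RegistrySources contains configuration that determines how the container runtime should treat individual
+// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
+// It does not contain configuration for the internal cluster registry.
+struct RegistrySources {
+// AllowedRegistries: registries for which image pull and push actions are allowed.
+// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+// For example, *.example.com. You can specify an individual repository within a registry.
+// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+// Mutually exclusive with `BlockedRegistries`
+AllowedRegistries []String
+// BlockedRegistries: registries for which image pull and push actions are denied.
+// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+// For example, *.example.com. You can specify an individual repository within a registry.
+// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+// Mutually exclusive with `AllowedRegistries`
+BlockedRegistries []String
+// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+// For example, *.example.com. You can specify an individual repository within a registry.
+// For example: reg1.io/myrepo/myapp:latest.
+InsecureRegistries []String
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+struct RegistryLocation {
+// domainName specifies a domain name for the registry
+// In case the registry use non-standard (80 or 443) port, the port should be included
+// in the domain name as well.
+DomainName String
+// insecure indicates whether the registry is secure (https) or insecure (http)
+// By default (if not specified) the registry is assumed as secure.
+Insecure Boolean
+}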
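Review bot: The `DomainName` comment `In case the registry use non-standard (80 or 443) port` reads as if 80 and 443 were the non-standard ports, and it is silent on whether the wildcards the struct comment mentions (`'*' or '??'`) are accepted in this field; since `AllowedRegistriesForImport` gates what normal users may import from, an entry that matches more than the author intended is a policy hole rather than a cosmetic issue. I would write `// In case the registry uses a port other than the standard 80 or 443, the port must be included in the domain name as well.` and add one example of how a wildcard entry is matched. The v1 copy of this file earlier on this page carries the same text.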
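--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model
@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific registry allowlist.
+resource RegistryAllowlist {
+// Retrieves the details of the allowlist.
+method Get {
+out Body RegistryAllowlist
+}
+
+// Deletes the allowlist.
+method Delete {
+}
+}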
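--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/registry_allowlist_type.model
@@ -0,0 +1,25 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// RegistryAllowlist represents a single registry allowlist.
+class RegistryAllowlist {
+// CreationTimestamp is the date and time when the allow list has been created.
+CreationTimestamp Date
+// Registries is the list of registries contained in this Allowlist.
+Registries []String
+// CloudProvider is the cloud provider for which this allowlist is valid.
+CloudProvider CloudProvider
+}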