From a9123922d66e4fc34a5dbdbd7921455b9e108fad Mon Sep 17 00:00:00 2001
From: Andrea Decorte
Date: Mon, 26 Aug 2024 23:38:29 +0200
Subject: [PATCH] OCM-7376: Add registry allowlists and cluster registry config

Add a new root endpoint: - Registry allowlist And a new cluster type part - Registry config to both v1 and v2alpha1 model
---
 .../v1/cluster_registry_config_type.model | 88 +++++++++++++++++++
 model/clusters_mgmt/v1/cluster_type.model | 3 +
 .../v1/registry_allowlist_resource.model | 27 ++++++
 .../v1/registry_allowlist_type.model | 25 ++++++
 .../v1/registry_allowlists_resource.model | 75 ++++++++++++++++
 model/clusters_mgmt/v1/root_resource.model | 5 ++
 .../cluster_registry_config_type.model | 88 +++++++++++++++++++
 .../clusters_mgmt/v2alpha1/cluster_type.model | 3 +
 .../registry_allowlist_resource.model | 27 ++++++
 .../v2alpha1/registry_allowlist_type.model | 25 ++++++
 .../registry_allowlists_resource.model | 75 ++++++++++++++++
 .../v2alpha1/root_resource.model | 5 ++
 12 files changed, 446 insertions(+)
 create mode 100644 model/clusters_mgmt/v1/cluster_registry_config_type.model
 create mode 100644 model/clusters_mgmt/v1/registry_allowlist_resource.model
 create mode 100644 model/clusters_mgmt/v1/registry_allowlist_type.model
 create mode 100644 model/clusters_mgmt/v1/registry_allowlists_resource.model
 create mode 100644 model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model
 create mode 100644 model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model
 create mode 100644 model/clusters_mgmt/v2alpha1/registry_allowlist_type.model
 create mode 100644 model/clusters_mgmt/v2alpha1/registry_allowlists_resource.model
diff --git a/model/clusters_mgmt/v1/cluster_registry_config_type.model b/model/clusters_mgmt/v1/cluster_registry_config_type.model
new file mode 100644
index 00000000..6ff34d7b
--- /dev/null
+++ b/model/clusters_mgmt/v1/cluster_registry_config_type.model
@@ -0,0 +1,88 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// ClusterRegistryConfig describes the configuration of registries for the cluster.
+// Its format reflects the OpenShift Image Configuration, for which docs are available on
+// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
+// ```json
+// {
+// "registry_config": {
+// "registry_sources": {
+// "blocked_registries": [
+// "badregistry.io",
+// "badregistry8.io"
+// ]
+// }
+// }
+// }
+// ```
+//
+struct ClusterRegistryConfig {
+ // Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries
+ // which needs to be whitelisted for the platform to work. It can be omitted at creation and
+ // updating and its lifecycle can be managed separately if needed.
+ Allowlist RegistryAllowlist
+ // A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+ // for each additional registry CA to trust.
+ AdditionalTrustedCa [String]String
+ // AllowedRegistriesForImport limits the container image registries that normal users may import
+ // images from. Set this list to the registries that you trust to contain valid Docker
+ // images and that you want applications to be able to import from. Users with
+ // permission to create Images or ImageStreamMappings via the API are not affected by
+ // this policy - typically only administrators or system integrations will have those
+ // permissions.
+ AllowedRegistriesForImport []RegistryLocation
+ // RegistrySources contains configuration that determines how the container runtime
+ // should treat individual registries when accessing images for builds+pods. (e.g.
+ // whether or not to allow insecure access). It does not contain configuration for the
+ // internal cluster registry.
+ RegistrySources RegistrySources
+}
+
+// RegistrySources contains configuration that determines how the container runtime should treat individual
+// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
+// It does not contain configuration for the internal cluster registry.
+struct RegistrySources {
+ // AllowedRegistries: registries for which image pull and push actions are allowed.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+ // Mutually exclusive with `BlockedRegistries`
+ AllowedRegistries []String
+ // BlockedRegistries: registries for which image pull and push actions are denied.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+ // Mutually exclusive with `AllowedRegistries`
+ BlockedRegistries []String
+ // InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest.
+ InsecureRegistries []String
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+struct RegistryLocation {
+ // domainName specifies a domain name for the registry
+ // In case the registry use non-standard (80 or 443) port, the port should be included
+ // in the domain name as well.
+ DomainName String
+ // insecure indicates whether the registry is secure (https) or insecure (http)
+ // By default (if not specified) the registry is assumed as secure.
+ Insecure Boolean
+}
diff --git a/model/clusters_mgmt/v1/cluster_type.model b/model/clusters_mgmt/v1/cluster_type.model
index 0e4fcb96..1f7e5737 100644
--- a/model/clusters_mgmt/v1/cluster_type.model
+++ b/model/clusters_mgmt/v1/cluster_type.model
@@ -242,4 +242,7 @@ class Cluster {
 // Indicate whether the cluster is enabled for multi arch workers
 MultiArchEnabled Boolean
+
+ // Registry configuration for the cluster
+ RegistryConfig ClusterRegistryConfig
 }
diff --git a/model/clusters_mgmt/v1/registry_allowlist_resource.model b/model/clusters_mgmt/v1/registry_allowlist_resource.model
new file mode 100644
index 00000000..39906414
--- /dev/null
+++ b/model/clusters_mgmt/v1/registry_allowlist_resource.model
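Review bot: The `InsecureRegistries` comment in `RegistrySources` describes what qualifies a registry for the list (no valid TLS certificate, or HTTP only) but never states the consequence of listing one, which is the security-relevant part: matching registries are then reached without a trusted certificate or over plaintext, so the wildcard guidance directly beneath it reads as harmless when it is not. I would add `// Entries here are reached without TLS certificate validation or over plaintext HTTP; keep the list as narrow as possible and avoid bare wildcards.` above `InsecureRegistries []String`. `AdditionalTrustedCa` says the key is "the registry hostname" while `RegistryLocation.DomainName` in the same file explicitly includes a non-standard port, so the map comment should say how a port is expressed in the key (`host:port`, or the `host..port` form OpenShift uses for its ConfigMap keys — whichever the server expects). Minor wording in `RegistryLocation`: `In case the registry use non-standard` → `uses a non-standard`.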
@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific registry allowlist.
+resource RegistryAllowlist {
+ // Retrieves the details of the allowlist.
+ method Get {
+ out Body RegistryAllowlist
+ }
+
+ // Deletes the allowlist.
+ method Delete {
+ }
+}
diff --git a/model/clusters_mgmt/v1/registry_allowlist_type.model b/model/clusters_mgmt/v1/registry_allowlist_type.model
new file mode 100644
index 00000000..993346fc
--- /dev/null
+++ b/model/clusters_mgmt/v1/registry_allowlist_type.model
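Review bot: `method Delete` on `RegistryAllowlist` says nothing about what happens when the allowlist is still referenced from a cluster's `RegistryConfig.Allowlist`, and the comment on that field elsewhere in this commit describes the list as registries the platform needs in order to work, so a dangling reference is not cosmetic. I would state the intended behaviour on the method, e.g. `// Deletes the allowlist. Deletion is rejected while any cluster still references it.` if that is what the server enforces, or the opposite if clusters simply lose the reference — I cannot tell from the model which it is, but the consumer needs to know. The resource also has no `Update`, so the only way to change `Registries` is delete-and-recreate; if that is deliberate, a one-line comment on the resource saying so would save people looking for it.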
@@ -0,0 +1,25 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// RegistryAllowlist represents a single registry allowlist.
+class RegistryAllowlist {
+ // CreationTimestamp is the date and time when the allow list has been created.
+ CreationTimestamp Date
+ // Registries is the list of registries contained in this Allowlist.
+ Registries []String
+ // CloudProvider is the cloud provider for which this allowlist is valid.
+ CloudProvider CloudProvider
+}
diff --git a/model/clusters_mgmt/v1/registry_allowlists_resource.model b/model/clusters_mgmt/v1/registry_allowlists_resource.model
new file mode 100644
index 00000000..7a2135bd
--- /dev/null
+++ b/model/clusters_mgmt/v1/registry_allowlists_resource.model
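Review bot: `Registries []String` on `RegistryAllowlist` gives no format for its entries, whereas `RegistrySources` in the same commit spells out the accepted wildcard and `host/repo:tag` forms; a client cannot tell whether `*.example.com` or a `host:port` entry is valid here, and since this list is the one the platform depends on, a rejected or silently mis-parsed entry matters. I would extend the comment to `// Registries is the list of registries contained in this Allowlist, as registry hostnames (with port if non-standard); wildcards are <accepted|not accepted>.` with the right choice filled in. `CreationTimestamp` is presumably server-assigned, yet the collection's `Add` takes this same class as `in out Body`, so the comment should say whether a client-supplied value is ignored on creation, e.g. `// CreationTimestamp is set by the server when the allowlist is created; a value sent on creation is ignored.`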
@@ -0,0 +1,75 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages the registry allowlists.
+resource RegistryAllowlists {
+ // Retrieves the list of registry allowlists.
+ method List {
+ // Index of the requested page, where one corresponds to the first page.
+ in out Page Integer = 1
+
+ // Number of items contained in the returned page.
+ in out Size Integer = 100
+
+ // Search criteria.
+ //
+ // The syntax of this parameter is similar to the syntax of the _where_ clause of a
+ // SQL statement, but using the names of the attributes of the registry allowlists
+ // instead of the names of the columns of a table. For example, in order to retrieve all
+ // the credentials with a specific cloud provider and creation time the following is required:
+ //
+ // ```sql
+ // cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z'
+ // ```
+ //
+ // If the parameter isn't provided, or if the value is empty, then all the
+ // registry allowlists that the user has permission to see will be returned.
+ in Search String
+
+ // Order criteria.
+ //
+ // The syntax of this parameter is similar to the syntax of the _order by_ clause of
+ // a SQL statement, but using the names of the attributes of the registry allowlists
+ // instead of the the names of the columns of a table. For example, in order to sort the
+ // credentials descending by identifier the value should be:
+ //
+ // ```sql
+ // creation_timestamp desc
+ // ```
+ //
+ // If the parameter isn't provided, or if the value is empty, then the order of the
+ // results is undefined.
+ in Order String
+
+ // Total number of items of the collection.
+ out Total Integer
+
+ // Retrieved list of registry allowlists.
+ out Items []RegistryAllowlist
+ }
+
+ // Adds a new break registry allowlist.
+ method Add {
+ // Data of the new registry allowlist.
+ in out Body RegistryAllowlist
+ }
+
+ // Reference to the service that manages a specific registry allowlist.
+ locator RegistryAllowlist {
+ target RegistryAllowlist
+ variable ID
+ }
+}
diff --git a/model/clusters_mgmt/v1/root_resource.model b/model/clusters_mgmt/v1/root_resource.model
index 1cd9edfc..9bf394c7 100644
--- a/model/clusters_mgmt/v1/root_resource.model
+++ b/model/clusters_mgmt/v1/root_resource.model
@@ -131,4 +131,9 @@ resource Root {
 locator GCP {
 target GCP
 }
+
+ // Reference to the resource that manages the collection of registry allowlists.
+ locator RegistryAllowlists {
+ target RegistryAllowlists
+ }
 }
diff --git a/model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model b/model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model
new file mode 100644
index 00000000..6ff34d7b
--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model
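Review bot: `// Adds a new break registry allowlist.` on `method Add` is a leftover from whichever resource this file was copied from, and the same copy-paste shows in the `Search` comment (`retrieve all the credentials with a specific cloud provider`) and the `Order` comment (`sort the credentials descending by identifier`, while the example beneath it sorts by `creation_timestamp`). I would change them to `// Adds a new registry allowlist.`, `retrieve all the registry allowlists with a specific cloud provider and creation time`, and `sort the registry allowlists descending by creation time`. There is also a doubled word in `instead of the the names of the columns`.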
@@ -0,0 +1,88 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// ClusterRegistryConfig describes the configuration of registries for the cluster.
+// Its format reflects the OpenShift Image Configuration, for which docs are available on
+// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
+// ```json
+// {
+// "registry_config": {
+// "registry_sources": {
+// "blocked_registries": [
+// "badregistry.io",
+// "badregistry8.io"
+// ]
+// }
+// }
+// }
+// ```
+//
+struct ClusterRegistryConfig {
+ // Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries
+ // which needs to be whitelisted for the platform to work. It can be omitted at creation and
+ // updating and its lifecycle can be managed separately if needed.
+ Allowlist RegistryAllowlist
+ // A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+ // for each additional registry CA to trust.
+ AdditionalTrustedCa [String]String
+ // AllowedRegistriesForImport limits the container image registries that normal users may import
+ // images from. Set this list to the registries that you trust to contain valid Docker
+ // images and that you want applications to be able to import from. Users with
+ // permission to create Images or ImageStreamMappings via the API are not affected by
+ // this policy - typically only administrators or system integrations will have those
+ // permissions.
+ AllowedRegistriesForImport []RegistryLocation
+ // RegistrySources contains configuration that determines how the container runtime
+ // should treat individual registries when accessing images for builds+pods. (e.g.
+ // whether or not to allow insecure access). It does not contain configuration for the
+ // internal cluster registry.
+ RegistrySources RegistrySources
+}
+
+// RegistrySources contains configuration that determines how the container runtime should treat individual
+// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
+// It does not contain configuration for the internal cluster registry.
+struct RegistrySources {
+ // AllowedRegistries: registries for which image pull and push actions are allowed.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+ // Mutually exclusive with `BlockedRegistries`
+ AllowedRegistries []String
+ // BlockedRegistries: registries for which image pull and push actions are denied.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+ // Mutually exclusive with `AllowedRegistries`
+ BlockedRegistries []String
+ // InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+ // To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+ // For example, *.example.com. You can specify an individual repository within a registry.
+ // For example: reg1.io/myrepo/myapp:latest.
+ InsecureRegistries []String
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+struct RegistryLocation {
+ // domainName specifies a domain name for the registry
+ // In case the registry use non-standard (80 or 443) port, the port should be included
+ // in the domain name as well.
+ DomainName String
+ // insecure indicates whether the registry is secure (https) or insecure (http)
+ // By default (if not specified) the registry is assumed as secure.
+ Insecure Boolean
+}
diff --git a/model/clusters_mgmt/v2alpha1/cluster_type.model b/model/clusters_mgmt/v2alpha1/cluster_type.model
index 507c33bb..f26d1424 100644
--- a/model/clusters_mgmt/v2alpha1/cluster_type.model
+++ b/model/clusters_mgmt/v2alpha1/cluster_type.model
@@ -242,4 +242,7 @@ class Cluster {
 // Indicate whether the cluster is enabled for multi arch workers
 MultiArchEnabled Boolean
+
+ // Registry configuration for the cluster
+ RegistryConfig ClusterRegistryConfig
 }
diff --git a/model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model b/model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model
new file mode 100644
index 00000000..39906414
--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model
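Review bot: The v2alpha1 `cluster_registry_config_type.model` has the same gap as the v1 copy (both are the same blob, `6ff34d7b`): the `InsecureRegistries` comment in `RegistrySources` explains which registries belong in the list but not that listing one means it is reached without a trusted TLS certificate or over plaintext HTTP, so the wildcard examples beneath it read as harmless. I would add `// Entries here are reached without TLS certificate validation or over plaintext HTTP; keep the list as narrow as possible and avoid bare wildcards.` above `InsecureRegistries []String`, and have the `AdditionalTrustedCa` comment say how a non-standard port is written in the hostname key, since `RegistryLocation.DomainName` includes the port but the map comment only says "hostname". Whatever wording lands should be applied to both the v1 and v2alpha1 files so they stay identical.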
@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific registry allowlist.
+resource RegistryAllowlist {
+ // Retrieves the details of the allowlist.
+ method Get {
+ out Body RegistryAllowlist
+ }
+
+ // Deletes the allowlist.
+ method Delete {
+ }
+}
diff --git a/model/clusters_mgmt/v2alpha1/registry_allowlist_type.model b/model/clusters_mgmt/v2alpha1/registry_allowlist_type.model
new file mode 100644
index 00000000..993346fc
--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/registry_allowlist_type.model
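Review bot: As in the v1 copy of this resource (same blob, `39906414`), `method Delete` does not say what happens when a cluster's `RegistryConfig.Allowlist` still points at the allowlist being deleted, and this commit's own field comment calls that list necessary for the platform to work. I would document the intended behaviour on the method, e.g. `// Deletes the allowlist. Deletion is rejected while any cluster still references it.`, or the converse if clusters simply lose the reference — I cannot tell from the model which the server does. The absence of an `Update` method also deserves a one-line comment if delete-and-recreate is the intended way to change the registries.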
@@ -0,0 +1,25 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// RegistryAllowlist represents a single registry allowlist.
+class RegistryAllowlist {
+ // CreationTimestamp is the date and time when the allow list has been created.
+ CreationTimestamp Date
+ // Registries is the list of registries contained in this Allowlist.
+ Registries []String
+ // CloudProvider is the cloud provider for which this allowlist is valid.
+ CloudProvider CloudProvider
+}
diff --git a/model/clusters_mgmt/v2alpha1/registry_allowlists_resource.model b/model/clusters_mgmt/v2alpha1/registry_allowlists_resource.model
new file mode 100644
index 00000000..7a2135bd
--- /dev/null
+++ b/model/clusters_mgmt/v2alpha1/registry_allowlists_resource.model
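Review bot: `Registries []String` here, as in the identical v1 type (blob `993346fc`), gives no entry format — hostname only, `host:port`, wildcards? — while `RegistrySources` in this same commit documents its accepted forms in detail, and an entry the server rejects or mis-parses in the list the platform depends on is worse than one in a user block list. I would extend the comment to `// Registries is the list of registries contained in this Allowlist, as registry hostnames (with port if non-standard); wildcards are <accepted|not accepted>.` with the right choice filled in. `CreationTimestamp` should also say whether it is server-assigned and a client-supplied value on `Add` is ignored, since the collection's `Add` uses this class as `in out Body`.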
@@ -0,0 +1,75 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages the registry allowlists.
+resource RegistryAllowlists {
+ // Retrieves the list of registry allowlists.
+ method List {
+ // Index of the requested page, where one corresponds to the first page.
+ in out Page Integer = 1
+
+ // Number of items contained in the returned page.
+ in out Size Integer = 100
+
+ // Search criteria.
+ //
+ // The syntax of this parameter is similar to the syntax of the _where_ clause of a
+ // SQL statement, but using the names of the attributes of the registry allowlists
+ // instead of the names of the columns of a table. For example, in order to retrieve all
+ // the credentials with a specific cloud provider and creation time the following is required:
+ //
+ // ```sql
+ // cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z'
+ // ```
+ //
+ // If the parameter isn't provided, or if the value is empty, then all the
+ // registry allowlists that the user has permission to see will be returned.
+ in Search String
+
+ // Order criteria.
+ //
+ // The syntax of this parameter is similar to the syntax of the _order by_ clause of
+ // a SQL statement, but using the names of the attributes of the registry allowlists
+ // instead of the the names of the columns of a table. For example, in order to sort the
+ // credentials descending by identifier the value should be:
+ //
+ // ```sql
+ // creation_timestamp desc
+ // ```
+ //
+ // If the parameter isn't provided, or if the value is empty, then the order of the
+ // results is undefined.
+ in Order String
+
+ // Total number of items of the collection.
+ out Total Integer
+
+ // Retrieved list of registry allowlists.
+ out Items []RegistryAllowlist
+ }
+
+ // Adds a new break registry allowlist.
+ method Add {
+ // Data of the new registry allowlist.
+ in out Body RegistryAllowlist
+ }
+
+ // Reference to the service that manages a specific registry allowlist.
+ locator RegistryAllowlist {
+ target RegistryAllowlist
+ variable ID
+ }
+}
diff --git a/model/clusters_mgmt/v2alpha1/root_resource.model b/model/clusters_mgmt/v2alpha1/root_resource.model
index 41c8cd3b..e69d44a4 100644
--- a/model/clusters_mgmt/v2alpha1/root_resource.model
+++ b/model/clusters_mgmt/v2alpha1/root_resource.model
@@ -131,4 +131,9 @@ resource Root {
 locator GCP {
 target GCP
 }
+
+ // Reference to the resource that manages the collection of registry allowlists.
+ locator RegistryAllowlists {
+ target RegistryAllowlists
+ }
 }