From c5591479f77abe8f237cc3b9f7f6bdc8ea4ea4e0 Mon Sep 17 00:00:00 2001 From: Swarup Ghosh Date: Mon, 9 Dec 2024 21:12:34 +0530 Subject: [PATCH 1/2] [FeatureGate/KMSEncryptionProvider] APIServer config for AWS KMS Signed-off-by: Swarup Ghosh --- .../KMSEncryptionProvider.yaml | 137 ++++++++++++++++++ config/v1/types_apiserver.go | 27 +++- config/v1/types_kmsencryption.go | 55 +++++++ 3 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml create mode 100644 config/v1/types_kmsencryption.go diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml new file mode 100644 index 00000000000..1125b8e31e1 --- /dev/null +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -0,0 +1,137 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "APIServer" +crdName: apiservers.config.openshift.io +featureGates: +- KMSEncryptionProvider +tests: + onCreate: + - name: Should be able to create encrypt with KMS for AWS with valid values + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + region: us-east-1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + region: us-east-1 + - name: Should be able to create encrypt with KMS for AWS without region + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + - name: Should not allow kms config with encrypt aescbc + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: aescbc + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" + - name: Should fail to create with an empty KMS config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: {} + expectedError: "spec.encryption.kms.type: Required value" + - name: Should fail to create with kms type AWS but without aws config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise" + - name: Should fail to create AWS KMS without a keyARN + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + region: us-east-1 + expectedError: "spec.encryption.kms.aws.keyARN: Required value" + - name: Should fail to create AWS KMS with invalid keyARN format + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: not-a-kms-arn + region: us-east-1 + expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." + - name: Should fail to create AWS KMS with empty region + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + region: "" + expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" + - name: Should fail to create AWS KMS with invalid region format + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: AWS + aws: + keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + region: "INVALID-REGION" + expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go index 75b647f745c..38322b95d54 100644 --- a/config/v1/types_apiserver.go +++ b/config/v1/types_apiserver.go @@ -51,6 +51,7 @@ type APIServerSpec struct { // server from JavaScript applications. // The values are regular expressions that correspond to the Golang regular expression language. // +optional + // +listType=atomic AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"` // encryption allows the configuration of encryption of resources at the datastore layer. // +optional @@ -153,6 +154,7 @@ type APIServerServingCerts struct { // If no named certificates are provided, or no named certificates match the server name as understood by a client, // the defaultServingCertificate will be used. // +optional + // +listType=atomic NamedCertificates []APIServerNamedServingCert `json:"namedCertificates,omitempty"` } @@ -162,6 +164,7 @@ type APIServerNamedServingCert struct { // serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. // Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. // +optional + // +listType=atomic Names []string `json:"names,omitempty"` // servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. // The secret must exist in the openshift-config namespace and contain the following required fields: @@ -170,6 +173,9 @@ type APIServerNamedServingCert struct { ServingCertificate SecretNameReference `json:"servingCertificate"` } +// APIServerEncryption is used to encrypt sensitive resources on the cluster. +// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise" +// +union type APIServerEncryption struct { // type defines what encryption type should be used to encrypt resources at the datastore layer. // When this field is unset (i.e. when it is set to the empty string), identity is implied. @@ -188,9 +194,23 @@ type APIServerEncryption struct { // +unionDiscriminator // +optional Type EncryptionType `json:"type,omitempty"` + + // kms defines the configuration for the external KMS instance that manages the encryption keys, + // when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + // externally configured KMS instance. + // + // The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + // managing the lifecyle of the encryption keys outside of the control plane. + // This allows integration with an external provider to manage the data encryption keys securely. + // + // +openshift:enable:FeatureGate=KMSEncryptionProvider + // +unionMember + // +optional + KMS *KMSConfig `json:"kms,omitempty"` } -// +kubebuilder:validation:Enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string const ( @@ -205,6 +225,11 @@ const ( // aesgcm refers to a type where AES-GCM with random nonce and a 32-byte key // is used to perform encryption at the datastore layer. EncryptionTypeAESGCM EncryptionType = "aesgcm" + + // kms refers to a type of encryption where the encryption keys are managed + // outside the control plane in a Key Management Service instance, + // encryption is still performed at the datastore layer. + EncryptionTypeKMS EncryptionType = "KMS" ) type APIServerStatus struct { diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go new file mode 100644 index 00000000000..cbd796bc6d5 --- /dev/null +++ b/config/v1/types_kmsencryption.go @@ -0,0 +1,55 @@ +package v1 + +// KMSConfig defines the configuration for the KMS instance +// that will be used with KMSEncryptionProvider encryption +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" +// +union +type KMSConfig struct { + // type defines the kind of platform for the KMS provider. + // Available provider types are AWS only. + // + // +unionDiscriminator + // +required + Type KMSProviderType `json:"type"` + + // aws defines the key config for using an AWS KMS instance + // for the encryption. The AWS KMS instance is managed + // by the user outside the purview of the control plane. + // + // +unionMember + // +optional + AWS *AWSKMSConfig `json:"aws,omitempty"` +} + +// AWSKMSConfig defines the KMS config specific to AWS KMS provider +type AWSKMSConfig struct { + // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + // The value must adhere to the format `arn:aws:kms:::key/`, where: + // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + // - `` is a 12-digit numeric identifier for the AWS account. + // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + // + // +kubebuilder:validation:MaxLength=128 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." + // +required + KeyARN string `json:"keyARN"` + // region specifies the AWS region where the KMS instance exists, and follows the format + // `--`, e.g.: `us-east-1`. + // Only lowercase letters and hyphens followed by numbers are allowed. + // + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + // +optional + Region string `json:"region"` +} + +// KMSProviderType is a specific supported KMS provider +// +kubebuilder:validation:Enum=AWS +type KMSProviderType string + +const ( + // AWSKMSProvider represents a supported KMS provider for use with AWS KMS + AWSKMSProvider KMSProviderType = "AWS" +) From 470263ae3a58bca0fdec3427365bdd1c241f16b0 Mon Sep 17 00:00:00 2001 From: Swarup Ghosh Date: Wed, 11 Dec 2024 01:22:42 +0530 Subject: [PATCH 2/2] make update Signed-off-by: Swarup Ghosh --- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 504 ++++++++++++++++++ ...g-operator_01_apiservers-Default.crd.yaml} | 4 + ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 504 ++++++++++++++++++ ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 504 ++++++++++++++++++ config/v1/zz_generated.deepcopy.go | 44 +- ..._generated.featuregated-crd-manifests.yaml | 3 +- .../AAA_ungated.yaml | 3 + .../KMSEncryptionProvider.yaml | 504 ++++++++++++++++++ .../v1/zz_generated.swagger_doc_generated.go | 22 + .../generated_openapi/zz_generated.openapi.go | 112 +++- openapi/openapi.json | 69 ++- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 504 ++++++++++++++++++ ...g-operator_01_apiservers-Default.crd.yaml} | 4 + ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 504 ++++++++++++++++++ ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 504 ++++++++++++++++++ 15 files changed, 3782 insertions(+), 7 deletions(-) create mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml rename config/v1/zz_generated.crd-manifests/{0000_10_config-operator_01_apiservers.crd.yaml => 0000_10_config-operator_01_apiservers-Default.crd.yaml} (98%) create mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml create mode 100644 config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml create mode 100644 config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml create mode 100644 payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml rename payload-manifests/crds/{0000_10_config-operator_01_apiservers.crd.yaml => 0000_10_config-operator_01_apiservers-Default.crd.yaml} (98%) create mode 100644 payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml create mode 100644 payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..c1b2c9f3721 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml similarity index 98% rename from config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml rename to config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 8dd63a32891..c5206c23cbf 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default name: apiservers.config.openshift.io spec: group: config.openshift.io @@ -56,6 +57,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic audit: default: profile: Default @@ -200,6 +202,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic servingCertificate: description: |- servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. @@ -216,6 +219,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object tlsSecurityProfile: description: |- diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..1b82ffd357f --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..5c8bfb70275 --- /dev/null +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index b013d4595ed..4ebd4f29b08 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -42,6 +42,11 @@ func (in *APIServer) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { *out = *in + if in.KMS != nil { + in, out := &in.KMS, &out.KMS + *out = new(KMSConfig) + (*in).DeepCopyInto(*out) + } return } @@ -143,7 +148,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - out.Encryption = in.Encryption + in.Encryption.DeepCopyInto(&out.Encryption) if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile *out = new(TLSSecurityProfile) @@ -211,6 +216,22 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. +func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { + if in == nil { + return nil + } + out := new(AWSKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -3279,6 +3300,27 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { + *out = *in + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AWSKMSConfig) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig. +func (in *KMSConfig) DeepCopy() *KMSConfig { + if in == nil { + return nil + } + out := new(KMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index b2bc82e1a9f..771aef86e25 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -5,7 +5,8 @@ apiservers.config.openshift.io: CRDName: apiservers.config.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index b23006b1058..1f338ed9f02 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -57,6 +57,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic audit: default: profile: Default @@ -201,6 +202,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic servingCertificate: description: |- servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. @@ -217,6 +219,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object tlsSecurityProfile: description: |- diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml new file mode 100644 index 00000000000..8cd20874a81 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/KMSEncryptionProvider: "true" + release.openshift.io/bootstrap-required: "true" + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 0ac9c7ccd2b..248136a6694 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -277,7 +277,9 @@ func (APIServer) SwaggerDoc() map[string]string { } var map_APIServerEncryption = map[string]string{ + "": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", + "kms": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", } func (APIServerEncryption) SwaggerDoc() map[string]string { @@ -1962,6 +1964,26 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } +var map_AWSKMSConfig = map[string]string{ + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", +} + +func (AWSKMSConfig) SwaggerDoc() map[string]string { + return map_AWSKMSConfig +} + +var map_KMSConfig = map[string]string{ + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", +} + +func (KMSConfig) SwaggerDoc() map[string]string { + return map_KMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 5f93c398466..a5cc8c43a34 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -150,6 +150,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.APIServerStatus": schema_openshift_api_config_v1_APIServerStatus(ref), "github.com/openshift/api/config/v1.AWSDNSSpec": schema_openshift_api_config_v1_AWSDNSSpec(ref), "github.com/openshift/api/config/v1.AWSIngressSpec": schema_openshift_api_config_v1_AWSIngressSpec(ref), + "github.com/openshift/api/config/v1.AWSKMSConfig": schema_openshift_api_config_v1_AWSKMSConfig(ref), "github.com/openshift/api/config/v1.AWSPlatformSpec": schema_openshift_api_config_v1_AWSPlatformSpec(ref), "github.com/openshift/api/config/v1.AWSPlatformStatus": schema_openshift_api_config_v1_AWSPlatformStatus(ref), "github.com/openshift/api/config/v1.AWSResourceTag": schema_openshift_api_config_v1_AWSResourceTag(ref), @@ -281,6 +282,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.IngressSpec": schema_openshift_api_config_v1_IngressSpec(ref), "github.com/openshift/api/config/v1.IngressStatus": schema_openshift_api_config_v1_IngressStatus(ref), "github.com/openshift/api/config/v1.IntermediateTLSProfile": schema_openshift_api_config_v1_IntermediateTLSProfile(ref), + "github.com/openshift/api/config/v1.KMSConfig": schema_openshift_api_config_v1_KMSConfig(ref), "github.com/openshift/api/config/v1.KeystoneIdentityProvider": schema_openshift_api_config_v1_KeystoneIdentityProvider(ref), "github.com/openshift/api/config/v1.KubeClientConfig": schema_openshift_api_config_v1_KubeClientConfig(ref), "github.com/openshift/api/config/v1.KubevirtPlatformSpec": schema_openshift_api_config_v1_KubevirtPlatformSpec(ref), @@ -8268,7 +8270,8 @@ func schema_openshift_api_config_v1_APIServerEncryption(ref common.ReferenceCall return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "APIServerEncryption is used to encrypt sensitive resources on the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -8277,9 +8280,29 @@ func schema_openshift_api_config_v1_APIServerEncryption(ref common.ReferenceCall Format: "", }, }, + "kms": { + SchemaProps: spec.SchemaProps{ + Description: "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", + Ref: ref("github.com/openshift/api/config/v1.KMSConfig"), + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "kms": "KMS", + }, + }, + }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.KMSConfig"}, } } @@ -8341,6 +8364,11 @@ func schema_openshift_api_config_v1_APIServerNamedServingCert(ref common.Referen Type: []string{"object"}, Properties: map[string]spec.Schema{ "names": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.", Type: []string{"array"}, @@ -8378,6 +8406,11 @@ func schema_openshift_api_config_v1_APIServerServingCerts(ref common.ReferenceCa Type: []string{"object"}, Properties: map[string]spec.Schema{ "namedCertificates": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. If no named certificates are provided, or no named certificates match the server name as understood by a client, the defaultServingCertificate will be used.", Type: []string{"array"}, @@ -8420,6 +8453,11 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) }, }, "additionalCORSAllowedOrigins": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, SchemaProps: spec.SchemaProps{ Description: "additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth server from JavaScript applications. The values are regular expressions that correspond to the Golang regular expression language.", Type: []string{"array"}, @@ -8524,6 +8562,36 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) } } +func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keyARN": { + SchemaProps: spec.SchemaProps{ + Description: "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "region": { + SchemaProps: spec.SchemaProps{ + Description: "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"keyARN"}, + }, + }, + } +} + func schema_openshift_api_config_v1_AWSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -14524,6 +14592,48 @@ func schema_openshift_api_config_v1_IntermediateTLSProfile(ref common.ReferenceC } } +func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "aws": { + SchemaProps: spec.SchemaProps{ + Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), + }, + }, + }, + Required: []string{"type"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "aws": "AWS", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.AWSKMSConfig"}, + } +} + func schema_openshift_api_config_v1_KeystoneIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index f6177210af5..fc6dc0b6641 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4026,13 +4026,26 @@ } }, "com.github.openshift.api.config.v1.APIServerEncryption": { + "description": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "object", "properties": { + "kms": { + "description": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.KMSConfig" + }, "type": { "description": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", "type": "string" } - } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "kms": "KMS" + } + } + ] }, "com.github.openshift.api.config.v1.APIServerList": { "description": "Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", @@ -4077,7 +4090,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "atomic" }, "servingCertificate": { "description": "servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. The secret must exist in the openshift-config namespace and contain the following required fields: - Secret.Data[\"tls.key\"] - TLS private key. - Secret.Data[\"tls.crt\"] - TLS certificate.", @@ -4095,7 +4109,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerNamedServingCert" - } + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -4108,7 +4123,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "atomic" }, "audit": { "description": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", @@ -4169,6 +4185,25 @@ } ] }, + "com.github.openshift.api.config.v1.AWSKMSConfig": { + "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "type": "object", + "required": [ + "keyARN" + ], + "properties": { + "keyARN": { + "description": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", + "type": "string", + "default": "" + }, + "region": { + "description": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", + "type": "string", + "default": "" + } + } + }, "com.github.openshift.api.config.v1.AWSPlatformSpec": { "description": "AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", @@ -7684,6 +7719,32 @@ "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", "type": "object" }, + "com.github.openshift.api.config.v1.KMSConfig": { + "description": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "object", + "required": [ + "type" + ], + "properties": { + "aws": { + "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" + }, + "type": { + "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "type": "string", + "default": "" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "aws": "AWS" + } + } + ] + }, "com.github.openshift.api.config.v1.KeystoneIdentityProvider": { "description": "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..c1b2c9f3721 --- /dev/null +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml similarity index 98% rename from payload-manifests/crds/0000_10_config-operator_01_apiservers.crd.yaml rename to payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 8dd63a32891..c5206c23cbf 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -7,6 +7,7 @@ metadata: include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: Default name: apiservers.config.openshift.io spec: group: config.openshift.io @@ -56,6 +57,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic audit: default: profile: Default @@ -200,6 +202,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic servingCertificate: description: |- servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. @@ -216,6 +219,7 @@ spec: type: object type: object type: array + x-kubernetes-list-type: atomic type: object tlsSecurityProfile: description: |- diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..1b82ffd357f --- /dev/null +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..5c8bfb70275 --- /dev/null +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,504 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/bootstrap-required: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + aws: + description: |- + aws defines the key config for using an AWS KMS instance + for the encryption. The AWS KMS instance is managed + by the user outside the purview of the control plane. + properties: + keyARN: + description: |- + keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. + The value must adhere to the format `arn:aws:kms:::key/`, where: + - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. + - `` is a 12-digit numeric identifier for the AWS account. + - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. + maxLength: 128 + minLength: 1 + type: string + x-kubernetes-validations: + - message: keyARN must follow the format `arn:aws:kms:::key/`. + The account ID must be a 12 digit number and the region + and key ID should consist only of lowercase hexadecimal + characters and hyphens (-). + rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') + region: + description: |- + region specifies the AWS region where the KMS instance exists, and follows the format + `--`, e.g.: `us-east-1`. + Only lowercase letters and hyphens followed by numbers are allowed. + maxLength: 64 + minLength: 1 + type: string + x-kubernetes-validations: + - message: region must be a valid AWS region, consisting + of lowercase characters, digits and hyphens (-) only. + rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + required: + - keyARN + type: object + type: + description: |- + type defines the kind of platform for the KMS provider. + Available provider types are AWS only. + enum: + - AWS + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: aws config is required when kms provider type is AWS, + and forbidden otherwise + rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) + : !has(self.aws)' + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + enum: + - "" + - identity + - aescbc + - aesgcm + - KMS + type: string + type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS, and + forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}