Overview ¶
Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +gencrdrefdocs:force +groupName=controlplane.cluster.x-k8s.io +k8s:defaulter-gen=TypeMeta
Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group. +kubebuilder:object:generate=true +groupName=controlplane.cluster.x-k8s.io
Constants ¶
const (
	// ROSAControlPlaneReadyCondition condition reports on the successful reconciliation of ROSAControlPlane.
	ROSAControlPlaneReadyCondition clusterv1.ConditionType = "ROSAControlPlaneReady"
	// ROSAControlPlaneValidCondition condition reports whether ROSAControlPlane configuration is valid.
	ROSAControlPlaneValidCondition clusterv1.ConditionType = "ROSAControlPlaneValid"
	// ROSAControlPlaneUpgradingCondition condition reports whether ROSAControlPlane is upgrading or not.
	ROSAControlPlaneUpgradingCondition clusterv1.ConditionType = "ROSAControlPlaneUpgrading"
	// ExternalAuthConfiguredCondition condition reports whether external auth has been correctly configured.
	ExternalAuthConfiguredCondition clusterv1.ConditionType = "ExternalAuthConfigured"

	// ReconciliationFailedReason used to report reconciliation failures.
	ReconciliationFailedReason = "ReconciliationFailed"
	// ROSAControlPlaneDeletionFailedReason used to report failures while deleting ROSAControlPlane.
	ROSAControlPlaneDeletionFailedReason = "DeletionFailed"
	// ROSAControlPlaneInvalidConfigurationReason used to report invalid user input.
	ROSAControlPlaneInvalidConfigurationReason = "InvalidConfiguration"
)
Variables ¶
var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "controlplane.cluster.x-k8s.io", Version: "v1beta2"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func RegisterDefaults ¶ added in v2.4.0
RegisterDefaults adds defaulter functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.
func SetDefaults_RosaControlPlaneSpec ¶ added in v2.4.0
func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec)
SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.
func SetObjectDefaults_ROSAControlPlane ¶ added in v2.4.0
func SetObjectDefaults_ROSAControlPlane(in *ROSAControlPlane)
func SetObjectDefaults_ROSAControlPlaneList ¶ added in v2.4.1
func SetObjectDefaults_ROSAControlPlaneList(in *ROSAControlPlaneList)
Types ¶
type AWSRolesRef ¶
// AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
//
// Every field is a role ARN, not a credential. The example policy documents below are illustrative
// and mostly grant "Resource": "*"; scope Resource and Condition down where the operator's API calls allow it.
type AWSRolesRef struct {
	// The referenced role must have a trust relationship that allows it to be assumed via web identity.
	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.
	// The "{{ .ProviderName }}:sub" condition in the example is what restricts which service accounts may assume the role.
	// Example:
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Principal": {
	//				"Federated": "{{ .ProviderARN }}"
	//			},
	//			"Action": "sts:AssumeRoleWithWebIdentity",
	//			"Condition": {
	//				"StringEquals": {
	//					"{{ .ProviderName }}:sub": {{ .ServiceAccounts }}
	//				}
	//			}
	//		}
	//	]
	// }
	//
	// IngressARN is an ARN value referencing a role appropriate for the Ingress Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"elasticloadbalancing:DescribeLoadBalancers",
	//				"tag:GetResources",
	//				"route53:ListHostedZones"
	//			],
	//			"Resource": "*"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"route53:ChangeResourceRecordSets"
	//			],
	//			"Resource": [
	//				"arn:aws:route53:::PUBLIC_ZONE_ID",
	//				"arn:aws:route53:::PRIVATE_ZONE_ID"
	//			]
	//		}
	//	]
	// }
	IngressARN string `json:"ingressARN"`

	// ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"s3:CreateBucket",
	//				"s3:DeleteBucket",
	//				"s3:PutBucketTagging",
	//				"s3:GetBucketTagging",
	//				"s3:PutBucketPublicAccessBlock",
	//				"s3:GetBucketPublicAccessBlock",
	//				"s3:PutEncryptionConfiguration",
	//				"s3:GetEncryptionConfiguration",
	//				"s3:PutLifecycleConfiguration",
	//				"s3:GetLifecycleConfiguration",
	//				"s3:GetBucketLocation",
	//				"s3:ListBucket",
	//				"s3:GetObject",
	//				"s3:PutObject",
	//				"s3:DeleteObject",
	//				"s3:ListBucketMultipartUploads",
	//				"s3:AbortMultipartUpload",
	//				"s3:ListMultipartUploadParts"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	ImageRegistryARN string `json:"imageRegistryARN"`

	// StorageARN is an ARN value referencing a role appropriate for the Storage Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:AttachVolume",
	//				"ec2:CreateSnapshot",
	//				"ec2:CreateTags",
	//				"ec2:CreateVolume",
	//				"ec2:DeleteSnapshot",
	//				"ec2:DeleteTags",
	//				"ec2:DeleteVolume",
	//				"ec2:DescribeInstances",
	//				"ec2:DescribeSnapshots",
	//				"ec2:DescribeTags",
	//				"ec2:DescribeVolumes",
	//				"ec2:DescribeVolumesModifications",
	//				"ec2:DetachVolume",
	//				"ec2:ModifyVolume"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	StorageARN string `json:"storageARN"`

	// NetworkARN is an ARN value referencing a role appropriate for the Network Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:DescribeInstances",
	//				"ec2:DescribeInstanceStatus",
	//				"ec2:DescribeInstanceTypes",
	//				"ec2:UnassignPrivateIpAddresses",
	//				"ec2:AssignPrivateIpAddresses",
	//				"ec2:UnassignIpv6Addresses",
	//				"ec2:AssignIpv6Addresses",
	//				"ec2:DescribeSubnets",
	//				"ec2:DescribeNetworkInterfaces"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	NetworkARN string `json:"networkARN"`

	// KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.
	// Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Action": [
	//				"autoscaling:DescribeAutoScalingGroups",
	//				"autoscaling:DescribeLaunchConfigurations",
	//				"autoscaling:DescribeTags",
	//				"ec2:DescribeAvailabilityZones",
	//				"ec2:DescribeInstances",
	//				"ec2:DescribeImages",
	//				"ec2:DescribeRegions",
	//				"ec2:DescribeRouteTables",
	//				"ec2:DescribeSecurityGroups",
	//				"ec2:DescribeSubnets",
	//				"ec2:DescribeVolumes",
	//				"ec2:CreateSecurityGroup",
	//				"ec2:CreateTags",
	//				"ec2:CreateVolume",
	//				"ec2:ModifyInstanceAttribute",
	//				"ec2:ModifyVolume",
	//				"ec2:AttachVolume",
	//				"ec2:AuthorizeSecurityGroupIngress",
	//				"ec2:CreateRoute",
	//				"ec2:DeleteRoute",
	//				"ec2:DeleteSecurityGroup",
	//				"ec2:DeleteVolume",
	//				"ec2:DetachVolume",
	//				"ec2:RevokeSecurityGroupIngress",
	//				"ec2:DescribeVpcs",
	//				"elasticloadbalancing:AddTags",
	//				"elasticloadbalancing:AttachLoadBalancerToSubnets",
	//				"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
	//				"elasticloadbalancing:CreateLoadBalancer",
	//				"elasticloadbalancing:CreateLoadBalancerPolicy",
	//				"elasticloadbalancing:CreateLoadBalancerListeners",
	//				"elasticloadbalancing:ConfigureHealthCheck",
	//				"elasticloadbalancing:DeleteLoadBalancer",
	//				"elasticloadbalancing:DeleteLoadBalancerListeners",
	//				"elasticloadbalancing:DescribeLoadBalancers",
	//				"elasticloadbalancing:DescribeLoadBalancerAttributes",
	//				"elasticloadbalancing:DetachLoadBalancerFromSubnets",
	//				"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
	//				"elasticloadbalancing:ModifyLoadBalancerAttributes",
	//				"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
	//				"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
	//				"elasticloadbalancing:AddTags",
	//				"elasticloadbalancing:CreateListener",
	//				"elasticloadbalancing:CreateTargetGroup",
	//				"elasticloadbalancing:DeleteListener",
	//				"elasticloadbalancing:DeleteTargetGroup",
	//				"elasticloadbalancing:DeregisterTargets",
	//				"elasticloadbalancing:DescribeListeners",
	//				"elasticloadbalancing:DescribeLoadBalancerPolicies",
	//				"elasticloadbalancing:DescribeTargetGroups",
	//				"elasticloadbalancing:DescribeTargetHealth",
	//				"elasticloadbalancing:ModifyListener",
	//				"elasticloadbalancing:ModifyTargetGroup",
	//				"elasticloadbalancing:RegisterTargets",
	//				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
	//				"iam:CreateServiceLinkedRole",
	//				"kms:DescribeKey"
	//			],
	//			"Resource": [
	//				"*"
	//			],
	//			"Effect": "Allow"
	//		}
	//	]
	// }
	// +immutable
	KubeCloudControllerARN string `json:"kubeCloudControllerARN"`

	// NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
	//
	// Note that the "iam:PassRole" statement below is deliberately limited to roles matching
	// "*-worker-role"; widening that Resource would let this role hand arbitrary roles to EC2 instances.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Action": [
	//				"ec2:AssociateRouteTable",
	//				"ec2:AttachInternetGateway",
	//				"ec2:AuthorizeSecurityGroupIngress",
	//				"ec2:CreateInternetGateway",
	//				"ec2:CreateNatGateway",
	//				"ec2:CreateRoute",
	//				"ec2:CreateRouteTable",
	//				"ec2:CreateSecurityGroup",
	//				"ec2:CreateSubnet",
	//				"ec2:CreateTags",
	//				"ec2:DeleteInternetGateway",
	//				"ec2:DeleteNatGateway",
	//				"ec2:DeleteRouteTable",
	//				"ec2:DeleteSecurityGroup",
	//				"ec2:DeleteSubnet",
	//				"ec2:DeleteTags",
	//				"ec2:DescribeAccountAttributes",
	//				"ec2:DescribeAddresses",
	//				"ec2:DescribeAvailabilityZones",
	//				"ec2:DescribeImages",
	//				"ec2:DescribeInstances",
	//				"ec2:DescribeInternetGateways",
	//				"ec2:DescribeNatGateways",
	//				"ec2:DescribeNetworkInterfaces",
	//				"ec2:DescribeNetworkInterfaceAttribute",
	//				"ec2:DescribeRouteTables",
	//				"ec2:DescribeSecurityGroups",
	//				"ec2:DescribeSubnets",
	//				"ec2:DescribeVpcs",
	//				"ec2:DescribeVpcAttribute",
	//				"ec2:DescribeVolumes",
	//				"ec2:DetachInternetGateway",
	//				"ec2:DisassociateRouteTable",
	//				"ec2:DisassociateAddress",
	//				"ec2:ModifyInstanceAttribute",
	//				"ec2:ModifyNetworkInterfaceAttribute",
	//				"ec2:ModifySubnetAttribute",
	//				"ec2:RevokeSecurityGroupIngress",
	//				"ec2:RunInstances",
	//				"ec2:TerminateInstances",
	//				"tag:GetResources",
	//				"ec2:CreateLaunchTemplate",
	//				"ec2:CreateLaunchTemplateVersion",
	//				"ec2:DescribeLaunchTemplates",
	//				"ec2:DescribeLaunchTemplateVersions",
	//				"ec2:DeleteLaunchTemplate",
	//				"ec2:DeleteLaunchTemplateVersions"
	//			],
	//			"Resource": [
	//				"*"
	//			],
	//			"Effect": "Allow"
	//		},
	//		{
	//			"Condition": {
	//				"StringLike": {
	//					"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
	//				}
	//			},
	//			"Action": [
	//				"iam:CreateServiceLinkedRole"
	//			],
	//			"Resource": [
	//				"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
	//			],
	//			"Effect": "Allow"
	//		},
	//		{
	//			"Action": [
	//				"iam:PassRole"
	//			],
	//			"Resource": [
	//				"arn:*:iam::*:role/*-worker-role"
	//			],
	//			"Effect": "Allow"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"kms:Decrypt",
	//				"kms:ReEncrypt",
	//				"kms:GenerateDataKeyWithoutPlainText",
	//				"kms:DescribeKey"
	//			],
	//			"Resource": "*"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"kms:CreateGrant"
	//			],
	//			"Resource": "*",
	//			"Condition": {
	//				"Bool": {
	//					"kms:GrantIsForAWSResource": true
	//				}
	//			}
	//		}
	//	]
	// }
	//
	// +immutable
	NodePoolManagementARN string `json:"nodePoolManagementARN"`

	// ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator.
	//
	// The following is an example of a valid policy document ("%s" stands for the hosted zone ID):
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:CreateVpcEndpoint",
	//				"ec2:DescribeVpcEndpoints",
	//				"ec2:ModifyVpcEndpoint",
	//				"ec2:DeleteVpcEndpoints",
	//				"ec2:CreateTags",
	//				"route53:ListHostedZones",
	//				"ec2:CreateSecurityGroup",
	//				"ec2:AuthorizeSecurityGroupIngress",
	//				"ec2:AuthorizeSecurityGroupEgress",
	//				"ec2:DeleteSecurityGroup",
	//				"ec2:RevokeSecurityGroupIngress",
	//				"ec2:RevokeSecurityGroupEgress",
	//				"ec2:DescribeSecurityGroups",
	//				"ec2:DescribeVpcs"
	//			],
	//			"Resource": "*"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"route53:ChangeResourceRecordSets",
	//				"route53:ListResourceRecordSets"
	//			],
	//			"Resource": "arn:aws:route53:::%s"
	//		}
	//	]
	// }
	// +immutable
	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`

	// KMSProviderARN is an ARN value referencing a role.
	// NOTE(review): undocumented upstream; presumably the role used by the KMS provider
	// (compare EtcdEncryptionKMSARN on RosaControlPlaneSpec) — confirm against the controller.
	// It is required (no omitempty) and carries no +immutable marker, unlike the three roles above.
	KMSProviderARN string `json:"kmsProviderARN"`
}
AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
func (*AWSRolesRef) DeepCopy ¶
func (in *AWSRolesRef) DeepCopy() *AWSRolesRef
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSRolesRef.
func (*AWSRolesRef) DeepCopyInto ¶
func (in *AWSRolesRef) DeepCopyInto(out *AWSRolesRef)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DefaultMachinePoolSpec ¶ added in v2.4.1
// DefaultMachinePoolSpec defines the configuration for the required worker nodes provisioned as part of the cluster creation.
type DefaultMachinePoolSpec struct {
	// The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/
	// +optional
	InstanceType string `json:"instanceType,omitempty"`

	// Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value
	// must be equal or multiple of the availability zones count.
	// +optional
	Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"`
}
DefaultMachinePoolSpec defines the configuration for the required worker nodes provisioned as part of the cluster creation.
func (*DefaultMachinePoolSpec) DeepCopy ¶ added in v2.4.1
func (in *DefaultMachinePoolSpec) DeepCopy() *DefaultMachinePoolSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultMachinePoolSpec.
func (*DefaultMachinePoolSpec) DeepCopyInto ¶ added in v2.4.1
func (in *DefaultMachinePoolSpec) DeepCopyInto(out *DefaultMachinePoolSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExternalAuthProvider ¶ added in v2.5.0
// ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster.
type ExternalAuthProvider struct {
	// Name of the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`

	// Issuer describes attributes of the OIDC token issuer
	//
	// +kubebuilder:validation:Required
	// +required
	Issuer TokenIssuer `json:"issuer"`

	// OIDCClients contains configuration for the platform's clients that
	// need to request tokens from the issuer
	//
	// +listType=map
	// +listMapKey=componentNamespace
	// +listMapKey=componentName
	// +kubebuilder:validation:MaxItems=20
	// +optional
	OIDCClients []OIDCClientConfig `json:"oidcClients,omitempty"`

	// ClaimMappings describes rules on how to transform information from an
	// ID token into a cluster identity
	// +optional
	ClaimMappings *TokenClaimMappings `json:"claimMappings,omitempty"`

	// ClaimValidationRules are rules that are applied to validate token claims to authenticate users.
	// The field is omitted from JSON when empty, i.e. no extra claim checks are declared here;
	// it carries no +optional marker, unlike the fields above.
	//
	// +listType=atomic
	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
}
ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster.
func (*ExternalAuthProvider) DeepCopy ¶ added in v2.5.0
func (in *ExternalAuthProvider) DeepCopy() *ExternalAuthProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAuthProvider.
func (*ExternalAuthProvider) DeepCopyInto ¶ added in v2.5.0
func (in *ExternalAuthProvider) DeepCopyInto(out *ExternalAuthProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LocalObjectReference ¶ added in v2.5.0
// LocalObjectReference references an object in the same namespace.
// Only the name is stored; the namespace is implied by the referencing object.
type LocalObjectReference struct {
	// Name is the metadata.name of the referenced object.
	//
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
}
LocalObjectReference references an object in the same namespace.
func (*LocalObjectReference) DeepCopy ¶ added in v2.5.0
func (in *LocalObjectReference) DeepCopy() *LocalObjectReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
func (*LocalObjectReference) DeepCopyInto ¶ added in v2.5.0
func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NetworkSpec ¶ added in v2.4.0
// NetworkSpec for ROSA-HCP.
type NetworkSpec struct {
	// IP addresses block used by OpenShift while installing the cluster, for example "10.0.0.0/16".
	// +kubebuilder:validation:Format=cidr
	// +optional
	MachineCIDR string `json:"machineCIDR,omitempty"`

	// IP address block from which to assign pod IP addresses, for example `10.128.0.0/14`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	PodCIDR string `json:"podCIDR,omitempty"`

	// IP address block from which to assign service IP addresses, for example `172.30.0.0/16`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	ServiceCIDR string `json:"serviceCIDR,omitempty"`

	// Network host prefix which is defaulted to `23` if not specified.
	// +kubebuilder:default=23
	// +optional
	HostPrefix int `json:"hostPrefix,omitempty"`

	// The CNI network type default is OVNKubernetes.
	// +kubebuilder:validation:Enum=OVNKubernetes;Other
	// +kubebuilder:default=OVNKubernetes
	// +optional
	NetworkType string `json:"networkType,omitempty"`
}
NetworkSpec for ROSA-HCP.
func (*NetworkSpec) DeepCopy ¶ added in v2.4.0
func (in *NetworkSpec) DeepCopy() *NetworkSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec.
func (*NetworkSpec) DeepCopyInto ¶ added in v2.4.0
func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientConfig ¶ added in v2.5.0
// OIDCClientConfig contains configuration for the platform's clients that need to request tokens from the issuer.
type OIDCClientConfig struct {
	// ComponentName is the name of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=256
	// +kubebuilder:validation:Required
	// +required
	ComponentName string `json:"componentName"`

	// ComponentNamespace is the namespace of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Required
	// +required
	ComponentNamespace string `json:"componentNamespace"`

	// ClientID is the identifier of the OIDC client from the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	ClientID string `json:"clientID"`

	// ClientSecret refers to a secret that
	// contains the client secret in the `clientSecret` key of the `.data` field.
	// Only the Secret's name is stored in this object; the secret material itself never appears here.
	ClientSecret LocalObjectReference `json:"clientSecret"`

	// ExtraScopes is an optional set of scopes to request tokens with.
	//
	// +listType=set
	// +optional
	ExtraScopes []string `json:"extraScopes,omitempty"`
}
OIDCClientConfig contains configuration for the platform's clients that need to request tokens from the issuer.
func (*OIDCClientConfig) DeepCopy ¶ added in v2.5.0
func (in *OIDCClientConfig) DeepCopy() *OIDCClientConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientConfig.
func (*OIDCClientConfig) DeepCopyInto ¶ added in v2.5.0
func (in *OIDCClientConfig) DeepCopyInto(out *OIDCClientConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PrefixedClaimMapping ¶ added in v2.5.0
// PrefixedClaimMapping defines claims with a prefix.
type PrefixedClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// Prefix is a string to prefix the value from the token in the result of the
	// claim mapping.
	//
	// By default, no prefixing occurs.
	//
	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
	// an array of strings "a", "b" and "c", the mapping will result in an
	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
	Prefix string `json:"prefix,omitempty"`
}
PrefixedClaimMapping defines claims with a prefix.
func (*PrefixedClaimMapping) DeepCopy ¶ added in v2.5.0
func (in *PrefixedClaimMapping) DeepCopy() *PrefixedClaimMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimMapping.
func (*PrefixedClaimMapping) DeepCopyInto ¶ added in v2.5.0
func (in *PrefixedClaimMapping) DeepCopyInto(out *PrefixedClaimMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ROSAControlPlane ¶
// ROSAControlPlane is the Schema for the ROSAControlPlanes API.
type ROSAControlPlane struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state.
	Spec RosaControlPlaneSpec `json:"spec,omitempty"`
	// Status is the observed state written back by the controller.
	Status RosaControlPlaneStatus `json:"status,omitempty"`
}
ROSAControlPlane is the Schema for the ROSAControlPlanes API.
func (*ROSAControlPlane) DeepCopy ¶
func (in *ROSAControlPlane) DeepCopy() *ROSAControlPlane
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlane.
func (*ROSAControlPlane) DeepCopyInto ¶
func (in *ROSAControlPlane) DeepCopyInto(out *ROSAControlPlane)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ROSAControlPlane) DeepCopyObject ¶
func (in *ROSAControlPlane) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ROSAControlPlane) Default ¶ added in v2.4.1
func (r *ROSAControlPlane) Default()
Default implements admission.Defaulter.
func (*ROSAControlPlane) GetConditions ¶
func (r *ROSAControlPlane) GetConditions() clusterv1.Conditions
GetConditions returns the control plane's conditions.
func (*ROSAControlPlane) SetConditions ¶
func (r *ROSAControlPlane) SetConditions(conditions clusterv1.Conditions)
SetConditions sets the status conditions for the AWSManagedControlPlane.
func (*ROSAControlPlane) SetupWebhookWithManager ¶ added in v2.4.1
func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error
SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.
func (*ROSAControlPlane) ValidateCreate ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err error)
ValidateCreate implements admission.Validator.
func (*ROSAControlPlane) ValidateDelete ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateDelete() (warnings admission.Warnings, err error)
ValidateDelete implements admission.Validator.
func (*ROSAControlPlane) ValidateUpdate ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error)
ValidateUpdate implements admission.Validator.
type ROSAControlPlaneList ¶
// ROSAControlPlaneList contains a list of ROSAControlPlane.
type ROSAControlPlaneList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the listed objects; it is always serialized, as an empty array when there are none.
	Items []ROSAControlPlane `json:"items"`
}
ROSAControlPlaneList contains a list of ROSAControlPlane.
func (*ROSAControlPlaneList) DeepCopy ¶
func (in *ROSAControlPlaneList) DeepCopy() *ROSAControlPlaneList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlaneList.
func (*ROSAControlPlaneList) DeepCopyInto ¶
func (in *ROSAControlPlaneList) DeepCopyInto(out *ROSAControlPlaneList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ROSAControlPlaneList) DeepCopyObject ¶
func (in *ROSAControlPlaneList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RosaControlPlaneSpec ¶
// RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
type RosaControlPlaneSpec struct {
	// Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric
	// characters or '-', start with an alphabetic character, end with an alphanumeric character
	// and have a max length of 54 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="rosaClusterName is immutable"
	// +kubebuilder:validation:MaxLength:=54
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	RosaClusterName string `json:"rosaClusterName"`

	// DomainPrefix is an optional prefix added to the cluster's domain name. It will be used
	// when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label
	// consisting of lower case alphanumeric characters or '-', start with an alphabetic character
	// end with an alphanumeric character and have a max length of 15 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="domainPrefix is immutable"
	// +kubebuilder:validation:MaxLength:=15
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	// +optional
	DomainPrefix string `json:"domainPrefix,omitempty"`

	// The Subnet IDs to use when installing the cluster.
	// SubnetIDs should come in pairs; two per availability zone, one private and one public.
	Subnets []string `json:"subnets"`

	// AvailabilityZones describe AWS AvailabilityZones of the worker nodes.
	// should match the AvailabilityZones of the provided Subnets.
	// a machinepool will be created for each availabilityZone.
	AvailabilityZones []string `json:"availabilityZones"`

	// The AWS Region the cluster lives in.
	Region string `json:"region"`

	// OpenShift semantic version, for example "4.14.5".
	Version string `json:"version"`

	// AWS IAM roles used to perform credential requests by the openshift operators.
	RolesRef AWSRolesRef `json:"rolesRef"`

	// The ID of the internal OpenID Connect Provider.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="oidcID is immutable"
	OIDCID string `json:"oidcID"`

	// EnableExternalAuthProviders enables external authentication configuration for the cluster.
	//
	// +kubebuilder:default=false
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="enableExternalAuthProviders is immutable"
	// +optional
	EnableExternalAuthProviders bool `json:"enableExternalAuthProviders,omitempty"`

	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
	// Can only be set if "enableExternalAuthProviders" is set to "True".
	//
	// At most one provider can be configured.
	//
	// +listType=map
	// +listMapKey=name
	// +kubebuilder:validation:MaxItems=1
	ExternalAuthProviders []ExternalAuthProvider `json:"externalAuthProviders,omitempty"`

	// InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster.
	InstallerRoleARN string `json:"installerRoleARN"`

	// SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable
	// access to the cluster account in order to provide support.
	SupportRoleARN string `json:"supportRoleARN"`

	// WorkerRoleARN is an AWS IAM role that will be attached to worker instances.
	WorkerRoleARN string `json:"workerRoleARN"`

	// BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters.
	// The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster
	// is running.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="billingAccount is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]{12}$')", message="billingAccount must be a valid AWS account ID"
	// +immutable
	// +optional
	BillingAccount string `json:"billingAccount,omitempty"`

	// DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation.
	// One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators
	// to work properly.
	// As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider.
	// `rosa list machinepools -c <rosaClusterName>` can be used to view those machinepools.
	//
	// This field will be removed in the future once the current limitation is resolved.
	//
	// +optional
	DefaultMachinePoolSpec DefaultMachinePoolSpec `json:"defaultMachinePoolSpec,omitempty"`

	// Network config for the ROSA HCP cluster.
	// +optional
	Network *NetworkSpec `json:"network,omitempty"`

	// EndpointAccess specifies the publishing scope of cluster endpoints. The
	// default is Public.
	//
	// +kubebuilder:validation:Enum=Public;Private
	// +kubebuilder:default=Public
	// +optional
	EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"`

	// AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
	// +optional
	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`

	// EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
	// created out-of-band by the user and tagged with `red-hat:true`.
	// +optional
	EtcdEncryptionKMSARN string `json:"etcdEncryptionKMSARN,omitempty"`

	// AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch.
	// If not set, audit log forwarding is disabled, i.e. forwarding is opt-in and an unset
	// field leaves no CloudWatch audit trail.
	// +optional
	AuditLogRoleARN string `json:"auditLogRoleARN,omitempty"`

	// ProvisionShardID defines the shard where rosa control plane components will be hosted.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="provisionShardID is immutable"
	// +optional
	ProvisionShardID string `json:"provisionShardID,omitempty"`

	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
	// The secret should contain the following data keys:
	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
	// Only the Secret's name is stored here; the token itself stays in the Secret.
	// +optional
	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`

	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
	// If no identity is specified, the default identity for this controller will be used.
	//
	// +optional
	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`

	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
	// Marked +optional but the JSON tag has no omitempty, so the zero value is always serialized.
	// +optional
	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
}
RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
func (*RosaControlPlaneSpec) DeepCopy ¶
func (in *RosaControlPlaneSpec) DeepCopy() *RosaControlPlaneSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneSpec.
func (*RosaControlPlaneSpec) DeepCopyInto ¶
func (in *RosaControlPlaneSpec) DeepCopyInto(out *RosaControlPlaneSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RosaControlPlaneStatus ¶
// RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
type RosaControlPlaneStatus struct {
	// ExternalManagedControlPlane indicates to cluster-api that the control plane
	// is managed by an external service such as AKS, EKS, GKE, etc.
	// +kubebuilder:default=true
	ExternalManagedControlPlane *bool `json:"externalManagedControlPlane,omitempty"`

	// Initialized denotes whether or not the control plane has the
	// uploaded kubernetes config-map.
	// +optional
	Initialized bool `json:"initialized"`

	// Ready denotes that the ROSAControlPlane API Server is ready to receive requests.
	// +kubebuilder:default=false
	Ready bool `json:"ready"`

	// FailureMessage will be set in the event that there is a terminal problem
	// reconciling the state and will be set to a descriptive error message.
	//
	// This field should not be set for transitive errors that a controller
	// faces that are expected to be fixed automatically over
	// time (like service outages), but instead indicate that something is
	// fundamentally wrong with the spec or the configuration of
	// the controller, and that manual intervention is required.
	//
	// +optional
	FailureMessage *string `json:"failureMessage,omitempty"`

	// Conditions specifies the conditions for the managed control plane.
	Conditions clusterv1.Conditions `json:"conditions,omitempty"`

	// ID is the cluster ID given by ROSA.
	ID string `json:"id,omitempty"`

	// ConsoleURL is the url for the openshift console.
	ConsoleURL string `json:"consoleURL,omitempty"`

	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
}
RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
func (*RosaControlPlaneStatus) DeepCopy ¶
func (in *RosaControlPlaneStatus) DeepCopy() *RosaControlPlaneStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneStatus.
func (*RosaControlPlaneStatus) DeepCopyInto ¶
func (in *RosaControlPlaneStatus) DeepCopyInto(out *RosaControlPlaneStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RosaEndpointAccessType ¶ added in v2.4.1
// RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
type RosaEndpointAccessType string
RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
const (
	// Public endpoint access allows public API server access and
	// private node communication with the control plane.
	// This is the default value of RosaControlPlaneSpec.EndpointAccess
	// (+kubebuilder:default=Public), so the API server is reachable from the
	// public internet unless Private is set explicitly.
	Public RosaEndpointAccessType = "Public"

	// Private endpoint access allows only private API server access and private
	// node communication with the control plane.
	Private RosaEndpointAccessType = "Private"
)
type TokenAudience ¶ added in v2.5.0
// TokenAudience is the audience that the token was issued for.
//
// +kubebuilder:validation:MinLength=1
type TokenAudience string
TokenAudience is the audience that the token was issued for.
+kubebuilder:validation:MinLength=1
type TokenClaimMappings ¶ added in v2.5.0
// TokenClaimMappings describes rules on how to transform information from an
// ID token into a cluster identity.
type TokenClaimMappings struct {
	// Username is a name of the claim that should be used to construct
	// usernames for the cluster identity.
	//
	// Default value: "sub"
	// +optional
	Username *UsernameClaimMapping `json:"username,omitempty"`

	// Groups is a name of the claim that should be used to construct
	// groups for the cluster identity.
	// The referenced claim must use array of strings values.
	// +optional
	Groups *PrefixedClaimMapping `json:"groups,omitempty"`
}
TokenClaimMappings describes rules on how to transform information from an ID token into a cluster identity.
func (*TokenClaimMappings) DeepCopy ¶ added in v2.5.0
func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimMappings.
func (*TokenClaimMappings) DeepCopyInto ¶ added in v2.5.0
func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenClaimValidationRule ¶ added in v2.5.0
// TokenClaimValidationRule validates token claims to authenticate users.
type TokenClaimValidationRule struct {
	// Type sets the type of the validation rule.
	// RequiredClaim is currently the only allowed value.
	//
	// +kubebuilder:validation:Enum={"RequiredClaim"}
	// +kubebuilder:default="RequiredClaim"
	Type TokenValidationRuleType `json:"type"`

	// RequiredClaim allows configuring a required claim name and its expected value.
	// +kubebuilder:validation:Required
	RequiredClaim TokenRequiredClaim `json:"requiredClaim"`
}
TokenClaimValidationRule validates token claims to authenticate users.
func (*TokenClaimValidationRule) DeepCopy ¶ added in v2.5.0
func (in *TokenClaimValidationRule) DeepCopy() *TokenClaimValidationRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationRule.
func (*TokenClaimValidationRule) DeepCopyInto ¶ added in v2.5.0
func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenIssuer ¶ added in v2.5.0
// TokenIssuer describes attributes of the OIDC token issuer.
type TokenIssuer struct {
	// URL is the serving URL of the token issuer.
	// Must use the https:// scheme.
	//
	// The pattern below only checks for the https:// scheme followed by one
	// non-whitespace character; it does not validate the rest of the URL.
	//
	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
	// +kubebuilder:validation:Required
	// +required
	URL string `json:"issuerURL"`

	// Audiences is an array of audiences that the token was issued for.
	// Valid tokens must include at least one of these values in their
	// "aud" claim.
	// Must be set to exactly one value.
	//
	// NOTE(review): the sentence above says exactly one value, while the
	// markers allow 1 to 10 items — confirm which limit is enforced.
	//
	// +listType=set
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=10
	// +required
	Audiences []TokenAudience `json:"audiences"`

	// CertificateAuthority is a reference to a config map in the
	// configuration namespace. The .data of the configMap must contain
	// the "ca-bundle.crt" key.
	// If unset, system trust is used instead.
	//
	// NOTE(review): no +optional/+required marker on this field; the
	// omitempty tag suggests optional — confirm against the generated CRD schema.
	CertificateAuthority *LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
}
TokenIssuer describes attributes of the OIDC token issuer.
func (*TokenIssuer) DeepCopy ¶ added in v2.5.0
func (in *TokenIssuer) DeepCopy() *TokenIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenIssuer.
func (*TokenIssuer) DeepCopyInto ¶ added in v2.5.0
func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenRequiredClaim ¶ added in v2.5.0
// TokenRequiredClaim allows configuring a required claim name and its expected value.
type TokenRequiredClaim struct {
	// Claim is a name of a required claim. Only claims with string values are
	// supported.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// RequiredValue is the required value for the claim.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	RequiredValue string `json:"requiredValue"`
}
TokenRequiredClaim allows configuring a required claim name and its expected value.
func (*TokenRequiredClaim) DeepCopy ¶ added in v2.5.0
func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenRequiredClaim.
func (*TokenRequiredClaim) DeepCopyInto ¶ added in v2.5.0
func (in *TokenRequiredClaim) DeepCopyInto(out *TokenRequiredClaim)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenValidationRuleType ¶ added in v2.5.0
// TokenValidationRuleType defines the type of the validation rule.
type TokenValidationRuleType string
TokenValidationRuleType defines the type of the validation rule.
const (
	// TokenValidationRuleTypeRequiredClaim defines the type for RequiredClaim.
	// It is the only value accepted by TokenClaimValidationRule.Type.
	TokenValidationRuleTypeRequiredClaim TokenValidationRuleType = "RequiredClaim"
)
type UsernameClaimMapping ¶ added in v2.5.0
// UsernameClaimMapping defines the claim that should be used to construct
// usernames for the cluster identity.
//
// +kubebuilder:validation:XValidation:rule="self.prefixPolicy == 'Prefix' ? has(self.prefix) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
type UsernameClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping.
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// PrefixPolicy specifies how a prefix should apply.
	//
	// By default, claims other than `email` will be prefixed with the issuer URL to
	// prevent naming clashes with other plugins.
	//
	// Set to "NoPrefix" to disable prefixing.
	//
	// Example:
	// (1) `prefix` is set to "myoidc:" and `claim` is set to "username".
	// If the JWT claim `username` contains value `userA`, the resulting
	// mapped value will be "myoidc:userA".
	// (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the
	// JWT `email` claim contains value "userA@myoidc.tld", the resulting
	// mapped value will be "myoidc:userA@myoidc.tld".
	// (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
	// the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
	// and `claim` is set to:
	// (a) "username": the mapped value will be "https://myoidc.tld#userA"
	// (b) "email": the mapped value will be "userA@myoidc.tld"
	//
	// +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
	// +optional
	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy,omitempty"`

	// Prefix is prepended to claim to prevent clashes with existing names.
	// Per the type-level XValidation rule, it must be set when PrefixPolicy
	// is "Prefix" and must be unset otherwise.
	//
	// +kubebuilder:validation:MinLength=1
	// +optional
	Prefix *string `json:"prefix,omitempty"`
}
UsernameClaimMapping defines the claim that should be used to construct usernames for the cluster identity.
+kubebuilder:validation:XValidation:rule="self.prefixPolicy == 'Prefix' ? has(self.prefix) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
func (*UsernameClaimMapping) DeepCopy ¶ added in v2.5.0
func (in *UsernameClaimMapping) DeepCopy() *UsernameClaimMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernameClaimMapping.
func (*UsernameClaimMapping) DeepCopyInto ¶ added in v2.5.0
func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UsernamePrefixPolicy ¶ added in v2.5.0
// UsernamePrefixPolicy specifies how a prefix should apply.
type UsernamePrefixPolicy string
UsernamePrefixPolicy specifies how a prefix should apply.
const (
	// NoOpinion lets the cluster assign prefixes. If the username claim is email, there is no prefix.
	// If the username claim is anything else, it is prefixed by the issuerURL.
	NoOpinion UsernamePrefixPolicy = ""

	// NoPrefix means the username claim value will not have any prefix.
	NoPrefix UsernamePrefixPolicy = "NoPrefix"

	// Prefix means the prefix value must be specified. It cannot be empty.
	Prefix UsernamePrefixPolicy = "Prefix"
)