v1beta2

package
v2.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 26, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +gencrdrefdocs:force +groupName=controlplane.cluster.x-k8s.io +k8s:defaulter-gen=TypeMeta

Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group. +kubebuilder:object:generate=true +groupName=controlplane.cluster.x-k8s.io

Index

Constants

View Source
const (
	// ROSAControlPlaneReadyCondition condition reports on the successful reconciliation of ROSAControlPlane.
	ROSAControlPlaneReadyCondition clusterv1.ConditionType = "ROSAControlPlaneReady"

	// ROSAControlPlaneValidCondition condition reports whether ROSAControlPlane configuration is valid.
	ROSAControlPlaneValidCondition clusterv1.ConditionType = "ROSAControlPlaneValid"

	// ROSAControlPlaneUpgradingCondition condition reports whether ROSAControlPlane is upgrading or not.
	ROSAControlPlaneUpgradingCondition clusterv1.ConditionType = "ROSAControlPlaneUpgrading"

	// ExternalAuthConfiguredCondition condition reports whether external auth has beed correctly configured.
	ExternalAuthConfiguredCondition clusterv1.ConditionType = "ExternalAuthConfigured"

	// ReconciliationFailedReason used to report reconciliation failures.
	ReconciliationFailedReason = "ReconciliationFailed"

	// ROSAControlPlaneDeletionFailedReason used to report failures while deleting ROSAControlPlane.
	ROSAControlPlaneDeletionFailedReason = "DeletionFailed"

	// ROSAControlPlaneInvalidConfigurationReason used to report invalid user input.
	ROSAControlPlaneInvalidConfigurationReason = "InvalidConfiguration"
)

Variables

View Source
var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "controlplane.cluster.x-k8s.io", Version: "v1beta2"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

func RegisterDefaults added in v2.4.0

func RegisterDefaults(scheme *runtime.Scheme) error

RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.

func SetDefaults_RosaControlPlaneSpec added in v2.4.0

func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec)

SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.

func SetObjectDefaults_ROSAControlPlane added in v2.4.0

func SetObjectDefaults_ROSAControlPlane(in *ROSAControlPlane)

func SetObjectDefaults_ROSAControlPlaneList added in v2.4.1

func SetObjectDefaults_ROSAControlPlaneList(in *ROSAControlPlaneList)

Types

type AWSRolesRef

type AWSRolesRef struct {
	// The referenced role must have a trust relationship that allows it to be assumed via web identity.
	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.
	// Example:
	// {
	//		"Version": "2012-10-17",
	//		"Statement": [
	//			{
	//				"Effect": "Allow",
	//				"Principal": {
	//					"Federated": "{{ .ProviderARN }}"
	//				},
	//					"Action": "sts:AssumeRoleWithWebIdentity",
	//				"Condition": {
	//					"StringEquals": {
	//						"{{ .ProviderName }}:sub": {{ .ServiceAccounts }}
	//					}
	//				}
	//			}
	//		]
	//	}
	//
	// IngressARN is an ARN value referencing a role appropriate for the Ingress Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"elasticloadbalancing:DescribeLoadBalancers",
	//				"tag:GetResources",
	//				"route53:ListHostedZones"
	//			],
	//			"Resource": "*"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"route53:ChangeResourceRecordSets"
	//			],
	//			"Resource": [
	//				"arn:aws:route53:::PUBLIC_ZONE_ID",
	//				"arn:aws:route53:::PRIVATE_ZONE_ID"
	//			]
	//		}
	//	]
	// }
	IngressARN string `json:"ingressARN"`

	// ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"s3:CreateBucket",
	//				"s3:DeleteBucket",
	//				"s3:PutBucketTagging",
	//				"s3:GetBucketTagging",
	//				"s3:PutBucketPublicAccessBlock",
	//				"s3:GetBucketPublicAccessBlock",
	//				"s3:PutEncryptionConfiguration",
	//				"s3:GetEncryptionConfiguration",
	//				"s3:PutLifecycleConfiguration",
	//				"s3:GetLifecycleConfiguration",
	//				"s3:GetBucketLocation",
	//				"s3:ListBucket",
	//				"s3:GetObject",
	//				"s3:PutObject",
	//				"s3:DeleteObject",
	//				"s3:ListBucketMultipartUploads",
	//				"s3:AbortMultipartUpload",
	//				"s3:ListMultipartUploadParts"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	ImageRegistryARN string `json:"imageRegistryARN"`

	// StorageARN is an ARN value referencing a role appropriate for the Storage Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:AttachVolume",
	//				"ec2:CreateSnapshot",
	//				"ec2:CreateTags",
	//				"ec2:CreateVolume",
	//				"ec2:DeleteSnapshot",
	//				"ec2:DeleteTags",
	//				"ec2:DeleteVolume",
	//				"ec2:DescribeInstances",
	//				"ec2:DescribeSnapshots",
	//				"ec2:DescribeTags",
	//				"ec2:DescribeVolumes",
	//				"ec2:DescribeVolumesModifications",
	//				"ec2:DetachVolume",
	//				"ec2:ModifyVolume"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	StorageARN string `json:"storageARN"`

	// NetworkARN is an ARN value referencing a role appropriate for the Network Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:DescribeInstances",
	//        "ec2:DescribeInstanceStatus",
	//        "ec2:DescribeInstanceTypes",
	//        "ec2:UnassignPrivateIpAddresses",
	//        "ec2:AssignPrivateIpAddresses",
	//        "ec2:UnassignIpv6Addresses",
	//        "ec2:AssignIpv6Addresses",
	//        "ec2:DescribeSubnets",
	//        "ec2:DescribeNetworkInterfaces"
	//			],
	//			"Resource": "*"
	//		}
	//	]
	// }
	NetworkARN string `json:"networkARN"`

	// KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.
	// Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
	//
	// The following is an example of a valid policy document:
	//
	//  {
	//  "Version": "2012-10-17",
	//  "Statement": [
	//    {
	//      "Action": [
	//        "autoscaling:DescribeAutoScalingGroups",
	//        "autoscaling:DescribeLaunchConfigurations",
	//        "autoscaling:DescribeTags",
	//        "ec2:DescribeAvailabilityZones",
	//        "ec2:DescribeInstances",
	//        "ec2:DescribeImages",
	//        "ec2:DescribeRegions",
	//        "ec2:DescribeRouteTables",
	//        "ec2:DescribeSecurityGroups",
	//        "ec2:DescribeSubnets",
	//        "ec2:DescribeVolumes",
	//        "ec2:CreateSecurityGroup",
	//        "ec2:CreateTags",
	//        "ec2:CreateVolume",
	//        "ec2:ModifyInstanceAttribute",
	//        "ec2:ModifyVolume",
	//        "ec2:AttachVolume",
	//        "ec2:AuthorizeSecurityGroupIngress",
	//        "ec2:CreateRoute",
	//        "ec2:DeleteRoute",
	//        "ec2:DeleteSecurityGroup",
	//        "ec2:DeleteVolume",
	//        "ec2:DetachVolume",
	//        "ec2:RevokeSecurityGroupIngress",
	//        "ec2:DescribeVpcs",
	//        "elasticloadbalancing:AddTags",
	//        "elasticloadbalancing:AttachLoadBalancerToSubnets",
	//        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
	//        "elasticloadbalancing:CreateLoadBalancer",
	//        "elasticloadbalancing:CreateLoadBalancerPolicy",
	//        "elasticloadbalancing:CreateLoadBalancerListeners",
	//        "elasticloadbalancing:ConfigureHealthCheck",
	//        "elasticloadbalancing:DeleteLoadBalancer",
	//        "elasticloadbalancing:DeleteLoadBalancerListeners",
	//        "elasticloadbalancing:DescribeLoadBalancers",
	//        "elasticloadbalancing:DescribeLoadBalancerAttributes",
	//        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
	//        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
	//        "elasticloadbalancing:ModifyLoadBalancerAttributes",
	//        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
	//        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
	//        "elasticloadbalancing:AddTags",
	//        "elasticloadbalancing:CreateListener",
	//        "elasticloadbalancing:CreateTargetGroup",
	//        "elasticloadbalancing:DeleteListener",
	//        "elasticloadbalancing:DeleteTargetGroup",
	//        "elasticloadbalancing:DeregisterTargets",
	//        "elasticloadbalancing:DescribeListeners",
	//        "elasticloadbalancing:DescribeLoadBalancerPolicies",
	//        "elasticloadbalancing:DescribeTargetGroups",
	//        "elasticloadbalancing:DescribeTargetHealth",
	//        "elasticloadbalancing:ModifyListener",
	//        "elasticloadbalancing:ModifyTargetGroup",
	//        "elasticloadbalancing:RegisterTargets",
	//        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
	//        "iam:CreateServiceLinkedRole",
	//        "kms:DescribeKey"
	//      ],
	//      "Resource": [
	//        "*"
	//      ],
	//      "Effect": "Allow"
	//    }
	//  ]
	// }
	// +immutable
	KubeCloudControllerARN string `json:"kubeCloudControllerARN"`

	// NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//   "Version": "2012-10-17",
	//  "Statement": [
	//    {
	//      "Action": [
	//        "ec2:AssociateRouteTable",
	//        "ec2:AttachInternetGateway",
	//        "ec2:AuthorizeSecurityGroupIngress",
	//        "ec2:CreateInternetGateway",
	//        "ec2:CreateNatGateway",
	//        "ec2:CreateRoute",
	//        "ec2:CreateRouteTable",
	//        "ec2:CreateSecurityGroup",
	//        "ec2:CreateSubnet",
	//        "ec2:CreateTags",
	//        "ec2:DeleteInternetGateway",
	//        "ec2:DeleteNatGateway",
	//        "ec2:DeleteRouteTable",
	//        "ec2:DeleteSecurityGroup",
	//        "ec2:DeleteSubnet",
	//        "ec2:DeleteTags",
	//        "ec2:DescribeAccountAttributes",
	//        "ec2:DescribeAddresses",
	//        "ec2:DescribeAvailabilityZones",
	//        "ec2:DescribeImages",
	//        "ec2:DescribeInstances",
	//        "ec2:DescribeInternetGateways",
	//        "ec2:DescribeNatGateways",
	//        "ec2:DescribeNetworkInterfaces",
	//        "ec2:DescribeNetworkInterfaceAttribute",
	//        "ec2:DescribeRouteTables",
	//        "ec2:DescribeSecurityGroups",
	//        "ec2:DescribeSubnets",
	//        "ec2:DescribeVpcs",
	//        "ec2:DescribeVpcAttribute",
	//        "ec2:DescribeVolumes",
	//        "ec2:DetachInternetGateway",
	//        "ec2:DisassociateRouteTable",
	//        "ec2:DisassociateAddress",
	//        "ec2:ModifyInstanceAttribute",
	//        "ec2:ModifyNetworkInterfaceAttribute",
	//        "ec2:ModifySubnetAttribute",
	//        "ec2:RevokeSecurityGroupIngress",
	//        "ec2:RunInstances",
	//        "ec2:TerminateInstances",
	//        "tag:GetResources",
	//        "ec2:CreateLaunchTemplate",
	//        "ec2:CreateLaunchTemplateVersion",
	//        "ec2:DescribeLaunchTemplates",
	//        "ec2:DescribeLaunchTemplateVersions",
	//        "ec2:DeleteLaunchTemplate",
	//        "ec2:DeleteLaunchTemplateVersions"
	//      ],
	//      "Resource": [
	//        "*"
	//      ],
	//      "Effect": "Allow"
	//    },
	//    {
	//      "Condition": {
	//        "StringLike": {
	//          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
	//        }
	//      },
	//      "Action": [
	//        "iam:CreateServiceLinkedRole"
	//      ],
	//      "Resource": [
	//        "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
	//      ],
	//      "Effect": "Allow"
	//    },
	//    {
	//      "Action": [
	//        "iam:PassRole"
	//      ],
	//      "Resource": [
	//        "arn:*:iam::*:role/*-worker-role"
	//      ],
	//      "Effect": "Allow"
	//    },
	// 	  {
	// 	  	"Effect": "Allow",
	// 	  	"Action": [
	// 	  		"kms:Decrypt",
	// 	  		"kms:ReEncrypt",
	// 	  		"kms:GenerateDataKeyWithoutPlainText",
	// 	  		"kms:DescribeKey"
	// 	  	],
	// 	  	"Resource": "*"
	// 	  },
	// 	  {
	// 	  	"Effect": "Allow",
	// 	  	"Action": [
	// 	  		"kms:CreateGrant"
	// 	  	],
	// 	  	"Resource": "*",
	// 	  	"Condition": {
	// 	  		"Bool": {
	// 	  			"kms:GrantIsForAWSResource": true
	// 	  		}
	// 	  	}
	// 	  }
	//  ]
	// }
	//
	// +immutable
	NodePoolManagementARN string `json:"nodePoolManagementARN"`

	// ControlPlaneOperatorARN  is an ARN value referencing a role appropriate for the Control Plane Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	//	"Version": "2012-10-17",
	//	"Statement": [
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"ec2:CreateVpcEndpoint",
	//				"ec2:DescribeVpcEndpoints",
	//				"ec2:ModifyVpcEndpoint",
	//				"ec2:DeleteVpcEndpoints",
	//				"ec2:CreateTags",
	//				"route53:ListHostedZones",
	//				"ec2:CreateSecurityGroup",
	//				"ec2:AuthorizeSecurityGroupIngress",
	//				"ec2:AuthorizeSecurityGroupEgress",
	//				"ec2:DeleteSecurityGroup",
	//				"ec2:RevokeSecurityGroupIngress",
	//				"ec2:RevokeSecurityGroupEgress",
	//				"ec2:DescribeSecurityGroups",
	//				"ec2:DescribeVpcs",
	//			],
	//			"Resource": "*"
	//		},
	//		{
	//			"Effect": "Allow",
	//			"Action": [
	//				"route53:ChangeResourceRecordSets",
	//				"route53:ListResourceRecordSets"
	//			],
	//			"Resource": "arn:aws:route53:::%s"
	//		}
	//	]
	// }
	// +immutable
	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`
	KMSProviderARN          string `json:"kmsProviderARN"`
}

AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.

func (*AWSRolesRef) DeepCopy

func (in *AWSRolesRef) DeepCopy() *AWSRolesRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSRolesRef.

func (*AWSRolesRef) DeepCopyInto

func (in *AWSRolesRef) DeepCopyInto(out *AWSRolesRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type DefaultMachinePoolSpec added in v2.4.1

type DefaultMachinePoolSpec struct {
	// The instance type to use, for example `r5.xlarge`. Instance type ref; https://aws.amazon.com/ec2/instance-types/
	// +optional
	InstanceType string `json:"instanceType,omitempty"`

	// Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value
	// must be equal or multiple of the availability zones count.
	// +optional
	Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"`
}

DefaultMachinePoolSpec defines the configuration for the required worker nodes provisioned as part of the cluster creation.

func (*DefaultMachinePoolSpec) DeepCopy added in v2.4.1

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultMachinePoolSpec.

func (*DefaultMachinePoolSpec) DeepCopyInto added in v2.4.1

func (in *DefaultMachinePoolSpec) DeepCopyInto(out *DefaultMachinePoolSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ExternalAuthProvider added in v2.5.0

type ExternalAuthProvider struct {
	// Name of the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
	// Issuer describes attributes of the OIDC token issuer
	//
	// +kubebuilder:validation:Required
	// +required
	Issuer TokenIssuer `json:"issuer"`

	// OIDCClients contains configuration for the platform's clients that
	// need to request tokens from the issuer
	//
	// +listType=map
	// +listMapKey=componentNamespace
	// +listMapKey=componentName
	// +kubebuilder:validation:MaxItems=20
	// +optional
	OIDCClients []OIDCClientConfig `json:"oidcClients,omitempty"`

	// ClaimMappings describes rules on how to transform information from an
	// ID token into a cluster identity
	// +optional
	ClaimMappings *TokenClaimMappings `json:"claimMappings,omitempty"`

	// ClaimValidationRules are rules that are applied to validate token claims to authenticate users.
	//
	// +listType=atomic
	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
}

ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster

func (*ExternalAuthProvider) DeepCopy added in v2.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAuthProvider.

func (*ExternalAuthProvider) DeepCopyInto added in v2.5.0

func (in *ExternalAuthProvider) DeepCopyInto(out *ExternalAuthProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type LocalObjectReference added in v2.5.0

type LocalObjectReference struct {
	// Name is the metadata.name of the referenced object.
	//
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
}

LocalObjectReference references an object in the same namespace.

func (*LocalObjectReference) DeepCopy added in v2.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.

func (*LocalObjectReference) DeepCopyInto added in v2.5.0

func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NetworkSpec added in v2.4.0

type NetworkSpec struct {
	// IP addresses block used by OpenShift while installing the cluster, for example "10.0.0.0/16".
	// +kubebuilder:validation:Format=cidr
	// +optional
	MachineCIDR string `json:"machineCIDR,omitempty"`

	// IP address block from which to assign pod IP addresses, for example `10.128.0.0/14`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	PodCIDR string `json:"podCIDR,omitempty"`

	// IP address block from which to assign service IP addresses, for example `172.30.0.0/16`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	ServiceCIDR string `json:"serviceCIDR,omitempty"`

	// Network host prefix which is defaulted to `23` if not specified.
	// +kubebuilder:default=23
	// +optional
	HostPrefix int `json:"hostPrefix,omitempty"`

	// The CNI network type default is OVNKubernetes.
	// +kubebuilder:validation:Enum=OVNKubernetes;Other
	// +kubebuilder:default=OVNKubernetes
	// +optional
	NetworkType string `json:"networkType,omitempty"`
}

NetworkSpec for ROSA-HCP.

func (*NetworkSpec) DeepCopy added in v2.4.0

func (in *NetworkSpec) DeepCopy() *NetworkSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec.

func (*NetworkSpec) DeepCopyInto added in v2.4.0

func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCClientConfig added in v2.5.0

type OIDCClientConfig struct {
	// ComponentName is the name of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=256
	// +kubebuilder:validation:Required
	// +required
	ComponentName string `json:"componentName"`

	// ComponentNamespace is the namespace of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Required
	// +required
	ComponentNamespace string `json:"componentNamespace"`

	// ClientID is the identifier of the OIDC client from the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	ClientID string `json:"clientID"`

	// ClientSecret refers to a secret that
	// contains the client secret in the `clientSecret` key of the `.data` field
	ClientSecret LocalObjectReference `json:"clientSecret"`

	// ExtraScopes is an optional set of scopes to request tokens with.
	//
	// +listType=set
	// +optional
	ExtraScopes []string `json:"extraScopes,omitempty"`
}

OIDCClientConfig contains configuration for the platform's client that need to request tokens from the issuer.

func (*OIDCClientConfig) DeepCopy added in v2.5.0

func (in *OIDCClientConfig) DeepCopy() *OIDCClientConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientConfig.

func (*OIDCClientConfig) DeepCopyInto added in v2.5.0

func (in *OIDCClientConfig) DeepCopyInto(out *OIDCClientConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrefixedClaimMapping added in v2.5.0

type PrefixedClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// Prefix is a string to prefix the value from the token in the result of the
	// claim mapping.
	//
	// By default, no prefixing occurs.
	//
	// Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains
	// an array of strings "a", "b" and  "c", the mapping will result in an
	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
	Prefix string `json:"prefix,omitempty"`
}

PrefixedClaimMapping defines claims with a prefix.

func (*PrefixedClaimMapping) DeepCopy added in v2.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimMapping.

func (*PrefixedClaimMapping) DeepCopyInto added in v2.5.0

func (in *PrefixedClaimMapping) DeepCopyInto(out *PrefixedClaimMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ROSAControlPlane

type ROSAControlPlane struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   RosaControlPlaneSpec   `json:"spec,omitempty"`
	Status RosaControlPlaneStatus `json:"status,omitempty"`
}

ROSAControlPlane is the Schema for the ROSAControlPlanes API.

func (*ROSAControlPlane) DeepCopy

func (in *ROSAControlPlane) DeepCopy() *ROSAControlPlane

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlane.

func (*ROSAControlPlane) DeepCopyInto

func (in *ROSAControlPlane) DeepCopyInto(out *ROSAControlPlane)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ROSAControlPlane) DeepCopyObject

func (in *ROSAControlPlane) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ROSAControlPlane) Default added in v2.4.1

func (r *ROSAControlPlane) Default()

Default implements admission.Defaulter.

func (*ROSAControlPlane) GetConditions

func (r *ROSAControlPlane) GetConditions() clusterv1.Conditions

GetConditions returns the control planes conditions.

func (*ROSAControlPlane) SetConditions

func (r *ROSAControlPlane) SetConditions(conditions clusterv1.Conditions)

SetConditions sets the status conditions for the AWSManagedControlPlane.

func (*ROSAControlPlane) SetupWebhookWithManager added in v2.4.1

func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error

SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.

func (*ROSAControlPlane) ValidateCreate added in v2.4.1

func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err error)

ValidateCreate implements admission.Validator.

func (*ROSAControlPlane) ValidateDelete added in v2.4.1

func (r *ROSAControlPlane) ValidateDelete() (warnings admission.Warnings, err error)

ValidateDelete implements admission.Validator.

func (*ROSAControlPlane) ValidateUpdate added in v2.4.1

func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error)

ValidateUpdate implements admission.Validator.

type ROSAControlPlaneList

type ROSAControlPlaneList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ROSAControlPlane `json:"items"`
}

ROSAControlPlaneList contains a list of ROSAControlPlane.

func (*ROSAControlPlaneList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlaneList.

func (*ROSAControlPlaneList) DeepCopyInto

func (in *ROSAControlPlaneList) DeepCopyInto(out *ROSAControlPlaneList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ROSAControlPlaneList) DeepCopyObject

func (in *ROSAControlPlaneList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RosaControlPlaneSpec

type RosaControlPlaneSpec struct {
	// Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric
	// characters or '-', start with an alphabetic character, end with an alphanumeric character
	// and have a max length of 54 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="rosaClusterName is immutable"
	// +kubebuilder:validation:MaxLength:=54
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	RosaClusterName string `json:"rosaClusterName"`

	// DomainPrefix is an optional prefix added to the cluster's domain name. It will be used
	// when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label
	// consisting of lower case alphanumeric characters or '-', start with an alphabetic character
	// end with an alphanumeric character and have a max length of 15 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="domainPrefix is immutable"
	// +kubebuilder:validation:MaxLength:=15
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	// +optional
	DomainPrefix string `json:"domainPrefix,omitempty"`

	// The Subnet IDs to use when installing the cluster.
	// SubnetIDs should come in pairs; two per availability zone, one private and one public.
	Subnets []string `json:"subnets"`

	// AvailabilityZones describe AWS AvailabilityZones of the worker nodes.
	// should match the AvailabilityZones of the provided Subnets.
	// a machinepool will be created for each availabilityZone.
	AvailabilityZones []string `json:"availabilityZones"`

	// The AWS Region the cluster lives in.
	Region string `json:"region"`

	// OpenShift semantic version, for example "4.14.5".
	Version string `json:"version"`

	// AWS IAM roles used to perform credential requests by the openshift operators.
	RolesRef AWSRolesRef `json:"rolesRef"`

	// The ID of the internal OpenID Connect Provider.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="oidcID is immutable"
	OIDCID string `json:"oidcID"`

	// EnableExternalAuthProviders enables external authentication configuration for the cluster.
	//
	// +kubebuilder:default=false
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="enableExternalAuthProviders is immutable"
	// +optional
	EnableExternalAuthProviders bool `json:"enableExternalAuthProviders,omitempty"`

	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
	// Can only be set if "enableExternalAuthProviders" is set to "True".
	//
	// At most one provider can be configured.
	//
	// +listType=map
	// +listMapKey=name
	// +kubebuilder:validation:MaxItems=1
	ExternalAuthProviders []ExternalAuthProvider `json:"externalAuthProviders,omitempty"`

	// InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster..
	InstallerRoleARN string `json:"installerRoleARN"`
	// SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable
	// access to the cluster account in order to provide support.
	SupportRoleARN string `json:"supportRoleARN"`
	// WorkerRoleARN is an AWS IAM role that will be attached to worker instances.
	WorkerRoleARN string `json:"workerRoleARN"`

	// BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters.
	// The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster
	// is running.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="billingAccount is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]{12}$')", message="billingAccount must be a valid AWS account ID"
	// +immutable
	// +optional
	BillingAccount string `json:"billingAccount,omitempty"`

	// DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation.
	// One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators
	// to work properly.
	// As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider.
	// `rosa list machinepools -c <rosaClusterName>` can be used to view those machinepools.
	//
	// This field will be removed in the future once the current limitation is resolved.
	//
	// +optional
	DefaultMachinePoolSpec DefaultMachinePoolSpec `json:"defaultMachinePoolSpec,omitempty"`

	// Network config for the ROSA HCP cluster.
	// +optional
	Network *NetworkSpec `json:"network,omitempty"`

	// EndpointAccess specifies the publishing scope of cluster endpoints. The
	// default is Public.
	//
	// +kubebuilder:validation:Enum=Public;Private
	// +kubebuilder:default=Public
	// +optional
	EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"`

	// AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
	// +optional
	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`

	// EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
	// created out-of-band by the user and tagged with `red-hat:true`.
	// +optional
	EtcdEncryptionKMSARN string `json:"etcdEncryptionKMSARN,omitempty"`

	// AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch.
	// If not set, audit log forwarding is disabled.
	// +optional
	AuditLogRoleARN string `json:"auditLogRoleARN,omitempty"`

	// ProvisionShardID defines the shard where rosa control plane components will be hosted.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="provisionShardID is immutable"
	// +optional
	ProvisionShardID string `json:"provisionShardID,omitempty"`

	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
	// The secret should contain the following data keys:
	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
	// +optional
	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`

	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
	// If no identity is specified, the default identity for this controller will be used.
	//
	// +optional
	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`

	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
	// +optional
	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
}

RosaControlPlaneSpec defines the desired state of ROSAControlPlane.

func (*RosaControlPlaneSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneSpec.

func (*RosaControlPlaneSpec) DeepCopyInto

func (in *RosaControlPlaneSpec) DeepCopyInto(out *RosaControlPlaneSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RosaControlPlaneStatus

type RosaControlPlaneStatus struct {
	// ExternalManagedControlPlane indicates to cluster-api that the control plane
	// is managed by an external service such as AKS, EKS, GKE, etc.
	// +kubebuilder:default=true
	ExternalManagedControlPlane *bool `json:"externalManagedControlPlane,omitempty"`
	// Initialized denotes whether or not the control plane has the
	// uploaded kubernetes config-map.
	// +optional
	Initialized bool `json:"initialized"`
	// Ready denotes that the ROSAControlPlane API Server is ready to receive requests.
	// +kubebuilder:default=false
	Ready bool `json:"ready"`
	// FailureMessage will be set in the event that there is a terminal problem
	// reconciling the state and will be set to a descriptive error message.
	//
	// This field should not be set for transitive errors that a controller
	// faces that are expected to be fixed automatically over
	// time (like service outages), but instead indicate that something is
	// fundamentally wrong with the spec or the configuration of
	// the controller, and that manual intervention is required.
	//
	// +optional
	FailureMessage *string `json:"failureMessage,omitempty"`
	// Conditions specifies the conditions for the managed control plane
	Conditions clusterv1.Conditions `json:"conditions,omitempty"`

	// ID is the cluster ID given by ROSA.
	ID string `json:"id,omitempty"`
	// ConsoleURL is the url for the openshift console.
	ConsoleURL string `json:"consoleURL,omitempty"`
	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
}

RosaControlPlaneStatus defines the observed state of ROSAControlPlane.

func (*RosaControlPlaneStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneStatus.

func (*RosaControlPlaneStatus) DeepCopyInto

func (in *RosaControlPlaneStatus) DeepCopyInto(out *RosaControlPlaneStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RosaEndpointAccessType added in v2.4.1

type RosaEndpointAccessType string

RosaEndpointAccessType specifies the publishing scope of cluster endpoints.

const (
	// Public endpoint access allows public API server access and
	// private node communication with the control plane.
	Public RosaEndpointAccessType = "Public"

	// Private endpoint access allows only private API server access and private
	// node communication with the control plane.
	Private RosaEndpointAccessType = "Private"
)

type TokenAudience added in v2.5.0

type TokenAudience string

TokenAudience is the audience that the token was issued for.

+kubebuilder:validation:MinLength=1

type TokenClaimMappings added in v2.5.0

type TokenClaimMappings struct {
	// Username is a name of the claim that should be used to construct
	// usernames for the cluster identity.
	//
	// Default value: "sub"
	// +optional
	Username *UsernameClaimMapping `json:"username,omitempty"`

	// Groups is a name of the claim that should be used to construct
	// groups for the cluster identity.
	// The referenced claim must use array of strings values.
	// +optional
	Groups *PrefixedClaimMapping `json:"groups,omitempty"`
}

TokenClaimMappings describes rules on how to transform information from an ID token into a cluster identity.

func (*TokenClaimMappings) DeepCopy added in v2.5.0

func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimMappings.

func (*TokenClaimMappings) DeepCopyInto added in v2.5.0

func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TokenClaimValidationRule added in v2.5.0

type TokenClaimValidationRule struct {
	// Type sets the type of the validation rule
	//
	// +kubebuilder:validation:Enum={"RequiredClaim"}
	// +kubebuilder:default="RequiredClaim"
	Type TokenValidationRuleType `json:"type"`

	// RequiredClaim allows configuring a required claim name and its expected value
	// +kubebuilder:validation:Required
	RequiredClaim TokenRequiredClaim `json:"requiredClaim"`
}

TokenClaimValidationRule validates token claims to authenticate users.

func (*TokenClaimValidationRule) DeepCopy added in v2.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationRule.

func (*TokenClaimValidationRule) DeepCopyInto added in v2.5.0

func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TokenIssuer added in v2.5.0

type TokenIssuer struct {
	// URL is the serving URL of the token issuer.
	// Must use the https:// scheme.
	//
	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
	// +kubebuilder:validation:Required
	// +required
	URL string `json:"issuerURL"`

	// Audiences is an array of audiences that the token was issued for.
	// Valid tokens must include at least one of these values in their
	// "aud" claim.
	// Must be set to exactly one value.
	//
	// +listType=set
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=10
	// +required
	Audiences []TokenAudience `json:"audiences"`

	// CertificateAuthority is a reference to a config map in the
	// configuration namespace. The .data of the configMap must contain
	// the "ca-bundle.crt" key.
	// If unset, system trust is used instead.
	CertificateAuthority *LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
}

TokenIssuer describes attributes of the OIDC token issuer

func (*TokenIssuer) DeepCopy added in v2.5.0

func (in *TokenIssuer) DeepCopy() *TokenIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenIssuer.

func (*TokenIssuer) DeepCopyInto added in v2.5.0

func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TokenRequiredClaim added in v2.5.0

type TokenRequiredClaim struct {
	// Claim is a name of a required claim. Only claims with string values are
	// supported.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// RequiredValue is the required value for the claim.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	RequiredValue string `json:"requiredValue"`
}

TokenRequiredClaim allows configuring a required claim name and its expected value.

func (*TokenRequiredClaim) DeepCopy added in v2.5.0

func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenRequiredClaim.

func (*TokenRequiredClaim) DeepCopyInto added in v2.5.0

func (in *TokenRequiredClaim) DeepCopyInto(out *TokenRequiredClaim)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TokenValidationRuleType added in v2.5.0

type TokenValidationRuleType string

TokenValidationRuleType defines the type of the validation rule.

const (
	// TokenValidationRuleTypeRequiredClaim defines the type for RequiredClaim.
	TokenValidationRuleTypeRequiredClaim TokenValidationRuleType = "RequiredClaim"
)

type UsernameClaimMapping added in v2.5.0

type UsernameClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// PrefixPolicy specifies how a prefix should apply.
	//
	// By default, claims other than `email` will be prefixed with the issuer URL to
	// prevent naming clashes with other plugins.
	//
	// Set to "NoPrefix" to disable prefixing.
	//
	// Example:
	//     (1) `prefix` is set to "myoidc:" and `claim` is set to "username".
	//         If the JWT claim `username` contains value `userA`, the resulting
	//         mapped value will be "myoidc:userA".
	//     (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the
	//         JWT `email` claim contains value "userA@myoidc.tld", the resulting
	//         mapped value will be "myoidc:userA@myoidc.tld".
	//     (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
	//         the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
	//         and `claim` is set to:
	//         (a) "username": the mapped value will be "https://myoidc.tld#userA"
	//         (b) "email": the mapped value will be "userA@myoidc.tld"
	//
	// +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
	// +optional
	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy,omitempty"`

	// Prefix is prepended to claim to prevent clashes with existing names.
	//
	// +kubebuilder:validation:MinLength=1
	// +optional
	Prefix *string `json:"prefix,omitempty"`
}

UsernameClaimMapping defines the claim that should be used to construct usernames for the cluster identity.

+kubebuilder:validation:XValidation:rule="self.prefixPolicy == 'Prefix' ? has(self.prefix) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"

func (*UsernameClaimMapping) DeepCopy added in v2.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernameClaimMapping.

func (*UsernameClaimMapping) DeepCopyInto added in v2.5.0

func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type UsernamePrefixPolicy added in v2.5.0

type UsernamePrefixPolicy string

UsernamePrefixPolicy specifies how a prefix should apply.

const (
	// NoOpinion let's the cluster assign prefixes.  If the username claim is email, there is no prefix
	// If the username claim is anything else, it is prefixed by the issuerURL
	NoOpinion UsernamePrefixPolicy = ""

	// NoPrefix means the username claim value will not have any  prefix
	NoPrefix UsernamePrefixPolicy = "NoPrefix"

	// Prefix means the prefix value must be specified.  It cannot be empty
	Prefix UsernamePrefixPolicy = "Prefix"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL