From 5d1b05f617b62792dcaf88e90261d5cf7fd01ea6 Mon Sep 17 00:00:00 2001 From: Vadim Rutkovsky Date: Tue, 30 Jul 2024 13:25:59 +0200 Subject: [PATCH 1/3] Bump openshift/api to vrutkovs:feature-short-cert-rotation --- go.mod | 2 + go.sum | 4 +- .../api/{Dockerfile.rhel8 => Dockerfile.ocp} | 0 .../openshift/api/config/v1/types.go | 6 +- .../api/config/v1/types_cluster_version.go | 1 - .../openshift/api/config/v1/types_feature.go | 1 + .../api/config/v1/types_infrastructure.go | 2 +- .../api/config/v1/types_tlssecurityprofile.go | 1 + .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../v1alpha1/types_cluster_image_policy.go | 7 +- .../api/config/v1alpha1/types_image_policy.go | 7 +- ..._generated.featuregated-crd-manifests.yaml | 8 +- .../zz_generated.swagger_doc_generated.go | 4 +- vendor/github.com/openshift/api/features.md | 16 +- .../openshift/api/features/features.go | 96 +- .../api/machine/v1beta1/types_awsprovider.go | 7 + .../api/machine/v1beta1/types_machineset.go | 5 + .../machine/v1beta1/zz_generated.deepcopy.go | 12 + .../zz_generated.swagger_doc_generated.go | 40 +- .../api/operator/v1/types_ingress.go | 133 +- ...ngresscontrollers-CustomNoUpgrade.crd.yaml | 2710 +++++++++++++++++ ...ss_00_ingresscontrollers-Default.crd.yaml} | 61 + ...sscontrollers-DevPreviewNoUpgrade.crd.yaml | 2710 +++++++++++++++++ ...scontrollers-TechPreviewNoUpgrade.crd.yaml | 2710 +++++++++++++++++ .../api/operator/v1/zz_generated.deepcopy.go | 45 +- ..._generated.featuregated-crd-manifests.yaml | 4 +- .../v1/zz_generated.swagger_doc_generated.go | 15 +- vendor/modules.txt | 3 +- 28 files changed, 8544 insertions(+), 68 deletions(-) rename vendor/github.com/openshift/api/{Dockerfile.rhel8 => Dockerfile.ocp} (100%) create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml rename vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/{0000_50_ingress_00_ingresscontrollers.crd.yaml => 0000_50_ingress_00_ingresscontrollers-Default.crd.yaml} (97%) create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml create mode 100644 vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml diff --git a/go.mod b/go.mod index 1ba8cf7815..1ff808bdc0 100644 --- a/go.mod +++ b/go.mod @@ -125,3 +125,5 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) + +replace github.com/openshift/api => github.com/vrutkovs/api v0.0.0-20240730110716-670935b00022 diff --git a/go.sum b/go.sum index f329379a57..35b28142dc 100644 --- a/go.sum +++ b/go.sum @@ -150,8 +150,6 @@ github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE= github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= -github.com/openshift/api v0.0.0-20240527133614-ba11c1587003 h1:ewhIvyXCcvH6m3U02bMFtd/DfsmOSbOCuVzon+zGu7g= -github.com/openshift/api v0.0.0-20240527133614-ba11c1587003/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM= github.com/openshift/build-machinery-go v0.0.0-20240419090851-af9c868bcf52 h1:bqBwrXG7sbJUqP1Og1bR8FvVh7qb7CrMgy9saKmOZFs= github.com/openshift/build-machinery-go v0.0.0-20240419090851-af9c868bcf52/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20240528061634-b054aa794d87 h1:JtLhaGpSEconE+1IKmIgCOof/Len5ceG6H1pk43yv5U= @@ -200,6 +198,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= +github.com/vrutkovs/api v0.0.0-20240730110716-670935b00022 h1:wb052woPOJWxXR1rIcST2OhuRAWtnWzH0OnCP8b9WNI= +github.com/vrutkovs/api v0.0.0-20240730110716-670935b00022/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= diff --git a/vendor/github.com/openshift/api/Dockerfile.rhel8 b/vendor/github.com/openshift/api/Dockerfile.ocp similarity index 100% rename from vendor/github.com/openshift/api/Dockerfile.rhel8 rename to vendor/github.com/openshift/api/Dockerfile.ocp diff --git a/vendor/github.com/openshift/api/config/v1/types.go b/vendor/github.com/openshift/api/config/v1/types.go index 6fb1b9adc9..d4d09e7fee 100644 --- a/vendor/github.com/openshift/api/config/v1/types.go +++ b/vendor/github.com/openshift/api/config/v1/types.go @@ -401,7 +401,7 @@ const ( // IBMCloudServiceName contains a value specifying the name of an IBM Cloud Service, // which are used by MAPI, CIRO, CIO, Installer, etc. -// +kubebuilder:validation:Enum=CIS;COS;DNSServices;GlobalSearch;GlobalTagging;HyperProtect;IAM;KeyProtect;ResourceController;ResourceManager;VPC +// +kubebuilder:validation:Enum=CIS;COS;COSConfig;DNSServices;GlobalCatalog;GlobalSearch;GlobalTagging;HyperProtect;IAM;KeyProtect;ResourceController;ResourceManager;VPC type IBMCloudServiceName string const ( @@ -409,8 +409,12 @@ const ( IBMCloudServiceCIS IBMCloudServiceName = "CIS" // IBMCloudServiceCOS is the name for IBM Cloud COS. IBMCloudServiceCOS IBMCloudServiceName = "COS" + // IBMCloudServiceCOSConfig is the name for IBM Cloud COS Config service. + IBMCloudServiceCOSConfig IBMCloudServiceName = "COSConfig" // IBMCloudServiceDNSServices is the name for IBM Cloud DNS Services. IBMCloudServiceDNSServices IBMCloudServiceName = "DNSServices" + // IBMCloudServiceGlobalCatalog is the name for IBM Cloud Global Catalog service. + IBMCloudServiceGlobalCatalog IBMCloudServiceName = "GlobalCatalog" // IBMCloudServiceGlobalSearch is the name for IBM Cloud Global Search. IBMCloudServiceGlobalSearch IBMCloudServiceName = "GlobalSearch" // IBMCloudServiceGlobalTagging is the name for IBM Cloud Global Tagging. diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go index 2b8c302134..707af9d848 100644 --- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go +++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go @@ -18,7 +18,6 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:subresource:status // +kubebuilder:resource:path=clusterversions,scope=Cluster -// +kubebuilder:validation:XValidation:rule="has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == 'None' && 'baremetal' in self.spec.capabilities.additionalEnabledCapabilities ? 'MachineAPI' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && 'MachineAPI' in self.status.capabilities.enabledCapabilities) : true",message="the `baremetal` capability requires the `MachineAPI` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `MachineAPI` capability" // +kubebuilder:validation:XValidation:rule="has(self.spec.capabilities) && has(self.spec.capabilities.additionalEnabledCapabilities) && self.spec.capabilities.baselineCapabilitySet == 'None' && 'marketplace' in self.spec.capabilities.additionalEnabledCapabilities ? 'OperatorLifecycleManager' in self.spec.capabilities.additionalEnabledCapabilities || (has(self.status) && has(self.status.capabilities) && has(self.status.capabilities.enabledCapabilities) && 'OperatorLifecycleManager' in self.status.capabilities.enabledCapabilities) : true",message="the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability" // +kubebuilder:printcolumn:name=Version,JSONPath=.status.history[?(@.state=="Completed")].version,type=string // +kubebuilder:printcolumn:name=Available,JSONPath=.status.conditions[?(@.type=="Available")].status,type=string diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go index 2769ba35aa..99d99f5b5f 100644 --- a/vendor/github.com/openshift/api/config/v1/types_feature.go +++ b/vendor/github.com/openshift/api/config/v1/types_feature.go @@ -28,6 +28,7 @@ type FeatureGate struct { // spec holds user settable values for configuration // +kubebuilder:validation:Required // +required + // +kubebuilder:validation:XValidation:rule="has(oldSelf.featureSet) ? has(self.featureSet) : true",message=".spec.featureSet cannot be removed" Spec FeatureGateSpec `json:"spec"` // status holds observed values from the cluster. They may not be overridden. // +optional diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 8e50008eaa..e5ff5fc619 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -1473,7 +1473,7 @@ type VSpherePlatformStatus struct { // override existing defaults of IBM Cloud Services. type IBMCloudServiceEndpoint struct { // name is the name of the IBM Cloud service. - // Possible values are: CIS, COS, DNSServices, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. + // Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. // For example, the IBM Cloud Private IAM service could be configured with the // service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` // Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go index c5dea1a032..b18ef647c2 100644 --- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go +++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go @@ -211,6 +211,7 @@ type TLSProfileSpec struct { // ciphers: // - DES-CBC3-SHA // + // +listType=atomic Ciphers []string `json:"ciphers"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index fcb4fb9a42..e5e9bdb897 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -1439,7 +1439,7 @@ func (IBMCloudPlatformStatus) SwaggerDoc() map[string]string { var map_IBMCloudServiceEndpoint = map[string]string{ "": "IBMCloudServiceEndpoint stores the configuration of a custom url to override existing defaults of IBM Cloud Services.", - "name": "name is the name of the IBM Cloud service. Possible values are: CIS, COS, DNSServices, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. For example, the IBM Cloud Private IAM service could be configured with the service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`", + "name": "name is the name of the IBM Cloud service. Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC. For example, the IBM Cloud Private IAM service could be configured with the service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com` Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`", "url": "url is fully qualified URI with scheme https, that overrides the default generated endpoint for a client. This must be provided and cannot be empty.", } diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go index c503fdeab6..e3670f03e8 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go @@ -14,7 +14,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +kubebuilder:subresource:status // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1457 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=ImagePolicy +// +openshift:enable:FeatureGate=SigstoreImageVerification // +openshift:compatibility-gen:level=4 type ClusterImagePolicy struct { metav1.TypeMeta `json:",inline"` @@ -38,8 +38,9 @@ type ClusterImagePolicySpec struct { // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - // Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. - // If configured, the policies for OpenShift Container Platform repositories will not be in effect. + // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go index 247bab2184..7031110ff1 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go @@ -13,7 +13,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +kubebuilder:subresource:status // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1457 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=ImagePolicy +// +openshift:enable:FeatureGate=SigstoreImageVerification // +openshift:compatibility-gen:level=4 type ImagePolicy struct { metav1.TypeMeta `json:",inline"` @@ -37,8 +37,9 @@ type ImagePolicySpec struct { // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. - // Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. - // If configured, the policies for OpenShift Container Platform repositories will not be in effect. + // If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. + // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories + // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. // For additional details about the format, please refer to the document explaining the docker transport field, // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker // +kubebuilder:validation:Required diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 9b5744d4a0..393365b41c 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -28,7 +28,7 @@ clusterimagepolicies.config.openshift.io: Capability: "" Category: "" FeatureGates: - - ImagePolicy + - SigstoreImageVerification FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -41,7 +41,7 @@ clusterimagepolicies.config.openshift.io: Scope: Cluster ShortNames: null TopLevelFeatureGates: - - ImagePolicy + - SigstoreImageVerification Version: v1alpha1 imagepolicies.config.openshift.io: @@ -51,7 +51,7 @@ imagepolicies.config.openshift.io: Capability: "" Category: "" FeatureGates: - - ImagePolicy + - SigstoreImageVerification FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" @@ -64,7 +64,7 @@ imagepolicies.config.openshift.io: Scope: Namespaced ShortNames: null TopLevelFeatureGates: - - ImagePolicy + - SigstoreImageVerification Version: v1alpha1 insightsdatagathers.config.openshift.io: diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index efaac4fa2a..9da086efc5 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -102,7 +102,7 @@ func (ClusterImagePolicyList) SwaggerDoc() map[string]string { var map_ClusterImagePolicySpec = map[string]string{ "": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } @@ -151,7 +151,7 @@ func (ImagePolicyList) SwaggerDoc() map[string]string { var map_ImagePolicySpec = map[string]string{ "": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. Please be aware that the scopes should not be nested under the repositories of OpenShift Container Platform images. If configured, the policies for OpenShift Container Platform repositories will not be in effect. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", + "scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", "policy": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", } diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index e7848c6303..4079ffb9dd 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md @@ -1,17 +1,23 @@ | FeatureGate | Default on Hypershift | Default on SelfManagedHA | DevPreviewNoUpgrade on Hypershift | DevPreviewNoUpgrade on SelfManagedHA | TechPreviewNoUpgrade on Hypershift | TechPreviewNoUpgrade on SelfManagedHA | | ------ | --- | --- | --- | --- | --- | --- | | ClusterAPIInstall| | | | | | | -| ClusterAPIInstallAzure| | | | | | | | ClusterAPIInstallIBMCloud| | | | | | | | EventedPLEG| | | | | | | | MachineAPIMigration| | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | +| MultiArchInstallAWS| | | | | | | +| MultiArchInstallAzure| | | | | | | +| MultiArchInstallGCP| | | | | | | | GatewayAPI| | | Enabled | Enabled | | | +| ShortCertRotation| | | Enabled | Enabled | | | | AutomatedEtcdBackup| | | Enabled | Enabled | Enabled | Enabled | +| BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | | CSIDriverSharedResource| | | Enabled | Enabled | Enabled | Enabled | | ChunkSizeMiB| | | Enabled | Enabled | Enabled | Enabled | +| ClusterAPIInstallAzure| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallGCP| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallPowerVS| | | Enabled | Enabled | Enabled | Enabled | +| ClusterMonitoringConfig| | | Enabled | Enabled | Enabled | Enabled | | DNSNameResolver| | | Enabled | Enabled | Enabled | Enabled | | DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | @@ -19,7 +25,7 @@ | ExternalRouteCertificate| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | GCPLabelsTags| | | Enabled | Enabled | Enabled | Enabled | -| ImagePolicy| | | Enabled | Enabled | Enabled | Enabled | +| IngressControllerLBSubnetsAWS| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfigAPI| | | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | @@ -27,19 +33,21 @@ | MachineAPIProviderOpenStack| | | Enabled | Enabled | Enabled | Enabled | | MachineConfigNodes| | | Enabled | Enabled | Enabled | Enabled | | ManagedBootImages| | | Enabled | Enabled | Enabled | Enabled | +| ManagedBootImagesAWS| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | | MetricsCollectionProfiles| | | Enabled | Enabled | Enabled | Enabled | | MixedCPUsAllocation| | | Enabled | Enabled | Enabled | Enabled | +| NetworkSegmentation| | | Enabled | Enabled | Enabled | Enabled | | NewOLM| | | Enabled | Enabled | Enabled | Enabled | | NodeDisruptionPolicy| | | Enabled | Enabled | Enabled | Enabled | | NodeSwap| | | Enabled | Enabled | Enabled | Enabled | | OnClusterBuild| | | Enabled | Enabled | Enabled | Enabled | +| PersistentIPsForVirtualization| | | Enabled | Enabled | Enabled | Enabled | | PinnedImages| | | Enabled | Enabled | Enabled | Enabled | | PlatformOperators| | | Enabled | Enabled | Enabled | Enabled | | RouteExternalCertificate| | | Enabled | Enabled | Enabled | Enabled | | ServiceAccountTokenNodeBinding| | | Enabled | Enabled | Enabled | Enabled | -| ServiceAccountTokenNodeBindingValidation| | | Enabled | Enabled | Enabled | Enabled | -| ServiceAccountTokenPodNodeInfo| | | Enabled | Enabled | Enabled | Enabled | +| SetEIPForNLBIngressController| | | Enabled | Enabled | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| | | Enabled | Enabled | Enabled | Enabled | | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 95eff57746..6430a39229 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -36,13 +36,6 @@ func AllFeatureSets() map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGat var ( allFeatureGates = map[ClusterProfileName]map[configv1.FeatureSet]*FeatureGateEnabledDisabled{} - FeatureGateServiceAccountTokenNodeBindingValidation = newFeatureGate("ServiceAccountTokenNodeBindingValidation"). - reportProblemsToJiraComponent("apiserver-auth"). - contactPerson("stlaz"). - productScope(kubernetes). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateServiceAccountTokenNodeBinding = newFeatureGate("ServiceAccountTokenNodeBinding"). reportProblemsToJiraComponent("apiserver-auth"). contactPerson("stlaz"). @@ -50,13 +43,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateServiceAccountTokenPodNodeInfo = newFeatureGate("ServiceAccountTokenPodNodeInfo"). - reportProblemsToJiraComponent("apiserver-auth"). - contactPerson("stlaz"). - productScope(kubernetes). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateValidatingAdmissionPolicy = newFeatureGate("ValidatingAdmissionPolicy"). reportProblemsToJiraComponent("kube-apiserver"). contactPerson("benluddy"). @@ -71,6 +57,13 @@ var ( enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGateSetEIPForNLBIngressController = newFeatureGate("SetEIPForNLBIngressController"). + reportProblemsToJiraComponent("Networking / router"). + contactPerson("miheer"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateOpenShiftPodSecurityAdmission = newFeatureGate("OpenShiftPodSecurityAdmission"). reportProblemsToJiraComponent("auth"). contactPerson("stlaz"). @@ -231,6 +224,13 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation"). + reportProblemsToJiraComponent("Networking/ovn-kubernetes"). + contactPerson("tssurya"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration"). reportProblemsToJiraComponent("Networking/ovn-kubernetes"). contactPerson("pliu"). @@ -334,6 +334,13 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateManagedBootImagesAWS = newFeatureGate("ManagedBootImagesAWS"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("djoshy"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateDisableKubeletCloudCredentialProviders = newFeatureGate("DisableKubeletCloudCredentialProviders"). reportProblemsToJiraComponent("cloud-provider"). contactPerson("jspeed"). @@ -348,6 +355,13 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + FeatureGateBootcNodeManagement = newFeatureGate("BootcNodeManagement"). + reportProblemsToJiraComponent("MachineConfigOperator"). + contactPerson("inesqyx"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateSignatureStores = newFeatureGate("SignatureStores"). reportProblemsToJiraComponent("Cluster Version Operator"). contactPerson("lmohanty"). @@ -447,13 +461,6 @@ var ( enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateImagePolicy = newFeatureGate("ImagePolicy"). - reportProblemsToJiraComponent("node"). - contactPerson("rphillips"). - productScope(ocpSpecific). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateNodeDisruptionPolicy = newFeatureGate("NodeDisruptionPolicy"). reportProblemsToJiraComponent("MachineConfigOperator"). contactPerson("jerzhang"). @@ -486,6 +493,7 @@ var ( reportProblemsToJiraComponent("Installer"). contactPerson("jhixson74"). productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateClusterAPIInstallGCP = newFeatureGate("ClusterAPIInstallGCP"). @@ -541,4 +549,50 @@ var ( contactPerson("jspeed"). productScope(ocpSpecific). mustRegister() + + FeatureGatePersistentIPsForVirtualization = newFeatureGate("PersistentIPsForVirtualization"). + reportProblemsToJiraComponent("CNV Network"). + contactPerson("mduarted"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateClusterMonitoringConfig = newFeatureGate("ClusterMonitoringConfig"). + reportProblemsToJiraComponent("Monitoring"). + contactPerson("marioferh"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureGateMultiArchInstallAWS = newFeatureGate("MultiArchInstallAWS"). + reportProblemsToJiraComponent("Installer"). + contactPerson("r4f4"). + productScope(ocpSpecific). + mustRegister() + + FeatureGateMultiArchInstallAzure = newFeatureGate("MultiArchInstallAzure"). + reportProblemsToJiraComponent("Installer"). + contactPerson("r4f4"). + productScope(ocpSpecific). + mustRegister() + + FeatureGateMultiArchInstallGCP = newFeatureGate("MultiArchInstallGCP"). + reportProblemsToJiraComponent("Installer"). + contactPerson("r4f4"). + productScope(ocpSpecific). + mustRegister() + + FeatureGateIngressControllerLBSubnetsAWS = newFeatureGate("IngressControllerLBSubnetsAWS"). + reportProblemsToJiraComponent("Routing"). + contactPerson("miciah"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + + FeatureShortCertRotation = newFeatureGate("ShortCertRotation"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("vrutkovs"). + productScope(ocpSpecific). + enableIn(configv1.DevPreviewNoUpgrade). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index f3853579bd..66b76ec8f9 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go @@ -84,6 +84,13 @@ type AWSMachineProviderConfig struct { // When omitted, no placement group is used when creating the EC2 instance. // +optional PlacementGroupName string `json:"placementGroupName,omitempty"` + // placementGroupPartition is the partition number within the placement group in which to launch the instance. + // This must be an integer value between 1 and 7. It is only valid if the placement group, referred in + // `PlacementGroupName` was created with strategy set to partition. + // +kubebuilder:validation:Minimum:=1 + // +kubebuilder:validation:Maximum:=7 + // +optional + PlacementGroupPartition *int32 `json:"placementGroupPartition,omitempty"` } // BlockDeviceMappingSpec describes a block device mapping diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go index e8488833e7..8e7810deb0 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go @@ -150,6 +150,11 @@ type MachineSetStatus struct { // +optional ErrorMessage *string `json:"errorMessage,omitempty"` + // Conditions defines the current state of the MachineSet + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty"` + // authoritativeAPI is the API that is authoritative for this resource. // Valid values are MachineAPI, ClusterAPI and Migrating. // This value is updated by the migration controller to reflect the authoritative API. diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index 3e9eebf6b7..d37ac11e6a 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -75,6 +75,11 @@ func (in *AWSMachineProviderConfig) DeepCopyInto(out *AWSMachineProviderConfig) (*in).DeepCopyInto(*out) } out.MetadataServiceOptions = in.MetadataServiceOptions + if in.PlacementGroupPartition != nil { + in, out := &in.PlacementGroupPartition, &out.PlacementGroupPartition + *out = new(int32) + **out = **in + } return } @@ -1265,6 +1270,13 @@ func (in *MachineSetStatus) DeepCopyInto(out *MachineSetStatus) { *out = new(string) **out = **in } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } return } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 55044bce3e..f2173537c9 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -12,25 +12,26 @@ package v1beta1 // AUTO-GENERATED FUNCTIONS START HERE var map_AWSMachineProviderConfig = map[string]string{ - "": "AWSMachineProviderConfig is the Schema for the awsmachineproviderconfigs API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", - "ami": "AMI is the reference to the AMI from which to create the machine instance.", - "instanceType": "InstanceType is the type of instance to create. Example: m4.xlarge", - "tags": "Tags is the set of tags to add to apply to an instance, in addition to the ones added by default by the actuator. These tags are additive. The actuator will ensure these tags are present, but will not remove any other tags that may exist on the instance.", - "iamInstanceProfile": "IAMInstanceProfile is a reference to an IAM role to assign to the instance", - "userDataSecret": "UserDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", - "credentialsSecret": "CredentialsSecret is a reference to the secret with AWS credentials. Otherwise, defaults to permissions provided by attached IAM role where the actuator is running.", - "keyName": "KeyName is the name of the KeyPair to use for SSH", - "deviceIndex": "DeviceIndex is the index of the device on the instance for the network interface attachment. Defaults to 0.", - "publicIp": "PublicIP specifies whether the instance should get a public IP. If not present, it should use the default of its subnet.", - "networkInterfaceType": "NetworkInterfaceType specifies the type of network interface to be used for the primary network interface. Valid values are \"ENA\", \"EFA\", and omitted, which means no opinion and the platform chooses a good default which may change over time. The current default value is \"ENA\". Please visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html to learn more about the AWS Elastic Fabric Adapter interface option.", - "securityGroups": "SecurityGroups is an array of references to security groups that should be applied to the instance.", - "subnet": "Subnet is a reference to the subnet to use for this instance", - "placement": "Placement specifies where to create the instance in AWS", - "loadBalancers": "LoadBalancers is the set of load balancers to which the new instance should be added once it is created.", - "blockDevices": "BlockDevices is the set of block device mapping associated to this instance, block device without a name will be used as a root device and only one device without a name is allowed https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html", - "spotMarketOptions": "SpotMarketOptions allows users to configure instances to be run using AWS Spot instances.", - "metadataServiceOptions": "MetadataServiceOptions allows users to configure instance metadata service interaction options. If nothing specified, default AWS IMDS settings will be applied. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", - "placementGroupName": "PlacementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", + "": "AWSMachineProviderConfig is the Schema for the awsmachineproviderconfigs API Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", + "ami": "AMI is the reference to the AMI from which to create the machine instance.", + "instanceType": "InstanceType is the type of instance to create. Example: m4.xlarge", + "tags": "Tags is the set of tags to add to apply to an instance, in addition to the ones added by default by the actuator. These tags are additive. The actuator will ensure these tags are present, but will not remove any other tags that may exist on the instance.", + "iamInstanceProfile": "IAMInstanceProfile is a reference to an IAM role to assign to the instance", + "userDataSecret": "UserDataSecret contains a local reference to a secret that contains the UserData to apply to the instance", + "credentialsSecret": "CredentialsSecret is a reference to the secret with AWS credentials. Otherwise, defaults to permissions provided by attached IAM role where the actuator is running.", + "keyName": "KeyName is the name of the KeyPair to use for SSH", + "deviceIndex": "DeviceIndex is the index of the device on the instance for the network interface attachment. Defaults to 0.", + "publicIp": "PublicIP specifies whether the instance should get a public IP. If not present, it should use the default of its subnet.", + "networkInterfaceType": "NetworkInterfaceType specifies the type of network interface to be used for the primary network interface. Valid values are \"ENA\", \"EFA\", and omitted, which means no opinion and the platform chooses a good default which may change over time. The current default value is \"ENA\". Please visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html to learn more about the AWS Elastic Fabric Adapter interface option.", + "securityGroups": "SecurityGroups is an array of references to security groups that should be applied to the instance.", + "subnet": "Subnet is a reference to the subnet to use for this instance", + "placement": "Placement specifies where to create the instance in AWS", + "loadBalancers": "LoadBalancers is the set of load balancers to which the new instance should be added once it is created.", + "blockDevices": "BlockDevices is the set of block device mapping associated to this instance, block device without a name will be used as a root device and only one device without a name is allowed https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html", + "spotMarketOptions": "SpotMarketOptions allows users to configure instances to be run using AWS Spot instances.", + "metadataServiceOptions": "MetadataServiceOptions allows users to configure instance metadata service interaction options. If nothing specified, default AWS IMDS settings will be applied. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html", + "placementGroupName": "PlacementGroupName specifies the name of the placement group in which to launch the instance. The placement group must already be created and may use any placement strategy. When omitted, no placement group is used when creating the EC2 instance.", + "placementGroupPartition": "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", } func (AWSMachineProviderConfig) SwaggerDoc() map[string]string { @@ -692,6 +693,7 @@ var map_MachineSetStatus = map[string]string{ "availableReplicas": "The number of available replicas (ready for at least minReadySeconds) for this MachineSet.", "observedGeneration": "ObservedGeneration reflects the generation of the most recently observed MachineSet.", "errorReason": "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.", + "conditions": "Conditions defines the current state of the MachineSet", "authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", "synchronizedGeneration": "synchronizedGeneration is the generation of the authoritative resource that the non-authoritative resource is synchronised with. This field is set when the authoritative resource is updated and the sync controller has updated the non-authoritative resource to match.", } diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go index 64419ddfc0..33ae3ec8db 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go +++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go @@ -342,6 +342,7 @@ type NodePlacement struct { // See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ // // +optional + // +listType=atomic Tolerations []corev1.Toleration `json:"tolerations,omitempty"` } @@ -390,6 +391,7 @@ var ( type CIDR string // LoadBalancerStrategy holds parameters for a load balancer. +// +kubebuilder:validation:XValidation:rule="!has(self.scope) || self.scope != 'Internal' || !has(self.providerParameters) || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)",message="eipAllocations are forbidden when the scope is Internal." type LoadBalancerStrategy struct { // scope indicates the scope at which the load balancer is exposed. // Possible values are "External" and "Internal". @@ -413,6 +415,7 @@ type LoadBalancerStrategy struct { // // +nullable // +optional + // +listType=atomic AllowedSourceRanges []CIDR `json:"allowedSourceRanges,omitempty"` // providerParameters holds desired load balancer information specific to @@ -556,6 +559,52 @@ const ( AWSNetworkLoadBalancer AWSLoadBalancerType = "NLB" ) +// AWSSubnets contains a list of references to AWS subnets by +// ID or name. +// +kubebuilder:validation:XValidation:rule=`has(self.ids) && has(self.names) ? size(self.ids + self.names) <= 10 : true`,message="the total number of subnets cannot exceed 10" +// +kubebuilder:validation:XValidation:rule=`has(self.ids) && self.ids.size() > 0 || has(self.names) && self.names.size() > 0`,message="must specify at least 1 subnet name or id" +type AWSSubnets struct { + // ids specifies a list of AWS subnets by subnet ID. + // Subnet IDs must start with "subnet-", consist only + // of alphanumeric characters, must be exactly 24 + // characters long, must be unique, and the total + // number of subnets specified by ids and names + // must not exceed 10. + // + // +optional + // +listType=atomic + // +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="subnet ids cannot contain duplicates" + // + Note: Though it may seem redundant, MaxItems is necessary to prevent exceeding of the cost budget for the validation rules. + // +kubebuilder:validation:MaxItems=10 + IDs []AWSSubnetID `json:"ids,omitempty"` + + // names specifies a list of AWS subnets by subnet name. + // Subnet names must not start with "subnet-", must not + // include commas, must be under 256 characters in length, + // must be unique, and the total number of subnets + // specified by ids and names must not exceed 10. + // + // +optional + // +listType=atomic + // +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="subnet names cannot contain duplicates" + // + Note: Though it may seem redundant, MaxItems is necessary to prevent exceeding of the cost budget for the validation rules. + // +kubebuilder:validation:MaxItems=10 + Names []AWSSubnetName `json:"names,omitempty"` +} + +// AWSSubnetID is a reference to an AWS subnet ID. +// +kubebuilder:validation:MinLength=24 +// +kubebuilder:validation:MaxLength=24 +// +kubebuilder:validation:Pattern=`^subnet-[0-9A-Za-z]+$` +type AWSSubnetID string + +// AWSSubnetName is a reference to an AWS subnet name. +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:MaxLength=256 +// +kubebuilder:validation:XValidation:rule=`!self.contains(',')`,message="subnet name cannot contain a comma" +// +kubebuilder:validation:XValidation:rule=`!self.startsWith('subnet-')`,message="subnet name cannot start with 'subnet-'" +type AWSSubnetName string + // GCPLoadBalancerParameters provides configuration settings that are // specific to GCP load balancers. type GCPLoadBalancerParameters struct { @@ -630,13 +679,89 @@ type AWSClassicLoadBalancerParameters struct { // +kubebuilder:validation:Format=duration // +optional ConnectionIdleTimeout metav1.Duration `json:"connectionIdleTimeout,omitempty"` + + // subnets specifies the subnets to which the load balancer will + // attach. The subnets may be specified by either their + // ID or name. The total number of subnets is limited to 10. + // + // In order for the load balancer to be provisioned with subnets, + // each subnet must exist, each subnet must be from a different + // availability zone, and the load balancer service must be + // recreated to pick up new values. + // + // When omitted from the spec, the subnets will be auto-discovered + // for each availability zone. Auto-discovered subnets are not reported + // in the status of the IngressController object. + // + // +optional + // +openshift:enable:FeatureGate=IngressControllerLBSubnetsAWS + Subnets *AWSSubnets `json:"subnets,omitempty"` } // AWSNetworkLoadBalancerParameters holds configuration parameters for an -// AWS Network load balancer. +// AWS Network load balancer. For Example: Setting AWS EIPs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html +// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.ids) && has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids + self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" +// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.ids) && !has(self.subnets.names) && has(self.eipAllocations) ? size(self.subnets.ids) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" +// +kubebuilder:validation:XValidation:rule=`has(self.subnets) && has(self.subnets.names) && !has(self.subnets.ids) && has(self.eipAllocations) ? size(self.subnets.names) == size(self.eipAllocations) : true`,message="number of subnets must be equal to number of eipAllocations" type AWSNetworkLoadBalancerParameters struct { + // subnets specifies the subnets to which the load balancer will + // attach. The subnets may be specified by either their + // ID or name. The total number of subnets is limited to 10. + // + // In order for the load balancer to be provisioned with subnets, + // each subnet must exist, each subnet must be from a different + // availability zone, and the load balancer service must be + // recreated to pick up new values. + // + // When omitted from the spec, the subnets will be auto-discovered + // for each availability zone. Auto-discovered subnets are not reported + // in the status of the IngressController object. + // + // +optional + // +openshift:enable:FeatureGate=IngressControllerLBSubnetsAWS + Subnets *AWSSubnets `json:"subnets,omitempty"` + + // eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + // are assigned to the Network Load Balancer. + // The following restrictions apply: + // + // eipAllocations can only be used with external scope, not internal. + // An EIP can be allocated to only a single IngressController. + // The number of EIP allocations must match the number of subnets that are used for the load balancer. + // Each EIP allocation must be unique. + // A maximum of 10 EIP allocations are permitted. + // + // See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + // information about configuration, characteristics, and limitations of Elastic IP addresses. + // + // +openshift:enable:FeatureGate=SetEIPForNLBIngressController + // +optional + // +listType=atomic + // +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates" + // +kubebuilder:validation:MaxItems=10 + EIPAllocations []EIPAllocation `json:"eipAllocations"` } +// EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. +// Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. +// + Explanation of the regex `^eipalloc-[0-9a-fA-F]{17}$` for validating value of the EIPAllocation: +// + ^eipalloc- ensures the string starts with "eipalloc-". +// + [0-9a-fA-F]{17} matches exactly 17 hexadecimal characters (0-9, a-f, A-F). +// + $ ensures the string ends after the 17 hexadecimal characters. +// + Example of Valid and Invalid values: +// + eipalloc-1234567890abcdef1 is valid. +// + eipalloc-1234567890abcde is not valid (too short). +// + eipalloc-1234567890abcdefg is not valid (contains a non-hex character 'g'). +// + Max length is calculated as follows: +// + eipalloc- = 9 chars and 17 hexadecimal chars after `-` +// + So, total is 17 + 9 = 26 chars required for value of an EIPAllocation. +// +// +kubebuilder:validation:MinLength=26 +// +kubebuilder:validation:MaxLength=26 +// +kubebuilder:validation:XValidation:rule=`self.startsWith('eipalloc-')`,message="eipAllocations should start with 'eipalloc-'" +// +kubebuilder:validation:XValidation:rule=`self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$')`,message="eipAllocations must be 'eipalloc-' followed by exactly 17 hexadecimal characters (0-9, a-f, A-F)" +type EIPAllocation string + // HostNetworkStrategy holds parameters for the HostNetwork endpoint publishing // strategy. type HostNetworkStrategy struct { @@ -1129,6 +1254,7 @@ type IngressControllerCaptureHTTPHeaders struct { // // +nullable // +optional + // +listType=atomic Request []IngressControllerCaptureHTTPHeader `json:"request,omitempty"` // response specifies which HTTP response headers to capture. @@ -1137,6 +1263,7 @@ type IngressControllerCaptureHTTPHeaders struct { // // +nullable // +optional + // +listType=atomic Response []IngressControllerCaptureHTTPHeader `json:"response,omitempty"` } @@ -1263,6 +1390,7 @@ type AccessLogging struct { // +nullable // +optional // +kubebuilder:validation:MaxItems=1 + // +listType=atomic HTTPCaptureCookies []IngressControllerCaptureHTTPCookie `json:"httpCaptureCookies,omitempty"` // logEmptyRequests specifies how connections on which no request is @@ -1402,6 +1530,7 @@ type IngressControllerHTTPHeaders struct { // // +nullable // +optional + // +listType=atomic HeaderNameCaseAdjustments []IngressControllerHTTPHeaderNameCaseAdjustment `json:"headerNameCaseAdjustments,omitempty"` // actions specifies options for modifying headers and their values. @@ -1865,6 +1994,8 @@ type IngressControllerStatus struct { // * DNS is managed. // * DNS records have been successfully created. // - False if any of those conditions are unsatisfied. + // +listType=map + // +listMapKey=type Conditions []OperatorCondition `json:"conditions,omitempty"` // tlsProfile is the TLS connection configuration that is in effect. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml new file mode 100644 index 0000000000..4c5814e376 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,2710 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "IngressController describes a managed ingress controller for + the cluster. The controller can service OpenShift Route and Kubernetes Ingress + resources. \n When an IngressController is created, a new ingress controller + deployment is created to allow external traffic to reach the services that + expose Ingress or Route resources. Updating this resource may lead to disruption + for public facing network connections as a new ingress controller revision + may be rolled out. \n https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + \n Whenever possible, sensible defaults for the platform are used. See each + field for more details. \n Compatibility level 1: Stable within a major + release for a minimum of 12 months or 3 minor releases (whichever is longer)." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: clientTLS specifies settings for requesting and verifying + client certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: allowedSubjectPatterns specifies a list of regular + expressions that should be matched against the distinguished + name on a valid client certificate to filter requests. The + regular expressions must use PCRE syntax. If this list is empty, + no filtering is performed. If the list is nonempty, then at + least one pattern must match a client certificate's distinguished + name or else the ingress controller rejects the certificate + and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: clientCA specifies a configmap containing the PEM-encoded + CA certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in + the openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: "clientCertificatePolicy specifies whether the ingress + controller requires clients to provide certificates. This field + accepts the values \"Required\" or \"Optional\". \n Note that + the ingress controller only checks client certificates for edge-terminated + and reencrypt TLS routes; it cannot check certificates for cleartext + HTTP or passthrough TLS routes." + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + defaultCertificate: + description: "defaultCertificate is a reference to a secret containing + the default certificate served by the ingress controller. When Routes + don't specify their own certificate, defaultCertificate is used. + \n The secret must contain the following keys and data: \n tls.crt: + certificate file contents tls.key: key file contents \n If unset, + a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) + and the generated certificate's CA will be automatically integrated + with the cluster's trust store. \n If a wildcard certificate is + used and shared by multiple HTTP/2 enabled routes (which implies + ALPN) then clients (i.e., notably browsers) are at liberty to reuse + open connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is generally + known as connection coalescing. \n The in-use certificate (whether + generated or user-specified) will be automatically integrated with + OpenShift's built-in OAuth server." + properties: + name: + default: "" + description: 'Name of the referent. This field is effectively + required, but due to backwards compatibility is allowed to be + empty. Instances of this type with an empty value here are almost + certainly wrong. TODO: Add other useful fields. apiVersion, + kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: "domain is a DNS name serviced by the ingress controller + and is used to configure multiple features: \n * For the LoadBalancerService + endpoint publishing strategy, domain is used to configure DNS records. + See endpointPublishingStrategy. \n * When using a generated default + certificate, the certificate will be valid for domain and its subdomains. + See defaultCertificate. \n * The value is published to individual + Route statuses so that end-users know where to target external DNS + records. \n domain must be unique among all IngressControllers, + and cannot be updated. \n If empty, defaults to ingress.config.openshift.io/cluster + .spec.domain." + type: string + endpointPublishingStrategy: + description: "endpointPublishingStrategy is used to publish the ingress + controller endpoints to other networks, enable load balancer integrations, + etc. \n If unset, the default is based on infrastructure.config.openshift.io/cluster + .status.platform: \n AWS: LoadBalancerService (with External + scope) Azure: LoadBalancerService (with External scope) GCP: + \ LoadBalancerService (with External scope) IBMCloud: LoadBalancerService + (with External scope) AlibabaCloud: LoadBalancerService (with External + scope) Libvirt: HostNetwork \n Any other platform types (including + None) default to HostNetwork. \n endpointPublishingStrategy cannot + be updated." + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: "mimeTypes is a list of MIME types that should have + compression applied. This list can be empty, in which case the + ingress controller does not apply compression. \n Note: Not + all MIME types benefit from compression, but HAProxy will still + use resources to try to compress if instructed to. Generally + speaking, text (html, css, js, etc.) formats benefit from compression, + but formats that are already compressed (image, audio, video, + etc.) benefit little in exchange for the time and cpu spent + on compressing again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2" + items: + description: "CompressionMIMEType defines the format of a single + MIME type. E.g. \"text/css; charset=utf-8\", \"text/html\", + \"text/*\", \"image/svg+xml\", \"application/octet-stream\", + \"X-custom/customsub\", etc. \n The format should follow the + Content-Type definition in RFC 1341: Content-Type := type + \"/\" subtype *[\";\" parameter] - The type in Content-Type + can be one of: application, audio, image, message, multipart, + text, video, or a custom type preceded by \"X-\" and followed + by a token as defined below. - The token is a string of at + least one character, and not containing white space, control + characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\\\"/[]?.= + - The subtype in Content-Type is also a token. - The optional + parameter/s following the subtype are defined as: token \"=\" + (token / quoted-string) - The quoted-string, as defined in + RFC 822, is surrounded by double quotes and can contain white + space plus any character EXCEPT \\, \", and CR. It can also + contain any single ASCII character as long as it is escaped + by \\." + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: "httpEmptyRequestsPolicy describes how HTTP connections + should be handled if the connection times out before a request is + received. Allowed values for this field are \"Respond\" and \"Ignore\". + \ If the field is set to \"Respond\", the ingress controller sends + an HTTP 400 or 408 response, logs the connection (if access logging + is enabled), and counts the connection in the appropriate metrics. + \ If the field is set to \"Ignore\", the ingress controller closes + the connection without sending a response, logging the connection, + or incrementing metrics. The default value is \"Respond\". \n Typically, + these connections come from load balancers' health probes or Web + browsers' speculative connections (\"preconnect\") and can be safely + ignored. However, these requests may also be caused by network + errors, and so setting this field to \"Ignore\" may impede detection + and diagnosis of problems. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in detecting + intrusion attempts." + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: httpErrorCodePages specifies a configmap with custom + error pages. The administrator must create this configmap in the + openshift-config namespace. This configmap should have keys in the + format "error-page-.http", where is an + HTTP error code. For example, "error-page-503.http" defines an error + page for HTTP 503 responses. Currently only error pages for 503 + and 404 responses can be customized. Each value in the configmap + should be the full response, including HTTP headers. Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default + error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: "httpHeaders defines policy for HTTP headers. \n If this + field is empty, the default values are used." + properties: + actions: + description: 'actions specifies options for modifying headers + and their values. Note that this option only applies to cleartext + HTTP connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). Headers cannot be modified for TLS + passthrough connections. Setting the HSTS (`Strict-Transport-Security`) + header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" + route annotation, and only in accordance with the policy specified + in Ingress.Spec.RequiredHSTSPolicies. Any actions defined here + are applied after any actions related to the following other + fields: cache-control, spec.clientTLS, spec.httpHeaders.forwardedHeaderPolicy, + spec.httpHeaders.uniqueId, and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions + on the Route will be executed after the actions specified in + the IngressController''s spec.httpHeaders.actions field. In + case of HTTP response headers, the actions specified in spec.httpHeaders.actions + on the IngressController will be executed after the actions + specified in the Route''s spec.httpHeaders.actions field. Headers + set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified + via this API: Strict-Transport-Security, Proxy, Host, Cookie, + Set-Cookie. Note that the total size of all net added headers + *after* interpolating dynamic values must not exceed the value + of spec.tuningOptions.headerBufferMaxRewriteBytes on the IngressController. + Please refer to the documentation for that API field for more + details.' + properties: + request: + description: 'request is a list of HTTP request headers to + modify. Actions defined here will modify the request headers + of all requests passing through an ingress controller. These + actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed + before Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 request + header actions may be configured. Sample fetchers allowed + are "req.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[req.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: 'response is a list of HTTP response headers + to modify. Actions defined here will modify the response + headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed + after Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 response + header actions may be configured. Sample fetchers allowed + are "res.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[res.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: "forwardedHeaderPolicy specifies when and how the + IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: \n * \"Append\", + which specifies that the IngressController appends the headers, + preserving existing headers. \n * \"Replace\", which specifies + that the IngressController sets the headers, replacing any existing + Forwarded or X-Forwarded-* headers. \n * \"IfNone\", which specifies + that the IngressController sets the headers if they are not + already set. \n * \"Never\", which specifies that the IngressController + never sets the headers, preserving any existing headers. \n + By default, the policy is \"Append\"." + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: "headerNameCaseAdjustments specifies case adjustments + that can be applied to HTTP header names. Each adjustment is + specified as an HTTP header name with the desired capitalization. + \ For example, specifying \"X-Forwarded-For\" indicates that + the \"x-forwarded-for\" HTTP header should be adjusted to have + the specified capitalization. \n These adjustments are only + applied to cleartext, edge-terminated, and re-encrypt routes, + and only when using HTTP/1. \n For request headers, these adjustments + are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied + to all HTTP responses. \n If this field is empty, no request + headers are adjusted." + items: + description: IngressControllerHTTPHeaderNameCaseAdjustment is + the name of an HTTP header (for example, "X-Forwarded-For") + in the desired capitalization. The value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: "uniqueId describes configuration for a custom HTTP + header that the ingress controller should inject into incoming + HTTP requests. Typically, this header is configured to have + a value that is unique to the HTTP request. The header can + be used by applications or included in access logs to facilitate + tracing individual HTTP requests. \n If this field is empty, + no such header is injected into requests." + properties: + format: + description: 'format specifies the format for the injected + HTTP header''s value. This field has no effect unless name + is specified. For the HAProxy-based ingress controller + implementation, this format uses the same syntax as the + HTTP log format. If the field is empty, the default value + is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the corresponding + HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3' + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: name specifies the name of the HTTP header (for + example, "unique-id") that the ingress controller should + inject into HTTP requests. The field's value must be a + valid HTTP header name as defined in RFC 2616 section 4.2. If + the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + logging: + description: logging defines parameters for what should be logged + where. If this field is empty, operational logs are enabled but + access logs are disabled. + properties: + access: + description: "access describes how the client requests should + be logged. \n If this field is empty, access logging is disabled." + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: container holds parameters for the Container + logging destination. Present only if type is Container. + properties: + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 8192, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: syslog holds parameters for a syslog endpoint. Present + only if type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: address is the IP address of the syslog + endpoint that receives log messages. + type: string + facility: + description: "facility specifies the syslog facility + of log messages. \n If this field is empty, the + facility is \"local1\"." + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 4096, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: port is the UDP port number of the syslog + endpoint that receives log messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: "type is the type of destination for logs. + \ It must be one of the following: \n * Container \n + The ingress operator configures the sidecar container + named \"logs\" on the ingress controller pod and configures + the ingress controller to write logs to the sidecar. + \ The logs are then available as container logs. The + expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. + \ Note that using container logs means that logs may + be dropped if the rate of logs exceeds the container + runtime's or the custom logging solution's capacity. + \n * Syslog \n Logs are sent to a syslog endpoint. The + administrator must specify an endpoint that can receive + syslog messages. The expectation is that the administrator + has configured a custom syslog instance." + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: httpCaptureCookies specifies HTTP cookies that + should be captured in access logs. If this field is empty, + no cookies are captured. + items: + description: IngressControllerCaptureHTTPCookie describes + an HTTP cookie that should be captured. + properties: + matchType: + description: matchType specifies the type of match to + be performed on the cookie name. Allowed values are + "Exact" for an exact string match and "Prefix" for + a string prefix match. If "Exact" is specified, a + name must be specified in the name field. If "Prefix" + is provided, a prefix must be specified in the namePrefix + field. For example, specifying matchType "Prefix" + and namePrefix "foo" will capture a cookie named "foo" + or "foobar" but not one named "bar". The first matching + cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: maxLength specifies a maximum length of + the string that will be logged, which includes the + cookie name, cookie value, and one-character delimiter. If + the log entry exceeds this length, the value will + be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total + length of HTTP headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: name specifies a cookie name. Its value + must be a valid HTTP cookie name as defined in RFC + 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: namePrefix specifies a cookie name prefix. Its + value must be a valid HTTP cookie name as defined + in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: "httpCaptureHeaders defines HTTP headers that + should be captured in access logs. If this field is empty, + no headers are captured. \n Note that this option only applies + to cleartext HTTP connections and to secure HTTP connections + for which the ingress controller terminates encryption (that + is, edge-terminated or reencrypt connections). Headers + cannot be captured for TLS passthrough connections." + properties: + request: + description: "request specifies which HTTP request headers + to capture. \n If this field is empty, no request headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: "response specifies which HTTP response headers + to capture. \n If this field is empty, no response headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: "httpLogFormat specifies the format of the log + message for an HTTP request. \n If this field is empty, + log messages use the implementation's default HTTP log format. + \ For HAProxy's default HTTP log format, see the HAProxy + documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + \n Note that this format only applies to cleartext HTTP + connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). It does not affect the log format + for TLS passthrough connections." + type: string + logEmptyRequests: + default: Log + description: logEmptyRequests specifies how connections on + which no request is received should be logged. Typically, + these empty requests come from load balancers' health probes + or Web browsers' speculative connections ("preconnect"), + in which case logging these requests may be undesirable. However, + these requests may also be caused by network errors, in + which case logging empty requests may be useful for diagnosing + the errors. In addition, these requests may be caused by + port scans, in which case logging empty requests may aid + in detecting intrusion attempts. Allowed values for this + field are "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: "namespaceSelector is used to filter the set of namespaces + serviced by the ingress controller. This is useful for implementing + shards. \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: "nodePlacement enables explicit control over the scheduling + of the ingress controller. \n If unset, defaults are used. See NodePlacement + for more details." + properties: + nodeSelector: + description: "nodeSelector is the node selector applied to ingress + controller deployments. \n If set, the specified selector is + used and replaces the default. \n If unset, the default depends + on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses + status. \n When defaultPlacement is Workers, the default is: + \n kubernetes.io/os: linux node-role.kubernetes.io/worker: '' + \n When defaultPlacement is ControlPlane, the default is: \n + kubernetes.io/os: linux node-role.kubernetes.io/master: '' \n + These defaults are subject to change. \n Note that using nodeSelector.matchExpressions + is not supported. Only nodeSelector.matchLabels may be used. + \ This is a limitation of the Kubernetes API: the pod spec does + not allow complex expressions for node selectors." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: "tolerations is a list of tolerations applied to + ingress controller deployments. \n The default is an empty list. + \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/" + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: "replicas is the desired number of ingress controller + replicas. If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. \n + The value of replicas is set based on the value of a chosen field + in the Infrastructure CR. If defaultPlacement is set to ControlPlane, + the chosen field will be controlPlaneTopology. If it is set to Workers + the chosen field will be infrastructureTopology. Replicas will then + be set to 1 or 2 based whether the chosen field's value is SingleReplica + or HighlyAvailable, respectively. \n These defaults are subject + to change." + format: int32 + type: integer + routeAdmission: + description: "routeAdmission defines a policy for handling new route + claims (for example, to allow or deny claims across namespaces). + \n If empty, defaults will be applied. See specific routeAdmission + fields for details about their defaults." + properties: + namespaceOwnership: + description: "namespaceOwnership describes how host name claims + across namespaces should be handled. \n Value must be one of: + \n - Strict: Do not allow routes in different namespaces to + claim the same host. \n - InterNamespaceAllowed: Allow routes + to claim different paths of the same host name across namespaces. + \n If empty, the default is Strict." + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: "wildcardPolicy describes how routes with wildcard + policies should be handled for the ingress controller. WildcardPolicy + controls use of routes [1] exposed by the ingress controller + based on the route's wildcard policy. \n [1] https://github.com/openshift/api/blob/master/route/v1/types.go + \n Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain + to stop working. These routes must be updated to a wildcard + policy of None to be readmitted by the ingress controller. \n + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed + values. \n If empty, defaults to \"WildcardsDisallowed\"." + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: "routeSelector is used to filter the set of Routes serviced + by the ingress controller. This is useful for implementing shards. + \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: "tlsSecurityProfile specifies settings for TLS connections + for ingresscontrollers. \n If unset, the default is based on the + apiservers.config.openshift.io/cluster resource. \n Note that when + using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For + example, given a specification to use the Intermediate profile deployed + on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new + profile configuration to be applied to the ingress controller, resulting + in a rollout." + properties: + custom: + description: "custom is a user-defined TLS security profile. Be + extremely careful using a custom profile as invalid configurations + can be catastrophic. An example custom profile looks like this: + \n ciphers: \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - ECDHE-RSA-AES128-GCM-SHA256 \n - ECDHE-ECDSA-AES128-GCM-SHA256 + \n minTLSVersion: VersionTLS11" + nullable: true + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators + may remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal + version of the TLS protocol that is negotiated during the + TLS handshake. For example, to use TLS versions 1.1, 1.2 + and 1.3 (yaml): \n minTLSVersion: VersionTLS11 \n NOTE: + currently the highest minTLSVersion allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: "intermediate is a TLS security profile based on: + \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n minTLSVersion: VersionTLS12" + nullable: true + type: object + modern: + description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n minTLSVersion: VersionTLS13" + nullable: true + type: object + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n - DHE-RSA-CHACHA20-POLY1305 \n - ECDHE-ECDSA-AES128-SHA256 + \n - ECDHE-RSA-AES128-SHA256 \n - ECDHE-ECDSA-AES128-SHA \n + - ECDHE-RSA-AES128-SHA \n - ECDHE-ECDSA-AES256-SHA384 \n - ECDHE-RSA-AES256-SHA384 + \n - ECDHE-ECDSA-AES256-SHA \n - ECDHE-RSA-AES256-SHA \n - DHE-RSA-AES128-SHA256 + \n - DHE-RSA-AES256-SHA256 \n - AES128-GCM-SHA256 \n - AES256-GCM-SHA384 + \n - AES128-SHA256 \n - AES256-SHA256 \n - AES128-SHA \n - AES256-SHA + \n - DES-CBC3-SHA \n minTLSVersion: VersionTLS10" + nullable: true + type: object + type: + description: "type is one of Old, Intermediate, Modern or Custom. + Custom provides the ability to specify individual TLS security + profile parameters. Old, Intermediate and Modern are TLS security + profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over time + as new ciphers are developed and existing ciphers are found + to be insecure. Depending on precisely which ciphers are available + to a process, the list may be reduced. \n Note that the Modern + profile is currently not supported because it is not yet well + adopted by common software libraries." + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: "tuningOptions defines parameters for adjusting the performance + of ingress controller pods. All fields are optional and will use + their respective defaults if not set. See specific tuningOptions + fields for more details. \n Setting fields within tuningOptions + is generally not recommended. The default values are suitable for + most configurations." + properties: + clientFinTimeout: + description: "clientFinTimeout defines how long a connection will + be held open while waiting for the client response to the server/backend + closing the connection. \n If unset, the default timeout is + 1s" + format: duration + type: string + clientTimeout: + description: "clientTimeout defines how long a connection will + be held open while waiting for a client response. \n If unset, + the default timeout is 30s" + format: duration + type: string + connectTimeout: + description: "ConnectTimeout defines the maximum time to wait + for a connection attempt to a server/backend to succeed. \n + This field expects an unsigned duration string of decimal numbers, + each with optional fraction and a unit suffix, e.g. \"300ms\", + \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or + \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". + \n When omitted, this means the user has no opinion and the + platform is left to choose a reasonable default. This default + is subject to change over time. The current default is 5s." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: "headerBufferBytes describes how much memory should + be reserved (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is enabled + for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default + value of 32768 bytes. \n Setting this field is generally not + recommended as headerBufferBytes values that are too small may + break the IngressController and headerBufferBytes values that + are too large could cause the IngressController to use significantly + more memory than necessary." + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: "headerBufferMaxRewriteBytes describes how much memory + should be reserved (in bytes) from headerBufferBytes for HTTP + header rewriting and appending for IngressController connection + sessions. Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default + value of 8192 bytes. \n Setting this field is generally not + recommended as headerBufferMaxRewriteBytes values that are too + small may break the IngressController and headerBufferMaxRewriteBytes + values that are too large could cause the IngressController + to use significantly more memory than necessary." + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: "healthCheckInterval defines how long the router + waits between two consecutive health checks on its configured + backends. This value is applied globally as a default for all + routes, but may be overridden per-route by the route annotation + \"router.openshift.io/haproxy.health.check.interval\". \n Expects + an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". + Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" + U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Setting this to less + than 5s can cause excess traffic due to too frequent TCP health + checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend + servers that are no longer available, but haven't yet been detected + as such. \n An empty or zero healthCheckInterval means no opinion + and IngressController chooses a default, which is subject to + change over time. Currently the default healthCheckInterval + value is 5s. \n Currently the minimum allowed value is 1s and + the maximum allowed value is 2147483647ms (24.85 days). Both + are subject to change over time." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + maxConnections: + description: "maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. Increasing + this value allows each ingress controller pod to handle more + connections but at the cost of additional system resources being + consumed. \n Permitted values are: empty, 0, -1, and the range + 2000-2000000. \n If this field is empty or 0, the IngressController + will use the default value of 50000, but the default is subject + to change in future releases. \n If the value is -1 then HAProxy + will dynamically compute a maximum value based on the available + ulimits in the running container. Selecting -1 (i.e., auto) + will result in a large value being computed (~520000 on OpenShift + >=4.10 clusters) and therefore each HAProxy process will incur + significant memory usage compared to the current default of + 50000. \n Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from starting. + \n If you choose a discrete value (e.g., 750000) and the router + pod is migrated to a new node, there's no guarantee that that + new node has identical ulimits configured. In such a scenario + the pod would fail to start. If you have nodes with different + ulimits configured (e.g., different tuned profiles) and you + choose a discrete value then the guidance is to use -1 and let + the value be computed dynamically at runtime. \n You can monitor + memory usage for router containers with the following metric: + 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}'. + \n You can monitor memory usage of individual HAProxy processes + in router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}/container_processes{container=\"router\",namespace=\"openshift-ingress\"}'." + format: int32 + type: integer + reloadInterval: + description: "reloadInterval defines the minimum interval at which + the router is allowed to reload to accept new changes. Increasing + this value can prevent the accumulation of HAProxy processes, + depending on the scenario. Increasing this interval can also + lessen load imbalance on a backend's servers when using the + roundrobin balancing algorithm. Alternatively, decreasing this + value may decrease latency since updates to HAProxy's configuration + can take effect more quickly. \n The value must be a time duration + value; see . Currently, + the minimum value allowed is 1s, and the maximum allowed value + is 120s. Minimum and maximum allowed values may change in future + versions of OpenShift. Note that if a duration outside of these + bounds is provided, the value of reloadInterval will be capped/floored + and not rejected (e.g. a duration of over 120s will be capped + to 120s; the IngressController will not reject and replace this + disallowed value with the default). \n A zero value for reloadInterval + tells the IngressController to choose the default, which is + currently 5s and subject to change without notice. \n This field + expects an unsigned duration string of decimal numbers, each + with optional fraction and a unit suffix, e.g. \"300ms\", \"1.5h\" + or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" + U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Note: + Setting a value significantly larger than the default of 5s + can cause latency in observing updates to routes and their endpoints. + HAProxy's configuration will be reloaded less frequently, and + newly created routes will not be served until the subsequent + reload." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: "serverFinTimeout defines how long a connection will + be held open while waiting for the server/backend response to + the client closing the connection. \n If unset, the default + timeout is 1s" + format: duration + type: string + serverTimeout: + description: "serverTimeout defines how long a connection will + be held open while waiting for a server/backend response. \n + If unset, the default timeout is 30s" + format: duration + type: string + threadCount: + description: "threadCount defines the number of threads created + per HAProxy process. Creating more threads allows each ingress + controller pod to handle more connections, at the cost of more + system resources being used. HAProxy currently supports up to + 64 threads. If this field is empty, the IngressController will + use the default value. The current default is 4 threads, but + this may change in future releases. \n Setting this field is + generally not recommended. Increasing the number of HAProxy + threads allows ingress controller pods to utilize more CPU time + under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller + to perform poorly." + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: "tlsInspectDelay defines how long the router can + hold data to find a matching route. \n Setting this too short + can cause the router to fall back to the default certificate + for edge-terminated or reencrypt routes even when a better matching + certificate could be used. \n If unset, the default inspect + delay is 5s" + format: duration + type: string + tunnelTimeout: + description: "tunnelTimeout defines how long a tunnel connection + (including websockets) will be held open while the tunnel is + idle. \n If unset, the default timeout is 1h" + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: availableReplicas is number of observed available replicas + according to the ingress controller deployment. + format: int32 + type: integer + conditions: + description: "conditions is a list of conditions and their status. + \n Available means the ingress controller deployment is available + and servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) \n There are additional conditions which + indicate the status of other ingress controller features and capabilities. + \n * LoadBalancerManaged - True if the following conditions are + met: * The endpoint publishing strategy requires a service load + balancer. - False if any of those conditions are unsatisfied. \n + * LoadBalancerReady - True if the following conditions are met: + * A load balancer is managed. * The load balancer is ready. - False + if any of those conditions are unsatisfied. \n * DNSManaged - True + if the following conditions are met: * The endpoint publishing strategy + and platform support DNS. * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. - False + if any of those conditions are unsatisfied. \n * DNSReady - True + if the following conditions are met: * DNS is managed. * DNS records + have been successfully created. - False if any of those conditions + are unsatisfied." + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: selector is a label selector, in string format, for ingress + controller pods corresponding to the IngressController. The number + of matching pods should equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators may + remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal version + of the TLS protocol that is negotiated during the TLS handshake. + For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): \n + minTLSVersion: VersionTLS11 \n NOTE: currently the highest minTLSVersion + allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml similarity index 97% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml index 5069cbea49..8c4ecc8964 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -7,6 +7,7 @@ metadata: capability.openshift.io/name: Ingress include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default name: ingresscontrollers.operator.openshift.io spec: group: operator.openshift.io @@ -246,6 +247,7 @@ spec: type: string nullable: true type: array + x-kubernetes-list-type: atomic dnsManagementPolicy: default: Managed description: 'dnsManagementPolicy indicates if the lifecycle @@ -291,6 +293,25 @@ spec: parameters for an AWS network load balancer. Present only if type is NLB. type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' type: description: "type is the type of AWS load balancer to instantiate for an ingresscontroller. \n Valid @@ -394,6 +415,11 @@ spec: - dnsManagementPolicy - scope type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' nodePort: description: nodePort holds parameters for the NodePortService endpoint publishing strategy. Present only if type is NodePortService. @@ -878,6 +904,7 @@ spec: type: string nullable: true type: array + x-kubernetes-list-type: atomic uniqueId: description: "uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming @@ -1084,6 +1111,7 @@ spec: maxItems: 1 nullable: true type: array + x-kubernetes-list-type: atomic httpCaptureHeaders: description: "httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, @@ -1122,6 +1150,7 @@ spec: type: object nullable: true type: array + x-kubernetes-list-type: atomic response: description: "response specifies which HTTP response headers to capture. \n If this field is empty, no response headers @@ -1151,6 +1180,7 @@ spec: type: object nullable: true type: array + x-kubernetes-list-type: atomic type: object httpLogFormat: description: "httpLogFormat specifies the format of the log @@ -1340,6 +1370,7 @@ spec: type: string type: object type: array + x-kubernetes-list-type: atomic type: object replicas: description: "replicas is the desired number of ingress controller @@ -1464,6 +1495,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic minTLSVersion: description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the @@ -1784,6 +1816,9 @@ spec: - type type: object type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map domain: description: domain is the actual domain in use. type: string @@ -1889,6 +1924,7 @@ spec: type: string nullable: true type: array + x-kubernetes-list-type: atomic dnsManagementPolicy: default: Managed description: 'dnsManagementPolicy indicates if the lifecycle @@ -1934,6 +1970,25 @@ spec: parameters for an AWS network load balancer. Present only if type is NLB. type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' type: description: "type is the type of AWS load balancer to instantiate for an ingresscontroller. \n Valid @@ -2037,6 +2092,11 @@ spec: - dnsManagementPolicy - scope type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' nodePort: description: nodePort holds parameters for the NodePortService endpoint publishing strategy. Present only if type is NodePortService. @@ -2246,6 +2306,7 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic minTLSVersion: description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..8f6814700a --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,2710 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "IngressController describes a managed ingress controller for + the cluster. The controller can service OpenShift Route and Kubernetes Ingress + resources. \n When an IngressController is created, a new ingress controller + deployment is created to allow external traffic to reach the services that + expose Ingress or Route resources. Updating this resource may lead to disruption + for public facing network connections as a new ingress controller revision + may be rolled out. \n https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + \n Whenever possible, sensible defaults for the platform are used. See each + field for more details. \n Compatibility level 1: Stable within a major + release for a minimum of 12 months or 3 minor releases (whichever is longer)." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: clientTLS specifies settings for requesting and verifying + client certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: allowedSubjectPatterns specifies a list of regular + expressions that should be matched against the distinguished + name on a valid client certificate to filter requests. The + regular expressions must use PCRE syntax. If this list is empty, + no filtering is performed. If the list is nonempty, then at + least one pattern must match a client certificate's distinguished + name or else the ingress controller rejects the certificate + and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: clientCA specifies a configmap containing the PEM-encoded + CA certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in + the openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: "clientCertificatePolicy specifies whether the ingress + controller requires clients to provide certificates. This field + accepts the values \"Required\" or \"Optional\". \n Note that + the ingress controller only checks client certificates for edge-terminated + and reencrypt TLS routes; it cannot check certificates for cleartext + HTTP or passthrough TLS routes." + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + defaultCertificate: + description: "defaultCertificate is a reference to a secret containing + the default certificate served by the ingress controller. When Routes + don't specify their own certificate, defaultCertificate is used. + \n The secret must contain the following keys and data: \n tls.crt: + certificate file contents tls.key: key file contents \n If unset, + a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) + and the generated certificate's CA will be automatically integrated + with the cluster's trust store. \n If a wildcard certificate is + used and shared by multiple HTTP/2 enabled routes (which implies + ALPN) then clients (i.e., notably browsers) are at liberty to reuse + open connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is generally + known as connection coalescing. \n The in-use certificate (whether + generated or user-specified) will be automatically integrated with + OpenShift's built-in OAuth server." + properties: + name: + default: "" + description: 'Name of the referent. This field is effectively + required, but due to backwards compatibility is allowed to be + empty. Instances of this type with an empty value here are almost + certainly wrong. TODO: Add other useful fields. apiVersion, + kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: "domain is a DNS name serviced by the ingress controller + and is used to configure multiple features: \n * For the LoadBalancerService + endpoint publishing strategy, domain is used to configure DNS records. + See endpointPublishingStrategy. \n * When using a generated default + certificate, the certificate will be valid for domain and its subdomains. + See defaultCertificate. \n * The value is published to individual + Route statuses so that end-users know where to target external DNS + records. \n domain must be unique among all IngressControllers, + and cannot be updated. \n If empty, defaults to ingress.config.openshift.io/cluster + .spec.domain." + type: string + endpointPublishingStrategy: + description: "endpointPublishingStrategy is used to publish the ingress + controller endpoints to other networks, enable load balancer integrations, + etc. \n If unset, the default is based on infrastructure.config.openshift.io/cluster + .status.platform: \n AWS: LoadBalancerService (with External + scope) Azure: LoadBalancerService (with External scope) GCP: + \ LoadBalancerService (with External scope) IBMCloud: LoadBalancerService + (with External scope) AlibabaCloud: LoadBalancerService (with External + scope) Libvirt: HostNetwork \n Any other platform types (including + None) default to HostNetwork. \n endpointPublishingStrategy cannot + be updated." + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: "mimeTypes is a list of MIME types that should have + compression applied. This list can be empty, in which case the + ingress controller does not apply compression. \n Note: Not + all MIME types benefit from compression, but HAProxy will still + use resources to try to compress if instructed to. Generally + speaking, text (html, css, js, etc.) formats benefit from compression, + but formats that are already compressed (image, audio, video, + etc.) benefit little in exchange for the time and cpu spent + on compressing again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2" + items: + description: "CompressionMIMEType defines the format of a single + MIME type. E.g. \"text/css; charset=utf-8\", \"text/html\", + \"text/*\", \"image/svg+xml\", \"application/octet-stream\", + \"X-custom/customsub\", etc. \n The format should follow the + Content-Type definition in RFC 1341: Content-Type := type + \"/\" subtype *[\";\" parameter] - The type in Content-Type + can be one of: application, audio, image, message, multipart, + text, video, or a custom type preceded by \"X-\" and followed + by a token as defined below. - The token is a string of at + least one character, and not containing white space, control + characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\\\"/[]?.= + - The subtype in Content-Type is also a token. - The optional + parameter/s following the subtype are defined as: token \"=\" + (token / quoted-string) - The quoted-string, as defined in + RFC 822, is surrounded by double quotes and can contain white + space plus any character EXCEPT \\, \", and CR. It can also + contain any single ASCII character as long as it is escaped + by \\." + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: "httpEmptyRequestsPolicy describes how HTTP connections + should be handled if the connection times out before a request is + received. Allowed values for this field are \"Respond\" and \"Ignore\". + \ If the field is set to \"Respond\", the ingress controller sends + an HTTP 400 or 408 response, logs the connection (if access logging + is enabled), and counts the connection in the appropriate metrics. + \ If the field is set to \"Ignore\", the ingress controller closes + the connection without sending a response, logging the connection, + or incrementing metrics. The default value is \"Respond\". \n Typically, + these connections come from load balancers' health probes or Web + browsers' speculative connections (\"preconnect\") and can be safely + ignored. However, these requests may also be caused by network + errors, and so setting this field to \"Ignore\" may impede detection + and diagnosis of problems. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in detecting + intrusion attempts." + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: httpErrorCodePages specifies a configmap with custom + error pages. The administrator must create this configmap in the + openshift-config namespace. This configmap should have keys in the + format "error-page-.http", where is an + HTTP error code. For example, "error-page-503.http" defines an error + page for HTTP 503 responses. Currently only error pages for 503 + and 404 responses can be customized. Each value in the configmap + should be the full response, including HTTP headers. Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default + error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: "httpHeaders defines policy for HTTP headers. \n If this + field is empty, the default values are used." + properties: + actions: + description: 'actions specifies options for modifying headers + and their values. Note that this option only applies to cleartext + HTTP connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). Headers cannot be modified for TLS + passthrough connections. Setting the HSTS (`Strict-Transport-Security`) + header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" + route annotation, and only in accordance with the policy specified + in Ingress.Spec.RequiredHSTSPolicies. Any actions defined here + are applied after any actions related to the following other + fields: cache-control, spec.clientTLS, spec.httpHeaders.forwardedHeaderPolicy, + spec.httpHeaders.uniqueId, and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions + on the Route will be executed after the actions specified in + the IngressController''s spec.httpHeaders.actions field. In + case of HTTP response headers, the actions specified in spec.httpHeaders.actions + on the IngressController will be executed after the actions + specified in the Route''s spec.httpHeaders.actions field. Headers + set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified + via this API: Strict-Transport-Security, Proxy, Host, Cookie, + Set-Cookie. Note that the total size of all net added headers + *after* interpolating dynamic values must not exceed the value + of spec.tuningOptions.headerBufferMaxRewriteBytes on the IngressController. + Please refer to the documentation for that API field for more + details.' + properties: + request: + description: 'request is a list of HTTP request headers to + modify. Actions defined here will modify the request headers + of all requests passing through an ingress controller. These + actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed + before Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 request + header actions may be configured. Sample fetchers allowed + are "req.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[req.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: 'response is a list of HTTP response headers + to modify. Actions defined here will modify the response + headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed + after Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 response + header actions may be configured. Sample fetchers allowed + are "res.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[res.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: "forwardedHeaderPolicy specifies when and how the + IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: \n * \"Append\", + which specifies that the IngressController appends the headers, + preserving existing headers. \n * \"Replace\", which specifies + that the IngressController sets the headers, replacing any existing + Forwarded or X-Forwarded-* headers. \n * \"IfNone\", which specifies + that the IngressController sets the headers if they are not + already set. \n * \"Never\", which specifies that the IngressController + never sets the headers, preserving any existing headers. \n + By default, the policy is \"Append\"." + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: "headerNameCaseAdjustments specifies case adjustments + that can be applied to HTTP header names. Each adjustment is + specified as an HTTP header name with the desired capitalization. + \ For example, specifying \"X-Forwarded-For\" indicates that + the \"x-forwarded-for\" HTTP header should be adjusted to have + the specified capitalization. \n These adjustments are only + applied to cleartext, edge-terminated, and re-encrypt routes, + and only when using HTTP/1. \n For request headers, these adjustments + are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied + to all HTTP responses. \n If this field is empty, no request + headers are adjusted." + items: + description: IngressControllerHTTPHeaderNameCaseAdjustment is + the name of an HTTP header (for example, "X-Forwarded-For") + in the desired capitalization. The value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: "uniqueId describes configuration for a custom HTTP + header that the ingress controller should inject into incoming + HTTP requests. Typically, this header is configured to have + a value that is unique to the HTTP request. The header can + be used by applications or included in access logs to facilitate + tracing individual HTTP requests. \n If this field is empty, + no such header is injected into requests." + properties: + format: + description: 'format specifies the format for the injected + HTTP header''s value. This field has no effect unless name + is specified. For the HAProxy-based ingress controller + implementation, this format uses the same syntax as the + HTTP log format. If the field is empty, the default value + is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the corresponding + HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3' + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: name specifies the name of the HTTP header (for + example, "unique-id") that the ingress controller should + inject into HTTP requests. The field's value must be a + valid HTTP header name as defined in RFC 2616 section 4.2. If + the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + logging: + description: logging defines parameters for what should be logged + where. If this field is empty, operational logs are enabled but + access logs are disabled. + properties: + access: + description: "access describes how the client requests should + be logged. \n If this field is empty, access logging is disabled." + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: container holds parameters for the Container + logging destination. Present only if type is Container. + properties: + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 8192, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: syslog holds parameters for a syslog endpoint. Present + only if type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: address is the IP address of the syslog + endpoint that receives log messages. + type: string + facility: + description: "facility specifies the syslog facility + of log messages. \n If this field is empty, the + facility is \"local1\"." + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 4096, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: port is the UDP port number of the syslog + endpoint that receives log messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: "type is the type of destination for logs. + \ It must be one of the following: \n * Container \n + The ingress operator configures the sidecar container + named \"logs\" on the ingress controller pod and configures + the ingress controller to write logs to the sidecar. + \ The logs are then available as container logs. The + expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. + \ Note that using container logs means that logs may + be dropped if the rate of logs exceeds the container + runtime's or the custom logging solution's capacity. + \n * Syslog \n Logs are sent to a syslog endpoint. The + administrator must specify an endpoint that can receive + syslog messages. The expectation is that the administrator + has configured a custom syslog instance." + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: httpCaptureCookies specifies HTTP cookies that + should be captured in access logs. If this field is empty, + no cookies are captured. + items: + description: IngressControllerCaptureHTTPCookie describes + an HTTP cookie that should be captured. + properties: + matchType: + description: matchType specifies the type of match to + be performed on the cookie name. Allowed values are + "Exact" for an exact string match and "Prefix" for + a string prefix match. If "Exact" is specified, a + name must be specified in the name field. If "Prefix" + is provided, a prefix must be specified in the namePrefix + field. For example, specifying matchType "Prefix" + and namePrefix "foo" will capture a cookie named "foo" + or "foobar" but not one named "bar". The first matching + cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: maxLength specifies a maximum length of + the string that will be logged, which includes the + cookie name, cookie value, and one-character delimiter. If + the log entry exceeds this length, the value will + be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total + length of HTTP headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: name specifies a cookie name. Its value + must be a valid HTTP cookie name as defined in RFC + 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: namePrefix specifies a cookie name prefix. Its + value must be a valid HTTP cookie name as defined + in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: "httpCaptureHeaders defines HTTP headers that + should be captured in access logs. If this field is empty, + no headers are captured. \n Note that this option only applies + to cleartext HTTP connections and to secure HTTP connections + for which the ingress controller terminates encryption (that + is, edge-terminated or reencrypt connections). Headers + cannot be captured for TLS passthrough connections." + properties: + request: + description: "request specifies which HTTP request headers + to capture. \n If this field is empty, no request headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: "response specifies which HTTP response headers + to capture. \n If this field is empty, no response headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: "httpLogFormat specifies the format of the log + message for an HTTP request. \n If this field is empty, + log messages use the implementation's default HTTP log format. + \ For HAProxy's default HTTP log format, see the HAProxy + documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + \n Note that this format only applies to cleartext HTTP + connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). It does not affect the log format + for TLS passthrough connections." + type: string + logEmptyRequests: + default: Log + description: logEmptyRequests specifies how connections on + which no request is received should be logged. Typically, + these empty requests come from load balancers' health probes + or Web browsers' speculative connections ("preconnect"), + in which case logging these requests may be undesirable. However, + these requests may also be caused by network errors, in + which case logging empty requests may be useful for diagnosing + the errors. In addition, these requests may be caused by + port scans, in which case logging empty requests may aid + in detecting intrusion attempts. Allowed values for this + field are "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: "namespaceSelector is used to filter the set of namespaces + serviced by the ingress controller. This is useful for implementing + shards. \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: "nodePlacement enables explicit control over the scheduling + of the ingress controller. \n If unset, defaults are used. See NodePlacement + for more details." + properties: + nodeSelector: + description: "nodeSelector is the node selector applied to ingress + controller deployments. \n If set, the specified selector is + used and replaces the default. \n If unset, the default depends + on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses + status. \n When defaultPlacement is Workers, the default is: + \n kubernetes.io/os: linux node-role.kubernetes.io/worker: '' + \n When defaultPlacement is ControlPlane, the default is: \n + kubernetes.io/os: linux node-role.kubernetes.io/master: '' \n + These defaults are subject to change. \n Note that using nodeSelector.matchExpressions + is not supported. Only nodeSelector.matchLabels may be used. + \ This is a limitation of the Kubernetes API: the pod spec does + not allow complex expressions for node selectors." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: "tolerations is a list of tolerations applied to + ingress controller deployments. \n The default is an empty list. + \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/" + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: "replicas is the desired number of ingress controller + replicas. If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. \n + The value of replicas is set based on the value of a chosen field + in the Infrastructure CR. If defaultPlacement is set to ControlPlane, + the chosen field will be controlPlaneTopology. If it is set to Workers + the chosen field will be infrastructureTopology. Replicas will then + be set to 1 or 2 based whether the chosen field's value is SingleReplica + or HighlyAvailable, respectively. \n These defaults are subject + to change." + format: int32 + type: integer + routeAdmission: + description: "routeAdmission defines a policy for handling new route + claims (for example, to allow or deny claims across namespaces). + \n If empty, defaults will be applied. See specific routeAdmission + fields for details about their defaults." + properties: + namespaceOwnership: + description: "namespaceOwnership describes how host name claims + across namespaces should be handled. \n Value must be one of: + \n - Strict: Do not allow routes in different namespaces to + claim the same host. \n - InterNamespaceAllowed: Allow routes + to claim different paths of the same host name across namespaces. + \n If empty, the default is Strict." + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: "wildcardPolicy describes how routes with wildcard + policies should be handled for the ingress controller. WildcardPolicy + controls use of routes [1] exposed by the ingress controller + based on the route's wildcard policy. \n [1] https://github.com/openshift/api/blob/master/route/v1/types.go + \n Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain + to stop working. These routes must be updated to a wildcard + policy of None to be readmitted by the ingress controller. \n + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed + values. \n If empty, defaults to \"WildcardsDisallowed\"." + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: "routeSelector is used to filter the set of Routes serviced + by the ingress controller. This is useful for implementing shards. + \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: "tlsSecurityProfile specifies settings for TLS connections + for ingresscontrollers. \n If unset, the default is based on the + apiservers.config.openshift.io/cluster resource. \n Note that when + using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For + example, given a specification to use the Intermediate profile deployed + on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new + profile configuration to be applied to the ingress controller, resulting + in a rollout." + properties: + custom: + description: "custom is a user-defined TLS security profile. Be + extremely careful using a custom profile as invalid configurations + can be catastrophic. An example custom profile looks like this: + \n ciphers: \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - ECDHE-RSA-AES128-GCM-SHA256 \n - ECDHE-ECDSA-AES128-GCM-SHA256 + \n minTLSVersion: VersionTLS11" + nullable: true + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators + may remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal + version of the TLS protocol that is negotiated during the + TLS handshake. For example, to use TLS versions 1.1, 1.2 + and 1.3 (yaml): \n minTLSVersion: VersionTLS11 \n NOTE: + currently the highest minTLSVersion allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: "intermediate is a TLS security profile based on: + \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n minTLSVersion: VersionTLS12" + nullable: true + type: object + modern: + description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n minTLSVersion: VersionTLS13" + nullable: true + type: object + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n - DHE-RSA-CHACHA20-POLY1305 \n - ECDHE-ECDSA-AES128-SHA256 + \n - ECDHE-RSA-AES128-SHA256 \n - ECDHE-ECDSA-AES128-SHA \n + - ECDHE-RSA-AES128-SHA \n - ECDHE-ECDSA-AES256-SHA384 \n - ECDHE-RSA-AES256-SHA384 + \n - ECDHE-ECDSA-AES256-SHA \n - ECDHE-RSA-AES256-SHA \n - DHE-RSA-AES128-SHA256 + \n - DHE-RSA-AES256-SHA256 \n - AES128-GCM-SHA256 \n - AES256-GCM-SHA384 + \n - AES128-SHA256 \n - AES256-SHA256 \n - AES128-SHA \n - AES256-SHA + \n - DES-CBC3-SHA \n minTLSVersion: VersionTLS10" + nullable: true + type: object + type: + description: "type is one of Old, Intermediate, Modern or Custom. + Custom provides the ability to specify individual TLS security + profile parameters. Old, Intermediate and Modern are TLS security + profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over time + as new ciphers are developed and existing ciphers are found + to be insecure. Depending on precisely which ciphers are available + to a process, the list may be reduced. \n Note that the Modern + profile is currently not supported because it is not yet well + adopted by common software libraries." + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: "tuningOptions defines parameters for adjusting the performance + of ingress controller pods. All fields are optional and will use + their respective defaults if not set. See specific tuningOptions + fields for more details. \n Setting fields within tuningOptions + is generally not recommended. The default values are suitable for + most configurations." + properties: + clientFinTimeout: + description: "clientFinTimeout defines how long a connection will + be held open while waiting for the client response to the server/backend + closing the connection. \n If unset, the default timeout is + 1s" + format: duration + type: string + clientTimeout: + description: "clientTimeout defines how long a connection will + be held open while waiting for a client response. \n If unset, + the default timeout is 30s" + format: duration + type: string + connectTimeout: + description: "ConnectTimeout defines the maximum time to wait + for a connection attempt to a server/backend to succeed. \n + This field expects an unsigned duration string of decimal numbers, + each with optional fraction and a unit suffix, e.g. \"300ms\", + \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or + \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". + \n When omitted, this means the user has no opinion and the + platform is left to choose a reasonable default. This default + is subject to change over time. The current default is 5s." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: "headerBufferBytes describes how much memory should + be reserved (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is enabled + for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default + value of 32768 bytes. \n Setting this field is generally not + recommended as headerBufferBytes values that are too small may + break the IngressController and headerBufferBytes values that + are too large could cause the IngressController to use significantly + more memory than necessary." + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: "headerBufferMaxRewriteBytes describes how much memory + should be reserved (in bytes) from headerBufferBytes for HTTP + header rewriting and appending for IngressController connection + sessions. Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default + value of 8192 bytes. \n Setting this field is generally not + recommended as headerBufferMaxRewriteBytes values that are too + small may break the IngressController and headerBufferMaxRewriteBytes + values that are too large could cause the IngressController + to use significantly more memory than necessary." + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: "healthCheckInterval defines how long the router + waits between two consecutive health checks on its configured + backends. This value is applied globally as a default for all + routes, but may be overridden per-route by the route annotation + \"router.openshift.io/haproxy.health.check.interval\". \n Expects + an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". + Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" + U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Setting this to less + than 5s can cause excess traffic due to too frequent TCP health + checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend + servers that are no longer available, but haven't yet been detected + as such. \n An empty or zero healthCheckInterval means no opinion + and IngressController chooses a default, which is subject to + change over time. Currently the default healthCheckInterval + value is 5s. \n Currently the minimum allowed value is 1s and + the maximum allowed value is 2147483647ms (24.85 days). Both + are subject to change over time." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + maxConnections: + description: "maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. Increasing + this value allows each ingress controller pod to handle more + connections but at the cost of additional system resources being + consumed. \n Permitted values are: empty, 0, -1, and the range + 2000-2000000. \n If this field is empty or 0, the IngressController + will use the default value of 50000, but the default is subject + to change in future releases. \n If the value is -1 then HAProxy + will dynamically compute a maximum value based on the available + ulimits in the running container. Selecting -1 (i.e., auto) + will result in a large value being computed (~520000 on OpenShift + >=4.10 clusters) and therefore each HAProxy process will incur + significant memory usage compared to the current default of + 50000. \n Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from starting. + \n If you choose a discrete value (e.g., 750000) and the router + pod is migrated to a new node, there's no guarantee that that + new node has identical ulimits configured. In such a scenario + the pod would fail to start. If you have nodes with different + ulimits configured (e.g., different tuned profiles) and you + choose a discrete value then the guidance is to use -1 and let + the value be computed dynamically at runtime. \n You can monitor + memory usage for router containers with the following metric: + 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}'. + \n You can monitor memory usage of individual HAProxy processes + in router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}/container_processes{container=\"router\",namespace=\"openshift-ingress\"}'." + format: int32 + type: integer + reloadInterval: + description: "reloadInterval defines the minimum interval at which + the router is allowed to reload to accept new changes. Increasing + this value can prevent the accumulation of HAProxy processes, + depending on the scenario. Increasing this interval can also + lessen load imbalance on a backend's servers when using the + roundrobin balancing algorithm. Alternatively, decreasing this + value may decrease latency since updates to HAProxy's configuration + can take effect more quickly. \n The value must be a time duration + value; see . Currently, + the minimum value allowed is 1s, and the maximum allowed value + is 120s. Minimum and maximum allowed values may change in future + versions of OpenShift. Note that if a duration outside of these + bounds is provided, the value of reloadInterval will be capped/floored + and not rejected (e.g. a duration of over 120s will be capped + to 120s; the IngressController will not reject and replace this + disallowed value with the default). \n A zero value for reloadInterval + tells the IngressController to choose the default, which is + currently 5s and subject to change without notice. \n This field + expects an unsigned duration string of decimal numbers, each + with optional fraction and a unit suffix, e.g. \"300ms\", \"1.5h\" + or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" + U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Note: + Setting a value significantly larger than the default of 5s + can cause latency in observing updates to routes and their endpoints. + HAProxy's configuration will be reloaded less frequently, and + newly created routes will not be served until the subsequent + reload." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: "serverFinTimeout defines how long a connection will + be held open while waiting for the server/backend response to + the client closing the connection. \n If unset, the default + timeout is 1s" + format: duration + type: string + serverTimeout: + description: "serverTimeout defines how long a connection will + be held open while waiting for a server/backend response. \n + If unset, the default timeout is 30s" + format: duration + type: string + threadCount: + description: "threadCount defines the number of threads created + per HAProxy process. Creating more threads allows each ingress + controller pod to handle more connections, at the cost of more + system resources being used. HAProxy currently supports up to + 64 threads. If this field is empty, the IngressController will + use the default value. The current default is 4 threads, but + this may change in future releases. \n Setting this field is + generally not recommended. Increasing the number of HAProxy + threads allows ingress controller pods to utilize more CPU time + under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller + to perform poorly." + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: "tlsInspectDelay defines how long the router can + hold data to find a matching route. \n Setting this too short + can cause the router to fall back to the default certificate + for edge-terminated or reencrypt routes even when a better matching + certificate could be used. \n If unset, the default inspect + delay is 5s" + format: duration + type: string + tunnelTimeout: + description: "tunnelTimeout defines how long a tunnel connection + (including websockets) will be held open while the tunnel is + idle. \n If unset, the default timeout is 1h" + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: availableReplicas is number of observed available replicas + according to the ingress controller deployment. + format: int32 + type: integer + conditions: + description: "conditions is a list of conditions and their status. + \n Available means the ingress controller deployment is available + and servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) \n There are additional conditions which + indicate the status of other ingress controller features and capabilities. + \n * LoadBalancerManaged - True if the following conditions are + met: * The endpoint publishing strategy requires a service load + balancer. - False if any of those conditions are unsatisfied. \n + * LoadBalancerReady - True if the following conditions are met: + * A load balancer is managed. * The load balancer is ready. - False + if any of those conditions are unsatisfied. \n * DNSManaged - True + if the following conditions are met: * The endpoint publishing strategy + and platform support DNS. * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. - False + if any of those conditions are unsatisfied. \n * DNSReady - True + if the following conditions are met: * DNS is managed. * DNS records + have been successfully created. - False if any of those conditions + are unsatisfied." + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: selector is a label selector, in string format, for ingress + controller pods corresponding to the IngressController. The number + of matching pods should equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators may + remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal version + of the TLS protocol that is negotiated during the TLS handshake. + For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): \n + minTLSVersion: VersionTLS11 \n NOTE: currently the highest minTLSVersion + allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 0000000000..9ea55a41c7 --- /dev/null +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,2710 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "IngressController describes a managed ingress controller for + the cluster. The controller can service OpenShift Route and Kubernetes Ingress + resources. \n When an IngressController is created, a new ingress controller + deployment is created to allow external traffic to reach the services that + expose Ingress or Route resources. Updating this resource may lead to disruption + for public facing network connections as a new ingress controller revision + may be rolled out. \n https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + \n Whenever possible, sensible defaults for the platform are used. See each + field for more details. \n Compatibility level 1: Stable within a major + release for a minimum of 12 months or 3 minor releases (whichever is longer)." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: clientTLS specifies settings for requesting and verifying + client certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: allowedSubjectPatterns specifies a list of regular + expressions that should be matched against the distinguished + name on a valid client certificate to filter requests. The + regular expressions must use PCRE syntax. If this list is empty, + no filtering is performed. If the list is nonempty, then at + least one pattern must match a client certificate's distinguished + name or else the ingress controller rejects the certificate + and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: clientCA specifies a configmap containing the PEM-encoded + CA certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in + the openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: "clientCertificatePolicy specifies whether the ingress + controller requires clients to provide certificates. This field + accepts the values \"Required\" or \"Optional\". \n Note that + the ingress controller only checks client certificates for edge-terminated + and reencrypt TLS routes; it cannot check certificates for cleartext + HTTP or passthrough TLS routes." + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + defaultCertificate: + description: "defaultCertificate is a reference to a secret containing + the default certificate served by the ingress controller. When Routes + don't specify their own certificate, defaultCertificate is used. + \n The secret must contain the following keys and data: \n tls.crt: + certificate file contents tls.key: key file contents \n If unset, + a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) + and the generated certificate's CA will be automatically integrated + with the cluster's trust store. \n If a wildcard certificate is + used and shared by multiple HTTP/2 enabled routes (which implies + ALPN) then clients (i.e., notably browsers) are at liberty to reuse + open connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is generally + known as connection coalescing. \n The in-use certificate (whether + generated or user-specified) will be automatically integrated with + OpenShift's built-in OAuth server." + properties: + name: + default: "" + description: 'Name of the referent. This field is effectively + required, but due to backwards compatibility is allowed to be + empty. Instances of this type with an empty value here are almost + certainly wrong. TODO: Add other useful fields. apiVersion, + kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: "domain is a DNS name serviced by the ingress controller + and is used to configure multiple features: \n * For the LoadBalancerService + endpoint publishing strategy, domain is used to configure DNS records. + See endpointPublishingStrategy. \n * When using a generated default + certificate, the certificate will be valid for domain and its subdomains. + See defaultCertificate. \n * The value is published to individual + Route statuses so that end-users know where to target external DNS + records. \n domain must be unique among all IngressControllers, + and cannot be updated. \n If empty, defaults to ingress.config.openshift.io/cluster + .spec.domain." + type: string + endpointPublishingStrategy: + description: "endpointPublishingStrategy is used to publish the ingress + controller endpoints to other networks, enable load balancer integrations, + etc. \n If unset, the default is based on infrastructure.config.openshift.io/cluster + .status.platform: \n AWS: LoadBalancerService (with External + scope) Azure: LoadBalancerService (with External scope) GCP: + \ LoadBalancerService (with External scope) IBMCloud: LoadBalancerService + (with External scope) AlibabaCloud: LoadBalancerService (with External + scope) Libvirt: HostNetwork \n Any other platform types (including + None) default to HostNetwork. \n endpointPublishingStrategy cannot + be updated." + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: "mimeTypes is a list of MIME types that should have + compression applied. This list can be empty, in which case the + ingress controller does not apply compression. \n Note: Not + all MIME types benefit from compression, but HAProxy will still + use resources to try to compress if instructed to. Generally + speaking, text (html, css, js, etc.) formats benefit from compression, + but formats that are already compressed (image, audio, video, + etc.) benefit little in exchange for the time and cpu spent + on compressing again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2" + items: + description: "CompressionMIMEType defines the format of a single + MIME type. E.g. \"text/css; charset=utf-8\", \"text/html\", + \"text/*\", \"image/svg+xml\", \"application/octet-stream\", + \"X-custom/customsub\", etc. \n The format should follow the + Content-Type definition in RFC 1341: Content-Type := type + \"/\" subtype *[\";\" parameter] - The type in Content-Type + can be one of: application, audio, image, message, multipart, + text, video, or a custom type preceded by \"X-\" and followed + by a token as defined below. - The token is a string of at + least one character, and not containing white space, control + characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\\\"/[]?.= + - The subtype in Content-Type is also a token. - The optional + parameter/s following the subtype are defined as: token \"=\" + (token / quoted-string) - The quoted-string, as defined in + RFC 822, is surrounded by double quotes and can contain white + space plus any character EXCEPT \\, \", and CR. It can also + contain any single ASCII character as long as it is escaped + by \\." + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: "httpEmptyRequestsPolicy describes how HTTP connections + should be handled if the connection times out before a request is + received. Allowed values for this field are \"Respond\" and \"Ignore\". + \ If the field is set to \"Respond\", the ingress controller sends + an HTTP 400 or 408 response, logs the connection (if access logging + is enabled), and counts the connection in the appropriate metrics. + \ If the field is set to \"Ignore\", the ingress controller closes + the connection without sending a response, logging the connection, + or incrementing metrics. The default value is \"Respond\". \n Typically, + these connections come from load balancers' health probes or Web + browsers' speculative connections (\"preconnect\") and can be safely + ignored. However, these requests may also be caused by network + errors, and so setting this field to \"Ignore\" may impede detection + and diagnosis of problems. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in detecting + intrusion attempts." + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: httpErrorCodePages specifies a configmap with custom + error pages. The administrator must create this configmap in the + openshift-config namespace. This configmap should have keys in the + format "error-page-.http", where is an + HTTP error code. For example, "error-page-503.http" defines an error + page for HTTP 503 responses. Currently only error pages for 503 + and 404 responses can be customized. Each value in the configmap + should be the full response, including HTTP headers. Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default + error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: "httpHeaders defines policy for HTTP headers. \n If this + field is empty, the default values are used." + properties: + actions: + description: 'actions specifies options for modifying headers + and their values. Note that this option only applies to cleartext + HTTP connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). Headers cannot be modified for TLS + passthrough connections. Setting the HSTS (`Strict-Transport-Security`) + header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" + route annotation, and only in accordance with the policy specified + in Ingress.Spec.RequiredHSTSPolicies. Any actions defined here + are applied after any actions related to the following other + fields: cache-control, spec.clientTLS, spec.httpHeaders.forwardedHeaderPolicy, + spec.httpHeaders.uniqueId, and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions + on the Route will be executed after the actions specified in + the IngressController''s spec.httpHeaders.actions field. In + case of HTTP response headers, the actions specified in spec.httpHeaders.actions + on the IngressController will be executed after the actions + specified in the Route''s spec.httpHeaders.actions field. Headers + set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified + via this API: Strict-Transport-Security, Proxy, Host, Cookie, + Set-Cookie. Note that the total size of all net added headers + *after* interpolating dynamic values must not exceed the value + of spec.tuningOptions.headerBufferMaxRewriteBytes on the IngressController. + Please refer to the documentation for that API field for more + details.' + properties: + request: + description: 'request is a list of HTTP request headers to + modify. Actions defined here will modify the request headers + of all requests passing through an ingress controller. These + actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed + before Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 request + header actions may be configured. Sample fetchers allowed + are "req.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[req.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: 'response is a list of HTTP response headers + to modify. Actions defined here will modify the response + headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections + handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed + after Route actions. Currently, actions may define to either + `Set` or `Delete` headers values. Actions are applied in + sequence as defined in this list. A maximum of 20 response + header actions may be configured. Sample fetchers allowed + are "res.hdr" and "ssl_c_der". Converters allowed are "lower" + and "base64". Example header values: "%[res.hdr(X-target),lower]", + "%{+Q}[ssl_c_der,base64]".' + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: set specifies how the HTTP header should + be set. This field is required when type is Set + and forbidden otherwise. + properties: + value: + description: value specifies a header value. + Dynamic values can be added. The value will + be interpreted as an HAProxy format string + as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and + may use HAProxy's %[] syntax and otherwise + must be a valid HTTP header value as defined + in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than + 16384 characters in length. Note that the + total size of all net added headers *after* + interpolating dynamic values must not exceed + the value of spec.tuningOptions.headerBufferMaxRewriteBytes + on the IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: type defines the type of the action + to be applied on the header. Possible values are + Set or Delete. Set allows you to set HTTP request + and response headers. Delete allows you to delete + HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: 'name specifies the name of a header on + which to perform an action. Its value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the + following special characters, "-!#$%&''*+.^_`". The + following header names are reserved and may not be + modified via this API: Strict-Transport-Security, + Proxy, Host, Cookie, Set-Cookie. It must be no more + than 255 characters in length. Header name must be + unique.' + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: "forwardedHeaderPolicy specifies when and how the + IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: \n * \"Append\", + which specifies that the IngressController appends the headers, + preserving existing headers. \n * \"Replace\", which specifies + that the IngressController sets the headers, replacing any existing + Forwarded or X-Forwarded-* headers. \n * \"IfNone\", which specifies + that the IngressController sets the headers if they are not + already set. \n * \"Never\", which specifies that the IngressController + never sets the headers, preserving any existing headers. \n + By default, the policy is \"Append\"." + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: "headerNameCaseAdjustments specifies case adjustments + that can be applied to HTTP header names. Each adjustment is + specified as an HTTP header name with the desired capitalization. + \ For example, specifying \"X-Forwarded-For\" indicates that + the \"x-forwarded-for\" HTTP header should be adjusted to have + the specified capitalization. \n These adjustments are only + applied to cleartext, edge-terminated, and re-encrypt routes, + and only when using HTTP/1. \n For request headers, these adjustments + are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied + to all HTTP responses. \n If this field is empty, no request + headers are adjusted." + items: + description: IngressControllerHTTPHeaderNameCaseAdjustment is + the name of an HTTP header (for example, "X-Forwarded-For") + in the desired capitalization. The value must be a valid + HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: "uniqueId describes configuration for a custom HTTP + header that the ingress controller should inject into incoming + HTTP requests. Typically, this header is configured to have + a value that is unique to the HTTP request. The header can + be used by applications or included in access logs to facilitate + tracing individual HTTP requests. \n If this field is empty, + no such header is injected into requests." + properties: + format: + description: 'format specifies the format for the injected + HTTP header''s value. This field has no effect unless name + is specified. For the HAProxy-based ingress controller + implementation, this format uses the same syntax as the + HTTP log format. If the field is empty, the default value + is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the corresponding + HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3' + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: name specifies the name of the HTTP header (for + example, "unique-id") that the ingress controller should + inject into HTTP requests. The field's value must be a + valid HTTP header name as defined in RFC 2616 section 4.2. If + the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + logging: + description: logging defines parameters for what should be logged + where. If this field is empty, operational logs are enabled but + access logs are disabled. + properties: + access: + description: "access describes how the client requests should + be logged. \n If this field is empty, access logging is disabled." + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: container holds parameters for the Container + logging destination. Present only if type is Container. + properties: + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 8192, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: syslog holds parameters for a syslog endpoint. Present + only if type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: address is the IP address of the syslog + endpoint that receives log messages. + type: string + facility: + description: "facility specifies the syslog facility + of log messages. \n If this field is empty, the + facility is \"local1\"." + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: "maxLength is the maximum length of the + log message. \n Valid values are integers in the + range 480 to 4096, inclusive. \n When omitted, the + default value is 1024." + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: port is the UDP port number of the syslog + endpoint that receives log messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: "type is the type of destination for logs. + \ It must be one of the following: \n * Container \n + The ingress operator configures the sidecar container + named \"logs\" on the ingress controller pod and configures + the ingress controller to write logs to the sidecar. + \ The logs are then available as container logs. The + expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. + \ Note that using container logs means that logs may + be dropped if the rate of logs exceeds the container + runtime's or the custom logging solution's capacity. + \n * Syslog \n Logs are sent to a syslog endpoint. The + administrator must specify an endpoint that can receive + syslog messages. The expectation is that the administrator + has configured a custom syslog instance." + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: httpCaptureCookies specifies HTTP cookies that + should be captured in access logs. If this field is empty, + no cookies are captured. + items: + description: IngressControllerCaptureHTTPCookie describes + an HTTP cookie that should be captured. + properties: + matchType: + description: matchType specifies the type of match to + be performed on the cookie name. Allowed values are + "Exact" for an exact string match and "Prefix" for + a string prefix match. If "Exact" is specified, a + name must be specified in the name field. If "Prefix" + is provided, a prefix must be specified in the namePrefix + field. For example, specifying matchType "Prefix" + and namePrefix "foo" will capture a cookie named "foo" + or "foobar" but not one named "bar". The first matching + cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: maxLength specifies a maximum length of + the string that will be logged, which includes the + cookie name, cookie value, and one-character delimiter. If + the log entry exceeds this length, the value will + be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total + length of HTTP headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: name specifies a cookie name. Its value + must be a valid HTTP cookie name as defined in RFC + 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: namePrefix specifies a cookie name prefix. Its + value must be a valid HTTP cookie name as defined + in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: "httpCaptureHeaders defines HTTP headers that + should be captured in access logs. If this field is empty, + no headers are captured. \n Note that this option only applies + to cleartext HTTP connections and to secure HTTP connections + for which the ingress controller terminates encryption (that + is, edge-terminated or reencrypt connections). Headers + cannot be captured for TLS passthrough connections." + properties: + request: + description: "request specifies which HTTP request headers + to capture. \n If this field is empty, no request headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: "response specifies which HTTP response headers + to capture. \n If this field is empty, no response headers + are captured." + items: + description: IngressControllerCaptureHTTPHeader describes + an HTTP header that should be captured. + properties: + maxLength: + description: maxLength specifies a maximum length + for the header value. If a header value exceeds + this length, the value will be truncated in the + log message. Note that the ingress controller + may impose a separate bound on the total length + of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: name specifies a header name. Its + value must be a valid HTTP header name as defined + in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: "httpLogFormat specifies the format of the log + message for an HTTP request. \n If this field is empty, + log messages use the implementation's default HTTP log format. + \ For HAProxy's default HTTP log format, see the HAProxy + documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + \n Note that this format only applies to cleartext HTTP + connections and to secure HTTP connections for which the + ingress controller terminates encryption (that is, edge-terminated + or reencrypt connections). It does not affect the log format + for TLS passthrough connections." + type: string + logEmptyRequests: + default: Log + description: logEmptyRequests specifies how connections on + which no request is received should be logged. Typically, + these empty requests come from load balancers' health probes + or Web browsers' speculative connections ("preconnect"), + in which case logging these requests may be undesirable. However, + these requests may also be caused by network errors, in + which case logging empty requests may be useful for diagnosing + the errors. In addition, these requests may be caused by + port scans, in which case logging empty requests may aid + in detecting intrusion attempts. Allowed values for this + field are "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: "namespaceSelector is used to filter the set of namespaces + serviced by the ingress controller. This is useful for implementing + shards. \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: "nodePlacement enables explicit control over the scheduling + of the ingress controller. \n If unset, defaults are used. See NodePlacement + for more details." + properties: + nodeSelector: + description: "nodeSelector is the node selector applied to ingress + controller deployments. \n If set, the specified selector is + used and replaces the default. \n If unset, the default depends + on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses + status. \n When defaultPlacement is Workers, the default is: + \n kubernetes.io/os: linux node-role.kubernetes.io/worker: '' + \n When defaultPlacement is ControlPlane, the default is: \n + kubernetes.io/os: linux node-role.kubernetes.io/master: '' \n + These defaults are subject to change. \n Note that using nodeSelector.matchExpressions + is not supported. Only nodeSelector.matchLabels may be used. + \ This is a limitation of the Kubernetes API: the pod spec does + not allow complex expressions for node selectors." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: "tolerations is a list of tolerations applied to + ingress controller deployments. \n The default is an empty list. + \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/" + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: "replicas is the desired number of ingress controller + replicas. If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. \n + The value of replicas is set based on the value of a chosen field + in the Infrastructure CR. If defaultPlacement is set to ControlPlane, + the chosen field will be controlPlaneTopology. If it is set to Workers + the chosen field will be infrastructureTopology. Replicas will then + be set to 1 or 2 based whether the chosen field's value is SingleReplica + or HighlyAvailable, respectively. \n These defaults are subject + to change." + format: int32 + type: integer + routeAdmission: + description: "routeAdmission defines a policy for handling new route + claims (for example, to allow or deny claims across namespaces). + \n If empty, defaults will be applied. See specific routeAdmission + fields for details about their defaults." + properties: + namespaceOwnership: + description: "namespaceOwnership describes how host name claims + across namespaces should be handled. \n Value must be one of: + \n - Strict: Do not allow routes in different namespaces to + claim the same host. \n - InterNamespaceAllowed: Allow routes + to claim different paths of the same host name across namespaces. + \n If empty, the default is Strict." + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: "wildcardPolicy describes how routes with wildcard + policies should be handled for the ingress controller. WildcardPolicy + controls use of routes [1] exposed by the ingress controller + based on the route's wildcard policy. \n [1] https://github.com/openshift/api/blob/master/route/v1/types.go + \n Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain + to stop working. These routes must be updated to a wildcard + policy of None to be readmitted by the ingress controller. \n + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed + values. \n If empty, defaults to \"WildcardsDisallowed\"." + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: "routeSelector is used to filter the set of Routes serviced + by the ingress controller. This is useful for implementing shards. + \n If unset, the default is no filtering." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: "tlsSecurityProfile specifies settings for TLS connections + for ingresscontrollers. \n If unset, the default is based on the + apiservers.config.openshift.io/cluster resource. \n Note that when + using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For + example, given a specification to use the Intermediate profile deployed + on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new + profile configuration to be applied to the ingress controller, resulting + in a rollout." + properties: + custom: + description: "custom is a user-defined TLS security profile. Be + extremely careful using a custom profile as invalid configurations + can be catastrophic. An example custom profile looks like this: + \n ciphers: \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - ECDHE-RSA-AES128-GCM-SHA256 \n - ECDHE-ECDSA-AES128-GCM-SHA256 + \n minTLSVersion: VersionTLS11" + nullable: true + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators + may remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal + version of the TLS protocol that is negotiated during the + TLS handshake. For example, to use TLS versions 1.1, 1.2 + and 1.3 (yaml): \n minTLSVersion: VersionTLS11 \n NOTE: + currently the highest minTLSVersion allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: "intermediate is a TLS security profile based on: + \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n minTLSVersion: VersionTLS12" + nullable: true + type: object + modern: + description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n minTLSVersion: VersionTLS13" + nullable: true + type: object + old: + description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + \n and looks like this (yaml): \n ciphers: \n - TLS_AES_128_GCM_SHA256 + \n - TLS_AES_256_GCM_SHA384 \n - TLS_CHACHA20_POLY1305_SHA256 + \n - ECDHE-ECDSA-AES128-GCM-SHA256 \n - ECDHE-RSA-AES128-GCM-SHA256 + \n - ECDHE-ECDSA-AES256-GCM-SHA384 \n - ECDHE-RSA-AES256-GCM-SHA384 + \n - ECDHE-ECDSA-CHACHA20-POLY1305 \n - ECDHE-RSA-CHACHA20-POLY1305 + \n - DHE-RSA-AES128-GCM-SHA256 \n - DHE-RSA-AES256-GCM-SHA384 + \n - DHE-RSA-CHACHA20-POLY1305 \n - ECDHE-ECDSA-AES128-SHA256 + \n - ECDHE-RSA-AES128-SHA256 \n - ECDHE-ECDSA-AES128-SHA \n + - ECDHE-RSA-AES128-SHA \n - ECDHE-ECDSA-AES256-SHA384 \n - ECDHE-RSA-AES256-SHA384 + \n - ECDHE-ECDSA-AES256-SHA \n - ECDHE-RSA-AES256-SHA \n - DHE-RSA-AES128-SHA256 + \n - DHE-RSA-AES256-SHA256 \n - AES128-GCM-SHA256 \n - AES256-GCM-SHA384 + \n - AES128-SHA256 \n - AES256-SHA256 \n - AES128-SHA \n - AES256-SHA + \n - DES-CBC3-SHA \n minTLSVersion: VersionTLS10" + nullable: true + type: object + type: + description: "type is one of Old, Intermediate, Modern or Custom. + Custom provides the ability to specify individual TLS security + profile parameters. Old, Intermediate and Modern are TLS security + profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + \n The profiles are intent based, so they may change over time + as new ciphers are developed and existing ciphers are found + to be insecure. Depending on precisely which ciphers are available + to a process, the list may be reduced. \n Note that the Modern + profile is currently not supported because it is not yet well + adopted by common software libraries." + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: "tuningOptions defines parameters for adjusting the performance + of ingress controller pods. All fields are optional and will use + their respective defaults if not set. See specific tuningOptions + fields for more details. \n Setting fields within tuningOptions + is generally not recommended. The default values are suitable for + most configurations." + properties: + clientFinTimeout: + description: "clientFinTimeout defines how long a connection will + be held open while waiting for the client response to the server/backend + closing the connection. \n If unset, the default timeout is + 1s" + format: duration + type: string + clientTimeout: + description: "clientTimeout defines how long a connection will + be held open while waiting for a client response. \n If unset, + the default timeout is 30s" + format: duration + type: string + connectTimeout: + description: "ConnectTimeout defines the maximum time to wait + for a connection attempt to a server/backend to succeed. \n + This field expects an unsigned duration string of decimal numbers, + each with optional fraction and a unit suffix, e.g. \"300ms\", + \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or + \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". + \n When omitted, this means the user has no opinion and the + platform is left to choose a reasonable default. This default + is subject to change over time. The current default is 5s." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: "headerBufferBytes describes how much memory should + be reserved (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is enabled + for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default + value of 32768 bytes. \n Setting this field is generally not + recommended as headerBufferBytes values that are too small may + break the IngressController and headerBufferBytes values that + are too large could cause the IngressController to use significantly + more memory than necessary." + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: "headerBufferMaxRewriteBytes describes how much memory + should be reserved (in bytes) from headerBufferBytes for HTTP + header rewriting and appending for IngressController connection + sessions. Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default + value of 8192 bytes. \n Setting this field is generally not + recommended as headerBufferMaxRewriteBytes values that are too + small may break the IngressController and headerBufferMaxRewriteBytes + values that are too large could cause the IngressController + to use significantly more memory than necessary." + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: "healthCheckInterval defines how long the router + waits between two consecutive health checks on its configured + backends. This value is applied globally as a default for all + routes, but may be overridden per-route by the route annotation + \"router.openshift.io/haproxy.health.check.interval\". \n Expects + an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". + Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" + U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Setting this to less + than 5s can cause excess traffic due to too frequent TCP health + checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend + servers that are no longer available, but haven't yet been detected + as such. \n An empty or zero healthCheckInterval means no opinion + and IngressController chooses a default, which is subject to + change over time. Currently the default healthCheckInterval + value is 5s. \n Currently the minimum allowed value is 1s and + the maximum allowed value is 2147483647ms (24.85 days). Both + are subject to change over time." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + maxConnections: + description: "maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. Increasing + this value allows each ingress controller pod to handle more + connections but at the cost of additional system resources being + consumed. \n Permitted values are: empty, 0, -1, and the range + 2000-2000000. \n If this field is empty or 0, the IngressController + will use the default value of 50000, but the default is subject + to change in future releases. \n If the value is -1 then HAProxy + will dynamically compute a maximum value based on the available + ulimits in the running container. Selecting -1 (i.e., auto) + will result in a large value being computed (~520000 on OpenShift + >=4.10 clusters) and therefore each HAProxy process will incur + significant memory usage compared to the current default of + 50000. \n Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from starting. + \n If you choose a discrete value (e.g., 750000) and the router + pod is migrated to a new node, there's no guarantee that that + new node has identical ulimits configured. In such a scenario + the pod would fail to start. If you have nodes with different + ulimits configured (e.g., different tuned profiles) and you + choose a discrete value then the guidance is to use -1 and let + the value be computed dynamically at runtime. \n You can monitor + memory usage for router containers with the following metric: + 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}'. + \n You can monitor memory usage of individual HAProxy processes + in router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}/container_processes{container=\"router\",namespace=\"openshift-ingress\"}'." + format: int32 + type: integer + reloadInterval: + description: "reloadInterval defines the minimum interval at which + the router is allowed to reload to accept new changes. Increasing + this value can prevent the accumulation of HAProxy processes, + depending on the scenario. Increasing this interval can also + lessen load imbalance on a backend's servers when using the + roundrobin balancing algorithm. Alternatively, decreasing this + value may decrease latency since updates to HAProxy's configuration + can take effect more quickly. \n The value must be a time duration + value; see . Currently, + the minimum value allowed is 1s, and the maximum allowed value + is 120s. Minimum and maximum allowed values may change in future + versions of OpenShift. Note that if a duration outside of these + bounds is provided, the value of reloadInterval will be capped/floored + and not rejected (e.g. a duration of over 120s will be capped + to 120s; the IngressController will not reject and replace this + disallowed value with the default). \n A zero value for reloadInterval + tells the IngressController to choose the default, which is + currently 5s and subject to change without notice. \n This field + expects an unsigned duration string of decimal numbers, each + with optional fraction and a unit suffix, e.g. \"300ms\", \"1.5h\" + or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" + U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Note: + Setting a value significantly larger than the default of 5s + can cause latency in observing updates to routes and their endpoints. + HAProxy's configuration will be reloaded less frequently, and + newly created routes will not be served until the subsequent + reload." + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: "serverFinTimeout defines how long a connection will + be held open while waiting for the server/backend response to + the client closing the connection. \n If unset, the default + timeout is 1s" + format: duration + type: string + serverTimeout: + description: "serverTimeout defines how long a connection will + be held open while waiting for a server/backend response. \n + If unset, the default timeout is 30s" + format: duration + type: string + threadCount: + description: "threadCount defines the number of threads created + per HAProxy process. Creating more threads allows each ingress + controller pod to handle more connections, at the cost of more + system resources being used. HAProxy currently supports up to + 64 threads. If this field is empty, the IngressController will + use the default value. The current default is 4 threads, but + this may change in future releases. \n Setting this field is + generally not recommended. Increasing the number of HAProxy + threads allows ingress controller pods to utilize more CPU time + under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller + to perform poorly." + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: "tlsInspectDelay defines how long the router can + hold data to find a matching route. \n Setting this too short + can cause the router to fall back to the default certificate + for edge-terminated or reencrypt routes even when a better matching + certificate could be used. \n If unset, the default inspect + delay is 5s" + format: duration + type: string + tunnelTimeout: + description: "tunnelTimeout defines how long a tunnel connection + (including websockets) will be held open while the tunnel is + idle. \n If unset, the default timeout is 1h" + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: availableReplicas is number of observed available replicas + according to the ingress controller deployment. + format: int32 + type: integer + conditions: + description: "conditions is a list of conditions and their status. + \n Available means the ingress controller deployment is available + and servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) \n There are additional conditions which + indicate the status of other ingress controller features and capabilities. + \n * LoadBalancerManaged - True if the following conditions are + met: * The endpoint publishing strategy requires a service load + balancer. - False if any of those conditions are unsatisfied. \n + * LoadBalancerReady - True if the following conditions are met: + * A load balancer is managed. * The load balancer is ready. - False + if any of those conditions are unsatisfied. \n * DNSManaged - True + if the following conditions are met: * The endpoint publishing strategy + and platform support DNS. * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. - False + if any of those conditions are unsatisfied. \n * DNSReady - True + if the following conditions are met: * DNS is managed. * DNS records + have been successfully created. - False if any of those conditions + are unsatisfied." + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: hostNetwork holds parameters for the HostNetwork + endpoint publishing strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: httpPort is the port on the host which should + be used to listen for HTTP requests. This field should be + set when port 80 is already in use. The value should not + coincide with the NodePort range of the cluster. When the + value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: httpsPort is the port on the host which should + be used to listen for HTTPS requests. This field should + be set when port 443 is already in use. The value should + not coincide with the NodePort range of the cluster. When + the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: statsPort is the port on the host where the stats + from the router are published. The value should not coincide + with the NodePort range of the cluster. If an external load + balancer is configured to forward connections to this IngressController, + the load balancer should use this port for health checks. + The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if + the ingress controller is ready to receive traffic on the + node. For proper operation the load balancer must not forward + traffic to a node until the health check reports ready. + The load balancer should also stop forwarding requests within + a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second + timeout and with a threshold of two successful or failed + requests to become healthy or unhealthy respectively, are + well-tested values. When the value is 0 or is not specified + it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: loadBalancer holds parameters for the load balancer. + Present only if type is LoadBalancerService. + properties: + allowedSourceRanges: + description: "allowedSourceRanges specifies an allowlist of + IP address ranges to which access to the load balancer should + be restricted. Each range must be specified using CIDR + notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range + is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 + are used by default, which allows all source addresses. + \n To facilitate migration from earlier versions of OpenShift + that did not have the allowedSourceRanges field, you may + set the service.beta.kubernetes.io/load-balancer-source-ranges + annotation on the \"router-\" service + in the \"openshift-ingress\" namespace, and this annotation + will take effect if allowedSourceRanges is empty on OpenShift + 4.12." + items: + description: CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: 'dnsManagementPolicy indicates if the lifecycle + of the wildcard DNS record associated with the load balancer + service will be managed by the ingress operator. It defaults + to Managed. Valid values are: Managed and Unmanaged.' + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: "providerParameters holds desired load balancer + information specific to the underlying infrastructure provider. + \n If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults." + properties: + aws: + description: "aws provides configuration settings that + are specific to AWS load balancers. \n If empty, defaults + will be applied. See specific aws fields for details + about their defaults." + properties: + classicLoadBalancer: + description: classicLoadBalancerParameters holds configuration + parameters for an AWS classic load balancer. Present + only if type is Classic. + properties: + connectionIdleTimeout: + description: connectionIdleTimeout specifies the + maximum time period that a connection may be + idle before the load balancer closes the connection. The + value must be parseable as a time duration value; + see . A + nil or zero value means no opinion, in which + case a default value is used. The default value + for this field is 60s. This default is subject + to change. + format: duration + type: string + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: networkLoadBalancerParameters holds configuration + parameters for an AWS network load balancer. Present + only if type is NLB. + properties: + eipAllocations: + description: "eipAllocations is a list of IDs + for Elastic IP (EIP) addresses that are assigned + to the Network Load Balancer. The following + restrictions apply: \n eipAllocations can only + be used with external scope, not internal. An + EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the + number of subnets that are used for the load + balancer. Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + \n See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html + for general information about configuration, + characteristics, and limitations of Elastic + IP addresses." + items: + description: EIPAllocation is an ID for an Elastic + IP (EIP) address that can be allocated to + an ELB in the AWS environment. Values must + begin with `eipalloc-` followed by exactly + 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: "subnets specifies the subnets to + which the load balancer will attach. The subnets + may be specified by either their ID or name. + The total number of subnets is limited to 10. + \n In order for the load balancer to be provisioned + with subnets, each subnet must exist, each subnet + must be from a different availability zone, + and the load balancer service must be recreated + to pick up new values. \n When omitted from + the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered + subnets are not reported in the status of the + IngressController object." + properties: + ids: + description: ids specifies a list of AWS subnets + by subnet ID. Subnet IDs must start with + "subnet-", consist only of alphanumeric + characters, must be exactly 24 characters + long, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: names specifies a list of AWS + subnets by subnet name. Subnet names must + not start with "subnet-", must not include + commas, must be under 256 characters in + length, must be unique, and the total number + of subnets specified by ids and names must + not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: "type is the type of AWS load balancer + to instantiate for an ingresscontroller. \n Valid + values are: \n * \"Classic\": A Classic Load Balancer + that makes routing decisions at either the transport + layer (TCP/SSL) or the application layer (HTTP/HTTPS). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + \n * \"NLB\": A Network Load Balancer that makes + routing decisions at the transport layer (TCP/SSL). + See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb" + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: "gcp provides configuration settings that + are specific to GCP load balancers. \n If empty, defaults + will be applied. See specific gcp fields for details + about their defaults." + properties: + clientAccess: + description: "clientAccess describes how client access + is restricted for internal load balancers. \n Valid + values are: * \"Global\": Specifying an internal + load balancer with Global client access allows clients + from any region within the VPC to communicate with + the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + \n * \"Local\": Specifying an internal load balancer + with Local client access means only clients within + the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that + this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access" + enum: + - Global + - Local + type: string + type: object + ibm: + description: "ibm provides configuration settings that + are specific to IBM Cloud load balancers. \n If empty, + defaults will be applied. See specific ibm fields for + details about their defaults." + properties: + protocol: + description: "protocol specifies whether the load + balancer uses PROXY protocol to forward connections + to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" + \n PROXY protocol can be used with load balancers + that support it to communicate the source addresses + of client connections when forwarding those connections + to the IngressController. Using PROXY protocol + enables the IngressController to report those source + addresses instead of reporting the load balancer's + address in HTTP headers and logs. Note that enabling + PROXY protocol on the IngressController will cause + connections to fail if you are not using a load + balancer that uses PROXY protocol to forward connections + to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n Valid values + for protocol are TCP, PROXY and omitted. When omitted, + this means no opinion and the platform is left to + choose a reasonable default, which is subject to + change over time. The current default is TCP, without + the proxy protocol enabled." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: type is the underlying infrastructure provider + for the load balancer. Allowed values are "AWS", "Azure", + "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and + "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + scope: + description: scope indicates the scope at which the load balancer + is exposed. Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + nodePort: + description: nodePort holds parameters for the NodePortService + endpoint publishing strategy. Present only if type is NodePortService. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: private holds parameters for the Private endpoint + publishing strategy. Present only if type is Private. + properties: + protocol: + description: "protocol specifies whether the IngressController + expects incoming connections to use plain TCP or whether + the IngressController expects PROXY protocol. \n PROXY protocol + can be used with load balancers that support it to communicate + the source addresses of client connections when forwarding + those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address + in HTTP headers and logs. Note that enabling PROXY protocol + on the IngressController will cause connections to fail + if you are not using a load balancer that uses PROXY protocol + to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt + for information about PROXY protocol. \n The following values + are valid for this field: \n * The empty string. * \"TCP\". + * \"PROXY\". \n The empty string specifies the default, + which is TCP without PROXY protocol. Note that the default + is subject to change." + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: "type is the publishing strategy to use. Valid values + are: \n * LoadBalancerService \n Publishes the ingress controller + using a Kubernetes LoadBalancer Service. \n In this configuration, + the ingress controller deployment uses container networking. + A LoadBalancer Service is created to publish the deployment. + \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + \n If domain is set, a wildcard DNS record will be managed to + point at the LoadBalancer Service's external name. DNS records + are managed only in DNS zones defined by dns.config.openshift.io/cluster + .spec.publicZone and .spec.privateZone. \n Wildcard DNS management + is currently supported only on the AWS, Azure, and GCP platforms. + \n * HostNetwork \n Publishes the ingress controller on node + ports where the ingress controller is deployed. \n In this configuration, + the ingress controller deployment uses host networking, bound + to node ports 80 and 443. The user is responsible for configuring + an external load balancer to publish the ingress controller + via the node ports. \n * Private \n Does not publish the ingress + controller. \n In this configuration, the ingress controller + deployment uses container networking, and is not explicitly + published. The user must manually publish the ingress controller. + \n * NodePortService \n Publishes the ingress controller using + a Kubernetes NodePort Service. \n In this configuration, the + ingress controller deployment uses container networking. A NodePort + Service is created to publish the deployment. The specific node + ports are dynamically allocated by OpenShift; however, to support + static port allocations, user changes to the node port field + of the managed NodePort Service will preserved." + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: selector is a label selector, in string format, for ingress + controller pods corresponding to the IngressController. The number + of matching pods should equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: "ciphers is used to specify the cipher algorithms + that are negotiated during the TLS handshake. Operators may + remove entries their operands do not support. For example, + to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA" + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: "minTLSVersion is used to specify the minimal version + of the TLS protocol that is negotiated during the TLS handshake. + For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): \n + minTLSVersion: VersionTLS11 \n NOTE: currently the highest minTLSVersion + allowed is VersionTLS12" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go index da3ce4e107..24be801a17 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go @@ -33,6 +33,11 @@ func (in *AWSCSIDriverConfigSpec) DeepCopy() *AWSCSIDriverConfigSpec { func (in *AWSClassicLoadBalancerParameters) DeepCopyInto(out *AWSClassicLoadBalancerParameters) { *out = *in out.ConnectionIdleTimeout = in.ConnectionIdleTimeout + if in.Subnets != nil { + in, out := &in.Subnets, &out.Subnets + *out = new(AWSSubnets) + (*in).DeepCopyInto(*out) + } return } @@ -52,12 +57,12 @@ func (in *AWSLoadBalancerParameters) DeepCopyInto(out *AWSLoadBalancerParameters if in.ClassicLoadBalancerParameters != nil { in, out := &in.ClassicLoadBalancerParameters, &out.ClassicLoadBalancerParameters *out = new(AWSClassicLoadBalancerParameters) - **out = **in + (*in).DeepCopyInto(*out) } if in.NetworkLoadBalancerParameters != nil { in, out := &in.NetworkLoadBalancerParameters, &out.NetworkLoadBalancerParameters *out = new(AWSNetworkLoadBalancerParameters) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -75,6 +80,16 @@ func (in *AWSLoadBalancerParameters) DeepCopy() *AWSLoadBalancerParameters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSNetworkLoadBalancerParameters) DeepCopyInto(out *AWSNetworkLoadBalancerParameters) { *out = *in + if in.Subnets != nil { + in, out := &in.Subnets, &out.Subnets + *out = new(AWSSubnets) + (*in).DeepCopyInto(*out) + } + if in.EIPAllocations != nil { + in, out := &in.EIPAllocations, &out.EIPAllocations + *out = make([]EIPAllocation, len(*in)) + copy(*out, *in) + } return } @@ -88,6 +103,32 @@ func (in *AWSNetworkLoadBalancerParameters) DeepCopy() *AWSNetworkLoadBalancerPa return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AWSSubnets) DeepCopyInto(out *AWSSubnets) { + *out = *in + if in.IDs != nil { + in, out := &in.IDs, &out.IDs + *out = make([]AWSSubnetID, len(*in)) + copy(*out, *in) + } + if in.Names != nil { + in, out := &in.Names, &out.Names + *out = make([]AWSSubnetName, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSSubnets. +func (in *AWSSubnets) DeepCopy() *AWSSubnets { + if in == nil { + return nil + } + out := new(AWSSubnets) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AccessLogging) DeepCopyInto(out *AccessLogging) { *out = *in diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index a8c2213cff..595f49e276 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -176,7 +176,9 @@ ingresscontrollers.operator.openshift.io: CRDName: ingresscontrollers.operator.openshift.io Capability: Ingress Category: "" - FeatureGates: [] + FeatureGates: + - IngressControllerLBSubnetsAWS + - SetEIPForNLBIngressController FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index 1b8b18e3f5..3700f2bd01 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -722,6 +722,7 @@ func (EtcdSpec) SwaggerDoc() map[string]string { var map_AWSClassicLoadBalancerParameters = map[string]string{ "": "AWSClassicLoadBalancerParameters holds configuration parameters for an AWS Classic load balancer.", "connectionIdleTimeout": "connectionIdleTimeout specifies the maximum time period that a connection may be idle before the load balancer closes the connection. The value must be parseable as a time duration value; see . A nil or zero value means no opinion, in which case a default value is used. The default value for this field is 60s. This default is subject to change.", + "subnets": "subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10.\n\nIn order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values.\n\nWhen omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object.", } func (AWSClassicLoadBalancerParameters) SwaggerDoc() map[string]string { @@ -740,13 +741,25 @@ func (AWSLoadBalancerParameters) SwaggerDoc() map[string]string { } var map_AWSNetworkLoadBalancerParameters = map[string]string{ - "": "AWSNetworkLoadBalancerParameters holds configuration parameters for an AWS Network load balancer.", + "": "AWSNetworkLoadBalancerParameters holds configuration parameters for an AWS Network load balancer. For Example: Setting AWS EIPs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html", + "subnets": "subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10.\n\nIn order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values.\n\nWhen omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object.", + "eipAllocations": "eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply:\n\neipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted.\n\nSee https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general information about configuration, characteristics, and limitations of Elastic IP addresses.", } func (AWSNetworkLoadBalancerParameters) SwaggerDoc() map[string]string { return map_AWSNetworkLoadBalancerParameters } +var map_AWSSubnets = map[string]string{ + "": "AWSSubnets contains a list of references to AWS subnets by ID or name.", + "ids": "ids specifies a list of AWS subnets by subnet ID. Subnet IDs must start with \"subnet-\", consist only of alphanumeric characters, must be exactly 24 characters long, must be unique, and the total number of subnets specified by ids and names must not exceed 10.", + "names": "names specifies a list of AWS subnets by subnet name. Subnet names must not start with \"subnet-\", must not include commas, must be under 256 characters in length, must be unique, and the total number of subnets specified by ids and names must not exceed 10.", +} + +func (AWSSubnets) SwaggerDoc() map[string]string { + return map_AWSSubnets +} + var map_AccessLogging = map[string]string{ "": "AccessLogging describes how client requests should be logged.", "destination": "destination is where access logs go.", diff --git a/vendor/modules.txt b/vendor/modules.txt index a36e7ddb3c..8addf5513e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -205,7 +205,7 @@ github.com/modern-go/reflect2 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 ## explicit github.com/munnerz/goautoneg -# github.com/openshift/api v0.0.0-20240527133614-ba11c1587003 +# github.com/openshift/api v0.0.0-20240527133614-ba11c1587003 => github.com/vrutkovs/api v0.0.0-20240730110716-670935b00022 ## explicit; go 1.22.0 github.com/openshift/api github.com/openshift/api/annotations @@ -1492,3 +1492,4 @@ sigs.k8s.io/structured-merge-diff/v4/value # sigs.k8s.io/yaml v1.3.0 ## explicit; go 1.12 sigs.k8s.io/yaml +# github.com/openshift/api => github.com/vrutkovs/api v0.0.0-20240730110716-670935b00022 From 2a62ab182a93f3887f3ef7c8c10ef92fb5d4afd0 Mon Sep 17 00:00:00 2001 From: Vadim Rutkovsky Date: Tue, 30 Jul 2024 14:07:23 +0200 Subject: [PATCH 2/3] certrotationcontroller: use minutes instead of days when FeatureShortCertRotation is enabled --- pkg/cmd/certregenerationcontroller/cmd.go | 32 +++++++++++++++---- .../certrotationcontroller.go | 29 +++++++++-------- pkg/operator/starter.go | 8 +---- 3 files changed, 41 insertions(+), 28 deletions(-) diff --git a/pkg/cmd/certregenerationcontroller/cmd.go b/pkg/cmd/certregenerationcontroller/cmd.go index 153f45035a..bc19bf9537 100644 --- a/pkg/cmd/certregenerationcontroller/cmd.go +++ b/pkg/cmd/certregenerationcontroller/cmd.go @@ -6,6 +6,7 @@ import ( "time" "github.com/spf13/cobra" + "k8s.io/klog/v2" "k8s.io/client-go/kubernetes" @@ -13,8 +14,9 @@ import ( configeversionedclient "github.com/openshift/client-go/config/clientset/versioned" configexternalinformers "github.com/openshift/client-go/config/informers/externalversions" "github.com/openshift/library-go/pkg/controller/controllercmd" - "github.com/openshift/library-go/pkg/operator/certrotation" + "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/genericoperatorclient" + "github.com/openshift/library-go/pkg/operator/status" "github.com/openshift/library-go/pkg/operator/v1helpers" "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/certrotationcontroller" @@ -84,6 +86,23 @@ func (o *Options) Run(ctx context.Context) error { configInformers := configexternalinformers.NewSharedInformerFactory(configClient, 10*time.Minute) + desiredVersion := status.VersionForOperatorFromEnv() + missingVersion := "0.0.1-snapshot" + featureGateAccessor := featuregates.NewFeatureGateAccess( + desiredVersion, missingVersion, + configInformers.Config().V1().ClusterVersions(), configInformers.Config().V1().FeatureGates(), + o.controllerContext.EventRecorder, + ) + + select { + case <-featureGateAccessor.InitialFeatureGatesObserved(): + featureGates, _ := featureGateAccessor.CurrentFeatureGates() + klog.Infof("FeatureGates initialized: knownFeatureGates=%v", featureGates.KnownFeatures()) + case <-time.After(1 * time.Minute): + klog.Errorf("timed out waiting for FeatureGate detection") + return fmt.Errorf("timed out waiting for FeatureGate detection") + } + kubeAPIServerInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces( kubeClient, operatorclient.GlobalMachineSpecifiedConfigNamespace, @@ -97,18 +116,13 @@ func (o *Options) Run(ctx context.Context) error { return err } - certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace) - if err != nil { - return err - } - kubeAPIServerCertRotationController, err := certrotationcontroller.NewCertRotationControllerOnlyWhenExpired( kubeClient, operatorClient, configInformers, kubeAPIServerInformersForNamespaces, o.controllerContext.EventRecorder, - certRotationScale, + featureGateAccessor, ) if err != nil { return err @@ -139,6 +153,10 @@ func (o *Options) Run(ctx context.Context) error { caBundleController.Run(ctx) }() + go func() { + featureGateAccessor.Run(ctx) + }() + <-ctx.Done() return nil diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go index 3bc505ac7b..6dd5ae1977 100644 --- a/pkg/operator/certrotationcontroller/certrotationcontroller.go +++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go @@ -14,12 +14,14 @@ import ( "k8s.io/client-go/util/workqueue" "k8s.io/klog/v2" + features "github.com/openshift/api/features" configinformers "github.com/openshift/client-go/config/informers/externalversions" configlisterv1 "github.com/openshift/client-go/config/listers/config/v1" "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient" - "github.com/openshift/library-go/pkg/controller/factory" + "github.com/openshift/library-go/pkg/controller/factory" "github.com/openshift/library-go/pkg/operator/certrotation" + "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/events" "github.com/openshift/library-go/pkg/operator/v1helpers" ) @@ -53,7 +55,7 @@ func NewCertRotationController( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, ) (*CertRotationController, error) { return newCertRotationController( kubeClient, @@ -61,7 +63,7 @@ func NewCertRotationController( configInformer, kubeInformersForNamespaces, eventRecorder, - day, + featureGateAccessor, false, ) } @@ -72,7 +74,7 @@ func NewCertRotationControllerOnlyWhenExpired( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, ) (*CertRotationController, error) { return newCertRotationController( kubeClient, @@ -80,7 +82,7 @@ func NewCertRotationControllerOnlyWhenExpired( configInformer, kubeInformersForNamespaces, eventRecorder, - day, + featureGateAccessor, true, ) } @@ -91,7 +93,7 @@ func newCertRotationController( configInformer configinformers.SharedInformerFactory, kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces, eventRecorder events.Recorder, - day time.Duration, + featureGateAccessor featuregates.FeatureGateAccess, refreshOnlyWhenExpired bool, ) (*CertRotationController, error) { ret := &CertRotationController{ @@ -118,14 +120,13 @@ func newCertRotationController( configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler()) rotationDay := defaultRotationDay - if day != time.Duration(0) { - rotationDay = day - klog.Warningf("!!! UNSUPPORTED VALUE SET !!!") - klog.Warningf("Certificate rotation base set to %q", rotationDay) - } else { - // for the development cycle, make the rotation 60 times faster (every twelve hours or so). - // This must be reverted before we ship - rotationDay = rotationDay / 60 + featureGates, err := featureGateAccessor.CurrentFeatureGates() + if err != nil { + return nil, fmt.Errorf("unable to get FeatureGates: %w", err) + } + + if featureGates.Enabled(features.FeatureShortCertRotation) { + rotationDay = time.Minute } certRotator := certrotation.NewCertRotationController( diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go index f887e59962..de929552d5 100644 --- a/pkg/operator/starter.go +++ b/pkg/operator/starter.go @@ -39,7 +39,6 @@ import ( "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/webhooksupportabilitycontroller" "github.com/openshift/library-go/pkg/controller/controllercmd" "github.com/openshift/library-go/pkg/operator/apiserver/controller/auditpolicy" - "github.com/openshift/library-go/pkg/operator/certrotation" "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" "github.com/openshift/library-go/pkg/operator/encryption" "github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators" @@ -331,18 +330,13 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle controllerContext.EventRecorder, ) - certRotationScale, err := certrotation.GetCertRotationScale(ctx, kubeClient, operatorclient.GlobalUserSpecifiedConfigNamespace) - if err != nil { - return err - } - certRotationController, err := certrotationcontroller.NewCertRotationController( kubeClient, operatorClient, configInformers, kubeInformersForNamespaces, controllerContext.EventRecorder.WithComponentSuffix("cert-rotation-controller"), - certRotationScale, + featureGateAccessor, ) if err != nil { return err From 643c5301c915258fcaeb011448baf89e79fb9bef Mon Sep 17 00:00:00 2001 From: Vadim Rutkovsky Date: Mon, 5 Aug 2024 13:59:53 +0200 Subject: [PATCH 3/3] certrotationcontroller: use custom periods when ShortCertRotation is enabled --- .../certrotationcontroller.go | 108 +++++++++--------- 1 file changed, 55 insertions(+), 53 deletions(-) diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go index 6dd5ae1977..eba1b433d4 100644 --- a/pkg/operator/certrotationcontroller/certrotationcontroller.go +++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go @@ -26,9 +26,6 @@ import ( "github.com/openshift/library-go/pkg/operator/v1helpers" ) -// defaultRotationDay is the default rotation base for all cert rotation operations. -const defaultRotationDay = 24 * time.Hour - type CertRotationController struct { certRotators []factory.Controller @@ -119,14 +116,19 @@ func newCertRotationController( configInformer.Config().V1().Networks().Informer().AddEventHandler(ret.serviceHostnameEventHandler()) configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler()) - rotationDay := defaultRotationDay + monthPeriod := time.Hour * 24 * 30 + yearPeriod := monthPeriod * 12 + tenMonthPeriod := monthPeriod * 10 + featureGates, err := featureGateAccessor.CurrentFeatureGates() if err != nil { return nil, fmt.Errorf("unable to get FeatureGates: %w", err) } if featureGates.Enabled(features.FeatureShortCertRotation) { - rotationDay = time.Minute + monthPeriod = 30 * time.Minute + yearPeriod = 60 * time.Minute + tenMonthPeriod = 45 * time.Minute } certRotator := certrotation.NewCertRotationController( @@ -137,8 +139,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -166,8 +168,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:openshift-aggregator"}, @@ -194,10 +196,10 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 1 * 365 * defaultRotationDay, // this comes from the installer + Validity: yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. - Refresh: 292 * defaultRotationDay, + Refresh: tenMonthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -225,8 +227,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}}, @@ -253,12 +255,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, // this comes from the installer + Validity: 10 * yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -286,8 +288,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ServingRotation{ Hostnames: func() []string { return []string{"localhost", "127.0.0.1"} }, @@ -314,12 +316,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, // this comes from the installer + Validity: 10 * yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -347,8 +349,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ServingRotation{ Hostnames: ret.serviceNetwork.GetHostnames, @@ -376,12 +378,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, // this comes from the installer + Validity: 10 * yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -409,8 +411,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ServingRotation{ Hostnames: ret.externalLoadBalancer.GetHostnames, @@ -438,12 +440,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, // this comes from the installer + Validity: 10 * yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -471,8 +473,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ServingRotation{ Hostnames: ret.internalLoadBalancer.GetHostnames, @@ -500,12 +502,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, // this comes from the installer + Validity: 10 * yearPeriod, // this comes from the installer // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), Client: kubeClient.CoreV1(), @@ -532,12 +534,12 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 10 * 365 * defaultRotationDay, + Validity: 10 * yearPeriod, // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. // Given that in this case rotation will be after 8y, // it means we effectively do not rotate. - Refresh: 8 * 365 * defaultRotationDay, + Refresh: 8 * yearPeriod, CertCreator: &certrotation.ServingRotation{ Hostnames: func() []string { return []string{"localhost-recovery"} }, }, @@ -563,8 +565,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 60 * defaultRotationDay, - Refresh: 30 * defaultRotationDay, + Validity: 2 * monthPeriod, + Refresh: monthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -592,8 +594,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:kube-controller-manager"}, @@ -620,8 +622,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 60 * defaultRotationDay, - Refresh: 30 * defaultRotationDay, + Validity: 2 * monthPeriod, + Refresh: monthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -649,8 +651,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:kube-scheduler"}, @@ -677,8 +679,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 60 * defaultRotationDay, - Refresh: 30 * defaultRotationDay, + Validity: 2 * monthPeriod, + Refresh: monthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -706,8 +708,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:control-plane-node-admin", Groups: []string{"system:masters"}}, @@ -734,8 +736,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 60 * defaultRotationDay, - Refresh: 30 * defaultRotationDay, + Validity: 2 * monthPeriod, + Refresh: monthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -763,8 +765,8 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 30 * rotationDay, - Refresh: 15 * rotationDay, + Validity: monthPeriod, + Refresh: monthPeriod / 2, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{Name: "system:serviceaccount:openshift-kube-apiserver:check-endpoints"}, @@ -791,10 +793,10 @@ func newCertRotationController( AdditionalAnnotations: certrotation.AdditionalAnnotations{ JiraComponent: "kube-apiserver", }, - Validity: 1 * 365 * defaultRotationDay, + Validity: yearPeriod, // Refresh set to 80% of the validity. // This range is consistent with most other signers defined in this pkg. - Refresh: 292 * defaultRotationDay, + Refresh: tenMonthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(), Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(), @@ -825,9 +827,9 @@ func newCertRotationController( // This needs to live longer then control plane certs so there is high chance that if a cluster breaks // because of expired certs these are still valid to use for collecting data using localhost-recovery // endpoint with long lived serving certs for localhost. - Validity: 2 * 365 * defaultRotationDay, + Validity: 2 * yearPeriod, // We rotate sooner so certs are always valid for 90 days (30 days more then kube-control-plane-signer) - Refresh: 30 * defaultRotationDay, + Refresh: monthPeriod, RefreshOnlyWhenExpired: refreshOnlyWhenExpired, CertCreator: &certrotation.ClientRotation{ UserInfo: &user.DefaultInfo{