v1beta1

package
v0.0.6 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 22, 2021 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Overview

Package v1beta1 contains API Schema definitions for the ocgate v1beta1 API group.

+kubebuilder:object:generate=true
+groupName=ocgate.rh-fieldwork.com

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "ocgate.rh-fieldwork.com", Version: "v1beta1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type GateServer

type GateServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   GateServerSpec   `json:"spec,omitempty"`
	Status GateServerStatus `json:"status,omitempty"`
}

GateServer is the Schema for the gateservers API

func (*GateServer) DeepCopy

func (in *GateServer) DeepCopy() *GateServer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateServer.

func (*GateServer) DeepCopyInto

func (in *GateServer) DeepCopyInto(out *GateServer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GateServer) DeepCopyObject

func (in *GateServer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GateServerList

type GateServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []GateServer `json:"items"`
}

GateServerList contains a list of GateServer

func (*GateServerList) DeepCopy

func (in *GateServerList) DeepCopy() *GateServerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateServerList.

func (*GateServerList) DeepCopyInto

func (in *GateServerList) DeepCopyInto(out *GateServerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GateServerList) DeepCopyObject

func (in *GateServerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GateServerSpec

type GateServerSpec struct {

	// apiURL is the k8s API url.
	// Default value is "https://kubernetes.default.svc".
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:validation:Pattern="^(http|https)://.*"
	// +kubebuilder:validation:MaxLength=1024
	// +kubebuilder:default:="https://kubernetes.default.svc"
	APIURL string `json:"apiURL,omitempty"`

	// route is the gate proxy server.
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:validation:Pattern="^([a-z0-9-_])+[.]([a-z0-9-_])+[.]([a-z0-9-._])+$"
	// +kubebuilder:validation:MaxLength=226
	Route string `json:"route,omitempty"`

	// serviceAccountNamespace of the rule. "*" represents all namespaces.
	// Default value is "*".
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:default:="*"
	ServiceAccountNamespace string `json:"serviceAccountNamespace,omitempty"`

	// serviceAccountVerbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.
	// VerbAll represents all kinds.
	// Default value is ["get"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"get"}
	ServiceAccountVerbs []string `json:"serviceAccountVerbs,omitempty"`

	// serviceAccountAPIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is ["subresources.kubevirt.io"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"subresources.kubevirt.io"}
	ServiceAccountAPIGroups []string `json:"serviceAccountAPIGroups,omitempty"`

	// serviceAccountResources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups.
	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is ["virtualmachineinstances","virtualmachineinstances/vnc"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"virtualmachineinstances","virtualmachineinstances/vnc"}
	ServiceAccountResources []string `json:"serviceAccountResources,omitempty"`

	// serviceAccountResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is [].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	ServiceAccountResourceNames []string `json:"serviceAccountResourceNames,omitempty"`

	// serviceAccountNonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
	// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is [].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	ServiceAccountNonResourceURLs []string `json:"serviceAccountNonResourceURLs,omitempty"`

	// passThrough determines if the tokens acquired from the OAuth2 server are passed directly to the k8s API.
	// Default value is false.
	// +optional
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="boolean"
	// +kubebuilder:default:=false
	PassThrough bool `json:"passThrough,omitempty"`

	// image is the oc gate proxy image to use.
	// Default value is "quay.io/rh-fieldwork/kube-gateway".
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:validation:MaxLength=1024
	// +kubebuilder:default:="quay.io/rh-fieldwork/kube-gateway"
	Image string `json:"image,omitempty"`

	// webAppImage is the oc gate proxy web application image to use.
	// It's an image including the static web application to be served together
	// with the k8s API.
	// The static web application should be in the directory "/data/web/public/"
	// and it will be copied to the proxy server's "/web/public/" directory on proxy
	// startup. If left empty, the proxy's default web application will not be replaced.
	// Default value is "quay.io/rh-fieldwork/kube-gateway-web-app-novnc".
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:validation:MaxLength=1024
	// +kubebuilder:default:="quay.io/rh-fieldwork/kube-gateway-web-app-novnc"
	WebAppImage string `json:"webAppImage,omitempty"`

	// generateSecret determines if a secret with public and private keys will be automatically
	// generated when the kube-gateway server is created.
	// Default value is true.
	// +optional
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="boolean"
	// +kubebuilder:default:=true
	GenerateSecret bool `json:"generateSecret,omitempty"`

	// generateOauthClient determines if an oauthclient for OpenShift's OAuth2 issuer
	// will be created.
	// Default value is false.
	// +optional
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="boolean"
	// +kubebuilder:default:=false
	GenerateOauthClient bool `json:"generateOauthClient,omitempty"`

	// generateRoute determines if an OpenShift route will be created for the proxy service;
	// if a route is not created, the operator will try to create a k8s ingress for
	// the proxy service.
	// Default value is false.
	// +optional
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="boolean"
	// +kubebuilder:default:=false
	GenerateRoute bool `json:"generateRoute,omitempty"`
}

GateServerSpec defines the desired state of GateServer

func (*GateServerSpec) DeepCopy

func (in *GateServerSpec) DeepCopy() *GateServerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateServerSpec.

func (*GateServerSpec) DeepCopyInto

func (in *GateServerSpec) DeepCopyInto(out *GateServerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GateServerStatus

type GateServerStatus struct {

	// Conditions represent the latest available observations of an object's state
	Conditions []metav1.Condition `json:"conditions"`

	// Token generation phase (ready|error)
	Phase string `json:"phase"`
}

GateServerStatus defines the observed state of GateServer

func (*GateServerStatus) DeepCopy

func (in *GateServerStatus) DeepCopy() *GateServerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateServerStatus.

func (*GateServerStatus) DeepCopyInto

func (in *GateServerStatus) DeepCopyInto(out *GateServerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GateToken

type GateToken struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   GateTokenSpec   `json:"spec,omitempty"`
	Status GateTokenStatus `json:"status,omitempty"`
}

GateToken is the Schema for the gatetokens API

func (*GateToken) DeepCopy

func (in *GateToken) DeepCopy() *GateToken

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateToken.

func (*GateToken) DeepCopyInto

func (in *GateToken) DeepCopyInto(out *GateToken)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GateToken) DeepCopyObject

func (in *GateToken) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GateTokenCache

type GateTokenCache struct {
	From            string   `json:"from"`
	Until           string   `json:"until"`
	DurationSec     int64    `json:"duration-sec"`
	NBf             int64    `json:"nbf"`
	Exp             int64    `json:"exp"`
	Alg             string   `json:"alg"`
	Namespace       string   `json:"namespace,omitempty"`
	Verbs           []string `json:"verbs,omitempty"`
	APIGroups       []string `json:"APIGroups,omitempty"`
	Resources       []string `json:"resources,omitempty"`
	ResourceNames   []string `json:"resourceNames,omitempty"`
	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
}

GateTokenCache stores initial token data

func (*GateTokenCache) DeepCopy

func (in *GateTokenCache) DeepCopy() *GateTokenCache

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateTokenCache.

func (*GateTokenCache) DeepCopyInto

func (in *GateTokenCache) DeepCopyInto(out *GateTokenCache)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GateTokenList

type GateTokenList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []GateToken `json:"items"`
}

GateTokenList contains a list of GateToken

func (*GateTokenList) DeepCopy

func (in *GateTokenList) DeepCopy() *GateTokenList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateTokenList.

func (*GateTokenList) DeepCopyInto

func (in *GateTokenList) DeepCopyInto(out *GateTokenList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GateTokenList) DeepCopyObject

func (in *GateTokenList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GateTokenSpec

type GateTokenSpec struct {

	// from is the time of token invocation; the token will not validate before this time,
	// and the token duration will start from this time.
	// Defaults to the token object creation time.
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:validation:Format="date-time"
	From string `json:"from"`

	// durationSec is the duration in seconds for which the token is valid, counted from its invocation.
	// Default value is 3600s (1h).
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="integer"
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:default:=3600
	DurationSec int64 `json:"durationSec"`

	// generateServiceAccount determines if the operator will create a service account and
	// deliver the actual service account token instead of a JWT access key.
	// The service account will not be generated before the token is valid
	// and will be deleted when the token expires.
	// Default value is false.
	// +optional
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="boolean"
	// +kubebuilder:default:=false
	GenerateServiceAccount bool `json:"generateServiceAccount,omitempty"`

	// namespace of the rule. "*" represents all namespaces.
	// Default value is "*".
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="string"
	// +kubebuilder:default:="*"
	Namespace string `json:"namespace,omitempty"`

	// verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is ["get"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"get"}
	Verbs []string `json:"verbs,omitempty"`

	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is ["subresources.kubevirt.io"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"subresources.kubevirt.io"}
	APIGroups []string `json:"APIGroups,omitempty"`

	// resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups.
	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is ["virtualmachineinstances","virtualmachineinstances/vnc"].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	// +kubebuilder:default:={"virtualmachineinstances","virtualmachineinstances/vnc"}
	Resources []string `json:"resources,omitempty"`

	// resourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is [].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	ResourceNames []string `json:"resourceNames,omitempty"`

	// nonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
	// If an action is not a resource API request, then the URL is split on '/' and is checked against the NonResourceURLs to look for a match.
	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
	// APIGroups is the name of the APIGroup that contains the resources.
	// If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
	// Default value is [].
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Type="array"
	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
}

GateTokenSpec defines the desired state of GateToken
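
A review of GateTokenSpec scope before a token is requested, as an added example that is not part of the package: `TokenScope`, `AuditScope`, `anyWild` and the `maxSec` cap are hypothetical names, and the struct is a local copy of the documented fields. It flags where the documented defaults (`namespace` "*" and an empty `resourceNames`) leave a token broader than named resources in one namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// TokenScope mirrors the GateTokenSpec fields that bound what a token may do
// (a local copy so the example runs without the module).
type TokenScope struct {
	DurationSec int64
	Namespace   string

	Verbs, APIGroups, Resources, ResourceNames []string
}

// anyWild reports whether any entry is "*" or a "*/subresource" form.
func anyWild(list []string) bool {
	for _, s := range list {
		if s == "*" || strings.HasPrefix(s, "*/") {
			return true
		}
	}
	return false
}

// AuditScope lists every way the scope is broader than named resources in one
// namespace. maxSec is the reviewer's policy cap (an assumption of this example).
func AuditScope(s TokenScope, maxSec int64) []string {
	var f []string
	// An omitted namespace is defaulted to "*" by the CRD, so treat both alike.
	if s.Namespace == "" || s.Namespace == "*" {
		f = append(f, "namespace: all namespaces")
	}
	if anyWild(s.Verbs) {
		f = append(f, "verbs: wildcard")
	}
	if anyWild(s.APIGroups) {
		f = append(f, "APIGroups: wildcard")
	}
	if anyWild(s.Resources) {
		f = append(f, "resources: wildcard")
	}
	// Per the field comment, an empty resourceNames list allows every name.
	if len(s.ResourceNames) == 0 {
		f = append(f, "resourceNames: empty, every name allowed")
	}
	if s.DurationSec > maxSec {
		f = append(f, fmt.Sprintf("durationSec: %d exceeds cap %d", s.DurationSec, maxSec))
	}
	return f
}

func main() {
	// Constructed sample: the documented defaults, nothing narrowed.
	d := TokenScope{DurationSec: 3600, Namespace: "*", Verbs: []string{"get"},
		Resources: []string{"virtualmachineinstances/vnc"}}
	fmt.Println(AuditScope(d, 3600))
}
```
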

func (*GateTokenSpec) DeepCopy

func (in *GateTokenSpec) DeepCopy() *GateTokenSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateTokenSpec.

func (*GateTokenSpec) DeepCopyInto

func (in *GateTokenSpec) DeepCopyInto(out *GateTokenSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GateTokenStatus

type GateTokenStatus struct {

	// Conditions represent the latest available observations of an object's state
	Conditions []metav1.Condition `json:"conditions"`

	// The generated token
	Token string `json:"token"`

	// The generated service account name
	ServiceAccountName string `json:"service-account-name"`

	// Cached data; once created, the user cannot change these values
	Data GateTokenCache `json:"data"`

	// Token generation phase (pending|ready|expired|error)
	Phase string `json:"phase"`
}

GateTokenStatus defines the observed state of GateToken

func (*GateTokenStatus) DeepCopy

func (in *GateTokenStatus) DeepCopy() *GateTokenStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GateTokenStatus.

func (*GateTokenStatus) DeepCopyInto

func (in *GateTokenStatus) DeepCopyInto(out *GateTokenStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
