Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +gencrdrefdocs:force +groupName=controlplane.cluster.x-k8s.io +k8s:defaulter-gen=TypeMeta
Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group. +kubebuilder:object:generate=true +groupName=controlplane.cluster.x-k8s.io
Constants ¶
// Condition types and condition reasons that the ROSAControlPlane controller reports on
// RosaControlPlaneStatus.Conditions. The *Condition values are condition types; the *Reason
// values are the reason strings attached to a False condition.
const (
	// ROSAControlPlaneReadyCondition condition reports on the successful reconciliation of ROSAControlPlane.
	ROSAControlPlaneReadyCondition clusterv1.ConditionType = "ROSAControlPlaneReady"
	// ROSAControlPlaneValidCondition condition reports whether ROSAControlPlane configuration is valid.
	ROSAControlPlaneValidCondition clusterv1.ConditionType = "ROSAControlPlaneValid"
	// ROSAControlPlaneUpgradingCondition condition reports whether ROSAControlPlane is upgrading or not.
	ROSAControlPlaneUpgradingCondition clusterv1.ConditionType = "ROSAControlPlaneUpgrading"
	// ExternalAuthConfiguredCondition condition reports whether external auth has been correctly configured.
	ExternalAuthConfiguredCondition clusterv1.ConditionType = "ExternalAuthConfigured"

	// ReconciliationFailedReason used to report reconciliation failures.
	ReconciliationFailedReason = "ReconciliationFailed"
	// ROSAControlPlaneDeletionFailedReason used to report failures while deleting ROSAControlPlane.
	ROSAControlPlaneDeletionFailedReason = "DeletionFailed"
	// ROSAControlPlaneInvalidConfigurationReason used to report invalid user input.
	ROSAControlPlaneInvalidConfigurationReason = "InvalidConfiguration"
)
Variables ¶
// Scheme registration for the controlplane.cluster.x-k8s.io/v1beta2 API group.
var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "controlplane.cluster.x-k8s.io", Version: "v1beta2"}
	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func RegisterDefaults ¶ added in v2.4.0
RegisterDefaults adds defaulters functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering - they call all nested defaulters.
func SetDefaults_RosaControlPlaneSpec ¶ added in v2.4.0
func SetDefaults_RosaControlPlaneSpec(s *RosaControlPlaneSpec)
SetDefaults_RosaControlPlaneSpec is used by defaulter-gen.
func SetObjectDefaults_ROSAControlPlane ¶ added in v2.4.0
func SetObjectDefaults_ROSAControlPlane(in *ROSAControlPlane)
func SetObjectDefaults_ROSAControlPlaneList ¶ added in v2.4.1
func SetObjectDefaults_ROSAControlPlaneList(in *ROSAControlPlaneList)
Types ¶
type AWSRolesRef ¶
// AWSRolesRef holds the ARNs of the AWS IAM roles that the in-cluster OpenShift operators assume
// via web identity. Every field is a plain ARN string; the example policy documents in the field
// comments are illustrations of the permissions each operator needs, not something validated here.
type AWSRolesRef struct {
	// The referenced role must have a trust relationship that allows it to be assumed via web identity.
	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.
	// Example:
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Principal": {
	// "Federated": "{{ .ProviderARN }}"
	// },
	// "Action": "sts:AssumeRoleWithWebIdentity",
	// "Condition": {
	// "StringEquals": {
	// "{{ .ProviderName }}:sub": {{ .ServiceAccounts }}
	// }
	// }
	// }
	// ]
	// }
	//
	// The StringEquals condition on "{{ .ProviderName }}:sub" is what restricts the role to the
	// listed service accounts; without it any identity issued by the same provider could assume
	// the role, so keep the condition when adapting the example.
	//
	// IngressARN is an ARN value referencing a role appropriate for the Ingress Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Action": [
	// "elasticloadbalancing:DescribeLoadBalancers",
	// "tag:GetResources",
	// "route53:ListHostedZones"
	// ],
	// "Resource": "*"
	// },
	// {
	// "Effect": "Allow",
	// "Action": [
	// "route53:ChangeResourceRecordSets"
	// ],
	// "Resource": [
	// "arn:aws:route53:::PUBLIC_ZONE_ID",
	// "arn:aws:route53:::PRIVATE_ZONE_ID"
	// ]
	// }
	// ]
	// }
	//
	// PUBLIC_ZONE_ID and PRIVATE_ZONE_ID are placeholders for the cluster's hosted zone IDs.
	IngressARN string `json:"ingressARN"`

	// ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Action": [
	// "s3:CreateBucket",
	// "s3:DeleteBucket",
	// "s3:PutBucketTagging",
	// "s3:GetBucketTagging",
	// "s3:PutBucketPublicAccessBlock",
	// "s3:GetBucketPublicAccessBlock",
	// "s3:PutEncryptionConfiguration",
	// "s3:GetEncryptionConfiguration",
	// "s3:PutLifecycleConfiguration",
	// "s3:GetLifecycleConfiguration",
	// "s3:GetBucketLocation",
	// "s3:ListBucket",
	// "s3:GetObject",
	// "s3:PutObject",
	// "s3:DeleteObject",
	// "s3:ListBucketMultipartUploads",
	// "s3:AbortMultipartUpload",
	// "s3:ListMultipartUploadParts"
	// ],
	// "Resource": "*"
	// }
	// ]
	// }
	ImageRegistryARN string `json:"imageRegistryARN"`

	// StorageARN is an ARN value referencing a role appropriate for the Storage Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Action": [
	// "ec2:AttachVolume",
	// "ec2:CreateSnapshot",
	// "ec2:CreateTags",
	// "ec2:CreateVolume",
	// "ec2:DeleteSnapshot",
	// "ec2:DeleteTags",
	// "ec2:DeleteVolume",
	// "ec2:DescribeInstances",
	// "ec2:DescribeSnapshots",
	// "ec2:DescribeTags",
	// "ec2:DescribeVolumes",
	// "ec2:DescribeVolumesModifications",
	// "ec2:DetachVolume",
	// "ec2:ModifyVolume"
	// ],
	// "Resource": "*"
	// }
	// ]
	// }
	StorageARN string `json:"storageARN"`

	// NetworkARN is an ARN value referencing a role appropriate for the Network Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Action": [
	// "ec2:DescribeInstances",
	// "ec2:DescribeInstanceStatus",
	// "ec2:DescribeInstanceTypes",
	// "ec2:UnassignPrivateIpAddresses",
	// "ec2:AssignPrivateIpAddresses",
	// "ec2:UnassignIpv6Addresses",
	// "ec2:AssignIpv6Addresses",
	// "ec2:DescribeSubnets",
	// "ec2:DescribeNetworkInterfaces"
	// ],
	// "Resource": "*"
	// }
	// ]
	// }
	NetworkARN string `json:"networkARN"`

	// KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC.
	// Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Action": [
	// "autoscaling:DescribeAutoScalingGroups",
	// "autoscaling:DescribeLaunchConfigurations",
	// "autoscaling:DescribeTags",
	// "ec2:DescribeAvailabilityZones",
	// "ec2:DescribeInstances",
	// "ec2:DescribeImages",
	// "ec2:DescribeRegions",
	// "ec2:DescribeRouteTables",
	// "ec2:DescribeSecurityGroups",
	// "ec2:DescribeSubnets",
	// "ec2:DescribeVolumes",
	// "ec2:CreateSecurityGroup",
	// "ec2:CreateTags",
	// "ec2:CreateVolume",
	// "ec2:ModifyInstanceAttribute",
	// "ec2:ModifyVolume",
	// "ec2:AttachVolume",
	// "ec2:AuthorizeSecurityGroupIngress",
	// "ec2:CreateRoute",
	// "ec2:DeleteRoute",
	// "ec2:DeleteSecurityGroup",
	// "ec2:DeleteVolume",
	// "ec2:DetachVolume",
	// "ec2:RevokeSecurityGroupIngress",
	// "ec2:DescribeVpcs",
	// "elasticloadbalancing:AddTags",
	// "elasticloadbalancing:AttachLoadBalancerToSubnets",
	// "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
	// "elasticloadbalancing:CreateLoadBalancer",
	// "elasticloadbalancing:CreateLoadBalancerPolicy",
	// "elasticloadbalancing:CreateLoadBalancerListeners",
	// "elasticloadbalancing:ConfigureHealthCheck",
	// "elasticloadbalancing:DeleteLoadBalancer",
	// "elasticloadbalancing:DeleteLoadBalancerListeners",
	// "elasticloadbalancing:DescribeLoadBalancers",
	// "elasticloadbalancing:DescribeLoadBalancerAttributes",
	// "elasticloadbalancing:DetachLoadBalancerFromSubnets",
	// "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
	// "elasticloadbalancing:ModifyLoadBalancerAttributes",
	// "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
	// "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
	// "elasticloadbalancing:AddTags",
	// "elasticloadbalancing:CreateListener",
	// "elasticloadbalancing:CreateTargetGroup",
	// "elasticloadbalancing:DeleteListener",
	// "elasticloadbalancing:DeleteTargetGroup",
	// "elasticloadbalancing:DeregisterTargets",
	// "elasticloadbalancing:DescribeListeners",
	// "elasticloadbalancing:DescribeLoadBalancerPolicies",
	// "elasticloadbalancing:DescribeTargetGroups",
	// "elasticloadbalancing:DescribeTargetHealth",
	// "elasticloadbalancing:ModifyListener",
	// "elasticloadbalancing:ModifyTargetGroup",
	// "elasticloadbalancing:RegisterTargets",
	// "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
	// "iam:CreateServiceLinkedRole",
	// "kms:DescribeKey"
	// ],
	// "Resource": [
	// "*"
	// ],
	// "Effect": "Allow"
	// }
	// ]
	// }
	//
	// "elasticloadbalancing:AddTags" appears twice in the example; the duplicate is harmless.
	//
	// +immutable
	KubeCloudControllerARN string `json:"kubeCloudControllerARN"`

	// NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Action": [
	// "ec2:AssociateRouteTable",
	// "ec2:AttachInternetGateway",
	// "ec2:AuthorizeSecurityGroupIngress",
	// "ec2:CreateInternetGateway",
	// "ec2:CreateNatGateway",
	// "ec2:CreateRoute",
	// "ec2:CreateRouteTable",
	// "ec2:CreateSecurityGroup",
	// "ec2:CreateSubnet",
	// "ec2:CreateTags",
	// "ec2:DeleteInternetGateway",
	// "ec2:DeleteNatGateway",
	// "ec2:DeleteRouteTable",
	// "ec2:DeleteSecurityGroup",
	// "ec2:DeleteSubnet",
	// "ec2:DeleteTags",
	// "ec2:DescribeAccountAttributes",
	// "ec2:DescribeAddresses",
	// "ec2:DescribeAvailabilityZones",
	// "ec2:DescribeImages",
	// "ec2:DescribeInstances",
	// "ec2:DescribeInternetGateways",
	// "ec2:DescribeNatGateways",
	// "ec2:DescribeNetworkInterfaces",
	// "ec2:DescribeNetworkInterfaceAttribute",
	// "ec2:DescribeRouteTables",
	// "ec2:DescribeSecurityGroups",
	// "ec2:DescribeSubnets",
	// "ec2:DescribeVpcs",
	// "ec2:DescribeVpcAttribute",
	// "ec2:DescribeVolumes",
	// "ec2:DetachInternetGateway",
	// "ec2:DisassociateRouteTable",
	// "ec2:DisassociateAddress",
	// "ec2:ModifyInstanceAttribute",
	// "ec2:ModifyNetworkInterfaceAttribute",
	// "ec2:ModifySubnetAttribute",
	// "ec2:RevokeSecurityGroupIngress",
	// "ec2:RunInstances",
	// "ec2:TerminateInstances",
	// "tag:GetResources",
	// "ec2:CreateLaunchTemplate",
	// "ec2:CreateLaunchTemplateVersion",
	// "ec2:DescribeLaunchTemplates",
	// "ec2:DescribeLaunchTemplateVersions",
	// "ec2:DeleteLaunchTemplate",
	// "ec2:DeleteLaunchTemplateVersions"
	// ],
	// "Resource": [
	// "*"
	// ],
	// "Effect": "Allow"
	// },
	// {
	// "Condition": {
	// "StringLike": {
	// "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
	// }
	// },
	// "Action": [
	// "iam:CreateServiceLinkedRole"
	// ],
	// "Resource": [
	// "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
	// ],
	// "Effect": "Allow"
	// },
	// {
	// "Action": [
	// "iam:PassRole"
	// ],
	// "Resource": [
	// "arn:*:iam::*:role/*-worker-role"
	// ],
	// "Effect": "Allow"
	// },
	// {
	// "Effect": "Allow",
	// "Action": [
	// "kms:Decrypt",
	// "kms:ReEncrypt",
	// "kms:GenerateDataKeyWithoutPlainText",
	// "kms:DescribeKey"
	// ],
	// "Resource": "*"
	// },
	// {
	// "Effect": "Allow",
	// "Action": [
	// "kms:CreateGrant"
	// ],
	// "Resource": "*",
	// "Condition": {
	// "Bool": {
	// "kms:GrantIsForAWSResource": true
	// }
	// }
	// }
	// ]
	// }
	//
	// The iam:PassRole statement is scoped to role names matching "*-worker-role" rather than "*";
	// replacing the pattern with the cluster's actual worker role ARN (see RosaControlPlaneSpec.WorkerRoleARN)
	// narrows it further.
	//
	// +immutable
	NodePoolManagementARN string `json:"nodePoolManagementARN"`

	// ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator.
	//
	// The following is an example of a valid policy document:
	//
	// {
	// "Version": "2012-10-17",
	// "Statement": [
	// {
	// "Effect": "Allow",
	// "Action": [
	// "ec2:CreateVpcEndpoint",
	// "ec2:DescribeVpcEndpoints",
	// "ec2:ModifyVpcEndpoint",
	// "ec2:DeleteVpcEndpoints",
	// "ec2:CreateTags",
	// "route53:ListHostedZones",
	// "ec2:CreateSecurityGroup",
	// "ec2:AuthorizeSecurityGroupIngress",
	// "ec2:AuthorizeSecurityGroupEgress",
	// "ec2:DeleteSecurityGroup",
	// "ec2:RevokeSecurityGroupIngress",
	// "ec2:RevokeSecurityGroupEgress",
	// "ec2:DescribeSecurityGroups",
	// "ec2:DescribeVpcs",
	// ],
	// "Resource": "*"
	// },
	// {
	// "Effect": "Allow",
	// "Action": [
	// "route53:ChangeResourceRecordSets",
	// "route53:ListResourceRecordSets"
	// ],
	// "Resource": "arn:aws:route53:::%s"
	// }
	// ]
	// }
	//
	// NOTE(review): the trailing comma after "ec2:DescribeVpcs" in the example is not valid JSON and
	// must be removed before the document is used. "%s" in the route53 resource is a placeholder,
	// presumably for a hosted zone ID as in the IngressARN example — confirm.
	//
	// +immutable
	ControlPlaneOperatorARN string `json:"controlPlaneOperatorARN"`

	// KMSProviderARN is an ARN value referencing a role. No description or example policy is given
	// for this field here — TODO confirm which component assumes it and document the policy it needs.
	KMSProviderARN string `json:"kmsProviderARN"`
}
AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
func (*AWSRolesRef) DeepCopy ¶
func (in *AWSRolesRef) DeepCopy() *AWSRolesRef
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSRolesRef.
func (*AWSRolesRef) DeepCopyInto ¶
func (in *AWSRolesRef) DeepCopyInto(out *AWSRolesRef)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DefaultMachinePoolSpec ¶ added in v2.4.1
// DefaultMachinePoolSpec configures the worker nodes that are provisioned together with the
// cluster (one MachinePool per availability zone, see RosaControlPlaneSpec.DefaultMachinePoolSpec).
type DefaultMachinePoolSpec struct {
	// The instance type to use, for example `r5.xlarge`. See https://aws.amazon.com/ec2/instance-types/
	// for the available instance types.
	// +optional
	InstanceType string `json:"instanceType,omitempty"`

	// Autoscaling specifies auto scaling behaviour for the default MachinePool. Autoscaling min/max value
	// must be equal or multiple of the availability zones count.
	// nil leaves autoscaling unset for the default pool.
	// +optional
	Autoscaling *expinfrav1.RosaMachinePoolAutoScaling `json:"autoscaling,omitempty"`
}
DefaultMachinePoolSpec defines the configuration for the required worker nodes provisioned as part of the cluster creation.
func (*DefaultMachinePoolSpec) DeepCopy ¶ added in v2.4.1
func (in *DefaultMachinePoolSpec) DeepCopy() *DefaultMachinePoolSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultMachinePoolSpec.
func (*DefaultMachinePoolSpec) DeepCopyInto ¶ added in v2.4.1
func (in *DefaultMachinePoolSpec) DeepCopyInto(out *DefaultMachinePoolSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExternalAuthProvider ¶ added in v2.5.0
// ExternalAuthProvider describes one external OIDC identity provider whose tokens the cluster
// accepts: the issuer to trust, the clients that obtain tokens from it, and how token claims are
// mapped and validated.
type ExternalAuthProvider struct {
	// Name of the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`

	// Issuer describes attributes of the OIDC token issuer
	//
	// +kubebuilder:validation:Required
	// +required
	Issuer TokenIssuer `json:"issuer"`

	// OIDCClients contains configuration for the platform's clients that
	// need to request tokens from the issuer
	//
	// The list is keyed by (componentNamespace, componentName), so each component
	// may appear at most once.
	//
	// +listType=map
	// +listMapKey=componentNamespace
	// +listMapKey=componentName
	// +kubebuilder:validation:MaxItems=20
	// +optional
	OIDCClients []OIDCClientConfig `json:"oidcClients,omitempty"`

	// ClaimMappings describes rules on how to transform information from an
	// ID token into a cluster identity
	// +optional
	ClaimMappings *TokenClaimMappings `json:"claimMappings,omitempty"`

	// ClaimValidationRules are rules that are applied to validate token claims to authenticate users.
	//
	// NOTE(review): this field carries omitempty but no +optional marker, unlike its siblings —
	// confirm whether it is meant to be optional in the generated CRD.
	//
	// +listType=atomic
	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
}
ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster.
func (*ExternalAuthProvider) DeepCopy ¶ added in v2.5.0
func (in *ExternalAuthProvider) DeepCopy() *ExternalAuthProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAuthProvider.
func (*ExternalAuthProvider) DeepCopyInto ¶ added in v2.5.0
func (in *ExternalAuthProvider) DeepCopyInto(out *ExternalAuthProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LocalObjectReference ¶ added in v2.5.0
// LocalObjectReference names an object living in the same namespace as the referring object;
// only the name is carried, never the object's contents.
type LocalObjectReference struct {
	// Name is the metadata.name of the referenced object.
	//
	// +kubebuilder:validation:Required
	// +required
	Name string `json:"name"`
}
LocalObjectReference references an object in the same namespace.
func (*LocalObjectReference) DeepCopy ¶ added in v2.5.0
func (in *LocalObjectReference) DeepCopy() *LocalObjectReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
func (*LocalObjectReference) DeepCopyInto ¶ added in v2.5.0
func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NetworkSpec ¶ added in v2.4.0
// NetworkSpec holds the networking parameters of a ROSA-HCP cluster: the machine, pod and
// service CIDRs, the per-node host prefix and the CNI type. All fields are optional and are
// validated/defaulted by the kubebuilder markers below.
type NetworkSpec struct {
	// IP addresses block used by OpenShift while installing the cluster, for example "10.0.0.0/16".
	// +kubebuilder:validation:Format=cidr
	// +optional
	MachineCIDR string `json:"machineCIDR,omitempty"`

	// IP address block from which to assign pod IP addresses, for example `10.128.0.0/14`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	PodCIDR string `json:"podCIDR,omitempty"`

	// IP address block from which to assign service IP addresses, for example `172.30.0.0/16`.
	// +kubebuilder:validation:Format=cidr
	// +optional
	ServiceCIDR string `json:"serviceCIDR,omitempty"`

	// Network host prefix which is defaulted to `23` if not specified.
	// +kubebuilder:default=23
	// +optional
	HostPrefix int `json:"hostPrefix,omitempty"`

	// The CNI network type default is OVNKubernetes.
	// Only the values listed in the Enum marker are accepted.
	// +kubebuilder:validation:Enum=OVNKubernetes;Other
	// +kubebuilder:default=OVNKubernetes
	// +optional
	NetworkType string `json:"networkType,omitempty"`
}
NetworkSpec for ROSA-HCP.
func (*NetworkSpec) DeepCopy ¶ added in v2.4.0
func (in *NetworkSpec) DeepCopy() *NetworkSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec.
func (*NetworkSpec) DeepCopyInto ¶ added in v2.4.0
func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClientConfig ¶ added in v2.5.0
// OIDCClientConfig describes one platform component's OIDC client: which component it is for,
// the client ID registered with the provider, and where the client secret lives.
type OIDCClientConfig struct {
	// ComponentName is the name of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=256
	// +kubebuilder:validation:Required
	// +required
	ComponentName string `json:"componentName"`

	// ComponentNamespace is the namespace of the component that is supposed to consume this
	// client configuration
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Required
	// +required
	ComponentNamespace string `json:"componentNamespace"`

	// ClientID is the identifier of the OIDC client from the OIDC provider
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	ClientID string `json:"clientID"`

	// ClientSecret refers to a secret that
	// contains the client secret in the `clientSecret` key of the `.data` field
	//
	// The secret is referenced by name (same namespace, see LocalObjectReference) rather than
	// embedded, so the secret value itself never appears in this object.
	ClientSecret LocalObjectReference `json:"clientSecret"`

	// ExtraScopes is an optional set of scopes to request tokens with.
	//
	// +listType=set
	// +optional
	ExtraScopes []string `json:"extraScopes,omitempty"`
}
OIDCClientConfig contains configuration for a platform client that needs to request tokens from the issuer.
func (*OIDCClientConfig) DeepCopy ¶ added in v2.5.0
func (in *OIDCClientConfig) DeepCopy() *OIDCClientConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClientConfig.
func (*OIDCClientConfig) DeepCopyInto ¶ added in v2.5.0
func (in *OIDCClientConfig) DeepCopyInto(out *OIDCClientConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PrefixedClaimMapping ¶ added in v2.5.0
// PrefixedClaimMapping selects a JWT claim and an optional prefix that is prepended to each of
// the claim's values when it is mapped into a cluster identity.
type PrefixedClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`

	// Prefix is a string to prefix the value from the token in the result of the
	// claim mapping.
	//
	// By default, no prefixing occurs.
	//
	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
	// an array of strings "a", "b" and "c", the mapping will result in an
	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
	Prefix string `json:"prefix,omitempty"`
}
PrefixedClaimMapping defines claims with a prefix.
func (*PrefixedClaimMapping) DeepCopy ¶ added in v2.5.0
func (in *PrefixedClaimMapping) DeepCopy() *PrefixedClaimMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixedClaimMapping.
func (*PrefixedClaimMapping) DeepCopyInto ¶ added in v2.5.0
func (in *PrefixedClaimMapping) DeepCopyInto(out *PrefixedClaimMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ROSAControlPlane ¶
// ROSAControlPlane is the Schema for the ROSAControlPlanes API: the desired state in Spec and the
// observed state in Status, wrapped in the standard Kubernetes type and object metadata.
type ROSAControlPlane struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the user-provided desired state of the control plane.
	Spec RosaControlPlaneSpec `json:"spec,omitempty"`
	// Status is the state observed and written back by the controller.
	Status RosaControlPlaneStatus `json:"status,omitempty"`
}
ROSAControlPlane is the Schema for the ROSAControlPlanes API.
func (*ROSAControlPlane) DeepCopy ¶
func (in *ROSAControlPlane) DeepCopy() *ROSAControlPlane
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlane.
func (*ROSAControlPlane) DeepCopyInto ¶
func (in *ROSAControlPlane) DeepCopyInto(out *ROSAControlPlane)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ROSAControlPlane) DeepCopyObject ¶
func (in *ROSAControlPlane) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ROSAControlPlane) Default ¶ added in v2.4.1
func (r *ROSAControlPlane) Default()
Default implements admission.Defaulter.
func (*ROSAControlPlane) GetConditions ¶
func (r *ROSAControlPlane) GetConditions() clusterv1.Conditions
GetConditions returns the control plane's conditions.
func (*ROSAControlPlane) SetConditions ¶
func (r *ROSAControlPlane) SetConditions(conditions clusterv1.Conditions)
SetConditions sets the status conditions for the AWSManagedControlPlane.
func (*ROSAControlPlane) SetupWebhookWithManager ¶ added in v2.4.1
func (r *ROSAControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error
SetupWebhookWithManager will setup the webhooks for the ROSAControlPlane.
func (*ROSAControlPlane) ValidateCreate ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err error)
ValidateCreate implements admission.Validator.
func (*ROSAControlPlane) ValidateDelete ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateDelete() (warnings admission.Warnings, err error)
ValidateDelete implements admission.Validator.
func (*ROSAControlPlane) ValidateUpdate ¶ added in v2.4.1
func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error)
ValidateUpdate implements admission.Validator.
type ROSAControlPlaneList ¶
// ROSAControlPlaneList is the list type returned when ROSAControlPlane objects are listed.
type ROSAControlPlaneList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the listed ROSAControlPlane objects.
	Items []ROSAControlPlane `json:"items"`
}
ROSAControlPlaneList contains a list of ROSAControlPlane.
func (*ROSAControlPlaneList) DeepCopy ¶
func (in *ROSAControlPlaneList) DeepCopy() *ROSAControlPlaneList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ROSAControlPlaneList.
func (*ROSAControlPlaneList) DeepCopyInto ¶
func (in *ROSAControlPlaneList) DeepCopyInto(out *ROSAControlPlaneList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ROSAControlPlaneList) DeepCopyObject ¶
func (in *ROSAControlPlaneList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RosaControlPlaneSpec ¶
// RosaControlPlaneSpec is the desired state of a ROSAControlPlane: cluster identity (name, domain
// prefix, region, version), the AWS network and IAM roles the cluster uses, optional external
// authentication, and the credentials/identity the controller itself uses to talk to OCM and AWS.
// Fields marked +immutable / "self == oldSelf" cannot be changed after creation.
type RosaControlPlaneSpec struct {
	// Cluster name must be valid DNS-1035 label, so it must consist of lower case alphanumeric
	// characters or '-', start with an alphabetic character, end with an alphanumeric character
	// and have a max length of 54 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="rosaClusterName is immutable"
	// +kubebuilder:validation:MaxLength:=54
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	RosaClusterName string `json:"rosaClusterName"`

	// DomainPrefix is an optional prefix added to the cluster's domain name. It will be used
	// when generating a sub-domain for the cluster on openshiftapps domain. It must be valid DNS-1035 label
	// consisting of lower case alphanumeric characters or '-', start with an alphabetic character
	// end with an alphanumeric character and have a max length of 15 characters.
	//
	// +immutable
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="domainPrefix is immutable"
	// +kubebuilder:validation:MaxLength:=15
	// +kubebuilder:validation:Pattern:=`^[a-z]([-a-z0-9]*[a-z0-9])?$`
	// +optional
	DomainPrefix string `json:"domainPrefix,omitempty"`

	// The Subnet IDs to use when installing the cluster.
	// SubnetIDs should come in pairs; two per availability zone, one private and one public.
	Subnets []string `json:"subnets"`

	// AvailabilityZones describe AWS AvailabilityZones of the worker nodes.
	// should match the AvailabilityZones of the provided Subnets.
	// a machinepool will be created for each availabilityZone.
	AvailabilityZones []string `json:"availabilityZones"`

	// The AWS Region the cluster lives in.
	Region string `json:"region"`

	// OpenShift semantic version, for example "4.14.5".
	Version string `json:"version"`

	// AWS IAM roles used to perform credential requests by the openshift operators.
	RolesRef AWSRolesRef `json:"rolesRef"`

	// The ID of the internal OpenID Connect Provider.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="oidcID is immutable"
	OIDCID string `json:"oidcID"`

	// EnableExternalAuthProviders enables external authentication configuration for the cluster.
	//
	// +kubebuilder:default=false
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="enableExternalAuthProviders is immutable"
	// +optional
	EnableExternalAuthProviders bool `json:"enableExternalAuthProviders,omitempty"`

	// ExternalAuthProviders are external OIDC identity providers that can issue tokens for this cluster.
	// Can only be set if "enableExternalAuthProviders" is set to "True".
	//
	// At most one provider can be configured.
	//
	// NOTE(review): the coupling to enableExternalAuthProviders is not expressed in the markers
	// here; presumably it is enforced by the validating webhook — confirm.
	//
	// +listType=map
	// +listMapKey=name
	// +kubebuilder:validation:MaxItems=1
	ExternalAuthProviders []ExternalAuthProvider `json:"externalAuthProviders,omitempty"`

	// InstallerRoleARN is an AWS IAM role that OpenShift Cluster Manager will assume to create the cluster.
	InstallerRoleARN string `json:"installerRoleARN"`

	// SupportRoleARN is an AWS IAM role used by Red Hat SREs to enable
	// access to the cluster account in order to provide support.
	SupportRoleARN string `json:"supportRoleARN"`

	// WorkerRoleARN is an AWS IAM role that will be attached to worker instances.
	WorkerRoleARN string `json:"workerRoleARN"`

	// BillingAccount is an optional AWS account to use for billing the subscription fees for ROSA clusters.
	// The cost of running each ROSA cluster will be billed to the infrastructure account in which the cluster
	// is running.
	//
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="billingAccount is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches('^[0-9]{12}$')", message="billingAccount must be a valid AWS account ID"
	// +immutable
	// +optional
	BillingAccount string `json:"billingAccount,omitempty"`

	// DefaultMachinePoolSpec defines the configuration for the default machinepool(s) provisioned as part of the cluster creation.
	// One MachinePool will be created with this configuration per AvailabilityZone. Those default machinepools are required for openshift cluster operators
	// to work properly.
	// As these machinepool not created using ROSAMachinePool CR, they will not be visible/managed by ROSA CAPI provider.
	// `rosa list machinepools -c <rosaClusterName>` can be used to view those machinepools.
	//
	// This field will be removed in the future once the current limitation is resolved.
	//
	// +optional
	DefaultMachinePoolSpec DefaultMachinePoolSpec `json:"defaultMachinePoolSpec,omitempty"`

	// Network config for the ROSA HCP cluster.
	// +optional
	Network *NetworkSpec `json:"network,omitempty"`

	// EndpointAccess specifies the publishing scope of cluster endpoints. The
	// default is Public.
	//
	// +kubebuilder:validation:Enum=Public;Private
	// +kubebuilder:default=Public
	// +optional
	EndpointAccess RosaEndpointAccessType `json:"endpointAccess,omitempty"`

	// AdditionalTags are user-defined tags to be added on the AWS resources associated with the control plane.
	// +optional
	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`

	// EtcdEncryptionKMSARN is the ARN of the KMS key used to encrypt etcd. The key itself needs to be
	// created out-of-band by the user and tagged with `red-hat:true`.
	// +optional
	EtcdEncryptionKMSARN string `json:"etcdEncryptionKMSARN,omitempty"`

	// AuditLogRoleARN defines the role that is used to forward audit logs to AWS CloudWatch.
	// If not set, audit log forwarding is disabled, so clusters that need API audit retention
	// outside the cluster must set it.
	// +optional
	AuditLogRoleARN string `json:"auditLogRoleARN,omitempty"`

	// ProvisionShardID defines the shard where rosa control plane components will be hosted.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="provisionShardID is immutable"
	// +optional
	ProvisionShardID string `json:"provisionShardID,omitempty"`

	// CredentialsSecretRef references a secret with necessary credentials to connect to the OCM API.
	// The secret should contain the following data keys:
	// - ocmToken: eyJhbGciOiJIUzI1NiIsI....
	// - ocmApiUrl: Optional, defaults to 'https://api.openshift.com'
	// The ocmToken value above is a truncated illustration of the format, not a usable token.
	// +optional
	CredentialsSecretRef *corev1.LocalObjectReference `json:"credentialsSecretRef,omitempty"`

	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
	// If no identity is specified, the default identity for this controller will be used.
	//
	// +optional
	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`

	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
	// +optional
	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
}
RosaControlPlaneSpec defines the desired state of ROSAControlPlane.
func (*RosaControlPlaneSpec) DeepCopy ¶
func (in *RosaControlPlaneSpec) DeepCopy() *RosaControlPlaneSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneSpec.
func (*RosaControlPlaneSpec) DeepCopyInto ¶
func (in *RosaControlPlaneSpec) DeepCopyInto(out *RosaControlPlaneSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RosaControlPlaneStatus ¶
type RosaControlPlaneStatus struct {
	// ExternalManagedControlPlane indicates to cluster-api that the control plane
	// is managed by an external service such as AKS, EKS, GKE, etc.
	// Defaults to true via the marker below.
	// +kubebuilder:default=true
	ExternalManagedControlPlane *bool `json:"externalManagedControlPlane,omitempty"`
	// Initialized denotes whether or not the control plane has the
	// uploaded kubernetes config-map.
	// +optional
	Initialized bool `json:"initialized"`
	// Ready denotes that the ROSAControlPlane API Server is ready to receive requests.
	// +kubebuilder:default=false
	Ready bool `json:"ready"`
	// FailureMessage will be set in the event that there is a terminal problem
	// reconciling the state and will be set to a descriptive error message.
	//
	// This field should not be set for transitive errors that a controller
	// faces that are expected to be fixed automatically over
	// time (like service outages), but instead indicate that something is
	// fundamentally wrong with the spec or the configuration of
	// the controller, and that manual intervention is required.
	//
	// +optional
	FailureMessage *string `json:"failureMessage,omitempty"`
	// Conditions specifies the conditions for the managed control plane.
	// The condition types and reasons reported here are the
	// ROSAControlPlane* constants declared in this package.
	Conditions clusterv1.Conditions `json:"conditions,omitempty"`
	// ID is the cluster ID given by ROSA.
	// NOTE(review): presumably empty until ROSA has created the cluster — confirm against the controller.
	ID string `json:"id,omitempty"`
	// ConsoleURL is the url for the openshift console.
	ConsoleURL string `json:"consoleURL,omitempty"`
	// OIDCEndpointURL is the endpoint url for the managed OIDC provider.
	OIDCEndpointURL string `json:"oidcEndpointURL,omitempty"`
}
RosaControlPlaneStatus defines the observed state of ROSAControlPlane.
func (*RosaControlPlaneStatus) DeepCopy ¶
func (in *RosaControlPlaneStatus) DeepCopy() *RosaControlPlaneStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RosaControlPlaneStatus.
func (*RosaControlPlaneStatus) DeepCopyInto ¶
func (in *RosaControlPlaneStatus) DeepCopyInto(out *RosaControlPlaneStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RosaEndpointAccessType ¶ added in v2.4.1
// RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
// Valid values are the Public and Private constants declared below.
type RosaEndpointAccessType string
RosaEndpointAccessType specifies the publishing scope of cluster endpoints.
const (
	// Public endpoint access allows public API server access and
	// private node communication with the control plane.
	// This is also the default for RosaControlPlaneSpec.EndpointAccess.
	Public RosaEndpointAccessType = "Public"
	// Private endpoint access allows only private API server access and private
	// node communication with the control plane.
	Private RosaEndpointAccessType = "Private"
)
type TokenAudience ¶ added in v2.5.0
// TokenAudience is the audience that the token was issued for.
// Must be a non-empty string (enforced by the MinLength=1 validation marker).
type TokenAudience string
TokenAudience is the audience that the token was issued for.
+kubebuilder:validation:MinLength=1
type TokenClaimMappings ¶ added in v2.5.0
type TokenClaimMappings struct {
	// Username is a name of the claim that should be used to construct
	// usernames for the cluster identity.
	// Whether and how the value is prefixed is governed by
	// UsernameClaimMapping.PrefixPolicy.
	//
	// Default value: "sub"
	// +optional
	Username *UsernameClaimMapping `json:"username,omitempty"`
	// Groups is a name of the claim that should be used to construct
	// groups for the cluster identity.
	// The referenced claim must use array of strings values.
	// +optional
	Groups *PrefixedClaimMapping `json:"groups,omitempty"`
}
TokenClaimMappings describes rules on how to transform information from an ID token into a cluster identity.
func (*TokenClaimMappings) DeepCopy ¶ added in v2.5.0
func (in *TokenClaimMappings) DeepCopy() *TokenClaimMappings
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimMappings.
func (*TokenClaimMappings) DeepCopyInto ¶ added in v2.5.0
func (in *TokenClaimMappings) DeepCopyInto(out *TokenClaimMappings)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenClaimValidationRule ¶ added in v2.5.0
type TokenClaimValidationRule struct {
	// Type sets the type of the validation rule.
	// "RequiredClaim" is the only admitted value and also the default.
	//
	// +kubebuilder:validation:Enum={"RequiredClaim"}
	// +kubebuilder:default="RequiredClaim"
	Type TokenValidationRuleType `json:"type"`
	// RequiredClaim allows configuring a required claim name and its expected value.
	// NOTE(review): tokens that fail the rule are presumably rejected by the
	// cluster's authenticator; enforcement is outside this package — confirm.
	// +kubebuilder:validation:Required
	RequiredClaim TokenRequiredClaim `json:"requiredClaim"`
}
TokenClaimValidationRule validates token claims to authenticate users.
func (*TokenClaimValidationRule) DeepCopy ¶ added in v2.5.0
func (in *TokenClaimValidationRule) DeepCopy() *TokenClaimValidationRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationRule.
func (*TokenClaimValidationRule) DeepCopyInto ¶ added in v2.5.0
func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenIssuer ¶ added in v2.5.0
type TokenIssuer struct {
	// URL is the serving URL of the token issuer.
	// Must use the https:// scheme.
	// Note that the pattern below only checks for an "https://" prefix followed by
	// one non-whitespace character; the remainder of the URL is not validated here.
	//
	// +kubebuilder:validation:Pattern=`^https:\/\/[^\s]`
	// +kubebuilder:validation:Required
	// +required
	URL string `json:"issuerURL"`
	// Audiences is an array of audiences that the token was issued for.
	// Valid tokens must include at least one of these values in their
	// "aud" claim.
	// Must be set to exactly one value.
	// Every audience listed here widens the set of tokens accepted for this
	// cluster, so list only the audience(s) issued for it.
	// NOTE(review): the text says exactly one value while the markers admit
	// 1-10 entries — confirm which constraint is intended.
	//
	// +listType=set
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=10
	// +required
	Audiences []TokenAudience `json:"audiences"`
	// CertificateAuthority is a reference to a config map in the
	// configuration namespace. The .data of the configMap must contain
	// the "ca-bundle.crt" key.
	// If unset, system trust is used instead.
	// NOTE(review): the wording suggests the bundle replaces, rather than
	// extends, system trust when set — confirm against the consumer.
	CertificateAuthority *LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
}
TokenIssuer describes attributes of the OIDC token issuer.
func (*TokenIssuer) DeepCopy ¶ added in v2.5.0
func (in *TokenIssuer) DeepCopy() *TokenIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenIssuer.
func (*TokenIssuer) DeepCopyInto ¶ added in v2.5.0
func (in *TokenIssuer) DeepCopyInto(out *TokenIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenRequiredClaim ¶ added in v2.5.0
type TokenRequiredClaim struct {
	// Claim is a name of a required claim. Only claims with string values are
	// supported.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`
	// RequiredValue is the required value for the claim.
	// NOTE(review): exact string equality is presumably what is checked; the
	// comparison is done outside this package — confirm.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	// +required
	RequiredValue string `json:"requiredValue"`
}
TokenRequiredClaim allows configuring a required claim name and its expected value.
func (*TokenRequiredClaim) DeepCopy ¶ added in v2.5.0
func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenRequiredClaim.
func (*TokenRequiredClaim) DeepCopyInto ¶ added in v2.5.0
func (in *TokenRequiredClaim) DeepCopyInto(out *TokenRequiredClaim)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TokenValidationRuleType ¶ added in v2.5.0
// TokenValidationRuleType defines the type of the validation rule.
// The only value currently defined is TokenValidationRuleTypeRequiredClaim.
type TokenValidationRuleType string
TokenValidationRuleType defines the type of the validation rule.
const (
	// TokenValidationRuleTypeRequiredClaim defines the type for RequiredClaim.
	// It is the only value admitted by the enum on TokenClaimValidationRule.Type,
	// and its default.
	TokenValidationRuleTypeRequiredClaim TokenValidationRuleType = "RequiredClaim"
)
type UsernameClaimMapping ¶ added in v2.5.0
type UsernameClaimMapping struct {
	// Claim is a JWT token claim to be used in the mapping.
	// Its value, prefixed according to PrefixPolicy, becomes the cluster username.
	//
	// +kubebuilder:validation:Required
	// +required
	Claim string `json:"claim"`
	// PrefixPolicy specifies how a prefix should apply.
	//
	// By default, claims other than `email` will be prefixed with the issuer URL to
	// prevent naming clashes with other plugins.
	//
	// Set to "NoPrefix" to disable prefixing.
	//
	// Example:
	// (1) `prefix` is set to "myoidc:" and `claim` is set to "username".
	// If the JWT claim `username` contains value `userA`, the resulting
	// mapped value will be "myoidc:userA".
	// (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the
	// JWT `email` claim contains value "userA@myoidc.tld", the resulting
	// mapped value will be "myoidc:userA@myoidc.tld".
	// (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
	// the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
	// and `claim` is set to:
	// (a) "username": the mapped value will be "https://myoidc.tld#userA"
	// (b) "email": the mapped value will be "userA@myoidc.tld"
	//
	// The issuer-URL prefix is what keeps usernames from different issuers
	// distinct. The `email` claim is left unprefixed by default, and "NoPrefix"
	// disables prefixing entirely; in both cases usernames from this issuer
	// share a namespace with names granted elsewhere.
	//
	// The empty string corresponds to the NoOpinion constant; the other two
	// values correspond to the NoPrefix and Prefix constants.
	//
	// +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
	// +optional
	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy,omitempty"`
	// Prefix is prepended to claim to prevent clashes with existing names.
	// The CEL rule on UsernameClaimMapping requires this field exactly when
	// PrefixPolicy is "Prefix" and forbids it otherwise.
	//
	// +kubebuilder:validation:MinLength=1
	// +optional
	Prefix *string `json:"prefix,omitempty"`
}
UsernameClaimMapping defines the claim that should be used to construct usernames for the cluster identity.
+kubebuilder:validation:XValidation:rule="self.prefixPolicy == 'Prefix' ? has(self.prefix) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
func (*UsernameClaimMapping) DeepCopy ¶ added in v2.5.0
func (in *UsernameClaimMapping) DeepCopy() *UsernameClaimMapping
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernameClaimMapping.
func (*UsernameClaimMapping) DeepCopyInto ¶ added in v2.5.0
func (in *UsernameClaimMapping) DeepCopyInto(out *UsernameClaimMapping)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UsernamePrefixPolicy ¶ added in v2.5.0
// UsernamePrefixPolicy specifies how a prefix should apply.
// Valid values are the NoOpinion, NoPrefix and Prefix constants declared below.
type UsernamePrefixPolicy string
UsernamePrefixPolicy specifies how a prefix should apply.
const (
	// NoOpinion lets the cluster assign prefixes. If the username claim is email, there is no prefix.
	// If the username claim is anything else, it is prefixed by the issuerURL.
	// It is the empty string, so an omitted prefixPolicy resolves to this value.
	NoOpinion UsernamePrefixPolicy = ""
	// NoPrefix means the username claim value will not have any prefix.
	NoPrefix UsernamePrefixPolicy = "NoPrefix"
	// Prefix means the prefix value must be specified. It cannot be empty.
	Prefix UsernamePrefixPolicy = "Prefix"
)