✨ Add cluster registry config

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -82,6 +82,75 @@ spec:
                   rule: self == oldSelf
                 - message: billingAccount must be a valid AWS account ID
                   rule: self.matches('^[0-9]{12}$')
+              clusterRegistryConfig:
+                description: ClusterRegistryConfig represents registry config used
+                  with the cluster.
+                properties:
+                  additionalTrustedCAs:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+                      for each additional registry CA to trust.
+                    type: object
+                  allowedRegistriesForImport:
+                    description: |-
+                      AllowedRegistriesForImport limits the container image registries that normal users may import
+                      images from. Set this list to the registries that you trust to contain valid Docker
+                      images and that you want applications to be able to import from.
+                    items:
+                      description: RegistryLocation contains a location of the registry
+                        specified by the registry domain name.
+                      properties:
+                        domainName:
+                          description: |-
+                            domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+                            In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+                          type: string
+                        insecure:
+                          default: false
+                          description: insecure indicates whether the registry is
+                            secure (https) or insecure (http), default is secured.
+                          type: boolean
+                      type: object
+                    type: array
+                  registrySources:
+                    description: |-
+                      RegistrySources contains configuration that determines how the container runtime
+                      should treat individual registries when accessing images. It does not contain configuration
+                      for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
+                    properties:
+                      allowedRegistries:
+                        description: |-
+                          AllowedRegistries are the registries for which image pull and push actions are allowed.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+                          For example, *.example.com.
+                          You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+                          All other registries are blocked.
+                        items:
+                          type: string
+                        type: array
+                      blockedRegistries:
+                        description: |-
+                          BlockedRegistries are the registries for which image pull and push actions are denied.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+                          For example, *.example.com.
+                          You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+                          All other registries are allowed.
+                        items:
+                          type: string
+                        type: array
+                      insecureRegistries:
+                        description: |-
+                          InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+                          To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+                          For example, *.example.com.
+                          You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                type: object
               controlPlaneEndpoint:
                 description: ControlPlaneEndpoint represents the endpoint used to
                   communicate with the control plane.

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -180,6 +180,69 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`
+
+	// ClusterRegistryConfig represents registry config used with the cluster.
+	// +optional
+	ClusterRegistryConfig *RegistryConfig `json:"clusterRegistryConfig,omitempty"`
+}
+
+// RegistryConfig for ROSA-HCP cluster
+type RegistryConfig struct {
+	// AdditionalTrustedCAs containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+	// for each additional registry CA to trust.
+	// +optional
+	AdditionalTrustedCAs map[string]string `json:"additionalTrustedCAs,omitempty"`
+
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from.
+	// +optional
+	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`
+
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images. It does not contain configuration
+	// for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
+	// +optional
+	RegistrySources *RegistrySources `json:"registrySources,omitempty"`
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain name.
+type RegistryLocation struct {
+	// domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
+	// In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
+	// +optional
+	DomainName string `json:"domainName,omitempty"`
+
+	// insecure indicates whether the registry is secure (https) or insecure (http), default is secured.
+	// +kubebuilder:default=false
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+}
+
+// RegistrySources contains registries configuration.
+type RegistrySources struct {
+	// AllowedRegistries are the registries for which image pull and push actions are allowed.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+	// For example, *.example.com.
+	// You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+	// All other registries are blocked.
+	// +optional
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+
+	// BlockedRegistries are the registries for which image pull and push actions are denied.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+	// For example, *.example.com.
+	// You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+	// All other registries are allowed.
+	// +optional
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+
+	// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name,
+	// For example, *.example.com.
+	// You can specify an individual repository within a registry, For example: reg1.io/myrepo/myapp:latest.
+	// +optional
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
 }
 
 // NetworkSpec for ROSA-HCP.

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -42,6 +42,10 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er
 		allErrs = append(allErrs, err)
 	}
 
+	if err := r.validateClusterRegistryConfig(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	allErrs = append(allErrs, r.validateNetwork()...)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 
@@ -56,6 +60,18 @@ func (r *ROSAControlPlane) ValidateCreate() (warnings admission.Warnings, err er
 	)
 }
 
+func (r *ROSAControlPlane) validateClusterRegistryConfig() *field.Error {
+	if r.Spec.ClusterRegistryConfig != nil {
+		if r.Spec.ClusterRegistryConfig.RegistrySources != nil {
+			if len(r.Spec.ClusterRegistryConfig.RegistrySources.AllowedRegistries) > 0 && len(r.Spec.ClusterRegistryConfig.RegistrySources.BlockedRegistries) > 0 {
+				return field.Invalid(field.NewPath("spec.clusterRegistryConfig.registrySources"), r.Spec.ClusterRegistryConfig.RegistrySources, "allowedRegistries and blockedRegistries are mutually exclusive fields")
+			}
+		}
+	}
+
+	return nil
+}
+
 // ValidateUpdate implements admission.Validator.
 func (r *ROSAControlPlane) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error) {
 	var allErrs field.ErrorList