CNF-13731: Add HTTP01ChallengeProxy

Author: sebrandon1

config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml

@@ -0,0 +1,86 @@
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: DefaultDeployment
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 8888
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 1024
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 65535
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 9999
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: DefaultDeployment
+    customDeployment:
+      internalPort: 8888
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment: {}
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 1023
+---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  http01ChallengeProxy:
+    mode: CustomDeployment
+    customDeployment:
+      internalPort: 65536 

config/v1/types_apiserver.go

@@ -68,6 +68,12 @@ type APIServerSpec struct {
 	// +optional
 	// +kubebuilder:default={profile: Default}
 	Audit Audit `json:"audit"`
+	// http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+	// that redirects traffic from the API endpoint on port 80 to ingress routers.
+	// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+	// +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+	// +optional
+	HTTP01ChallengeProxy *HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitempty"`
 }
 
 // AuditProfileType defines the audit policy profile type.
@@ -234,6 +240,36 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+	// +kubebuilder:default=DefaultDeployment
+	// +optional
+	// +unionDiscriminator
+	Mode string `json:"mode,omitempty"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +optional
+	// +unionMember
+	CustomDeployment HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitzero,omitempty"`
+}
+
+// +kubebuilder:validation:MinProperties=1
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535.
+	// This port must be specified to avoid conflicts with other workloads on the host.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +required
+	InternalPort int32 `json:"internalPort"`
+}
+
 type APIServerStatus struct {
 }
 

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -249,6 +249,46 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    minProperties: 1
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          This port must be specified to avoid conflicts with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    default: DefaultDeployment
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -249,6 +249,46 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    minProperties: 1
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          This port must be specified to avoid conflicts with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    default: DefaultDeployment
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.deepcopy.go

@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - HTTP01ChallengeProxy
   - KMSEncryptionProvider
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"