CNF-13731: Add HTTP01ChallengeProxy

Author: sebrandon1

config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml

@@ -0,0 +1,105 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+featureGate: HTTP01ChallengeProxy
+tests:
+  onCreate:
+    - name: Should be able to create with HTTP01ChallengeProxy DefaultDeployment mode
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with custom port
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+    - name: Should reject CustomDeployment mode without customDeployment field
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+      expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+    - name: Should reject DefaultDeployment mode with customDeployment field
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+            customDeployment:
+              internalPort: 8888
+      expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+    - name: Should reject invalid mode
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: InvalidMode
+      expectedError: "spec.http01ChallengeProxy.mode: Unsupported value: \"InvalidMode\": supported values: \"DefaultDeployment\", \"CustomDeployment\""
+    - name: Should reject port below minimum
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1023
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Invalid value: 1023: spec.http01ChallengeProxy.customDeployment.internalPort in body should be greater than or equal to 1024"
+    - name: Should reject port above maximum
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65536
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Invalid value: 65536: spec.http01ChallengeProxy.customDeployment.internalPort in body should be less than or equal to 65535"

config/v1/types_apiserver.go

@@ -68,6 +68,12 @@ type APIServerSpec struct {
 	// +optional
 	// +kubebuilder:default={profile: Default}
 	Audit Audit `json:"audit"`
+	// http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+	// that redirects traffic from the API endpoint on port 80 to ingress routers.
+	// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+	// +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+	// +optional
+	HTTP01ChallengeProxy *HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitempty"`
 }
 
 // AuditProfileType defines the audit policy profile type.
@@ -234,6 +240,36 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+	// +required
+	// +unionDiscriminator
+	Mode string `json:"mode,omitempty"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +optional
+	// +unionMember
+	CustomDeployment *HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitempty"`
+}
+
+// +kubebuilder:validation:MinProperties=1
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535. Defaults to 8888.
+	// This port is used to avoid conflicts with other workloads that may require port 8888 on the host.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +kubebuilder:default=8888
+	// +optional
+	InternalPort int32 `json:"internalPort,omitempty"`
+}
+
 type APIServerStatus struct {
 }
 

features/features.go

@@ -866,4 +866,12 @@ var (
 						enhancementPR("https://github.com/openshift/enhancements/pull/1492").
 						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 						mustRegister()
+
+	FeatureGateHTTP01ChallengeProxy = newFeatureGate("HTTP01ChallengeProxy").
+					reportProblemsToJiraComponent("kube-apiserver").
+					contactPerson("sebrandon1").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1773").
+					enableIn(configv1.TechPreviewNoUpgrade).
+					mustRegister()
 )