openshift
diff --git a/‎config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
Lines changed: 135 additions & 0 deletions b/‎config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
Lines changed: 135 additions & 0 deletions
diff --git a/‎config/v1/types_apiserver.go
Lines changed: 36 additions & 0 deletions b/‎config/v1/types_apiserver.go
Lines changed: 36 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
Lines changed: 40 additions & 0 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
Lines changed: 40 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
Lines changed: 40 additions & 0 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
Lines changed: 40 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.deepcopy.go
Lines changed: 38 additions & 0 deletions b/‎config/v1/zz_generated.deepcopy.go
Lines changed: 38 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.featuregated-crd-manifests.yaml
Lines changed: 1 addition & 0 deletions b/‎config/v1/zz_generated.featuregated-crd-manifests.yaml
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,135 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+tests:
+  onCreate:
+    - name: Should be able to create with HTTP01ChallengeProxy DefaultDeployment mode
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with port 8888
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with minimum port 1024
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1024
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1024
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with maximum port 65535
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65535
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65535
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with valid port 9999
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+    - name: Should reject DefaultDeployment mode with customDeployment field
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+            customDeployment:
+              internalPort: 8888
+      expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+    - name: Should reject CustomDeployment mode with customDeployment but missing internalPort
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment: {}
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Required value"
+    - name: Should reject CustomDeployment mode with port below minimum 1023
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1023
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Invalid value: 1023: must be greater than or equal to 1024"
+    - name: Should reject CustomDeployment mode with port above maximum 65536
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65536
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Invalid value: 65536: must be less than or equal to 65535"
@@ -68,6 +68,12 @@ type APIServerSpec struct {
 	// +optional
 	// +kubebuilder:default={profile: Default}
 	Audit Audit `json:"audit"`
+	// http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+	// that redirects traffic from the API endpoint on port 80 to ingress routers.
+	// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+	// +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+	// +optional
+	HTTP01ChallengeProxy *HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitempty"`
 }
 
 // AuditProfileType defines the audit policy profile type.
@@ -234,6 +240,36 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+	// +kubebuilder:default=DefaultDeployment
+	// +optional
+	// +unionDiscriminator
+	Mode string `json:"mode,omitempty"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +optional
+	// +unionMember
+	CustomDeployment HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitzero,omitempty"`
+}
+
+// +kubebuilder:validation:MinProperties=1
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535.
+	// This port must be specified to avoid conflicts with other workloads on the host.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +required
+	InternalPort int32 `json:"internalPort"`
+}
+
 type APIServerStatus struct {
 }
 
 
@@ -249,6 +249,46 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    minProperties: 1
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          This port must be specified to avoid conflicts with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    default: DefaultDeployment
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
 
@@ -249,6 +249,46 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    minProperties: 1
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          This port must be specified to avoid conflicts with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    default: DefaultDeployment
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
 
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - HTTP01ChallengeProxy
   - KMSEncryptionProvider
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"