diff --git a/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml b/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
new file mode 100644
index 00000000000..f3fce9920e5
--- /dev/null
+++ b/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
@@ -0,0 +1,137 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+featureGates:
+ - HTTP01ChallengeProxy
+tests:
+ onCreate:
+ - name: Should be able to create with HTTP01ChallengeProxy DefaultDeployment mode
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: DefaultDeployment
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ audit:
+ profile: Default
+ http01ChallengeProxy:
+ mode: DefaultDeployment
+ - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with port 8888
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 8888
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ audit:
+ profile: Default
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 8888
+ - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with minimum port 1024
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 1024
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ audit:
+ profile: Default
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 1024
+ - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with maximum port 65535
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 65535
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ audit:
+ profile: Default
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 65535
+ - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with valid port 9999
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 9999
+ expected: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ audit:
+ profile: Default
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 9999
+ - name: Should reject DefaultDeployment mode with customDeployment field
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: DefaultDeployment
+ customDeployment:
+ internalPort: 8888
+ expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+ - name: Should reject CustomDeployment mode without internalPort
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment: {}
+ expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Required value"
+ - name: Should reject CustomDeployment mode with port below minimum 1023
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 1023
+ expectedError: "Invalid value: 1023: spec.http01ChallengeProxy.customDeployment.internalPort in body should be greater than or equal to 1024"
+ - name: Should reject CustomDeployment mode with port above maximum 65536
+ initial: |
+ apiVersion: config.openshift.io/v1
+ kind: APIServer
+ spec:
+ http01ChallengeProxy:
+ mode: CustomDeployment
+ customDeployment:
+ internalPort: 65536
+ expectedError: "should be less than or equal to 65535"
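Review bot: The suite never exercises the `mode` discriminator itself — there is no case that omits `mode`, none that supplies a value outside the enum, and none that sends `http01ChallengeProxy: {}`, although the generated schema marks `mode` required and the union rule hinges on it. A rejection case with a constructed value such as `mode: Disabled` expecting an `Unsupported value` error, and one omitting `mode` expecting `spec.http01ChallengeProxy.mode: Required value`, would pin that behaviour (the exact error strings need confirming against apiserver output). There are also no `onUpdate` cases, so nothing checks that switching between DefaultDeployment and CustomDeployment is accepted or that an update cannot leave a stale `customDeployment` behind when the mode changes back.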
diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
index e1a98cb2677..c79bef82976 100644
--- a/config/v1/types_apiserver.go
+++ b/config/v1/types_apiserver.go
@@ -68,6 +68,12 @@ type APIServerSpec struct {
// +optional
// +kubebuilder:default={profile: Default}
Audit Audit `json:"audit"`
+ // http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ // that redirects traffic from the API endpoint on port 80 to ingress routers.
+ // This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ // +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+ // +optional
+ HTTP01ChallengeProxy HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitzero,omitempty"`
}
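Review bot: The field comment on `HTTP01ChallengeProxy` does not say what the cluster does when the field is omitted, which is the only way to leave the proxy undeployed, since both `mode` values in this commit enable it and the enum has no disabling value. If omission means no proxy is deployed, a line such as `// When omitted, the HTTP01 challenge proxy is not deployed.` belongs here; if some default applies instead, that should be stated. Because the comment describes the feature as redirecting port 80 traffic from the API endpoint, a reader needs the default posture documented rather than inferred from the operator. The `APIServerSpec` struct begins before this hunk.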
// AuditProfileType defines the audit policy profile type.
@@ -114,6 +120,7 @@ type Audit struct {
// If unset, the 'Default' profile is used as the default.
//
// +kubebuilder:default=Default
+ // +optional
Profile AuditProfileType `json:"profile,omitempty"`
// customRules specify profiles per group. These profile take precedence over the
// top-level profile field if they apply. They are evaluation from top to bottom and
@@ -234,6 +241,45 @@ const (
EncryptionTypeKMS EncryptionType = "KMS"
)
+// HTTP01ChallengeProxyMode defines how the HTTP01 challenge proxy should be deployed.
+// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+type HTTP01ChallengeProxyMode string
+
+const (
+ // HTTP01ChallengeProxyModeDefaultDeployment enables the proxy with default configuration.
+ HTTP01ChallengeProxyModeDefaultDeployment HTTP01ChallengeProxyMode = "DefaultDeployment"
+ // HTTP01ChallengeProxyModeCustomDeployment enables the proxy with user-specified configuration.
+ HTTP01ChallengeProxyModeCustomDeployment HTTP01ChallengeProxyMode = "CustomDeployment"
+)
+
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+ // mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ // DefaultDeployment enables the proxy with default configuration.
+ // CustomDeployment enables the proxy with user-specified configuration.
+ // +required
+ // +unionDiscriminator
+ Mode HTTP01ChallengeProxyMode `json:"mode,omitempty"`
+
+ // customDeployment contains configuration options when mode is CustomDeployment.
+ // This field is only valid when mode is CustomDeployment.
+ // +optional
+ // +unionMember
+ CustomDeployment HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitzero,omitempty"`
+}
+
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+ // internalPort specifies the internal port used by the proxy service.
+ // Valid values are 1024-65535.
+ // When not specified for CustomDeployment mode, users should ensure their chosen port
+ // does not conflict with other workloads on the host.
+ // +kubebuilder:validation:Minimum=1024
+ // +kubebuilder:validation:Maximum=65535
+ // +required
+ InternalPort int32 `json:"internalPort,omitempty"`
+}
+
type APIServerStatus struct {
}
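Review bot: `HTTP01ChallengeProxySpec` and `HTTP01ChallengeProxyCustomDeploymentSpec` are exported types without a doc comment (the former carries only the `+union` and XValidation markers), and the `internalPort` sentence "When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host" contradicts the `+required` marker and the `required: - internalPort` in the generated schema — the port is always specified. Suggested: `// HTTP01ChallengeProxySpec configures whether and how the HTTP01 challenge proxy is deployed.` and `// HTTP01ChallengeProxyCustomDeploymentSpec holds the options that apply when mode is CustomDeployment.`, with the contradictory sentence rewritten as `// Users should ensure the chosen port does not conflict with other workloads on the host.`. Separately, both `Mode` and `InternalPort` are `+required` yet carry `omitempty`, which the OpenShift API conventions discourage on required fields; worth confirming this is intentional. If "on the host" means the proxy binds a host-network port, the comment should say so explicitly, as that is a privilege boundary operators will want spelled out.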
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index b10b46c6fbe..153f106af80 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index 843984380b1..04dafb4bb78 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index 808e11aac3f..b0765cb3b80 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go
index 788e10479b6..b0096a62abe 100644
--- a/config/v1/zz_generated.deepcopy.go
+++ b/config/v1/zz_generated.deepcopy.go
@@ -155,6 +155,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) {
(*in).DeepCopyInto(*out)
}
in.Audit.DeepCopyInto(&out.Audit)
+ out.HTTP01ChallengeProxy = in.HTTP01ChallengeProxy
return
}
@@ -2593,6 +2594,39 @@ func (in *HTPasswdIdentityProvider) DeepCopy() *HTPasswdIdentityProvider {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTP01ChallengeProxyCustomDeploymentSpec) DeepCopyInto(out *HTTP01ChallengeProxyCustomDeploymentSpec) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP01ChallengeProxyCustomDeploymentSpec.
+func (in *HTTP01ChallengeProxyCustomDeploymentSpec) DeepCopy() *HTTP01ChallengeProxyCustomDeploymentSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(HTTP01ChallengeProxyCustomDeploymentSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTP01ChallengeProxySpec) DeepCopyInto(out *HTTP01ChallengeProxySpec) {
+ *out = *in
+ out.CustomDeployment = in.CustomDeployment
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP01ChallengeProxySpec.
+func (in *HTTP01ChallengeProxySpec) DeepCopy() *HTTP01ChallengeProxySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(HTTP01ChallengeProxySpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HTTPServingInfo) DeepCopyInto(out *HTTPServingInfo) {
*out = *in
diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml
index 6d756e8f904..e2dd4b31ecf 100644
--- a/config/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
Capability: ""
Category: ""
FeatureGates:
+ - HTTP01ChallengeProxy
- KMSEncryptionProvider
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
new file mode 100644
index 00000000000..d0a766b2cd0
--- /dev/null
+++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml
@@ -0,0 +1,474 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/470
+ api.openshift.io/filename-cvo-runlevel: "0000_10"
+ api.openshift.io/filename-operator: config-operator
+ api.openshift.io/filename-ordering: "01"
+ feature-gate.release.openshift.io/HTTP01ChallengeProxy: "true"
+ release.openshift.io/bootstrap-required: "true"
+ name: apiservers.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: APIServer
+ listKind: APIServerList
+ plural: apiservers
+ singular: apiserver
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ APIServer holds configuration (like serving certificates, client CA and CORS domains)
+ shared by all API servers in the system, among them especially kube-apiserver
+ and openshift-apiserver. The canonical name of an instance is 'cluster'.
+
+ Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec holds user settable values for configuration
+ properties:
+ additionalCORSAllowedOrigins:
+ description: |-
+ additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
+ API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
+ server from JavaScript applications.
+ The values are regular expressions that correspond to the Golang regular expression language.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ audit:
+ default:
+ profile: Default
+ description: |-
+ audit specifies the settings for audit configuration to be applied to all OpenShift-provided
+ API servers in the cluster.
+ properties:
+ customRules:
+ description: |-
+ customRules specify profiles per group. These profile take precedence over the
+ top-level profile field if they apply. They are evaluation from top to bottom and
+ the first one that matches, applies.
+ items:
+ description: |-
+ AuditCustomRule describes a custom rule for an audit profile that takes precedence over
+ the top-level profile.
+ properties:
+ group:
+ description: group is a name of group a request user must
+ be member of in order to this profile to apply.
+ minLength: 1
+ type: string
+ profile:
+ description: |-
+ profile specifies the name of the desired audit policy configuration to be deployed to
+ all OpenShift-provided API servers in the cluster.
+
+ The following profiles are provided:
+ - Default: the existing default policy.
+ - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+ write requests (create, update, patch).
+ - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+ HTTP payloads for read requests (get, list).
+ - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+
+ If unset, the 'Default' profile is used as the default.
+ enum:
+ - Default
+ - WriteRequestBodies
+ - AllRequestBodies
+ - None
+ type: string
+ required:
+ - group
+ - profile
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - group
+ x-kubernetes-list-type: map
+ profile:
+ default: Default
+ description: |-
+ profile specifies the name of the desired top-level audit profile to be applied to all requests
+ sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver,
+ openshift-apiserver and oauth-apiserver), with the exception of those requests that match
+ one or more of the customRules.
+
+ The following profiles are provided:
+ - Default: default policy which means MetaData level logging with the exception of events
+ (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody
+ level).
+ - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+ write requests (create, update, patch).
+ - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+ HTTP payloads for read requests (get, list).
+ - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+
+ Warning: It is not recommended to disable audit logging by using the `None` profile unless you
+ are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues.
+ If you disable audit logging and a support situation arises, you might need to enable audit logging
+ and reproduce the issue in order to troubleshoot properly.
+
+ If unset, the 'Default' profile is used as the default.
+ enum:
+ - Default
+ - WriteRequestBodies
+ - AllRequestBodies
+ - None
+ type: string
+ type: object
+ clientCA:
+ description: |-
+ clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
+ incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
+ You usually only have to set this if you have your own PKI you wish to honor client certificates from.
+ The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
+ - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced config
+ map
+ type: string
+ required:
+ - name
+ type: object
+ encryption:
+ description: encryption allows the configuration of encryption of
+ resources at the datastore layer.
+ properties:
+ type:
+ description: |-
+ type defines what encryption type should be used to encrypt resources at the datastore layer.
+ When this field is unset (i.e. when it is set to the empty string), identity is implied.
+ The behavior of unset can and will change over time. Even if encryption is enabled by default,
+ the meaning of unset may change to a different encryption type based on changes in best practices.
+
+ When encryption is enabled, all sensitive resources shipped with the platform are encrypted.
+ This list of sensitive resources can and will change over time. The current authoritative list is:
+
+ 1. secrets
+ 2. configmaps
+ 3. routes.route.openshift.io
+ 4. oauthaccesstokens.oauth.openshift.io
+ 5. oauthauthorizetokens.oauth.openshift.io
+ type: string
+ type: object
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
+ servingCerts:
+ description: |-
+ servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
+ will be used for serving secure traffic.
+ properties:
+ namedCertificates:
+ description: |-
+ namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
+ If no named certificates are provided, or no named certificates match the server name as understood by a client,
+ the defaultServingCertificate will be used.
+ items:
+ description: APIServerNamedServingCert maps a server DNS name,
+ as understood by a client, to a certificate.
+ properties:
+ names:
+ description: |-
+ names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
+ serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
+ Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
+ items:
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
+ servingCertificate:
+ description: |-
+ servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
+ The secret must exist in the openshift-config namespace and contain the following required fields:
+ - Secret.Data["tls.key"] - TLS private key.
+ - Secret.Data["tls.crt"] - TLS certificate.
+ properties:
+ name:
+ description: name is the metadata.name of the referenced
+ secret
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ tlsSecurityProfile:
+ description: |-
+ tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
+
+ If unset, a default (which may change between releases) is chosen. Note that only Old,
+ Intermediate and Custom profiles are currently supported, and the maximum available
+ minTLSVersion is VersionTLS12.
+ properties:
+ custom:
+ description: |-
+ custom is a user-defined TLS security profile. Be extremely careful using a custom
+ profile as invalid configurations can be catastrophic. An example custom profile
+ looks like this:
+
+ ciphers:
+
+ - ECDHE-ECDSA-CHACHA20-POLY1305
+
+ - ECDHE-RSA-CHACHA20-POLY1305
+
+ - ECDHE-RSA-AES128-GCM-SHA256
+
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+
+ minTLSVersion: VersionTLS11
+ nullable: true
+ properties:
+ ciphers:
+ description: |-
+ ciphers is used to specify the cipher algorithms that are negotiated
+ during the TLS handshake. Operators may remove entries their operands
+ do not support. For example, to use DES-CBC3-SHA (yaml):
+
+ ciphers:
+ - DES-CBC3-SHA
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ minTLSVersion:
+ description: |-
+ minTLSVersion is used to specify the minimal version of the TLS protocol
+ that is negotiated during the TLS handshake. For example, to use TLS
+ versions 1.1, 1.2 and 1.3 (yaml):
+
+ minTLSVersion: VersionTLS11
+
+ NOTE: currently the highest minTLSVersion allowed is VersionTLS12
+ enum:
+ - VersionTLS10
+ - VersionTLS11
+ - VersionTLS12
+ - VersionTLS13
+ type: string
+ type: object
+ intermediate:
+ description: |-
+ intermediate is a TLS security profile based on:
+
+ https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+
+ and looks like this (yaml):
+
+ ciphers:
+
+ - TLS_AES_128_GCM_SHA256
+
+ - TLS_AES_256_GCM_SHA384
+
+ - TLS_CHACHA20_POLY1305_SHA256
+
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+
+ - ECDHE-RSA-AES128-GCM-SHA256
+
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+
+ - ECDHE-RSA-AES256-GCM-SHA384
+
+ - ECDHE-ECDSA-CHACHA20-POLY1305
+
+ - ECDHE-RSA-CHACHA20-POLY1305
+
+ - DHE-RSA-AES128-GCM-SHA256
+
+ - DHE-RSA-AES256-GCM-SHA384
+
+ minTLSVersion: VersionTLS12
+ nullable: true
+ type: object
+ modern:
+ description: |-
+ modern is a TLS security profile based on:
+
+ https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+
+ and looks like this (yaml):
+
+ ciphers:
+
+ - TLS_AES_128_GCM_SHA256
+
+ - TLS_AES_256_GCM_SHA384
+
+ - TLS_CHACHA20_POLY1305_SHA256
+
+ minTLSVersion: VersionTLS13
+ nullable: true
+ type: object
+ old:
+ description: |-
+ old is a TLS security profile based on:
+
+ https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+
+ and looks like this (yaml):
+
+ ciphers:
+
+ - TLS_AES_128_GCM_SHA256
+
+ - TLS_AES_256_GCM_SHA384
+
+ - TLS_CHACHA20_POLY1305_SHA256
+
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+
+ - ECDHE-RSA-AES128-GCM-SHA256
+
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+
+ - ECDHE-RSA-AES256-GCM-SHA384
+
+ - ECDHE-ECDSA-CHACHA20-POLY1305
+
+ - ECDHE-RSA-CHACHA20-POLY1305
+
+ - DHE-RSA-AES128-GCM-SHA256
+
+ - DHE-RSA-AES256-GCM-SHA384
+
+ - DHE-RSA-CHACHA20-POLY1305
+
+ - ECDHE-ECDSA-AES128-SHA256
+
+ - ECDHE-RSA-AES128-SHA256
+
+ - ECDHE-ECDSA-AES128-SHA
+
+ - ECDHE-RSA-AES128-SHA
+
+ - ECDHE-ECDSA-AES256-SHA384
+
+ - ECDHE-RSA-AES256-SHA384
+
+ - ECDHE-ECDSA-AES256-SHA
+
+ - ECDHE-RSA-AES256-SHA
+
+ - DHE-RSA-AES128-SHA256
+
+ - DHE-RSA-AES256-SHA256
+
+ - AES128-GCM-SHA256
+
+ - AES256-GCM-SHA384
+
+ - AES128-SHA256
+
+ - AES256-SHA256
+
+ - AES128-SHA
+
+ - AES256-SHA
+
+ - DES-CBC3-SHA
+
+ minTLSVersion: VersionTLS10
+ nullable: true
+ type: object
+ type:
+ description: |-
+ type is one of Old, Intermediate, Modern or Custom. Custom provides
+ the ability to specify individual TLS security profile parameters.
+ Old, Intermediate and Modern are TLS security profiles based on:
+
+ https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+
+ The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
+ are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be
+ reduced.
+
+ Note that the Modern profile is currently not supported because it is not
+ yet well adopted by common software libraries.
+ enum:
+ - Old
+ - Intermediate
+ - Modern
+ - Custom
+ type: string
+ type: object
+ type: object
+ status:
+ description: status holds observed values from the cluster. They may not
+ be overridden.
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 13ae075da99..61cd13f03af 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
@@ -320,6 +320,7 @@ var map_APIServerSpec = map[string]string{
"encryption": "encryption allows the configuration of encryption of resources at the datastore layer.",
"tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.",
"audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.",
+ "http01ChallengeProxy": "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.",
}
func (APIServerSpec) SwaggerDoc() map[string]string {
@@ -345,6 +346,23 @@ func (AuditCustomRule) SwaggerDoc() map[string]string {
return map_AuditCustomRule
}
+var map_HTTP01ChallengeProxyCustomDeploymentSpec = map[string]string{
+ "internalPort": "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.",
+}
+
+func (HTTP01ChallengeProxyCustomDeploymentSpec) SwaggerDoc() map[string]string {
+ return map_HTTP01ChallengeProxyCustomDeploymentSpec
+}
+
+var map_HTTP01ChallengeProxySpec = map[string]string{
+ "mode": "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.",
+ "customDeployment": "customDeployment contains configuration options when mode is CustomDeployment. This field is only valid when mode is CustomDeployment.",
+}
+
+func (HTTP01ChallengeProxySpec) SwaggerDoc() map[string]string {
+ return map_HTTP01ChallengeProxySpec
+}
+
var map_Authentication = map[string]string{
"": "Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
diff --git a/features.md b/features.md
index 35ba08c3961..6cb1f0dd4f1 100644
--- a/features.md
+++ b/features.md
@@ -38,6 +38,7 @@
| GCPClusterHostedDNSInstall| | | Enabled | Enabled | Enabled | Enabled |
| GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled |
| GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | Enabled | Enabled |
+| HTTP01ChallengeProxy| | | Enabled | Enabled | Enabled | Enabled |
| ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled |
| ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled |
| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 711dd25f224..bf15cd013b8 100644
--- a/features/features.go
+++ b/features/features.go
@@ -848,4 +848,12 @@ var (
enhancementPR("https://github.com/openshift/enhancements/pull/1785").
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()
+
+ FeatureGateHTTP01ChallengeProxy = newFeatureGate("HTTP01ChallengeProxy").
+ reportProblemsToJiraComponent("kube-apiserver").
+ contactPerson("sebrandon1").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1773").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
)
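Review bot: FeatureGateHTTP01ChallengeProxy is registered with no comment saying what it gates, so a reader of features.go has to go to the APIServer type to learn that it guards spec.http01ChallengeProxy; a one-line comment above `FeatureGateHTTP01ChallengeProxy = newFeatureGate("HTTP01ChallengeProxy").` such as `// HTTP01ChallengeProxy gates APIServer.spec.http01ChallengeProxy, the port-80 redirect proxy used for ACME HTTP01 challenges against the API endpoint.` would make the registration self-explanatory. The enclosing `var (` block starts outside the hunk. Separately, the generated descriptions this commit emits for internalPort read "When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict ..." while the same schema lists internalPort under `required`; that wording presumably originates in the field's doc comment in the types file, which is not in this diff, and is worth correcting there so the generated docs stop contradicting the schema.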
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index ca03cb5450f..1edb4d9a2b8 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -253,6 +253,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/openshift/api/config/v1.GitLabIdentityProvider": schema_openshift_api_config_v1_GitLabIdentityProvider(ref),
"github.com/openshift/api/config/v1.GoogleIdentityProvider": schema_openshift_api_config_v1_GoogleIdentityProvider(ref),
"github.com/openshift/api/config/v1.HTPasswdIdentityProvider": schema_openshift_api_config_v1_HTPasswdIdentityProvider(ref),
+ "github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec": schema_openshift_api_config_v1_HTTP01ChallengeProxyCustomDeploymentSpec(ref),
+ "github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec": schema_openshift_api_config_v1_HTTP01ChallengeProxySpec(ref),
"github.com/openshift/api/config/v1.HTTPServingInfo": schema_openshift_api_config_v1_HTTPServingInfo(ref),
"github.com/openshift/api/config/v1.HubSource": schema_openshift_api_config_v1_HubSource(ref),
"github.com/openshift/api/config/v1.HubSourceStatus": schema_openshift_api_config_v1_HubSourceStatus(ref),
@@ -8550,11 +8552,18 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback)
Ref: ref("github.com/openshift/api/config/v1.Audit"),
},
},
+ "http01ChallengeProxy": {
+ SchemaProps: spec.SchemaProps{
+ Description: "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.",
+ Default: map[string]interface{}{},
+ Ref: ref("github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec"),
+ },
+ },
},
},
},
Dependencies: []string{
- "github.com/openshift/api/config/v1.APIServerEncryption", "github.com/openshift/api/config/v1.APIServerServingCerts", "github.com/openshift/api/config/v1.Audit", "github.com/openshift/api/config/v1.ConfigMapNameReference", "github.com/openshift/api/config/v1.TLSSecurityProfile"},
+ "github.com/openshift/api/config/v1.APIServerEncryption", "github.com/openshift/api/config/v1.APIServerServingCerts", "github.com/openshift/api/config/v1.Audit", "github.com/openshift/api/config/v1.ConfigMapNameReference", "github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec", "github.com/openshift/api/config/v1.TLSSecurityProfile"},
}
}
@@ -13251,6 +13260,67 @@ func schema_openshift_api_config_v1_HTPasswdIdentityProvider(ref common.Referenc
}
}
+func schema_openshift_api_config_v1_HTTP01ChallengeProxyCustomDeploymentSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "internalPort": {
+ SchemaProps: spec.SchemaProps{
+ Description: "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.",
+ Type: []string{"integer"},
+ Format: "int32",
+ },
+ },
+ },
+ Required: []string{"internalPort"},
+ },
+ },
+ }
+}
+
+func schema_openshift_api_config_v1_HTTP01ChallengeProxySpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "mode": {
+ SchemaProps: spec.SchemaProps{
+ Description: "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "customDeployment": {
+ SchemaProps: spec.SchemaProps{
+ Description: "customDeployment contains configuration options when mode is CustomDeployment. This field is only valid when mode is CustomDeployment.",
+ Default: map[string]interface{}{},
+ Ref: ref("github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec"),
+ },
+ },
+ },
+ Required: []string{"mode"},
+ },
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: spec.Extensions{
+ "x-kubernetes-unions": []interface{}{
+ map[string]interface{}{
+ "discriminator": "mode",
+ "fields-to-discriminateBy": map[string]interface{}{
+ "customDeployment": "CustomDeployment",
+ },
+ },
+ },
+ },
+ },
+ },
+ Dependencies: []string{
+ "github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec"},
+ }
+}
+
func schema_openshift_api_config_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
diff --git a/openapi/openapi.json b/openapi/openapi.json
index 42ee6c97da5..de44d33763f 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -4131,6 +4131,11 @@
"default": {},
"$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerEncryption"
},
+ "http01ChallengeProxy": {
+ "description": "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.HTTP01ChallengeProxySpec"
+ },
"servingCerts": {
"description": "servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates will be used for serving secure traffic.",
"default": {},
@@ -6887,6 +6892,44 @@
}
}
},
+ "com.github.openshift.api.config.v1.HTTP01ChallengeProxyCustomDeploymentSpec": {
+ "type": "object",
+ "required": [
+ "internalPort"
+ ],
+ "properties": {
+ "internalPort": {
+ "description": "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.",
+ "type": "integer",
+ "format": "int32"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1.HTTP01ChallengeProxySpec": {
+ "type": "object",
+ "required": [
+ "mode"
+ ],
+ "properties": {
+ "customDeployment": {
+ "description": "customDeployment contains configuration options when mode is CustomDeployment. This field is only valid when mode is CustomDeployment.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1.HTTP01ChallengeProxyCustomDeploymentSpec"
+ },
+ "mode": {
+ "description": "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.",
+ "type": "string"
+ }
+ },
+ "x-kubernetes-unions": [
+ {
+ "discriminator": "mode",
+ "fields-to-discriminateBy": {
+ "customDeployment": "CustomDeployment"
+ }
+ }
+ ]
+ },
"com.github.openshift.api.config.v1.HTTPServingInfo": {
"description": "HTTPServingInfo holds configuration for serving HTTP",
"type": "object",
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index b10b46c6fbe..153f106af80 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index 843984380b1..04dafb4bb78 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index 808e11aac3f..b0765cb3b80 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec:
forbidden otherwise
rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) :
!has(self.kms)'
+ http01ChallengeProxy:
+ description: |-
+ http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+ that redirects traffic from the API endpoint on port 80 to ingress routers.
+ This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+ properties:
+ customDeployment:
+ description: |-
+ customDeployment contains configuration options when mode is CustomDeployment.
+ This field is only valid when mode is CustomDeployment.
+ properties:
+ internalPort:
+ description: |-
+ internalPort specifies the internal port used by the proxy service.
+ Valid values are 1024-65535.
+ When not specified for CustomDeployment mode, users should ensure their chosen port
+ does not conflict with other workloads on the host.
+ format: int32
+ maximum: 65535
+ minimum: 1024
+ type: integer
+ required:
+ - internalPort
+ type: object
+ mode:
+ description: |-
+ mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+ DefaultDeployment enables the proxy with default configuration.
+ CustomDeployment enables the proxy with user-specified configuration.
+ enum:
+ - DefaultDeployment
+ - CustomDeployment
+ type: string
+ required:
+ - mode
+ type: object
+ x-kubernetes-validations:
+ - message: customDeployment is required when mode is CustomDeployment
+ and forbidden otherwise
+ rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+ : !has(self.customDeployment)'
servingCerts:
description: |-
servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
index 726dcb4ad3c..b0b6a768ab7 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
@@ -97,6 +97,9 @@
{
"name": "GCPCustomAPIEndpointsInstall"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "ImageModeStatusReporting"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
index 4bda8c655cc..e86129591fe 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
@@ -158,6 +158,9 @@
{
"name": "GatewayAPIController"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "HighlyAvailableArbiter"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
index b2a922dbba3..783d807b995 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
@@ -161,6 +161,9 @@
{
"name": "GatewayAPIController"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "HighlyAvailableArbiter"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
index d7fb0a66339..5275da46b82 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
@@ -100,6 +100,9 @@
{
"name": "GCPCustomAPIEndpointsInstall"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "ImageModeStatusReporting"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
index 5b5a5a99a31..cfd4f1a8951 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -140,6 +140,9 @@
{
"name": "GatewayAPIController"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "HighlyAvailableArbiter"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
index 6ae25223ecb..629ffa66136 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -143,6 +143,9 @@
{
"name": "GatewayAPIController"
},
+ {
+ "name": "HTTP01ChallengeProxy"
+ },
{
"name": "HighlyAvailableArbiter"
},