From aef739d7e835aef9b29f08f78f83a214c358c824 Mon Sep 17 00:00:00 2001 
From: Brandon Palm Date: Wed, 6 Aug 2025 11:08:37 -0500 Subject: [PATCH] CNF-13731: Add HTTP01ChallengeProxy Fix HTTP01ChallengeProxy integration test structure and enable feature gate in TechPreviewNoUpgrade - Fixed test file structure to include required crdName metadata for integration tests - Enabled HTTP01ChallengeProxy feature gate in both DevPreviewNoUpgrade and TechPreviewNoUpgrade - Regenerated feature gate manifests via make update - Resolved CI failure: missing required field crdName in test spec Make internalPort optional to resolve API compatibility error - Changed internalPort from required to optional (*int32 with omitempty) - This resolves the NoNewRequiredFields API compatibility violation - Updated test case to reflect optional field behavior - Users can now omit internalPort for custom deployments - Regenerated deepcopy functions and OpenAPI schemas Address comments 1 Update codegen crds Adjust back to required Remove pointer Address comments for linter --- .../HTTP01ChallengeProxy.yaml | 137 +++++ config/v1/types_apiserver.go | 46 ++ ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 41 ++ ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 41 ++ ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 41 ++ config/v1/zz_generated.deepcopy.go | 34 ++ ..._generated.featuregated-crd-manifests.yaml | 1 + .../HTTP01ChallengeProxy.yaml | 474 ++++++++++++++++++ .../v1/zz_generated.swagger_doc_generated.go | 18 + features.md | 1 + features/features.go | 8 + .../generated_openapi/zz_generated.openapi.go | 72 ++- openapi/openapi.json | 43 ++ ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 41 ++ ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 41 ++ ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 41 ++ .../featureGate-Hypershift-Default.yaml | 3 + ...reGate-Hypershift-DevPreviewNoUpgrade.yaml | 3 + ...eGate-Hypershift-TechPreviewNoUpgrade.yaml | 3 + .../featureGate-SelfManagedHA-Default.yaml | 3 + ...ate-SelfManagedHA-DevPreviewNoUpgrade.yaml | 3 + 
...te-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 + 22 files changed, 1097 insertions(+), 1 deletion(-) create mode 100644 config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml create mode 100644 config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml diff --git a/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml b/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml new file mode 100644 index 00000000000..f3fce9920e5 --- /dev/null +++ b/config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml 
@@ -0,0 +1,137 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "APIServer" +crdName: apiservers.config.openshift.io +featureGates: + - HTTP01ChallengeProxy +tests: + onCreate: + - name: Should be able to create with HTTP01ChallengeProxy DefaultDeployment mode + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: DefaultDeployment + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + http01ChallengeProxy: + mode: DefaultDeployment + - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with port 8888 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 8888 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 8888 + - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with minimum port 1024 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 1024 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 1024 + - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with maximum port 65535 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 65535 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 65535 + 
- name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with valid port 9999 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 9999 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 9999 + - name: Should reject DefaultDeployment mode with customDeployment field + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: DefaultDeployment + customDeployment: + internalPort: 8888 + expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise" + - name: Should reject CustomDeployment mode without internalPort + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: {} + expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Required value" + - name: Should reject CustomDeployment mode with port below minimum 1023 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 1023 + expectedError: "Invalid value: 1023: spec.http01ChallengeProxy.customDeployment.internalPort in body should be greater than or equal to 1024" + - name: Should reject CustomDeployment mode with port above maximum 65536 + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + http01ChallengeProxy: + mode: CustomDeployment + customDeployment: + internalPort: 65536 + expectedError: "should be less than or equal to 65535" diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go index e1a98cb2677..c79bef82976 100644 --- a/config/v1/types_apiserver.go +++ b/config/v1/types_apiserver.go 
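Review bot: The rejection cases exercise only one direction of the union rule: `mode: DefaultDeployment` with `customDeployment` present, plus `customDeployment: {}` (which trips the schema's `required: [internalPort]`), but no case sets `mode: CustomDeployment` while omitting `customDeployment` entirely, so the "required when mode is CustomDeployment" half of the CEL rule is never checked. There is also no case for an unrecognised `mode` value or for `http01ChallengeProxy` given without `mode`, so the enum and `required: [mode]` constraints added in the type are unverified. Adding the missing union case is enough to pin the rule; the enum and missing-mode cases are cheap to add alongside it. The file has only `onCreate` cases; if switching `mode` on an existing object is meant to be allowed, an `onUpdate` case would document that too.
```yaml
    # … unchanged: existing onCreate cases …
    - name: Should reject CustomDeployment mode without customDeployment
      initial: |
        apiVersion: config.openshift.io/v1
        kind: APIServer
        spec:
          http01ChallengeProxy:
            mode: CustomDeployment
      expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
```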
@@ -68,6 +68,12 @@ type APIServerSpec struct {
 	// +optional
 	// +kubebuilder:default={profile: Default}
 	Audit Audit `json:"audit"`
+	// http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+	// that redirects traffic from the API endpoint on port 80 to ingress routers.
+	// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+	// +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+	// +optional
+	HTTP01ChallengeProxy HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitzero,omitempty"`
 }
 
 // AuditProfileType defines the audit policy profile type.
@@ -114,6 +120,7 @@ type Audit struct {
 	// If unset, the 'Default' profile is used as the default.
 	//
 	// +kubebuilder:default=Default
+	// +optional
 	Profile AuditProfileType `json:"profile,omitempty"`
 	// customRules specify profiles per group. These profile take precedence over the
 	// top-level profile field if they apply. They are evaluation from top to bottom and
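Review bot: The doc comment on the new `HTTP01ChallengeProxy` field in the first hunk does not say what happens when the field is omitted; `HTTP01ChallengeProxyMode` offers only `DefaultDeployment` and `CustomDeployment`, so leaving the field unset is presumably the only way to keep the proxy off, and that should be stated rather than left to inference, e.g. `// When omitted, no HTTP01 challenge proxy is deployed.` (confirm against the operator's behaviour). The comment also describes the proxy as redirecting "traffic from the API endpoint on port 80" without saying whether that is all port-80 traffic or only ACME challenge requests; since this adds a new listener on the API endpoint, the scope of what is redirected deserves one sentence. The `json:"...,omitzero,omitempty"` pair on a struct-valued field appears to be the repository convention (it is repeated on `customDeployment`); note that `omitempty` alone would not elide an empty struct, so `omitzero` is the tag doing the work. The second hunk only adds a `+optional` marker on `Audit.Profile` and needs nothing further.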
@@ -234,6 +241,45 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// HTTP01ChallengeProxyMode defines how the HTTP01 challenge proxy should be deployed.
+// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+type HTTP01ChallengeProxyMode string
+
+const (
+	// HTTP01ChallengeProxyModeDefaultDeployment enables the proxy with default configuration.
+	HTTP01ChallengeProxyModeDefaultDeployment HTTP01ChallengeProxyMode = "DefaultDeployment"
+	// HTTP01ChallengeProxyModeCustomDeployment enables the proxy with user-specified configuration.
+	HTTP01ChallengeProxyModeCustomDeployment HTTP01ChallengeProxyMode = "CustomDeployment"
+)
+
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +required
+	// +unionDiscriminator
+	Mode HTTP01ChallengeProxyMode `json:"mode,omitempty"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +optional
+	// +unionMember
+	CustomDeployment HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitzero,omitempty"`
+}
+
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535.
+	// When not specified for CustomDeployment mode, users should ensure their chosen port
+	// does not conflict with other workloads on the host.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +required
+	InternalPort int32 `json:"internalPort,omitempty"`
+}
+
 type APIServerStatus struct {
 }
 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index b10b46c6fbe..153f106af80 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
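Review bot: The `InternalPort` comment still says "When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host", but the field is marked `+required` with a 1024-65535 range in the same hunk (the commit message records it being adjusted back to required), so the "when not specified" clause is stale and contradicts the `Required value` error the new test file expects; rewrite it as `// The chosen port must not conflict with other workloads on the host.`. `HTTP01ChallengeProxyCustomDeploymentSpec` is an exported type with no doc comment, unlike the neighbouring `HTTP01ChallengeProxyMode`; add `// HTTP01ChallengeProxyCustomDeploymentSpec holds the settings applied when mode is CustomDeployment.`, and `HTTP01ChallengeProxySpec` likewise has only the `+union` and validation markers above it with no descriptive sentence. The same stale sentence is copied verbatim into the generated CRD descriptions and swagger doc elsewhere in this patch, so those files need regenerating once the comment is fixed.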
@@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 843984380b1..04dafb4bb78 100644 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 808e11aac3f..b0765cb3b80 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 788e10479b6..b0096a62abe 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go 
@@ -155,6 +155,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { (*in).DeepCopyInto(*out) } in.Audit.DeepCopyInto(&out.Audit) + out.HTTP01ChallengeProxy = in.HTTP01ChallengeProxy return } @@ -2593,6 +2594,39 @@ func (in *HTPasswdIdentityProvider) DeepCopy() *HTPasswdIdentityProvider { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTP01ChallengeProxyCustomDeploymentSpec) DeepCopyInto(out *HTTP01ChallengeProxyCustomDeploymentSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP01ChallengeProxyCustomDeploymentSpec. +func (in *HTTP01ChallengeProxyCustomDeploymentSpec) DeepCopy() *HTTP01ChallengeProxyCustomDeploymentSpec { + if in == nil { + return nil + } + out := new(HTTP01ChallengeProxyCustomDeploymentSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTP01ChallengeProxySpec) DeepCopyInto(out *HTTP01ChallengeProxySpec) { + *out = *in + out.CustomDeployment = in.CustomDeployment + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP01ChallengeProxySpec. +func (in *HTTP01ChallengeProxySpec) DeepCopy() *HTTP01ChallengeProxySpec { + if in == nil { + return nil + } + out := new(HTTP01ChallengeProxySpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPServingInfo) DeepCopyInto(out *HTTPServingInfo) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index 6d756e8f904..e2dd4b31ecf 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml 
@@ -6,6 +6,7 @@ apiservers.config.openshift.io: Capability: "" Category: "" FeatureGates: + - HTTP01ChallengeProxy - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml new file mode 100644 index 00000000000..d0a766b2cd0 --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml 
@@ -0,0 +1,474 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/HTTP01ChallengeProxy: "true" + release.openshift.io/bootstrap-required: "true" + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). 
+ - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. 
+ enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + type: string + type: object + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. 
+ properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. 
If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + If unset, a default (which may change between releases) is chosen. Note that only Old, + Intermediate and Custom profiles are currently supported, and the maximum available + minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. An example custom profile + looks like this: + + ciphers: + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + minTLSVersion: VersionTLS11 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. 
For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + + NOTE: currently the highest minTLSVersion allowed is VersionTLS12 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + minTLSVersion: VersionTLS12 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + minTLSVersion: VersionTLS13 + nullable: true + type: object + old: + description: |- + old is a TLS security profile based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility + + and looks like this (yaml): + + ciphers: + + - TLS_AES_128_GCM_SHA256 + + - TLS_AES_256_GCM_SHA384 + + - TLS_CHACHA20_POLY1305_SHA256 + + - ECDHE-ECDSA-AES128-GCM-SHA256 + + - ECDHE-RSA-AES128-GCM-SHA256 + + - ECDHE-ECDSA-AES256-GCM-SHA384 + + - 
ECDHE-RSA-AES256-GCM-SHA384 + + - ECDHE-ECDSA-CHACHA20-POLY1305 + + - ECDHE-RSA-CHACHA20-POLY1305 + + - DHE-RSA-AES128-GCM-SHA256 + + - DHE-RSA-AES256-GCM-SHA384 + + - DHE-RSA-CHACHA20-POLY1305 + + - ECDHE-ECDSA-AES128-SHA256 + + - ECDHE-RSA-AES128-SHA256 + + - ECDHE-ECDSA-AES128-SHA + + - ECDHE-RSA-AES128-SHA + + - ECDHE-ECDSA-AES256-SHA384 + + - ECDHE-RSA-AES256-SHA384 + + - ECDHE-ECDSA-AES256-SHA + + - ECDHE-RSA-AES256-SHA + + - DHE-RSA-AES128-SHA256 + + - DHE-RSA-AES256-SHA256 + + - AES128-GCM-SHA256 + + - AES256-GCM-SHA384 + + - AES128-SHA256 + + - AES256-SHA256 + + - AES128-SHA + + - AES256-SHA + + - DES-CBC3-SHA + + minTLSVersion: VersionTLS10 + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides + the ability to specify individual TLS security profile parameters. + Old, Intermediate and Modern are TLS security profiles based on: + + https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations + + The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers + are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be + reduced. + + Note that the Modern profile is currently not supported because it is not + yet well adopted by common software libraries. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 13ae075da99..61cd13f03af 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -320,6 +320,7 @@ var map_APIServerSpec = map[string]string{ "encryption": "encryption allows the configuration of encryption of resources at the datastore layer.", "tlsSecurityProfile": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nIf unset, a default (which may change between releases) is chosen. Note that only Old, Intermediate and Custom profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", "audit": "audit specifies the settings for audit configuration to be applied to all OpenShift-provided API servers in the cluster.", + "http01ChallengeProxy": "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.", } func (APIServerSpec) SwaggerDoc() map[string]string { 
@@ -345,6 +346,23 @@ func (AuditCustomRule) SwaggerDoc() map[string]string { return map_AuditCustomRule } +var map_HTTP01ChallengeProxyCustomDeploymentSpec = map[string]string{ + "internalPort": "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.", +} + +func (HTTP01ChallengeProxyCustomDeploymentSpec) SwaggerDoc() map[string]string { + return map_HTTP01ChallengeProxyCustomDeploymentSpec +} + +var map_HTTP01ChallengeProxySpec = map[string]string{ + "mode": "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.", + "customDeployment": "customDeployment contains configuration options when mode is CustomDeployment. This field is only valid when mode is CustomDeployment.", +} + +func (HTTP01ChallengeProxySpec) SwaggerDoc() map[string]string { + return map_HTTP01ChallengeProxySpec +} + var map_Authentication = map[string]string{ "": "Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). The canonical name of an instance is `cluster`.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/features.md b/features.md index 35ba08c3961..6cb1f0dd4f1 100644 --- a/features.md +++ b/features.md 
@@ -38,6 +38,7 @@
 | GCPClusterHostedDNSInstall| | | Enabled | Enabled | Enabled | Enabled |
 | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled |
 | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | Enabled | Enabled |
+| HTTP01ChallengeProxy| | | Enabled | Enabled | Enabled | Enabled |
 | ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled |
 | ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled |
 | IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 711dd25f224..bf15cd013b8 100644
--- a/features/features.go
+++ b/features/features.go
@@ -848,4 +848,12 @@ var (
 enhancementPR("https://github.com/openshift/enhancements/pull/1785").
 enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 mustRegister()
+
+ FeatureGateHTTP01ChallengeProxy = newFeatureGate("HTTP01ChallengeProxy").
+ reportProblemsToJiraComponent("kube-apiserver").
+ contactPerson("sebrandon1").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1773").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
 )
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index ca03cb5450f..1edb4d9a2b8 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -253,6 +253,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.GitLabIdentityProvider": schema_openshift_api_config_v1_GitLabIdentityProvider(ref), "github.com/openshift/api/config/v1.GoogleIdentityProvider": schema_openshift_api_config_v1_GoogleIdentityProvider(ref), "github.com/openshift/api/config/v1.HTPasswdIdentityProvider": schema_openshift_api_config_v1_HTPasswdIdentityProvider(ref), + "github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec": schema_openshift_api_config_v1_HTTP01ChallengeProxyCustomDeploymentSpec(ref), + "github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec": schema_openshift_api_config_v1_HTTP01ChallengeProxySpec(ref), "github.com/openshift/api/config/v1.HTTPServingInfo": schema_openshift_api_config_v1_HTTPServingInfo(ref), "github.com/openshift/api/config/v1.HubSource": schema_openshift_api_config_v1_HubSource(ref), "github.com/openshift/api/config/v1.HubSourceStatus": schema_openshift_api_config_v1_HubSourceStatus(ref), 
@@ -8550,11 +8552,18 @@ func schema_openshift_api_config_v1_APIServerSpec(ref common.ReferenceCallback) Ref: ref("github.com/openshift/api/config/v1.Audit"), }, }, + "http01ChallengeProxy": { + SchemaProps: spec.SchemaProps{ + Description: "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec"), + }, + }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.APIServerEncryption", "github.com/openshift/api/config/v1.APIServerServingCerts", "github.com/openshift/api/config/v1.Audit", "github.com/openshift/api/config/v1.ConfigMapNameReference", "github.com/openshift/api/config/v1.TLSSecurityProfile"}, + "github.com/openshift/api/config/v1.APIServerEncryption", "github.com/openshift/api/config/v1.APIServerServingCerts", "github.com/openshift/api/config/v1.Audit", "github.com/openshift/api/config/v1.ConfigMapNameReference", "github.com/openshift/api/config/v1.HTTP01ChallengeProxySpec", "github.com/openshift/api/config/v1.TLSSecurityProfile"}, } } 
@@ -13251,6 +13260,67 @@ func schema_openshift_api_config_v1_HTPasswdIdentityProvider(ref common.Referenc } } +func schema_openshift_api_config_v1_HTTP01ChallengeProxyCustomDeploymentSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "internalPort": { + SchemaProps: spec.SchemaProps{ + Description: "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + Required: []string{"internalPort"}, + }, + }, + } +} + +func schema_openshift_api_config_v1_HTTP01ChallengeProxySpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "mode": { + SchemaProps: spec.SchemaProps{ + Description: "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.", + Type: []string{"string"}, + Format: "", + }, + }, + "customDeployment": { + SchemaProps: spec.SchemaProps{ + Description: "customDeployment contains configuration options when mode is CustomDeployment. 
This field is only valid when mode is CustomDeployment.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec"), + }, + }, + }, + Required: []string{"mode"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "mode", + "fields-to-discriminateBy": map[string]interface{}{ + "customDeployment": "CustomDeployment", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.HTTP01ChallengeProxyCustomDeploymentSpec"}, + } +} + func schema_openshift_api_config_v1_HTTPServingInfo(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 42ee6c97da5..de44d33763f 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4131,6 +4131,11 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerEncryption" }, + "http01ChallengeProxy": { + "description": "http01ChallengeProxy contains configuration for the HTTP01 challenge proxy that redirects traffic from the API endpoint on port 80 to ingress routers. This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.HTTP01ChallengeProxySpec" + }, "servingCerts": { "description": "servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates will be used for serving secure traffic.", "default": {}, 
@@ -6887,6 +6892,44 @@ } } }, + "com.github.openshift.api.config.v1.HTTP01ChallengeProxyCustomDeploymentSpec": { + "type": "object", + "required": [ + "internalPort" + ], + "properties": { + "internalPort": { + "description": "internalPort specifies the internal port used by the proxy service. Valid values are 1024-65535. When not specified for CustomDeployment mode, users should ensure their chosen port does not conflict with other workloads on the host.", + "type": "integer", + "format": "int32" + } + } + }, + "com.github.openshift.api.config.v1.HTTP01ChallengeProxySpec": { + "type": "object", + "required": [ + "mode" + ], + "properties": { + "customDeployment": { + "description": "customDeployment contains configuration options when mode is CustomDeployment. This field is only valid when mode is CustomDeployment.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.HTTP01ChallengeProxyCustomDeploymentSpec" + }, + "mode": { + "description": "mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. DefaultDeployment enables the proxy with default configuration. CustomDeployment enables the proxy with user-specified configuration.", + "type": "string" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "mode", + "fields-to-discriminateBy": { + "customDeployment": "CustomDeployment" + } + } + ] + }, "com.github.openshift.api.config.v1.HTTPServingInfo": { "description": "HTTPServingInfo holds configuration for serving HTTP", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index b10b46c6fbe..153f106af80 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 843984380b1..04dafb4bb78 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
index 808e11aac3f..b0765cb3b80 100644
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -249,6 +249,47 @@ spec: forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' + http01ChallengeProxy: + description: |- + http01ChallengeProxy contains configuration for the HTTP01 challenge proxy + that redirects traffic from the API endpoint on port 80 to ingress routers. + This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates. + properties: + customDeployment: + description: |- + customDeployment contains configuration options when mode is CustomDeployment. + This field is only valid when mode is CustomDeployment. + properties: + internalPort: + description: |- + internalPort specifies the internal port used by the proxy service. + Valid values are 1024-65535. + When not specified for CustomDeployment mode, users should ensure their chosen port + does not conflict with other workloads on the host. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + required: + - internalPort + type: object + mode: + description: |- + mode controls whether the HTTP01 challenge proxy is active and how it should be deployed. + DefaultDeployment enables the proxy with default configuration. + CustomDeployment enables the proxy with user-specified configuration. + enum: + - DefaultDeployment + - CustomDeployment + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: customDeployment is required when mode is CustomDeployment + and forbidden otherwise + rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment) + : !has(self.customDeployment)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index 726dcb4ad3c..b0b6a768ab7 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml 
+++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -97,6 +97,9 @@ { "name": "GCPCustomAPIEndpointsInstall" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "ImageModeStatusReporting" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 4bda8c655cc..e86129591fe 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -158,6 +158,9 @@ { "name": "GatewayAPIController" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "HighlyAvailableArbiter" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index b2a922dbba3..783d807b995 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -161,6 +161,9 @@ { "name": "GatewayAPIController" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "HighlyAvailableArbiter" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index d7fb0a66339..5275da46b82 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -100,6 +100,9 @@ { "name": "GCPCustomAPIEndpointsInstall" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "ImageModeStatusReporting" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index 5b5a5a99a31..cfd4f1a8951 100644 
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -140,6 +140,9 @@ { "name": "GatewayAPIController" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "HighlyAvailableArbiter" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index 6ae25223ecb..629ffa66136 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -143,6 +143,9 @@ { "name": "GatewayAPIController" }, + { + "name": "HTTP01ChallengeProxy" + }, { "name": "HighlyAvailableArbiter" },