CNF-13731: Add HTTP01ChallengeProxy

config/v1/tests/apiservers.config.openshift.io/HTTP01ChallengeProxy.yaml

@@ -0,0 +1,137 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+featureGates:
+  - HTTP01ChallengeProxy
+tests:
+  onCreate:
+    - name: Should be able to create with HTTP01ChallengeProxy DefaultDeployment mode
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with port 8888
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 8888
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with minimum port 1024
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1024
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1024
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with maximum port 65535
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65535
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65535
+    - name: Should be able to create with HTTP01ChallengeProxy CustomDeployment mode with valid port 9999
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 9999
+    - name: Should reject DefaultDeployment mode with customDeployment field
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: DefaultDeployment
+            customDeployment:
+              internalPort: 8888
+      expectedError: "customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+    - name: Should reject CustomDeployment mode without internalPort
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment: {}
+      expectedError: "spec.http01ChallengeProxy.customDeployment.internalPort: Required value"
+    - name: Should reject CustomDeployment mode with port below minimum 1023
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 1023
+      expectedError: "Invalid value: 1023: spec.http01ChallengeProxy.customDeployment.internalPort in body should be greater than or equal to 1024"
+    - name: Should reject CustomDeployment mode with port above maximum 65536
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          http01ChallengeProxy:
+            mode: CustomDeployment
+            customDeployment:
+              internalPort: 65536
+      expectedError: "should be less than or equal to 65535"

config/v1/types_apiserver.go

@@ -68,6 +68,12 @@ type APIServerSpec struct {
 	// +optional
 	// +kubebuilder:default={profile: Default}
 	Audit Audit `json:"audit"`
+	// http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+	// that redirects traffic from the API endpoint on port 80 to ingress routers.
+	// This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+	// +openshift:enable:FeatureGate=HTTP01ChallengeProxy
+	// +optional
+	HTTP01ChallengeProxy HTTP01ChallengeProxySpec `json:"http01ChallengeProxy,omitzero,omitempty"`
 }
 
 // AuditProfileType defines the audit policy profile type.
@@ -114,6 +120,7 @@ type Audit struct {
 	// If unset, the 'Default' profile is used as the default.
 	//
 	// +kubebuilder:default=Default
+	// +optional
 	Profile AuditProfileType `json:"profile,omitempty"`
 	// customRules specify profiles per group. These profile take precedence over the
 	// top-level profile field if they apply. They are evaluation from top to bottom and
@@ -234,6 +241,45 @@ const (
 	EncryptionTypeKMS EncryptionType = "KMS"
 )
 
+// HTTP01ChallengeProxyMode defines how the HTTP01 challenge proxy should be deployed.
+// +kubebuilder:validation:Enum=DefaultDeployment;CustomDeployment
+type HTTP01ChallengeProxyMode string
+
+const (
+	// HTTP01ChallengeProxyModeDefaultDeployment enables the proxy with default configuration.
+	HTTP01ChallengeProxyModeDefaultDeployment HTTP01ChallengeProxyMode = "DefaultDeployment"
+	// HTTP01ChallengeProxyModeCustomDeployment enables the proxy with user-specified configuration.
+	HTTP01ChallengeProxyModeCustomDeployment HTTP01ChallengeProxyMode = "CustomDeployment"
+)
+
+// +union
+// +kubebuilder:validation:XValidation:rule="self.mode == 'CustomDeployment' ? has(self.customDeployment) : !has(self.customDeployment)",message="customDeployment is required when mode is CustomDeployment and forbidden otherwise"
+type HTTP01ChallengeProxySpec struct {
+	// mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+	// DefaultDeployment enables the proxy with default configuration.
+	// CustomDeployment enables the proxy with user-specified configuration.
+	// +required
+	// +unionDiscriminator
+	Mode HTTP01ChallengeProxyMode `json:"mode,omitempty"`
+
+	// customDeployment contains configuration options when mode is CustomDeployment.
+	// This field is only valid when mode is CustomDeployment.
+	// +optional
+	// +unionMember
+	CustomDeployment HTTP01ChallengeProxyCustomDeploymentSpec `json:"customDeployment,omitzero,omitempty"`
+}
+
+type HTTP01ChallengeProxyCustomDeploymentSpec struct {
+	// internalPort specifies the internal port used by the proxy service.
+	// Valid values are 1024-65535.
+	// When not specified for CustomDeployment mode, users should ensure their chosen port
+	// does not conflict with other workloads on the host.
+	// +kubebuilder:validation:Minimum=1024
+	// +kubebuilder:validation:Maximum=65535
+	// +required
+	InternalPort int32 `json:"internalPort,omitempty"`
+}
+
 type APIServerStatus struct {
 }
 

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -249,6 +249,47 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          When not specified for CustomDeployment mode, users should ensure their chosen port
+                          does not conflict with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                required:
+                - mode
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -249,6 +249,47 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          When not specified for CustomDeployment mode, users should ensure their chosen port
+                          does not conflict with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                required:
+                - mode
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -249,6 +249,47 @@ spec:
                     forbidden otherwise
                   rule: 'has(self.type) && self.type == ''KMS'' ?  has(self.kms) :
                     !has(self.kms)'
+              http01ChallengeProxy:
+                description: |-
+                  http01ChallengeProxy contains configuration for the HTTP01 challenge proxy
+                  that redirects traffic from the API endpoint on port 80 to ingress routers.
+                  This enables cert-manager to perform HTTP01 ACME challenges for API endpoint certificates.
+                properties:
+                  customDeployment:
+                    description: |-
+                      customDeployment contains configuration options when mode is CustomDeployment.
+                      This field is only valid when mode is CustomDeployment.
+                    properties:
+                      internalPort:
+                        description: |-
+                          internalPort specifies the internal port used by the proxy service.
+                          Valid values are 1024-65535.
+                          When not specified for CustomDeployment mode, users should ensure their chosen port
+                          does not conflict with other workloads on the host.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1024
+                        type: integer
+                    required:
+                    - internalPort
+                    type: object
+                  mode:
+                    description: |-
+                      mode controls whether the HTTP01 challenge proxy is active and how it should be deployed.
+                      DefaultDeployment enables the proxy with default configuration.
+                      CustomDeployment enables the proxy with user-specified configuration.
+                    enum:
+                    - DefaultDeployment
+                    - CustomDeployment
+                    type: string
+                required:
+                - mode
+                type: object
+                x-kubernetes-validations:
+                - message: customDeployment is required when mode is CustomDeployment
+                    and forbidden otherwise
+                  rule: 'self.mode == ''CustomDeployment'' ? has(self.customDeployment)
+                    : !has(self.customDeployment)'
               servingCerts:
                 description: |-
                   servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates