diff --git a/config/v1alpha1/manifests/pki-certificate-override-validation.yaml b/config/v1alpha1/manifests/pki-certificate-override-validation.yaml new file mode 100644 index 00000000000..ab7ca7bbe26 --- /dev/null +++ b/config/v1alpha1/manifests/pki-certificate-override-validation.yaml 
@@ -0,0 +1,80 @@ +--- +# ValidatingAdmissionPolicy that dynamically validates PKI certificate override names +# against registered PKICertificateDefinition resources +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: validate-pki-certificate-overrides.config.openshift.io +spec: + # Only validate PKI resources during CREATE/UPDATE + matchConstraints: + resourceRules: + - apiGroups: ["config.openshift.io"] + apiVersions: ["v1alpha1"] + operations: ["CREATE", "UPDATE"] + resources: ["pkis"] + + # Use PKICertificateDefinition resources as the parameter source + paramKind: + apiVersion: config.openshift.io/v1alpha1 + kind: PKICertificateDefinition + + # Validate each certificate override references a registered certificate name + validations: + # Skip validation if no overrides are present + - expression: "!has(object.spec.certificateManagement.custom.overrides) || size(object.spec.certificateManagement.custom.overrides) == 0" + reason: Skip + + # Build list of all valid certificate names from all PKICertificateDefinition resources + - expression: | + has(params) && has(params.spec) && has(params.spec.certificates) ? + params.spec.certificates.map(cert, cert.name) : [] + messageExpression: "'No PKICertificateDefinition found for component ' + (has(params.spec) ? 
params.spec.component : 'unknown')" + reason: Invalid + + # Validate each override.certificateName exists in a PKICertificateDefinition + - expression: | + !has(object.spec.certificateManagement.custom.overrides) || + object.spec.certificateManagement.custom.overrides.all(override, + params.exists(p, + has(p.spec) && has(p.spec.certificates) && + p.spec.certificates.exists(cert, cert.name == override.certificateName) + ) + ) + message: "certificateName in overrides must reference a certificate registered in a PKICertificateDefinition resource" + reason: Invalid + + # Validate that certificate names follow DNS subdomain rules + - expression: | + !has(object.spec.certificateManagement.custom.overrides) || + object.spec.certificateManagement.custom.overrides.all(override, + override.certificateName.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + ) + message: "certificateName must be a valid DNS subdomain (lowercase alphanumeric with hyphens)" + reason: Invalid + +--- +# ValidatingAdmissionPolicyBinding that applies the validation policy +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: validate-pki-certificate-overrides.config.openshift.io +spec: + policyName: validate-pki-certificate-overrides.config.openshift.io + validationActions: ["Deny"] + + # Bind to all PKICertificateDefinition resources in openshift-config namespace + paramRef: + name: "" # Empty means all resources of the paramKind + namespace: openshift-config + # If no PKICertificateDefinition resources exist, allow the PKI resource + # This prevents blocking PKI resource creation before any components have registered + parameterNotFoundAction: Allow + + # Match all PKI resources + matchResources: + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: [""] # Empty string matches cluster-scoped resources \ No newline at end of file 
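Review bot: In the override-existence validation, `params` is bound to one PKICertificateDefinition per evaluation, not to a list, so `params.exists(p, …)` should not type-check, and when a binding matches several parameter objects the policy is evaluated once per object with every evaluation having to pass — an override would then need to appear in every component's definition rather than in any one of them. The preceding expression returns a list instead of a bool, which a `validations[].expression` cannot do, and `reason: Skip` is not an admissible reason (Unauthorized, Forbidden, Invalid, RequestEntityTooLarge); the "skip when there are no overrides" intent belongs in `matchConditions`. The `paramRef` as written (`name: ""` with `namespace`) does not appear to select all objects of the paramKind — that needs `selector: {}` — and `parameterNotFoundAction: Allow` fails open: until a definition exists in openshift-config, any certificateName is admitted, which deserves an explicit comment next to that line. Because CEL cannot aggregate across parameter objects, the cross-definition lookup most likely has to live in a controller or a single aggregated registry object rather than in this policy.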
diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go
index 4b30ea380b1..0d923fb1e87 100644
--- a/config/v1alpha1/register.go
+++ b/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &ImagePolicyList{},
 &ClusterImagePolicy{},
 &ClusterImagePolicyList{},
+ &PKI{},
+ &PKIList{},
 )
 metav1.AddToGroupVersion(scheme, GroupVersion)
 return nil
diff --git a/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml b/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml
new file mode 100644
index 00000000000..288de5f2a72
--- /dev/null
+++ b/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml
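Review bot: addKnownTypes registers `&PKI{}` and `&PKIList{}` but not `&PKICertificateDefinition{}` and `&PKICertificateDefinitionList{}`, although this commit adds both types and generates a CRD manifest for them; a scheme built from this package will not be able to encode or decode those objects. Add `&PKICertificateDefinition{},` and `&PKICertificateDefinitionList{},` to the same scheme.AddKnownTypes call. addKnownTypes begins before the hunk.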
@@ -0,0 +1,325 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "PKI" +crdName: pkis.config.openshift.io +featureGates: +- ConfigurablePKI +tests: + onCreate: + - name: Should be able to create a PKI with mode Unmanaged + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + - name: Should be able to create a PKI with mode Default + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + - name: Should be able to create a PKI with mode Custom with minimal config + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + - name: Should be able to create a PKI with mode Custom with ECDSA + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + - name: Should be able to create a PKI with mode Custom with full 
hierarchy + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + categories: + - category: SignerCertificate + certificate: + key: + algorithm: RSA + rsa: + keySize: 4096 + - category: ServingCertificate + certificate: + key: + algorithm: ECDSA + ecdsa: + curve: P256 + overrides: + - certificateName: kube-apiserver-to-kubelet-signer + certificate: + key: + algorithm: RSA + rsa: + keySize: 4096 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + categories: + - category: SignerCertificate + certificate: + key: + algorithm: RSA + rsa: + keySize: 4096 + - category: ServingCertificate + certificate: + key: + algorithm: ECDSA + ecdsa: + curve: P256 + overrides: + - certificateName: kube-apiserver-to-kubelet-signer + certificate: + key: + algorithm: RSA + rsa: + keySize: 4096 + - name: Should not allow mode Unmanaged with custom field set + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode Default with custom field set + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode Custom without custom field + 
initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode missing + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: {} + expectedError: "spec.certificateManagement.mode: Required value" + onUpdate: + - name: Should allow transition from Unmanaged to Default + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + - name: Should allow transition from Default to Custom + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 4096 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 4096 + - name: Should allow updating custom configuration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + 
metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 diff --git a/config/v1alpha1/types_pki.go b/config/v1alpha1/types_pki.go new file mode 100644 index 00000000000..65d6e477705 --- /dev/null +++ b/config/v1alpha1/types_pki.go 
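Review bot: The suite only exercises the mode/custom union; none of the KeyConfig invariants declared in types_pki.go are covered. Add negative cases for `algorithm: RSA` with an `ecdsa` block (and the reverse), for `keySize` below 2048, above 8192 or not a multiple of 1024, for a `certificateName` that violates the pattern, and for an empty `custom: {}` (MinProperties=1), each with its `expectedError`, so the CEL rules are pinned by the integration tests and not only by the markers. A case that sets `rsa` without `algorithm` would also document which check — the required-field check or the rsa/ecdsa CEL rule — reports first.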
@@ -0,0 +1,275 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// PKI configures cryptographic parameters for certificates generated +// internally by OpenShift components. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=pkis,scope=Cluster +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2645 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=ConfigurablePKI +// +openshift:compatibility-gen:level=4 +type PKI struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec holds user settable values for configuration + // +required + Spec PKISpec `json:"spec,omitzero"` +} + +// PKISpec holds the specification for PKI configuration. +type PKISpec struct { + // certificateManagement specifies how PKI configuration is managed for internally-generated certificates. + // This controls the certificate generation approach for all OpenShift components that create + // certificates internally, including certificate authorities, serving certificates, and client certificates. + // + // +required + CertificateManagement PKICertificateManagement `json:"certificateManagement,omitzero"` +} + +// PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow +// OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). 
+// This provides flexibility for organizations with specific compliance requirements or security policies +// while maintaining backwards compatibility for existing clusters. +// +// +kubebuilder:validation:XValidation:rule="self.mode == 'Custom' ? has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise" +// +union +type PKICertificateManagement struct { + // mode determines how PKI configuration is managed. + // Valid values are "Unmanaged", "Default", and "Custom". + // + // When set to Unmanaged, components use their existing hardcoded certificate + // generation behavior, exactly as if this feature did not exist. Each component + // generates certificates using whatever parameters it was using before this + // feature. While most components use RSA 2048, some may use different + // parameters. Use of this mode might prevent upgrading to the next major + // OpenShift release. + // + // When set to Default, OpenShift-recommended best practices for certificate + // generation are applied. The specific parameters may evolve across OpenShift + // releases to adopt improved cryptographic standards. In the initial release, + // this matches Unmanaged behavior for each component. In future releases, this + // may adopt ECDSA or larger RSA keys based on industry best practices. + // Recommended for most customers who want to benefit from security improvements + // automatically. + // + // When set to Custom, the certificate management parameters can be set + // explicitly. Use the custom field to specify certificate generation parameters. + // + // +required + // +unionDiscriminator + Mode PKICertificateManagementMode `json:"mode,omitempty"` + + // custom contains administrator-specified cryptographic configuration. + // Use the defaults, categories, and overrides fields to specify certificate generation parameters. + // Required when mode is Custom, and forbidden otherwise. 
+ // + // +optional + // +unionMember + Custom CustomPKIPolicy `json:"custom,omitzero"` +} + +// CustomPKIPolicy contains administrator-specified cryptographic configuration. +// Administrators can specify defaults for all certificates, configure specific categories +// (SignerCertificate, ServingCertificate, ClientCertificate), or override specific named certificates. +type CustomPKIPolicy struct { + PKIProfile `json:",inline"` +} + +// +kubebuilder:validation:Enum=Unmanaged;Default;Custom +type PKICertificateManagementMode string + +const ( + // PKICertificateManagementModeUnmanaged uses hardcoded defaults (RSA 2048) for all certificates. + // Behavior is frozen and will never change across OpenShift releases. + PKICertificateManagementModeUnmanaged PKICertificateManagementMode = "Unmanaged" + + // PKICertificateManagementModeDefault uses OpenShift-recommended best practices. + // Specific parameters may evolve across OpenShift releases. + PKICertificateManagementModeDefault PKICertificateManagementMode = "Default" + + // PKICertificateManagementModeCustom uses administrator-specified configuration. + PKICertificateManagementModeCustom PKICertificateManagementMode = "Custom" +) + +// PKIProfile defines the certificate generation parameters that OpenShift components use +// to create certificates. Configuration can be specified at three hierarchical levels: +// defaults apply to all certificates, categories apply to certificate types (SignerCertificate, +// ServingCertificate, ClientCertificate), and overrides apply to specific named certificates. +// More specific levels take precedence over general ones. +// +kubebuilder:validation:MinProperties=1 +type PKIProfile struct { + // defaults specifies the default certificate configuration + // for all certificates unless overridden by category or specific + // certificate configuration. + // If not specified, uses platform defaults (typically RSA 2048). 
+ // + // +optional + Defaults CertificateConfig `json:"defaults,omitzero"` + + // categories allows configuration of certificate parameters + // for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). + // Category configuration takes precedence over defaults. + // + // +optional + // +listType=map + // +listMapKey=category + // +kubebuilder:validation:MaxItems=3 + Categories []CategoryCertificateConfig `json:"categories,omitempty"` + + // overrides allows configuration of certificate parameters + // for specific named certificates. + // Override configuration takes precedence over both category + // and default configuration. + // + // +optional + // +listType=map + // +listMapKey=certificateName + // +kubebuilder:validation:MaxItems=256 + Overrides []CertificateOverride `json:"overrides,omitempty"` +} + +// CertificateConfig specifies configuration parameters for certificates. +// +kubebuilder:validation:MinProperties=1 +type CertificateConfig struct { + // key specifies the cryptographic parameters for the certificate's key pair. + // +optional + Key KeyConfig `json:"key,omitempty,omitzero"` + + // Future extensibility: fields like Lifetime, Rotation, Extensions + // can be added here without restructuring the API. +} + +// KeyConfig specifies cryptographic parameters for key generation. +// +// +kubebuilder:validation:XValidation:rule="has(self.algorithm) && self.algorithm == 'RSA' ? has(self.rsa) : !has(self.rsa)",message="rsa is required when algorithm is RSA, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.algorithm) && self.algorithm == 'ECDSA' ? has(self.ecdsa) : !has(self.ecdsa)",message="ecdsa is required when algorithm is ECDSA, and forbidden otherwise" +// +union +type KeyConfig struct { + // algorithm specifies the key generation algorithm. + // Valid values are "RSA" and "ECDSA". 
+ // +required + // +unionDiscriminator + Algorithm KeyAlgorithm `json:"algorithm,omitempty"` + + // rsa specifies RSA key parameters. + // Required when algorithm is RSA, and forbidden otherwise. + // +optional + // +unionMember + RSA RSAKeyConfig `json:"rsa,omitzero"` + + // ecdsa specifies ECDSA key parameters. + // Required when algorithm is ECDSA, and forbidden otherwise. + // +optional + // +unionMember + ECDSA ECDSAKeyConfig `json:"ecdsa,omitzero"` +} + +// RSAKeyConfig specifies parameters for RSA key generation. +type RSAKeyConfig struct { + // keySize specifies the size of RSA keys in bits. + // Valid values are multiples of 1024 from 2048 to 8192. + // +required + // +kubebuilder:validation:Minimum=2048 + // +kubebuilder:validation:Maximum=8192 + // +kubebuilder:validation:MultipleOf=1024 + // +kubebuilder:default=2048 + KeySize int32 `json:"keySize,omitempty"` +} + +// ECDSAKeyConfig specifies parameters for ECDSA key generation. +type ECDSAKeyConfig struct { + // curve specifies the elliptic curve for ECDSA keys. + // Valid values are "P256", "P384", and "P521". + // +required + Curve ECDSACurve `json:"curve,omitempty"` +} + +type CategoryCertificateConfig struct { + // category identifies the certificate category. + // Valid values are "SignerCertificate", "ServingCertificate", and "ClientCertificate". + // + // When set to SignerCertificate, the configuration applies to certificate authority (CA) certificates + // that sign other certificates. + // + // When set to ServingCertificate, the configuration applies to TLS server certificates + // used to serve HTTPS endpoints. + // + // When set to ClientCertificate, the configuration applies to client authentication certificates + // used to authenticate to servers. 
+ // + // +required + Category CertificateCategory `json:"category,omitempty"` + + // certificate specifies the configuration for this category + // +required + Certificate CertificateConfig `json:"certificate,omitzero"` +} + +// CertificateOverride allows configuration of certificate parameters for specific named certificates. +// Certificate names must be registered via a PKICertificateDefinition resource. +type CertificateOverride struct { + // certificateName identifies a specific certificate to configure. + // The name must match a certificate registered in a PKICertificateDefinition resource. + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` + CertificateName string `json:"certificateName,omitempty"` + + // certificate specifies the configuration for this certificate + // +required + Certificate CertificateConfig `json:"certificate,omitzero"` +} + +// +kubebuilder:validation:Enum=RSA;ECDSA +type KeyAlgorithm string + +const ( + KeyAlgorithmRSA KeyAlgorithm = "RSA" + KeyAlgorithmECDSA KeyAlgorithm = "ECDSA" +) + +// +kubebuilder:validation:Enum=P256;P384;P521 +type ECDSACurve string + +const ( + ECDSACurveP256 ECDSACurve = "P256" + ECDSACurveP384 ECDSACurve = "P384" + ECDSACurveP521 ECDSACurve = "P521" +) + +// +kubebuilder:validation:Enum=SignerCertificate;ServingCertificate;ClientCertificate +type CertificateCategory string + +const ( + CertificateCategorySignerCertificate CertificateCategory = "SignerCertificate" + CertificateCategoryServingCertificate CertificateCategory = "ServingCertificate" + CertificateCategoryClientCertificate CertificateCategory = "ClientCertificate" +) + +// PKIList is a collection of PKI resources. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. 
+// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +openshift:compatibility-gen:level=4 +type PKIList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // items is a list of PKI resources + Items []PKI `json:"items"` +} diff --git a/config/v1alpha1/types_pkicertificatedefinition.go b/config/v1alpha1/types_pkicertificatedefinition.go new file mode 100644 index 00000000000..ec2a085da1e --- /dev/null +++ b/config/v1alpha1/types_pkicertificatedefinition.go 
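Review bot: `RSAKeyConfig.KeySize` is marked both `+required` and `+kubebuilder:default=2048` (and carries `omitempty`), which is contradictory: a defaulted field is never absent, so the requirement cannot be enforced, and the tests in this commit spell keySize out in every case. Either drop the default and keep `+required`, or make the field optional and document that an absent value means 2048. Separately, the `certificateName` doc and validation message say "DNS subdomain", but `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` rejects dots, i.e. it is a DNS label, while MaxLength=253 is the subdomain limit; pick one (a label would be MaxLength=63) here and in CertificateDefinition. The `Key` tag `json:"key,omitempty,omitzero"` is also inconsistent with the plain `omitzero` used on every other struct-valued field in the file.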
@@ -0,0 +1,110 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// PKICertificateDefinition registers certificates managed by a component, +// enabling dynamic validation of certificate names in PKI overrides. +// Components create PKICertificateDefinition resources to declare which +// certificates they manage, allowing administrators to configure those +// certificates via the PKI resource. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=pkicertificatedefinitions,scope=Namespaced +// +kubebuilder:subresource:status +// +kubebuilder:validation:XValidation:rule="self.metadata.namespace == 'openshift-config'",message="pkicertificatedefinitions must be created in the openshift-config namespace" +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2645 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=ConfigurablePKI +// +openshift:compatibility-gen:level=4 +type PKICertificateDefinition struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec holds the certificate registration specification + // +required + Spec PKICertificateDefinitionSpec `json:"spec,omitzero"` + + // status holds observed state + // +optional + Status PKICertificateDefinitionStatus `json:"status,omitempty"` +} + +// PKICertificateDefinitionSpec defines certificates managed by a component. 
+type PKICertificateDefinitionSpec struct { + // component identifies the operator or component managing these certificates. + // This should typically be the name of the operator (e.g., "etcd-operator", "kube-apiserver-operator"). + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + Component string `json:"component,omitempty"` + + // certificates is a list of certificate definitions managed by this component. + // Each certificate must have a unique name within the cluster. + // +required + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=256 + // +listType=map + // +listMapKey=name + Certificates []CertificateDefinition `json:"certificates,omitempty"` +} + +// CertificateDefinition describes a single certificate managed by a component. +// +kubebuilder:validation:XValidation:rule="self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')",message="name must be a valid DNS subdomain (lowercase alphanumeric with hyphens)" +type CertificateDefinition struct { + // name is the unique identifier for this certificate. + // This name is used in PKI.spec.overrides[].certificateName to configure this certificate. + // Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens). + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` + Name string `json:"name,omitempty"` + + // category specifies the certificate category. + // This helps administrators understand the certificate's role and select appropriate + // cryptographic parameters. + // +required + Category CertificateCategory `json:"category,omitempty"` + + // description provides a human-readable explanation of this certificate's purpose. 
+ // Examples: "CA for etcd peer and server certificates", "Server certificate for API server localhost endpoint" + // +required + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=256 + Description string `json:"description,omitempty"` +} + +// PKICertificateDefinitionStatus contains observed state of the certificate registration. +type PKICertificateDefinitionStatus struct { + // conditions represent the latest available observations of the PKICertificateDefinition's state. + // +optional + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // registeredAt is the timestamp when this definition was first successfully validated. + // +optional + RegisteredAt *metav1.Time `json:"registeredAt,omitempty"` +} + +// PKICertificateDefinitionList is a collection of PKICertificateDefinition resources. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +openshift:compatibility-gen:level=4 +type PKICertificateDefinitionList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + // items is a list of PKICertificateDefinition resources + Items []PKICertificateDefinition `json:"items"` +} diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..e1a02110ca0 --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-CustomNoUpgrade.crd.yaml 
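Review bot: The `certificates` doc promises "Each certificate must have a unique name within the cluster", but `+listMapKey=name` only enforces uniqueness within one object; two components registering the same name in openshift-config would both be matched by a PKI override and nothing in this type or in the admission policy detects it. Either state that uniqueness is enforced by the consuming controller and surfaced through `status.conditions`, or reword the doc to the per-object guarantee. `CertificateDefinition` also validates `name` twice with the same regex (the `Pattern` marker and the type-level XValidation); one should go, and as in types_pki.go the regex is a DNS label, not a subdomain. `Status` uses `omitempty` where `Spec` uses `omitzero`; the file's own convention for struct fields is `omitzero`.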
@@ -0,0 +1,192 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: pkicertificatedefinitions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKICertificateDefinition + listKind: PKICertificateDefinitionList + plural: pkicertificatedefinitions + singular: pkicertificatedefinition + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKICertificateDefinition registers certificates managed by a component, + enabling dynamic validation of certificate names in PKI overrides. + Components create PKICertificateDefinition resources to declare which + certificates they manage, allowing administrators to configure those + certificates via the PKI resource. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds the certificate registration specification + properties: + certificates: + description: |- + certificates is a list of certificate definitions managed by this component. + Each certificate must have a unique name within the cluster. + items: + description: CertificateDefinition describes a single certificate + managed by a component. + properties: + category: + description: |- + category specifies the certificate category. + This helps administrators understand the certificate's role and select appropriate + cryptographic parameters. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + description: + description: |- + description provides a human-readable explanation of this certificate's purpose. + Examples: "CA for etcd peer and server certificates", "Server certificate for API server localhost endpoint" + maxLength: 256 + minLength: 1 + type: string + name: + description: |- + name is the unique identifier for this certificate. + This name is used in PKI.spec.overrides[].certificateName to configure this certificate. + Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens). + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - category + - description + - name + type: object + x-kubernetes-validations: + - message: name must be a valid DNS subdomain (lowercase alphanumeric + with hyphens) + rule: self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + component: + description: |- + component identifies the operator or component managing these certificates. + This should typically be the name of the operator (e.g., "etcd-operator", "kube-apiserver-operator"). 
+ maxLength: 253 + minLength: 1 + type: string + required: + - certificates + - component + type: object + status: + description: status holds observed state + properties: + conditions: + description: conditions represent the latest available observations + of the PKICertificateDefinition's state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + registeredAt: + description: registeredAt is the timestamp when this definition was + first successfully validated. + format: date-time + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: pkicertificatedefinitions must be created in the openshift-config + namespace + rule: self.metadata.namespace == 'openshift-config' + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..f5bd730b436 --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,192 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: pkicertificatedefinitions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKICertificateDefinition + listKind: PKICertificateDefinitionList + plural: pkicertificatedefinitions + singular: pkicertificatedefinition + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKICertificateDefinition registers certificates managed by a component, + enabling dynamic validation of certificate names in PKI overrides. + Components create PKICertificateDefinition resources to declare which + certificates they manage, allowing administrators to configure those + certificates via the PKI resource. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds the certificate registration specification + properties: + certificates: + description: |- + certificates is a list of certificate definitions managed by this component. + Each certificate must have a unique name within the cluster. + items: + description: CertificateDefinition describes a single certificate + managed by a component. + properties: + category: + description: |- + category specifies the certificate category. + This helps administrators understand the certificate's role and select appropriate + cryptographic parameters. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + description: + description: |- + description provides a human-readable explanation of this certificate's purpose. + Examples: "CA for etcd peer and server certificates", "Server certificate for API server localhost endpoint" + maxLength: 256 + minLength: 1 + type: string + name: + description: |- + name is the unique identifier for this certificate. + This name is used in PKI.spec.overrides[].certificateName to configure this certificate. + Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens). + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - category + - description + - name + type: object + x-kubernetes-validations: + - message: name must be a valid DNS subdomain (lowercase alphanumeric + with hyphens) + rule: self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + component: + description: |- + component identifies the operator or component managing these certificates. + This should typically be the name of the operator (e.g., "etcd-operator", "kube-apiserver-operator"). 
+ maxLength: 253 + minLength: 1 + type: string + required: + - certificates + - component + type: object + status: + description: status holds observed state + properties: + conditions: + description: conditions represent the latest available observations + of the PKICertificateDefinition's state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + registeredAt: + description: registeredAt is the timestamp when this definition was + first successfully validated. + format: date-time + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: pkicertificatedefinitions must be created in the openshift-config + namespace + rule: self.metadata.namespace == 'openshift-config' + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..48bd8dfb52e --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkicertificatedefinitions-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,192 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: pkicertificatedefinitions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKICertificateDefinition + listKind: PKICertificateDefinitionList + plural: pkicertificatedefinitions + singular: pkicertificatedefinition + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKICertificateDefinition registers certificates managed by a component, + enabling dynamic validation of certificate names in PKI overrides. + Components create PKICertificateDefinition resources to declare which + certificates they manage, allowing administrators to configure those + certificates via the PKI resource. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds the certificate registration specification + properties: + certificates: + description: |- + certificates is a list of certificate definitions managed by this component. + Each certificate must have a unique name within the cluster. + items: + description: CertificateDefinition describes a single certificate + managed by a component. + properties: + category: + description: |- + category specifies the certificate category. + This helps administrators understand the certificate's role and select appropriate + cryptographic parameters. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + description: + description: |- + description provides a human-readable explanation of this certificate's purpose. + Examples: "CA for etcd peer and server certificates", "Server certificate for API server localhost endpoint" + maxLength: 256 + minLength: 1 + type: string + name: + description: |- + name is the unique identifier for this certificate. + This name is used in PKI.spec.overrides[].certificateName to configure this certificate. + Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens). + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - category + - description + - name + type: object + x-kubernetes-validations: + - message: name must be a valid DNS subdomain (lowercase alphanumeric + with hyphens) + rule: self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + component: + description: |- + component identifies the operator or component managing these certificates. + This should typically be the name of the operator (e.g., "etcd-operator", "kube-apiserver-operator"). 
+ maxLength: 253 + minLength: 1 + type: string + required: + - certificates + - component + type: object + status: + description: status holds observed state + properties: + conditions: + description: conditions represent the latest available observations + of the PKICertificateDefinition's state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + registeredAt: + description: registeredAt is the timestamp when this definition was + first successfully validated. + format: date-time + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: pkicertificatedefinitions must be created in the openshift-config + namespace + rule: self.metadata.namespace == 'openshift-config' + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..68214ab1f64 --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-CustomNoUpgrade.crd.yaml 
@@ -0,0 +1,363 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
+ This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults, categories, and overrides fields to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + categories: + description: |- + categories allows configuration of certificate parameters + for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). + Category configuration takes precedence over defaults. + items: + properties: + category: + description: |- + category identifies the certificate category. + Valid values are "SignerCertificate", "ServingCertificate", and "ClientCertificate". + + When set to SignerCertificate, the configuration applies to certificate authority (CA) certificates + that sign other certificates. + + When set to ServingCertificate, the configuration applies to TLS server certificates + used to serve HTTPS endpoints. + + When set to ClientCertificate, the configuration applies to client authentication certificates + used to authenticate to servers. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + certificate: + description: certificate specifies the configuration + for this category + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - category + - certificate + type: object + maxItems: 3 + type: array + x-kubernetes-list-map-keys: + - category + x-kubernetes-list-type: map + defaults: + description: |- + defaults specifies the default certificate configuration + for all certificates unless overridden by category or specific + certificate configuration. + If not specified, uses platform defaults (typically RSA 2048). + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + overrides: + description: |- + overrides allows configuration of certificate parameters + for specific named certificates. + Override configuration takes precedence over both category + and default configuration. + items: + description: |- + CertificateOverride allows configuration of certificate parameters for specific named certificates. + Certificate names must be registered via a PKICertificateDefinition resource. + properties: + certificate: + description: certificate specifies the configuration + for this certificate + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. 
+ Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + certificateName: + description: |- + certificateName identifies a specific certificate to configure. + The name must match a certificate registered in a PKICertificateDefinition resource. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - certificate + - certificateName + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - certificateName + x-kubernetes-list-type: map + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. 
While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..01a2add6548 --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-DevPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,363 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
+ This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults, categories, and overrides fields to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + categories: + description: |- + categories allows configuration of certificate parameters + for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). + Category configuration takes precedence over defaults. + items: + properties: + category: + description: |- + category identifies the certificate category. + Valid values are "SignerCertificate", "ServingCertificate", and "ClientCertificate". + + When set to SignerCertificate, the configuration applies to certificate authority (CA) certificates + that sign other certificates. + + When set to ServingCertificate, the configuration applies to TLS server certificates + used to serve HTTPS endpoints. + + When set to ClientCertificate, the configuration applies to client authentication certificates + used to authenticate to servers. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + certificate: + description: certificate specifies the configuration + for this category + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - category + - certificate + type: object + maxItems: 3 + type: array + x-kubernetes-list-map-keys: + - category + x-kubernetes-list-type: map + defaults: + description: |- + defaults specifies the default certificate configuration + for all certificates unless overridden by category or specific + certificate configuration. + If not specified, uses platform defaults (typically RSA 2048). + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + overrides: + description: |- + overrides allows configuration of certificate parameters + for specific named certificates. + Override configuration takes precedence over both category + and default configuration. + items: + description: |- + CertificateOverride allows configuration of certificate parameters for specific named certificates. + Certificate names must be registered via a PKICertificateDefinition resource. + properties: + certificate: + description: certificate specifies the configuration + for this certificate + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. 
+ Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + certificateName: + description: |- + certificateName identifies a specific certificate to configure. + The name must match a certificate registered in a PKICertificateDefinition resource. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - certificate + - certificateName + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - certificateName + x-kubernetes-list-type: map + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. 
While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..457003b05bb --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis-TechPreviewNoUpgrade.crd.yaml 
@@ -0,0 +1,363 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
+ This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults, categories, and overrides fields to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + categories: + description: |- + categories allows configuration of certificate parameters + for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). + Category configuration takes precedence over defaults. + items: + properties: + category: + description: |- + category identifies the certificate category. + Valid values are "SignerCertificate", "ServingCertificate", and "ClientCertificate". + + When set to SignerCertificate, the configuration applies to certificate authority (CA) certificates + that sign other certificates. + + When set to ServingCertificate, the configuration applies to TLS server certificates + used to serve HTTPS endpoints. + + When set to ClientCertificate, the configuration applies to client authentication certificates + used to authenticate to servers. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + certificate: + description: certificate specifies the configuration + for this category + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - category + - certificate + type: object + maxItems: 3 + type: array + x-kubernetes-list-map-keys: + - category + x-kubernetes-list-type: map + defaults: + description: |- + defaults specifies the default certificate configuration + for all certificates unless overridden by category or specific + certificate configuration. + If not specified, uses platform defaults (typically RSA 2048). + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + overrides: + description: |- + overrides allows configuration of certificate parameters + for specific named certificates. + Override configuration takes precedence over both category + and default configuration. + items: + description: |- + CertificateOverride allows configuration of certificate parameters for specific named certificates. + Certificate names must be registered via a PKICertificateDefinition resource. + properties: + certificate: + description: certificate specifies the configuration + for this certificate + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. 
+ Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + certificateName: + description: |- + certificateName identifies a specific certificate to configure. + The name must match a certificate registered in a PKICertificateDefinition resource. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - certificate + - certificateName + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - certificateName + x-kubernetes-list-type: map + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. 
While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 9ead6aba26b..99a142131b3 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go 
@@ -192,6 +192,73 @@ func (in *BackupStatus) DeepCopy() *BackupStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CategoryCertificateConfig) DeepCopyInto(out *CategoryCertificateConfig) { + *out = *in + out.Certificate = in.Certificate + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CategoryCertificateConfig. +func (in *CategoryCertificateConfig) DeepCopy() *CategoryCertificateConfig { + if in == nil { + return nil + } + out := new(CategoryCertificateConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CertificateConfig) DeepCopyInto(out *CertificateConfig) { + *out = *in + out.Key = in.Key + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateConfig. +func (in *CertificateConfig) DeepCopy() *CertificateConfig { + if in == nil { + return nil + } + out := new(CertificateConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CertificateDefinition) DeepCopyInto(out *CertificateDefinition) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateDefinition. +func (in *CertificateDefinition) DeepCopy() *CertificateDefinition { + if in == nil { + return nil + } + out := new(CertificateDefinition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CertificateOverride) DeepCopyInto(out *CertificateOverride) { + *out = *in + out.Certificate = in.Certificate + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateOverride. +func (in *CertificateOverride) DeepCopy() *CertificateOverride { + if in == nil { + return nil + } + out := new(CertificateOverride) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { *out = *in @@ -412,6 +479,39 @@ func (in *ContainerResource) DeepCopy() *ContainerResource { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomPKIPolicy) DeepCopyInto(out *CustomPKIPolicy) { + *out = *in + in.PKIProfile.DeepCopyInto(&out.PKIProfile) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomPKIPolicy. +func (in *CustomPKIPolicy) DeepCopy() *CustomPKIPolicy { + if in == nil { + return nil + } + out := new(CustomPKIPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ECDSAKeyConfig) DeepCopyInto(out *ECDSAKeyConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ECDSAKeyConfig. +func (in *ECDSAKeyConfig) DeepCopy() *ECDSAKeyConfig { + if in == nil { + return nil + } + out := new(ECDSAKeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EtcdBackupSpec) DeepCopyInto(out *EtcdBackupSpec) { *out = *in 
@@ -753,6 +853,24 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KeyConfig) DeepCopyInto(out *KeyConfig) { + *out = *in + out.RSA = in.RSA + out.ECDSA = in.ECDSA + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyConfig. +func (in *KeyConfig) DeepCopy() *KeyConfig { + if in == nil { + return nil + } + out := new(KeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MetricsServerConfig) DeepCopyInto(out *MetricsServerConfig) { *out = *in 
@@ -798,6 +916,159 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKI) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateDefinition) DeepCopyInto(out *PKICertificateDefinition) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateDefinition. +func (in *PKICertificateDefinition) DeepCopy() *PKICertificateDefinition { + if in == nil { + return nil + } + out := new(PKICertificateDefinition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKICertificateDefinition) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PKICertificateDefinitionList) DeepCopyInto(out *PKICertificateDefinitionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PKICertificateDefinition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateDefinitionList. +func (in *PKICertificateDefinitionList) DeepCopy() *PKICertificateDefinitionList { + if in == nil { + return nil + } + out := new(PKICertificateDefinitionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKICertificateDefinitionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateDefinitionSpec) DeepCopyInto(out *PKICertificateDefinitionSpec) { + *out = *in + if in.Certificates != nil { + in, out := &in.Certificates, &out.Certificates + *out = make([]CertificateDefinition, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateDefinitionSpec. +func (in *PKICertificateDefinitionSpec) DeepCopy() *PKICertificateDefinitionSpec { + if in == nil { + return nil + } + out := new(PKICertificateDefinitionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PKICertificateDefinitionStatus) DeepCopyInto(out *PKICertificateDefinitionStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RegisteredAt != nil { + in, out := &in.RegisteredAt, &out.RegisteredAt + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateDefinitionStatus. +func (in *PKICertificateDefinitionStatus) DeepCopy() *PKICertificateDefinitionStatus { + if in == nil { + return nil + } + out := new(PKICertificateDefinitionStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateManagement) DeepCopyInto(out *PKICertificateManagement) { + *out = *in + in.Custom.DeepCopyInto(&out.Custom) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateManagement. +func (in *PKICertificateManagement) DeepCopy() *PKICertificateManagement { + if in == nil { + return nil + } + out := new(PKICertificateManagement) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in 
@@ -814,6 +1085,83 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKIList) DeepCopyInto(out *PKIList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PKI, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIList. +func (in *PKIList) DeepCopy() *PKIList { + if in == nil { + return nil + } + out := new(PKIList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKIList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKIProfile) DeepCopyInto(out *PKIProfile) { + *out = *in + out.Defaults = in.Defaults + if in.Categories != nil { + in, out := &in.Categories, &out.Categories + *out = make([]CategoryCertificateConfig, len(*in)) + copy(*out, *in) + } + if in.Overrides != nil { + in, out := &in.Overrides, &out.Overrides + *out = make([]CertificateOverride, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIProfile. +func (in *PKIProfile) DeepCopy() *PKIProfile { + if in == nil { + return nil + } + out := new(PKIProfile) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PKISpec) DeepCopyInto(out *PKISpec) { + *out = *in + in.CertificateManagement.DeepCopyInto(&out.CertificateManagement) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKISpec. +func (in *PKISpec) DeepCopy() *PKISpec { + if in == nil { + return nil + } + out := new(PKISpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { *out = *in @@ -952,6 +1300,22 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RSAKeyConfig) DeepCopyInto(out *RSAKeyConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RSAKeyConfig. +func (in *RSAKeyConfig) DeepCopy() *RSAKeyConfig { + if in == nil { + return nil + } + out := new(RSAKeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RetentionNumberConfig) DeepCopyInto(out *RetentionNumberConfig) { *out = *in diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 2f79f801dd4..27485982e59 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml 
@@ -116,3 +116,49 @@ insightsdatagathers.config.openshift.io: - InsightsConfig Version: v1alpha1 +pkis.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2645 + CRDName: pkis.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - ConfigurablePKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: false + KindName: PKI + Labels: {} + PluralName: pkis + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - ConfigurablePKI + Version: v1alpha1 + +pkicertificatedefinitions.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2645 + CRDName: pkicertificatedefinitions.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - ConfigurablePKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: true + KindName: PKICertificateDefinition + Labels: {} + PluralName: pkicertificatedefinitions + PrinterColumns: [] + Scope: Namespaced + ShortNames: null + TopLevelFeatureGates: + - ConfigurablePKI + Version: v1alpha1 + diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkicertificatedefinitions.config.openshift.io/ConfigurablePKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkicertificatedefinitions.config.openshift.io/ConfigurablePKI.yaml new file mode 100644 index 00000000000..b3b3ccd7ade --- /dev/null +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkicertificatedefinitions.config.openshift.io/ConfigurablePKI.yaml 
@@ -0,0 +1,192 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/ConfigurablePKI: "true" + name: pkicertificatedefinitions.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKICertificateDefinition + listKind: PKICertificateDefinitionList + plural: pkicertificatedefinitions + singular: pkicertificatedefinition + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKICertificateDefinition registers certificates managed by a component, + enabling dynamic validation of certificate names in PKI overrides. + Components create PKICertificateDefinition resources to declare which + certificates they manage, allowing administrators to configure those + certificates via the PKI resource. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds the certificate registration specification + properties: + certificates: + description: |- + certificates is a list of certificate definitions managed by this component. + Each certificate must have a unique name within the cluster. + items: + description: CertificateDefinition describes a single certificate + managed by a component. + properties: + category: + description: |- + category specifies the certificate category. + This helps administrators understand the certificate's role and select appropriate + cryptographic parameters. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + description: + description: |- + description provides a human-readable explanation of this certificate's purpose. + Examples: "CA for etcd peer and server certificates", "Server certificate for API server localhost endpoint" + maxLength: 256 + minLength: 1 + type: string + name: + description: |- + name is the unique identifier for this certificate. + This name is used in PKI.spec.overrides[].certificateName to configure this certificate. + Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens). + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - category + - description + - name + type: object + x-kubernetes-validations: + - message: name must be a valid DNS subdomain (lowercase alphanumeric + with hyphens) + rule: self.name.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') + maxItems: 256 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + component: + description: |- + component identifies the operator or component managing these certificates. + This should typically be the name of the operator (e.g., "etcd-operator", "kube-apiserver-operator"). 
+ maxLength: 253 + minLength: 1 + type: string + required: + - certificates + - component + type: object + status: + description: status holds observed state + properties: + conditions: + description: conditions represent the latest available observations + of the PKICertificateDefinition's state. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + registeredAt: + description: registeredAt is the timestamp when this definition was + first successfully validated. + format: date-time + type: string + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: pkicertificatedefinitions must be created in the openshift-config + namespace + rule: self.metadata.namespace == 'openshift-config' + served: true + storage: true + subresources: + status: {} diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml new file mode 100644 index 00000000000..dcfc5e69715 --- /dev/null +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml 
@@ -0,0 +1,363 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/ConfigurablePKI: "true" + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
+ This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults, categories, and overrides fields to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + categories: + description: |- + categories allows configuration of certificate parameters + for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). + Category configuration takes precedence over defaults. + items: + properties: + category: + description: |- + category identifies the certificate category. + Valid values are "SignerCertificate", "ServingCertificate", and "ClientCertificate". + + When set to SignerCertificate, the configuration applies to certificate authority (CA) certificates + that sign other certificates. + + When set to ServingCertificate, the configuration applies to TLS server certificates + used to serve HTTPS endpoints. + + When set to ClientCertificate, the configuration applies to client authentication certificates + used to authenticate to servers. + enum: + - SignerCertificate + - ServingCertificate + - ClientCertificate + type: string + certificate: + description: certificate specifies the configuration + for this category + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - category + - certificate + type: object + maxItems: 3 + type: array + x-kubernetes-list-map-keys: + - category + x-kubernetes-list-type: map + defaults: + description: |- + defaults specifies the default certificate configuration + for all certificates unless overridden by category or specific + certificate configuration. + If not specified, uses platform defaults (typically RSA 2048). + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. 
+ properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + overrides: + description: |- + overrides allows configuration of certificate parameters + for specific named certificates. + Override configuration takes precedence over both category + and default configuration. + items: + description: |- + CertificateOverride allows configuration of certificate parameters for specific named certificates. + Certificate names must be registered via a PKICertificateDefinition resource. + properties: + certificate: + description: certificate specifies the configuration + for this certificate + minProperties: 1 + properties: + key: + description: key specifies the cryptographic parameters + for the certificate's key pair. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. 
+ Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + default: 2048 + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''RSA'' ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == + ''ECDSA'' ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + certificateName: + description: |- + certificateName identifies a specific certificate to configure. + The name must match a certificate registered in a PKICertificateDefinition resource. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - certificate + - certificateName + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - certificateName + x-kubernetes-list-type: map + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. 
While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 59a5b370856..e98c2d073d7 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -434,4 +434,169 @@ func (Storage) SwaggerDoc() map[string]string { return map_Storage } +var map_CategoryCertificateConfig = map[string]string{ + "category": "category identifies the certificate category. Valid values are \"SignerCertificate\", \"ServingCertificate\", and \"ClientCertificate\".\n\nWhen set to SignerCertificate, the configuration applies to certificate authority (CA) certificates that sign other certificates.\n\nWhen set to ServingCertificate, the configuration applies to TLS server certificates used to serve HTTPS endpoints.\n\nWhen set to ClientCertificate, the configuration applies to client authentication certificates used to authenticate to servers.", + "certificate": "certificate specifies the configuration for this category", +} + +func (CategoryCertificateConfig) SwaggerDoc() map[string]string { + return map_CategoryCertificateConfig +} + +var map_CertificateConfig = map[string]string{ + "": "CertificateConfig specifies configuration parameters for certificates.", + "key": "key specifies the cryptographic parameters for the certificate's key pair.", +} + +func (CertificateConfig) SwaggerDoc() map[string]string { + return map_CertificateConfig +} + +var map_CertificateOverride = map[string]string{ + "": "CertificateOverride allows configuration of certificate parameters for specific named certificates. Certificate names must be registered via a PKICertificateDefinition resource.", + "certificateName": "certificateName identifies a specific certificate to configure. The name must match a certificate registered in a PKICertificateDefinition resource.", + "certificate": "certificate specifies the configuration for this certificate", +} + +func (CertificateOverride) SwaggerDoc() map[string]string { + return map_CertificateOverride +} + +var map_CustomPKIPolicy = map[string]string{ + "": "CustomPKIPolicy contains administrator-specified cryptographic configuration. 
Administrators can specify defaults for all certificates, configure specific categories (SignerCertificate, ServingCertificate, ClientCertificate), or override specific named certificates.", +} + +func (CustomPKIPolicy) SwaggerDoc() map[string]string { + return map_CustomPKIPolicy +} + +var map_ECDSAKeyConfig = map[string]string{ + "": "ECDSAKeyConfig specifies parameters for ECDSA key generation.", + "curve": "curve specifies the elliptic curve for ECDSA keys. Valid values are \"P256\", \"P384\", and \"P521\".", +} + +func (ECDSAKeyConfig) SwaggerDoc() map[string]string { + return map_ECDSAKeyConfig +} + +var map_KeyConfig = map[string]string{ + "": "KeyConfig specifies cryptographic parameters for key generation.", + "algorithm": "algorithm specifies the key generation algorithm. Valid values are \"RSA\" and \"ECDSA\".", + "rsa": "rsa specifies RSA key parameters. Required when algorithm is RSA, and forbidden otherwise.", + "ecdsa": "ecdsa specifies ECDSA key parameters. Required when algorithm is ECDSA, and forbidden otherwise.", +} + +func (KeyConfig) SwaggerDoc() map[string]string { + return map_KeyConfig +} + +var map_PKI = map[string]string{ + "": "PKI configures cryptographic parameters for certificates generated internally by OpenShift components.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateManagement = map[string]string{ + "": "PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). This provides flexibility for organizations with specific compliance requirements or security policies while maintaining backwards compatibility for existing clusters.", + "mode": "mode determines how PKI configuration is managed. Valid values are \"Unmanaged\", \"Default\", and \"Custom\".\n\nWhen set to Unmanaged, components use their existing hardcoded certificate generation behavior, exactly as if this feature did not exist. Each component generates certificates using whatever parameters it was using before this feature. While most components use RSA 2048, some may use different parameters. Use of this mode might prevent upgrading to the next major OpenShift release.\n\nWhen set to Default, OpenShift-recommended best practices for certificate generation are applied. The specific parameters may evolve across OpenShift releases to adopt improved cryptographic standards. In the initial release, this matches Unmanaged behavior for each component. In future releases, this may adopt ECDSA or larger RSA keys based on industry best practices. Recommended for most customers who want to benefit from security improvements automatically.\n\nWhen set to Custom, the certificate management parameters can be set explicitly. Use the custom field to specify certificate generation parameters.", + "custom": "custom contains administrator-specified cryptographic configuration. Use the defaults, categories, and overrides fields to specify certificate generation parameters. 
Required when mode is Custom, and forbidden otherwise.", +} + +func (PKICertificateManagement) SwaggerDoc() map[string]string { + return map_PKICertificateManagement +} + +var map_PKIList = map[string]string{ + "": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "items": "items is a list of PKI resources", +} + +func (PKIList) SwaggerDoc() map[string]string { + return map_PKIList +} + +var map_PKIProfile = map[string]string{ + "": "PKIProfile defines the certificate generation parameters that OpenShift components use to create certificates. Configuration can be specified at three hierarchical levels: defaults apply to all certificates, categories apply to certificate types (SignerCertificate, ServingCertificate, ClientCertificate), and overrides apply to specific named certificates. More specific levels take precedence over general ones.", + "defaults": "defaults specifies the default certificate configuration for all certificates unless overridden by category or specific certificate configuration. If not specified, uses platform defaults (typically RSA 2048).", + "categories": "categories allows configuration of certificate parameters for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). Category configuration takes precedence over defaults.", + "overrides": "overrides allows configuration of certificate parameters for specific named certificates. Override configuration takes precedence over both category and default configuration.", +} + +func (PKIProfile) SwaggerDoc() map[string]string { + return map_PKIProfile +} + +var map_PKISpec = map[string]string{ + "": "PKISpec holds the specification for PKI configuration.", + "certificateManagement": "certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
This controls the certificate generation approach for all OpenShift components that create certificates internally, including certificate authorities, serving certificates, and client certificates.", +} + +func (PKISpec) SwaggerDoc() map[string]string { + return map_PKISpec +} + +var map_RSAKeyConfig = map[string]string{ + "": "RSAKeyConfig specifies parameters for RSA key generation.", + "keySize": "keySize specifies the size of RSA keys in bits. Valid values are multiples of 1024 from 2048 to 8192.", +} + +func (RSAKeyConfig) SwaggerDoc() map[string]string { + return map_RSAKeyConfig +} + +var map_CertificateDefinition = map[string]string{ + "": "CertificateDefinition describes a single certificate managed by a component.", + "name": "name is the unique identifier for this certificate. This name is used in PKI.spec.overrides[].certificateName to configure this certificate. Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens).", + "category": "category specifies the certificate category. This helps administrators understand the certificate's role and select appropriate cryptographic parameters.", + "description": "description provides a human-readable explanation of this certificate's purpose. Examples: \"CA for etcd peer and server certificates\", \"Server certificate for API server localhost endpoint\"", +} + +func (CertificateDefinition) SwaggerDoc() map[string]string { + return map_CertificateDefinition +} + +var map_PKICertificateDefinition = map[string]string{ + "": "PKICertificateDefinition registers certificates managed by a component, enabling dynamic validation of certificate names in PKI overrides. Components create PKICertificateDefinition resources to declare which certificates they manage, allowing administrators to configure those certificates via the PKI resource.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. 
These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds the certificate registration specification", + "status": "status holds observed state", +} + +func (PKICertificateDefinition) SwaggerDoc() map[string]string { + return map_PKICertificateDefinition +} + +var map_PKICertificateDefinitionList = map[string]string{ + "": "PKICertificateDefinitionList is a collection of PKICertificateDefinition resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "items": "items is a list of PKICertificateDefinition resources", +} + +func (PKICertificateDefinitionList) SwaggerDoc() map[string]string { + return map_PKICertificateDefinitionList +} + +var map_PKICertificateDefinitionSpec = map[string]string{ + "": "PKICertificateDefinitionSpec defines certificates managed by a component.", + "component": "component identifies the operator or component managing these certificates. This should typically be the name of the operator (e.g., \"etcd-operator\", \"kube-apiserver-operator\").", + "certificates": "certificates is a list of certificate definitions managed by this component. 
Each certificate must have a unique name within the cluster.", +} + +func (PKICertificateDefinitionSpec) SwaggerDoc() map[string]string { + return map_PKICertificateDefinitionSpec +} + +var map_PKICertificateDefinitionStatus = map[string]string{ + "": "PKICertificateDefinitionStatus contains observed state of the certificate registration.", + "conditions": "conditions represent the latest available observations of the PKICertificateDefinition's state.", + "registeredAt": "registeredAt is the timestamp when this definition was first successfully validated.", +} + +func (PKICertificateDefinitionStatus) SwaggerDoc() map[string]string { + return map_PKICertificateDefinitionStatus +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index f29c06e82fb..417bfcb56d0 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -452,6 +452,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.BackupList": schema_openshift_api_config_v1alpha1_BackupList(ref), "github.com/openshift/api/config/v1alpha1.BackupSpec": schema_openshift_api_config_v1alpha1_BackupSpec(ref), "github.com/openshift/api/config/v1alpha1.BackupStatus": schema_openshift_api_config_v1alpha1_BackupStatus(ref), + "github.com/openshift/api/config/v1alpha1.CategoryCertificateConfig": schema_openshift_api_config_v1alpha1_CategoryCertificateConfig(ref), + "github.com/openshift/api/config/v1alpha1.CertificateConfig": schema_openshift_api_config_v1alpha1_CertificateConfig(ref), + "github.com/openshift/api/config/v1alpha1.CertificateDefinition": schema_openshift_api_config_v1alpha1_CertificateDefinition(ref), + "github.com/openshift/api/config/v1alpha1.CertificateOverride": schema_openshift_api_config_v1alpha1_CertificateOverride(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicy": schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyList": schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec": schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref), 
@@ -461,6 +465,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringSpec": schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), + "github.com/openshift/api/config/v1alpha1.CustomPKIPolicy": schema_openshift_api_config_v1alpha1_CustomPKIPolicy(ref), + "github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig": schema_openshift_api_config_v1alpha1_ECDSAKeyConfig(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), 
@@ -475,8 +481,18 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), + "github.com/openshift/api/config/v1alpha1.KeyConfig": schema_openshift_api_config_v1alpha1_KeyConfig(ref), "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), + "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinition": schema_openshift_api_config_v1alpha1_PKICertificateDefinition(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionList": schema_openshift_api_config_v1alpha1_PKICertificateDefinitionList(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionSpec": schema_openshift_api_config_v1alpha1_PKICertificateDefinitionSpec(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionStatus": schema_openshift_api_config_v1alpha1_PKICertificateDefinitionStatus(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateManagement": schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), + "github.com/openshift/api/config/v1alpha1.PKIList": schema_openshift_api_config_v1alpha1_PKIList(ref), + "github.com/openshift/api/config/v1alpha1.PKIProfile": schema_openshift_api_config_v1alpha1_PKIProfile(ref), + "github.com/openshift/api/config/v1alpha1.PKISpec": 
schema_openshift_api_config_v1alpha1_PKISpec(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeConfig": schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref), "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), @@ -484,6 +500,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.PolicyMatchExactRepository": schema_openshift_api_config_v1alpha1_PolicyMatchExactRepository(ref), "github.com/openshift/api/config/v1alpha1.PolicyMatchRemapIdentity": schema_openshift_api_config_v1alpha1_PolicyMatchRemapIdentity(ref), "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust": schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref), + "github.com/openshift/api/config/v1alpha1.RSAKeyConfig": schema_openshift_api_config_v1alpha1_RSAKeyConfig(ref), "github.com/openshift/api/config/v1alpha1.RetentionNumberConfig": schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref), "github.com/openshift/api/config/v1alpha1.RetentionPolicy": schema_openshift_api_config_v1alpha1_RetentionPolicy(ref), "github.com/openshift/api/config/v1alpha1.RetentionSizeConfig": schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref), 
@@ -22621,6 +22638,122 @@ func schema_openshift_api_config_v1alpha1_BackupStatus(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1alpha1_CategoryCertificateConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "category": { + SchemaProps: spec.SchemaProps{ + Description: "category identifies the certificate category. Valid values are \"SignerCertificate\", \"ServingCertificate\", and \"ClientCertificate\".\n\nWhen set to SignerCertificate, the configuration applies to certificate authority (CA) certificates that sign other certificates.\n\nWhen set to ServingCertificate, the configuration applies to TLS server certificates used to serve HTTPS endpoints.\n\nWhen set to ClientCertificate, the configuration applies to client authentication certificates used to authenticate to servers.", + Type: []string{"string"}, + Format: "", + }, + }, + "certificate": { + SchemaProps: spec.SchemaProps{ + Description: "certificate specifies the configuration for this category", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + }, + Required: []string{"category", "certificate"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CertificateConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_CertificateConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CertificateConfig specifies configuration parameters for certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "key": { + SchemaProps: spec.SchemaProps{ + Description: "key specifies the cryptographic parameters for the certificate's key pair.", + Default: map[string]interface{}{}, + Ref: 
ref("github.com/openshift/api/config/v1alpha1.KeyConfig"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.KeyConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_CertificateDefinition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CertificateDefinition describes a single certificate managed by a component.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the unique identifier for this certificate. This name is used in PKI.spec.overrides[].certificateName to configure this certificate. Must be a valid DNS subdomain (lowercase letters, numbers, and hyphens).", + Type: []string{"string"}, + Format: "", + }, + }, + "category": { + SchemaProps: spec.SchemaProps{ + Description: "category specifies the certificate category. This helps administrators understand the certificate's role and select appropriate cryptographic parameters.", + Type: []string{"string"}, + Format: "", + }, + }, + "description": { + SchemaProps: spec.SchemaProps{ + Description: "description provides a human-readable explanation of this certificate's purpose. Examples: \"CA for etcd peer and server certificates\", \"Server certificate for API server localhost endpoint\"", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name", "category", "description"}, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_CertificateOverride(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CertificateOverride allows configuration of certificate parameters for specific named certificates. 
Certificate names must be registered via a PKICertificateDefinition resource.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateName": { + SchemaProps: spec.SchemaProps{ + Description: "certificateName identifies a specific certificate to configure. The name must match a certificate registered in a PKICertificateDefinition resource.", + Type: []string{"string"}, + Format: "", + }, + }, + "certificate": { + SchemaProps: spec.SchemaProps{ + Description: "certificate specifies the configuration for this certificate", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + }, + Required: []string{"certificateName", "certificate"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CertificateConfig"}, + } +} + func schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -22984,6 +23117,93 @@ func schema_openshift_api_config_v1alpha1_ContainerResource(ref common.Reference } } +func schema_openshift_api_config_v1alpha1_CustomPKIPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CustomPKIPolicy contains administrator-specified cryptographic configuration. Administrators can specify defaults for all certificates, configure specific categories (SignerCertificate, ServingCertificate, ClientCertificate), or override specific named certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaults": { + SchemaProps: spec.SchemaProps{ + Description: "defaults specifies the default certificate configuration for all certificates unless overridden by category or specific certificate configuration. If not specified, uses platform defaults (typically RSA 2048).", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "categories": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "category", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "categories allows configuration of certificate parameters for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). 
Category configuration takes precedence over defaults.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CategoryCertificateConfig"), + }, + }, + }, + }, + }, + "overrides": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "certificateName", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "overrides allows configuration of certificate parameters for specific named certificates. Override configuration takes precedence over both category and default configuration.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateOverride"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CategoryCertificateConfig", "github.com/openshift/api/config/v1alpha1.CertificateConfig", "github.com/openshift/api/config/v1alpha1.CertificateOverride"}, + } +} + +func schema_openshift_api_config_v1alpha1_ECDSAKeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ECDSAKeyConfig specifies parameters for ECDSA key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "curve": { + SchemaProps: spec.SchemaProps{ + Description: "curve specifies the elliptic curve for ECDSA keys. 
Valid values are \"P256\", \"P384\", and \"P521\".", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"curve"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23517,6 +23737,56 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } +func schema_openshift_api_config_v1alpha1_KeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "KeyConfig specifies cryptographic parameters for key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "algorithm": { + SchemaProps: spec.SchemaProps{ + Description: "algorithm specifies the key generation algorithm. Valid values are \"RSA\" and \"ECDSA\".", + Type: []string{"string"}, + Format: "", + }, + }, + "rsa": { + SchemaProps: spec.SchemaProps{ + Description: "rsa specifies RSA key parameters. Required when algorithm is RSA, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.RSAKeyConfig"), + }, + }, + "ecdsa": { + SchemaProps: spec.SchemaProps{ + Description: "ecdsa specifies ECDSA key parameters. Required when algorithm is ECDSA, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig"), + }, + }, + }, + Required: []string{"algorithm"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "algorithm", + "fields-to-discriminateBy": map[string]interface{}{ + "ecdsa": "ECDSA", + "rsa": "RSA", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig", "github.com/openshift/api/config/v1alpha1.RSAKeyConfig"}, + } +} + func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -23626,56 +23896,470 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen } } -func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Description: "PKI configures cryptographic parameters for certificates generated internally by OpenShift components.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "email": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", Type: []string{"string"}, Format: "", }, }, - "hostname": { + "apiVersion": { SchemaProps: spec.SchemaProps{ - Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. 
The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec holds user settable values for configuration", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKISpec"), + }, + }, }, + Required: []string{"spec"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKISpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_PKICertificateDefinition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + Description: "PKICertificateDefinition registers certificates managed by a component, enabling dynamic validation of certificate names in PKI overrides. 
Components create PKICertificateDefinition resources to declare which certificates they manage, allowing administrators to configure those certificates via the PKI resource.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "name": { + "kind": { SchemaProps: spec.SchemaProps{ - Description: "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", - Default: "", + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", Type: []string{"string"}, Format: "", }, }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec holds the certificate registration specification", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status holds observed state", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionStatus"), + }, + }, }, - Required: []string{"name"}, + Required: []string{"spec"}, }, }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionSpec", "github.com/openshift/api/config/v1alpha1.PKICertificateDefinitionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, } } -func schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { +func schema_openshift_api_config_v1alpha1_PKICertificateDefinitionList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateDefinitionList is a collection of PKICertificateDefinition resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of PKICertificateDefinition resources", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateDefinition"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateDefinitionSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateDefinitionSpec defines certificates managed by a component.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "component": { + SchemaProps: spec.SchemaProps{ + Description: "component identifies the operator or component managing these certificates. 
This should typically be the name of the operator (e.g., \"etcd-operator\", \"kube-apiserver-operator\").", + Type: []string{"string"}, + Format: "", + }, + }, + "certificates": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "certificates is a list of certificate definitions managed by this component. Each certificate must have a unique name within the cluster.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateDefinition"), + }, + }, + }, + }, + }, + }, + Required: []string{"component", "certificates"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CertificateDefinition"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateDefinitionStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateDefinitionStatus contains observed state of the certificate registration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "conditions represent the latest available observations of the PKICertificateDefinition's state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"), + }, + }, + }, + }, + }, + "registeredAt": { + SchemaProps: 
spec.SchemaProps{ + Description: "registeredAt is the timestamp when this definition was first successfully validated.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). This provides flexibility for organizations with specific compliance requirements or security policies while maintaining backwards compatibility for existing clusters.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "mode": { + SchemaProps: spec.SchemaProps{ + Description: "mode determines how PKI configuration is managed. Valid values are \"Unmanaged\", \"Default\", and \"Custom\".\n\nWhen set to Unmanaged, components use their existing hardcoded certificate generation behavior, exactly as if this feature did not exist. Each component generates certificates using whatever parameters it was using before this feature. While most components use RSA 2048, some may use different parameters. Use of this mode might prevent upgrading to the next major OpenShift release.\n\nWhen set to Default, OpenShift-recommended best practices for certificate generation are applied. The specific parameters may evolve across OpenShift releases to adopt improved cryptographic standards. In the initial release, this matches Unmanaged behavior for each component. In future releases, this may adopt ECDSA or larger RSA keys based on industry best practices. 
Recommended for most customers who want to benefit from security improvements automatically.\n\nWhen set to Custom, the certificate management parameters can be set explicitly. Use the custom field to specify certificate generation parameters.", + Type: []string{"string"}, + Format: "", + }, + }, + "custom": { + SchemaProps: spec.SchemaProps{ + Description: "custom contains administrator-specified cryptographic configuration. Use the defaults, categories, and overrides fields to specify certificate generation parameters. Required when mode is Custom, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CustomPKIPolicy"), + }, + }, + }, + Required: []string{"mode"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "mode", + "fields-to-discriminateBy": map[string]interface{}{ + "custom": "Custom", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CustomPKIPolicy"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "email": { + SchemaProps: spec.SchemaProps{ + Description: "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. 
The email should be a valid email address and at most 320 characters in length.", + Type: []string{"string"}, + Format: "", + }, + }, + "hostname": { + SchemaProps: spec.SchemaProps{ + Description: "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_PKIList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of PKI resources", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKI"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKI", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKIProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKIProfile defines the certificate generation parameters that OpenShift components use to create certificates. Configuration can be specified at three hierarchical levels: defaults apply to all certificates, categories apply to certificate types (SignerCertificate, ServingCertificate, ClientCertificate), and overrides apply to specific named certificates. More specific levels take precedence over general ones.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaults": { + SchemaProps: spec.SchemaProps{ + Description: "defaults specifies the default certificate configuration for all certificates unless overridden by category or specific certificate configuration. 
If not specified, uses platform defaults (typically RSA 2048).", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "categories": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "category", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "categories allows configuration of certificate parameters for categories of certificates (SignerCertificate, ServingCertificate, ClientCertificate). Category configuration takes precedence over defaults.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CategoryCertificateConfig"), + }, + }, + }, + }, + }, + "overrides": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "certificateName", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "overrides allows configuration of certificate parameters for specific named certificates. 
Override configuration takes precedence over both category and default configuration.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateOverride"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CategoryCertificateConfig", "github.com/openshift/api/config/v1alpha1.CertificateConfig", "github.com/openshift/api/config/v1alpha1.CertificateOverride"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKISpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKISpec holds the specification for PKI configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateManagement": { + SchemaProps: spec.SchemaProps{ + Description: "certificateManagement specifies how PKI configuration is managed for internally-generated certificates. 
This controls the certificate generation approach for all OpenShift components that create certificates internally, including certificate authorities, serving certificates, and client certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateManagement"), + }, + }, + }, + Required: []string{"certificateManagement"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateManagement"}, + } +} + +func schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"name"}, + }, + }, + } +} + +func schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ 
@@ -23890,6 +24574,27 @@ func schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref common.Reference } } +func schema_openshift_api_config_v1alpha1_RSAKeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RSAKeyConfig specifies parameters for RSA key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keySize": { + SchemaProps: spec.SchemaProps{ + Description: "keySize specifies the size of RSA keys in bits. Valid values are multiples of 1024 from 2048 to 8192.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + Required: []string{"keySize"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{