Add cluster registry config
Signed-off-by: melserngawy <melserng@redhat.com>
serngawy committed Oct 10, 2024
1 parent 2fe1c84 commit 1babc6e
Showing 7 changed files with 629 additions and 72 deletions.
Expand Up @@ -82,6 +82,73 @@ spec:
rule: self == oldSelf
- message: billingAccount must be a valid AWS account ID
rule: self.matches('^[0-9]{12}$')
clusterRegistryConfig:
description: ClusterRegistryConfig represents registry config used
with the cluster.
properties:
additionalTrustedCa:
additionalProperties:
type: string
description: |-
AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
for each additional registry CA to trust.
type: object
allowedRegistriesForImport:
description: |-
AllowedRegistriesForImport limits the container image registries that normal users may import
images from. Set this list to the registries that you trust to contain valid Docker
images and that you want applications to be able to import from.
items:
description: RegistryLocation contains a location of the registry
specified by the registry domain name.
properties:
domainName:
description: |-
domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
type: string
insecure:
default: false
description: insecure indicates whether the registry is
secure (https) or insecure (http), default is secured.
type: boolean
type: object
type: array
registrySources:
description: |-
RegistrySources contains configuration that determines how the container runtime
should treat individual registries when accessing images. It does not contain configuration
for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
properties:
allowedRegistries:
description: |-
AllowedRegistries: registries for which image pull and push actions are allowed.
To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
For example, *.example.com. You can specify an individual repository within a registry.
For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
items:
type: string
type: array
blockedRegistries:
description: |-
BlockedRegistries: registries for which image pull and push actions are denied.
To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
For example, *.example.com. You can specify an individual repository within a registry.
For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
items:
type: string
type: array
insecureRegistries:
description: |-
InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
For example, *.example.com. You can specify an individual repository within a registry.
For example: reg1.io/myrepo/myapp:latest.
items:
type: string
type: array
type: object
type: object
controlPlaneEndpoint:
description: ControlPlaneEndpoint represents the endpoint used to
communicate with the control plane.
61 changes: 61 additions & 0 deletions controlplane/rosa/api/v1beta2/rosacontrolplane_types.go
Expand Up @@ -180,6 +180,67 @@ type RosaControlPlaneSpec struct { //nolint: maligned
// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
// +optional
ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint"`

// ClusterRegistryConfig represents registry config used with the cluster.
// +optional
ClusterRegistryConfig *RegistryConfig `json:"clusterRegistryConfig,omitempty"`
}

// RegistryConfig for ROSA-HCP cluster
type RegistryConfig struct {
// AdditionalTrustedCa containing the registry hostname as the key, and the PEM-encoded certificate as the value,
// for each additional registry CA to trust.
// +optional
AdditionalTrustedCa map[string]string `json:"additionalTrustedCa,omitempty"`

// AllowedRegistriesForImport limits the container image registries that normal users may import
// images from. Set this list to the registries that you trust to contain valid Docker
// images and that you want applications to be able to import from.
// +optional
AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`

// RegistrySources contains configuration that determines how the container runtime
// should treat individual registries when accessing images. It does not contain configuration
// for the internal cluster registry. AllowedRegistries, BlockedRegistries are mutually exclusive.
// +optional
RegistrySources *RegistrySources `json:"registrySources,omitempty"`
}

// RegistryLocation contains a location of the registry specified by the registry domain name.
type RegistryLocation struct {
// domainName specifies a domain name for the registry. The domain name might include wildcards, like '*' or '??'.
// In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well.
// +optional
DomainName string `json:"domainName,omitempty"`

// insecure indicates whether the registry is secure (https) or insecure (http), default is secured.
// +kubebuilder:default=false
// +optional
Insecure bool `json:"insecure,omitempty"`
}

// RegistrySources contains registries configuration.
type RegistrySources struct {
// AllowedRegistries: registries for which image pull and push actions are allowed.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
// +optional
AllowedRegistries []string `json:"allowedRegistries,omitempty"`

// BlockedRegistries: registries for which image pull and push actions are denied.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
// +optional
BlockedRegistries []string `json:"blockedRegistries,omitempty"`

// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest.
// +optional
InsecureRegistries []string `json:"insecureRegistries,omitempty"`
}

// NetworkSpec for ROSA-HCP.
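Review bot: The mutual exclusion stated in the RegistrySources doc comment ("AllowedRegistries, BlockedRegistries are mutually exclusive") is not enforced anywhere in the new types: the struct carries only `+optional` markers, and the CRD schema hunk above for registrySources has no `x-kubernetes-validations` entry, even though this CRD already uses CEL rules elsewhere (`rule: self == oldSelf`). An object that sets both allowedRegistries and blockedRegistries is therefore admitted, and whether the cluster ends up with an allow-list, a deny-list, or a rejected update then depends on how the backend handles the combination rather than on API validation. I would put the rule on the struct, `// +kubebuilder:validation:XValidation:rule="!(has(self.allowedRegistries) && has(self.blockedRegistries))",message="allowedRegistries and blockedRegistries are mutually exclusive"`, and regenerate the CRD so the schema rejects it at admission. Since insecureRegistries and RegistryLocation.insecure turn off TLS protection for image pulls, a one-line warning in those doc comments that they should be restricted to explicitly trusted hosts would also help operators reviewing a spec.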
82 changes: 82 additions & 0 deletions controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go


