diff --git a/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml b/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml index e9a933dcb0a..6d802f0ca64 100644 --- a/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml +++ b/config/v1/0000_00_cluster-version-operator_01_clusterversion-Default.crd.yaml @@ -77,6 +77,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic baselineCapabilitySet: description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent. @@ -213,6 +214,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic knownCapabilities: description: knownCapabilities lists all the capabilities known to the current cluster. @@ -234,6 +236,7 @@ spec: - DeploymentConfig - ImageRegistry - OperatorLifecycleManager + - CloudCredential x-kubernetes-list-type: atomic conditionalUpdates: description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. diff --git a/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml b/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml index c0e62272ec9..878a71fa6d8 100644 --- a/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/0000_00_cluster-version-operator_01_clusterversion-TechPreviewNoUpgrade.crd.yaml @@ -155,15 +155,33 @@ spec: - name x-kubernetes-list-type: map signatureStores: - description: "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured." + description: "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle. \n By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n A maximum of 32 signature stores may be configured." type: array maxItems: 32 items: - type: string - x-kubernetes-list-type: set - x-kubernetes-validations: - - rule: self.all(x, isURL(x)) - message: signatureStores must contain only valid absolute URLs per the Go net/url standard + description: SignatureStore represents the URL of custom Signature Store + type: object + required: + - url + properties: + ca: + description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config. + type: object + required: + - name + properties: + name: + description: name is the metadata.name of the referenced config map + type: string + url: + description: url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty. + type: string + x-kubernetes-validations: + - rule: isURL(self) + message: url must be a valid absolute URL + x-kubernetes-list-map-keys: + - url + x-kubernetes-list-type: map upstream: description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region. type: string diff --git a/config/v1/techpreview.clusterversion.testsuite.yaml b/config/v1/techpreview.clusterversion.testsuite.yaml index 243c89ff0c6..71988108e5c 100644 --- a/config/v1/techpreview.clusterversion.testsuite.yaml +++ b/config/v1/techpreview.clusterversion.testsuite.yaml @@ -169,14 +169,14 @@ tests: spec: clusterID: foo signatureStores: - - "https://osus.ocp.com" + - url: "https://osus.ocp.com" expected: | apiVersion: config.openshift.io/v1 kind: ClusterVersion spec: clusterID: foo signatureStores: - - "https://osus.ocp.com" + - url: "https://osus.ocp.com" - name: Should be able to set multiple custom signature store initial: | apiVersion: config.openshift.io/v1 @@ -184,16 +184,16 @@ tests: spec: clusterID: foo signatureStores: - - "https://osus1.ocp.com" - - "https://osus2.ocp.com" + - url: "https://osus1.ocp.com" + - url: "https://osus2.ocp.com" expected: | apiVersion: config.openshift.io/v1 kind: ClusterVersion spec: clusterID: foo signatureStores: - - "https://osus1.ocp.com" - - "https://osus2.ocp.com" + - url: "https://osus1.ocp.com" + - url: "https://osus2.ocp.com" - name: Invalid custom signature store should throw error initial: | apiVersion: config.openshift.io/v1 @@ -201,8 +201,8 @@ tests: spec: clusterID: foo signatureStores: - - "osus1.ocp.com" - expectedError: "signatureStores must contain only valid absolute URLs per the Go net/url standard" + - url: "osus1.ocp.com" + expectedError: "url must be a valid absolute URL" - name: Should be able to unset the signature stores initial: | apiVersion: config.openshift.io/v1 diff --git a/config/v1/types_cluster_version.go b/config/v1/types_cluster_version.go index f9b2d42c60c..93f8021624f 100644 --- a/config/v1/types_cluster_version.go +++ b/config/v1/types_cluster_version.go @@ -88,7 +88,9 @@ type ClusterVersionSpec struct { // +optional Capabilities *ClusterVersionCapabilitiesSpec `json:"capabilities,omitempty"` - // signatureStores contains the upstream URIs to verify release signatures. + // signatureStores contains the upstream URIs to verify release signatures and optional + // reference to a config map by name containing the PEM-encoded CA bundle. + // // By default, CVO will use existing signature stores if this property is empty. // The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature // in these stores in parallel only when local ConfigMaps did not include a valid signature. @@ -96,14 +98,13 @@ type ClusterVersionSpec struct { // Setting signatureStores will replace the default signature stores with custom signature stores. // Default stores can be used with custom signature stores by adding them manually. // - // Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. // A maximum of 32 signature stores may be configured. - // +kubebuilder:validation:XValidation:rule="self.all(x, isURL(x))",message="signatureStores must contain only valid absolute URLs per the Go net/url standard" // +kubebuilder:validation:MaxItems=32 // +openshift:enable:FeatureSets=TechPreviewNoUpgrade - // +listType=set + // +listType=map + // +listMapKey=url // +optional - SignatureStores []string `json:"signatureStores"` + SignatureStores []SignatureStore `json:"signatureStores"` // overrides is list of overides for components that are managed by // cluster version operator. Marking a component unmanaged will prevent @@ -785,3 +786,26 @@ type ClusterVersionList struct { Items []ClusterVersion `json:"items"` } + +// SignatureStore represents the URL of custom Signature Store +type SignatureStore struct { + + // url contains the upstream custom signature store URL. + // url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. + // This must be provided and cannot be empty. + // + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL" + // +kubebuilder:validation:Required + URL string `json:"url"` + + // ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. + // It is used as a trust anchor to validate the TLS certificate presented by the remote server. + // The key "ca.crt" is used to locate the data. + // If specified and the config map or expected key is not found, the signature store is not honored. + // If the specified ca data is not valid, the signature store is not honored. + // If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. + // The namespace for this config map is openshift-config. + // +optional + CA ConfigMapNameReference `json:"ca"` +} diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index a004eb68ef0..476602adef9 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -1193,7 +1193,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) { } if in.SignatureStores != nil { in, out := &in.SignatureStores, &out.SignatureStores - *out = make([]string, len(*in)) + *out = make([]SignatureStore, len(*in)) copy(*out, *in) } if in.Overrides != nil { @@ -5257,6 +5257,23 @@ func (in *ServingInfo) DeepCopy() *ServingInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SignatureStore) DeepCopyInto(out *SignatureStore) { + *out = *in + out.CA = in.CA + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SignatureStore. +func (in *SignatureStore) DeepCopy() *SignatureStore { + if in == nil { + return nil + } + out := new(SignatureStore) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringSource) DeepCopyInto(out *StringSource) { *out = *in diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 5c13d13d203..3ea0a78cf08 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -702,7 +702,7 @@ var map_ClusterVersionSpec = map[string]string{ "upstream": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", "channel": "channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will be contain stable updates that are appropriate for production clusters.", "capabilities": "capabilities configures the installation of optional, core cluster components. A null value here is identical to an empty object; see the child properties for default semantics.", - "signatureStores": "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nItems in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured.", + "signatureStores": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "overrides": "overrides is list of overides for components that are managed by cluster version operator. Marking a component unmanaged will prevent the operator from creating or updating the object.", } @@ -783,6 +783,16 @@ func (Release) SwaggerDoc() map[string]string { return map_Release } +var map_SignatureStore = map[string]string{ + "": "SignatureStore represents the URL of custom Signature Store", + "url": "url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.", + "ca": "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.", +} + +func (SignatureStore) SwaggerDoc() map[string]string { + return map_SignatureStore +} + var map_Update = map[string]string{ "": "Update represents an administrator update request.", "architecture": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index d64875b2a80..22559c948fd 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -363,6 +363,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.SchedulerStatus": schema_openshift_api_config_v1_SchedulerStatus(ref), "github.com/openshift/api/config/v1.SecretNameReference": schema_openshift_api_config_v1_SecretNameReference(ref), "github.com/openshift/api/config/v1.ServingInfo": schema_openshift_api_config_v1_ServingInfo(ref), + "github.com/openshift/api/config/v1.SignatureStore": schema_openshift_api_config_v1_SignatureStore(ref), "github.com/openshift/api/config/v1.StringSource": schema_openshift_api_config_v1_StringSource(ref), "github.com/openshift/api/config/v1.StringSourceSpec": schema_openshift_api_config_v1_StringSourceSpec(ref), "github.com/openshift/api/config/v1.TLSProfileSpec": schema_openshift_api_config_v1_TLSProfileSpec(ref), @@ -10272,18 +10273,20 @@ func schema_openshift_api_config_v1_ClusterVersionSpec(ref common.ReferenceCallb "signatureStores": { VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", + "x-kubernetes-list-map-keys": []interface{}{ + "url", + }, + "x-kubernetes-list-type": "map", }, }, SchemaProps: spec.SchemaProps{ - Description: "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nItems in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured.", + Description: "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.SignatureStore"), }, }, }, @@ -10319,7 +10322,7 @@ func schema_openshift_api_config_v1_ClusterVersionSpec(ref common.ReferenceCallb }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.ClusterVersionCapabilitiesSpec", "github.com/openshift/api/config/v1.ComponentOverride", "github.com/openshift/api/config/v1.Update"}, + "github.com/openshift/api/config/v1.ClusterVersionCapabilitiesSpec", "github.com/openshift/api/config/v1.ComponentOverride", "github.com/openshift/api/config/v1.SignatureStore", "github.com/openshift/api/config/v1.Update"}, } } @@ -18015,6 +18018,37 @@ func schema_openshift_api_config_v1_ServingInfo(ref common.ReferenceCallback) co } } +func schema_openshift_api_config_v1_SignatureStore(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SignatureStore represents the URL of custom Signature Store", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "url": { + SchemaProps: spec.SchemaProps{ + Description: "url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "ca": { + SchemaProps: spec.SchemaProps{ + Description: "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), + }, + }, + }, + Required: []string{"url"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ConfigMapNameReference"}, + } +} + func schema_openshift_api_config_v1_StringSource(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 9a07183c525..9674cfd4f58 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -5260,13 +5260,16 @@ "x-kubernetes-list-type": "map" }, "signatureStores": { - "description": "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nItems in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured.", + "description": "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle.\n\nBy default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nA maximum of 32 signature stores may be configured.", "type": "array", "items": { - "type": "string", - "default": "" + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.SignatureStore" }, - "x-kubernetes-list-type": "set" + "x-kubernetes-list-map-keys": [ + "url" + ], + "x-kubernetes-list-type": "map" }, "upstream": { "description": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.", @@ -9839,6 +9842,25 @@ } } }, + "com.github.openshift.api.config.v1.SignatureStore": { + "description": "SignatureStore represents the URL of custom Signature Store", + "type": "object", + "required": [ + "url" + ], + "properties": { + "ca": { + "description": "ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key \"ca.crt\" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConfigMapNameReference" + }, + "url": { + "description": "url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.", + "type": "string", + "default": "" + } + } + }, "com.github.openshift.api.config.v1.StringSource": { "description": "StringSource allows specifying a string inline, or externally via env var or file. When it contains only a string value, it marshals to a simple JSON string.", "type": "object",