diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml index 3b50252dc02..4d7310fb023 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -3,7 +3,6 @@ name: "APIServer" crdName: apiservers.config.openshift.io featureGates: - KMSEncryption -- -KMSEncryptionProvider tests: onCreate: - name: Should be able to create with KMS type without kms config diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml deleted file mode 100644 index 77ad4950fd9..00000000000 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this -name: "APIServer" -crdName: apiservers.config.openshift.io -featureGates: - - KMSEncryptionProvider -tests: - onCreate: - - name: Should be able to create encrypt with KMS for AWS with valid values - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - expected: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - audit: - profile: Default - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - - name: Should fail to create encrypt with KMS for AWS without region - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - expectedError: "spec.encryption.kms.aws.region: Required value" - - name: Should not allow kms config with encrypt aescbc - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: aescbc - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create with kms type AWS but without aws config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - expectedError: "aws 
config is required when kms provider type is AWS, and forbidden otherwise" - - name: Should fail to create AWS KMS without a keyARN - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - region: us-east-1 - expectedError: "spec.encryption.kms.aws.keyARN: Required value" - - name: Should fail to create AWS KMS with invalid keyARN format - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: not-a-kms-arn - region: us-east-1 - expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - - name: Should fail to create AWS KMS with empty region - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "" - expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" - - name: Should fail to create AWS KMS with invalid region format - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "INVALID-REGION" - expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go index b8a4399dbc3..7bce6e7a9b4 100644 --- a/config/v1/types_apiserver.go +++ b/config/v1/types_apiserver.go 
@@ -209,7 +209,7 @@ type APIServerNamedServingCert struct { } // APIServerEncryption is used to encrypt sensitive resources on the cluster. -// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise" +// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS and KMSEncryption feature gate is enabled, and forbidden otherwise" // +union type APIServerEncryption struct { // type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -238,14 +238,13 @@ type APIServerEncryption struct { // managing the lifecyle of the encryption keys outside of the control plane. // This allows integration with an external provider to manage the data encryption keys securely. // - // +openshift:enable:FeatureGate=KMSEncryptionProvider + // +openshift:enable:FeatureGate=KMSEncryption // +unionMember // +optional KMS *KMSConfig `json:"kms,omitempty"` } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm -// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index 3293204fa4e..853f119d770 100644 --- a/config/v1/types_kmsencryption.go +++ b/config/v1/types_kmsencryption.go 
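Review bot: The new message on the APIServerEncryption rule says "and KMSEncryption feature gate is enabled", but the CEL expression carries no gate condition — gating is done by only emitting the rule into the gated CRD variants — so the text describes a check the rule never performs and reads oddly to a user who already has the gate on. Keeping the original wording, `message="kms config is required when encryption type is KMS, and forbidden otherwise"`, avoids that, and if any `expectedError` in the surviving KMSEncryption.yaml tests pins this string it must change in step. Separately, with the KMSEncryptionProvider enum line dropped, an APIServer written with `kms.type: AWS` under the old gate no longer passes the `KMSProviderType` enum or the new union rule on its next update; since both gates are NoUpgrade this is probably acceptable, but the deleted KMSEncryptionProvider.yaml held the union's negative-path tests and this diff adds no Vault equivalents, so cases for `type: Vault` without a `vault` block and a `kms` block under `encryption.type: aescbc` are worth confirming in the remaining test file. The APIServerEncryption struct continues outside the hunk.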
@@ -1,55 +1,144 @@ package v1 // KMSConfig defines the configuration for the KMS instance -// that will be used with KMSEncryptionProvider encryption -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" +// that will be used with KMS encryption +// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryption,rule="has(self.type) && self.type == 'Vault' ? (has(self.vault) && self.vault.vaultAddress != \"\") : !has(self.vault)",message="vault config is required when kms provider type is Vault, and forbidden otherwise" // +union type KMSConfig struct { // type defines the kind of platform for the KMS provider. - // Available provider types are AWS only. + // Valid values are: + // - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) // // +unionDiscriminator // +required Type KMSProviderType `json:"type"` - // aws defines the key config for using an AWS KMS instance - // for the encryption. The AWS KMS instance is managed + // vault defines the configuration for the Vault KMS plugin. + // The plugin connects to a Vault Enterprise server that is managed // by the user outside the purview of the control plane. + // This field must be set when type is Vault, and must be unset otherwise. // + // +openshift:enable:FeatureGate=KMSEncryption // +unionMember // +optional - AWS *AWSKMSConfig `json:"aws,omitempty"` + Vault *VaultKMSConfig `json:"vault,omitempty,omitzero"` } -// AWSKMSConfig defines the KMS config specific to AWS KMS provider -type AWSKMSConfig struct { - // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - // The value must adhere to the format `arn:aws:kms:::key/`, where: - // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. 
- // - `` is a 12-digit numeric identifier for the AWS account. - // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. +// KMSProviderType is a specific supported KMS provider +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum=Vault +type KMSProviderType string + +const ( + // VaultKMSProvider represents a supported KMS provider for use with HashiCorp Vault + VaultKMSProvider KMSProviderType = "Vault" +) + +// VaultKMSConfig defines the KMS plugin configuration specific to Vault KMS +type VaultKMSConfig struct { + // kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. + // The image must be specified using a digest reference (not a tag). + // + // Consult the OpenShift documentation for compatible plugin versions with your cluster version, + // then obtain the image digest for that version from HashiCorp's container registry. + // + // For disconnected environments, mirror the plugin image to an accessible registry and + // reference the mirrored location with its digest. + // + // The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + // The maximum length is 512 characters to accommodate long registry names and repository paths. + // + // +kubebuilder:validation:XValidation:rule="self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$')",message="vaultKMSPluginImage must be a valid image reference with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). Use '@sha256:<64-character-hex-digest>' instead of image tags like ':latest' or ':v1.0.0'." + // +kubebuilder:validation:MinLength=75 + // +kubebuilder:validation:MaxLength=512 + // +required + KMSPluginImage string `json:"kmsPluginImage,omitempty"` + + // vaultAddress specifies the address of the HashiCorp Vault instance. + // The value must be a valid URL with scheme (https://) and can be up to 512 characters. 
+ // Example: https://vault.example.com:8200 // - // +kubebuilder:validation:MaxLength=128 + // +kubebuilder:validation:XValidation:rule="self.matches('^https://')",message="vaultAddress must be a valid URL starting with 'https://' (e.g., 'https://vault.example.com:8200')." + // +kubebuilder:validation:MaxLength=512 // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." // +required - KeyARN string `json:"keyARN"` - // region specifies the AWS region where the KMS instance exists, and follows the format - // `--`, e.g.: `us-east-1`. - // Only lowercase letters and hyphens followed by numbers are allowed. + VaultAddress string `json:"vaultAddress,omitempty"` + + // vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + // This is only applicable for Vault Enterprise installations. + // The value can be between 1 and 4096 characters. + // When this field is not set, no namespace is used. // - // +kubebuilder:validation:MaxLength=64 // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." + // +kubebuilder:validation:MaxLength=4096 + // +optional + VaultNamespace string `json:"vaultNamespace,omitempty"` + + // tls contains the TLS configuration for connecting to the Vault server. + // When this field is not set, system default TLS settings are used. + // +optional + TLS *VaultTLSConfig `json:"tls,omitempty"` + + // approleSecretRef references a secret in the openshift-config namespace containing + // the AppRole credentials used to authenticate with Vault. 
+ // The secret must contain the following keys: + // - "roleID": The AppRole Role ID + // - "secretID": The AppRole Secret ID + // + // The namespace for the secret referenced by approleSecretRef is openshift-config. + // // +required - Region string `json:"region"` + ApproleSecretRef SecretNameReference `json:"approleSecretRef,omitempty"` + + // transitMount specifies the mount path of the Vault Transit engine. + // The value can be between 1 and 1024 characters. + // When this field is not set, it defaults to "transit". + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:default="transit" + // +optional + TransitMount string `json:"transitMount,omitempty"` + + // transitKey specifies the name of the encryption key in Vault's Transit engine. + // This key is used to encrypt and decrypt data. + // The value must be between 1 and 512 characters. + // + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=512 + // +required + TransitKey string `json:"transitKey,omitempty"` } -// KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS -type KMSProviderType string +// VaultTLSConfig contains TLS configuration for connecting to Vault. +type VaultTLSConfig struct { + // caBundle references a ConfigMap in the openshift-config namespace containing + // the CA certificate bundle used to verify the TLS connection to the Vault server. + // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // When this field is not set, the system's trusted CA certificates are used. + // + // The namespace for the ConfigMap is openshift-config. + // + // Example ConfigMap: + // apiVersion: v1 + // kind: ConfigMap + // metadata: + // name: vault-ca-bundle + // namespace: openshift-config + // data: + // ca-bundle.crt: | + // -----BEGIN CERTIFICATE----- + // ... 
+ // -----END CERTIFICATE----- + // + // +optional + CABundle ConfigMapNameReference `json:"caBundle,omitempty"` -const ( - // AWSKMSProvider represents a supported KMS provider for use with AWS KMS - AWSKMSProvider KMSProviderType = "AWS" -) + // serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. + // This is useful when the Vault server's hostname doesn't match its TLS certificate. + // When this field is not set, the hostname from vaultAddress is used for SNI. + // + // +kubebuilder:validation:MaxLength=253 + // +kubebuilder:validation:MinLength=1 + // +optional + ServerName string `json:"serverName,omitempty"` +} diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index d2ba7fc3253..48778ca0fcc 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
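Review bot: The `vaultAddress` rule `self.matches('^https://')` only checks the scheme prefix, so `https://` with no host, or `https://user:pass@host:8200` with embedded credentials, passes admission and only fails inside the plugin; the CEL URL library gives a real check, e.g. `rule="isURL(self) && url(self).getScheme() == 'https' && url(self).getHostname() != ''"`. The `kmsPluginImage` validation message refers to `vaultKMSPluginImage`, a field that does not exist — it should say `kmsPluginImage` so the error points at the right key. In the KMSConfig union rule the clause `self.vault.vaultAddress != ""` duplicates the field's `+required`/`MinLength=1` and turns an empty address into the less specific "vault config is required" error; `has(self.vault)` alone is enough. `transitMount`, `transitKey` and `vaultNamespace` are length-checked only, so values containing `/`, `..` or whitespace are accepted; if the plugin interpolates them into Vault API paths (not visible here), a conservative pattern such as `^[a-zA-Z0-9_./-]+$` for the mount and `^[a-zA-Z0-9_.-]+$` for the key is worth adding. The TLS `serverName` comment should also state that, if it is passed through as tls.Config.ServerName, it changes which name the server certificate is verified against and not just the SNI sent, so it must not be used to paper over a certificate issued for the wrong host.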
@@ -168,59 +168,154 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + type: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. properties: - keyARN: + approleSecretRef: description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. 
+ The image must be specified using a digest reference (not a tag). + + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 type: string x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. 
+ + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. + This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 minLength: 1 type: string x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. 
- rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string required: - - keyARN - - region + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? (has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -245,8 +340,8 @@ spec: type: string type: object x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' servingCerts: 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index cabbd04bb71..bae34f76162 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -168,59 +168,154 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + type: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. properties: - keyARN: + approleSecretRef: description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. 
+ The image must be specified using a digest reference (not a tag). + + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 type: string x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. 
+ + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. + This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 minLength: 1 type: string x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. 
- rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string required: - - keyARN - - region + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? (has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -245,8 +340,8 @@ spec: type: string type: object x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' servingCerts: 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index b21c31dd439..969e1b07463 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -158,6 +158,164 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + type: + description: |- + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed + by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. + properties: + approleSecretRef: + description: |- + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. + The image must be specified using a digest reference (not a tag). 
+ + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 + type: string + x-kubernetes-validations: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. + + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. 
+ This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: + description: |- + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string + required: + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? 
(has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -181,6 +339,11 @@ spec: - KMS type: string type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 30b85b78e96..4d581da7b75 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -216,22 +216,6 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. -func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { - if in == nil { - return nil - } - out := new(AWSKMSConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in 
@@ -3832,10 +3816,10 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { *out = *in - if in.AWS != nil { - in, out := &in.AWS, &out.AWS - *out = new(AWSKMSConfig) - **out = **in + if in.Vault != nil { + in, out := &in.Vault, &out.Vault + *out = new(VaultKMSConfig) + (*in).DeepCopyInto(*out) } return } @@ -6901,6 +6885,45 @@ func (in *VSpherePlatformVCenterSpec) DeepCopy() *VSpherePlatformVCenterSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VaultKMSConfig) DeepCopyInto(out *VaultKMSConfig) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(VaultTLSConfig) + **out = **in + } + out.ApproleSecretRef = in.ApproleSecretRef + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKMSConfig. +func (in *VaultKMSConfig) DeepCopy() *VaultKMSConfig { + if in == nil { + return nil + } + out := new(VaultKMSConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VaultTLSConfig) DeepCopyInto(out *VaultTLSConfig) { + *out = *in + out.CABundle = in.CABundle + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultTLSConfig. +func (in *VaultTLSConfig) DeepCopy() *VaultTLSConfig { + if in == nil { + return nil + } + out := new(VaultTLSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebhookTokenAuthenticator) DeepCopyInto(out *WebhookTokenAuthenticator) { *out = *in 
diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index 4b768c3898d..9cba6a65878 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -7,7 +7,6 @@ apiservers.config.openshift.io: Category: "" FeatureGates: - KMSEncryption - - KMSEncryptionProvider - TLSAdherence FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index a2ef296269b..cd1773f256e 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml 
@@ -158,6 +158,164 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + type: + description: |- + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed + by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. + properties: + approleSecretRef: + description: |- + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. + The image must be specified using a digest reference (not a tag). 
+ + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 + type: string + x-kubernetes-validations: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. + + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. 
+ This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: + description: |- + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string + required: + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? 
(has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -181,6 +339,11 @@ spec: - KMS type: string type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml deleted file mode 100644 index 0a9b213ea67..00000000000 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ /dev/null 
@@ -1,440 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/470 - api.openshift.io/filename-cvo-runlevel: "0000_10" - api.openshift.io/filename-operator: config-operator - api.openshift.io/filename-ordering: "01" - feature-gate.release.openshift.io/KMSEncryptionProvider: "true" - release.openshift.io/bootstrap-required: "true" - name: apiservers.config.openshift.io -spec: - group: config.openshift.io - names: - kind: APIServer - listKind: APIServerList - plural: apiservers - singular: apiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. The canonical name of an instance is 'cluster'. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec holds user settable values for configuration - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - x-kubernetes-list-type: atomic - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request user must - be member of in order to this profile to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). 
- - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced config - map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption of - resources at the datastore layer. - properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. 
- - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. 
The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - - KMS - type: string - type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server DNS name, - as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - maxItems: 64 - type: array - x-kubernetes-list-type: atomic - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - maxItems: 32 - type: array - x-kubernetes-list-type: atomic - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is the Intermediate profile. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - minTLSVersion: VersionTLS11 - ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): - - ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. - items: - type: string - type: array - x-kubernetes-list-type: atomic - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS profile for use when you do not need compatibility with - legacy clients and want to remain highly secure while being compatible with - most clients currently in use. - - This profile is equivalent to a Custom profile specified as: - minTLSVersion: VersionTLS12 - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile for use with clients that support TLS 1.3 and - do not need backward compatibility for older clients. - - This profile is equivalent to a Custom profile specified as: - minTLSVersion: VersionTLS13 - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - nullable: true - type: object - old: - description: |- - old is a TLS profile for use when services need to be accessed by very old - clients or libraries and should be used only as a last resort. 
- - This profile is equivalent to a Custom profile specified as: - minTLSVersion: VersionTLS10 - ciphers: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES128-SHA256 - - ECDHE-RSA-AES128-SHA256 - - ECDHE-ECDSA-AES128-SHA - - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA - - ECDHE-RSA-AES256-SHA - - AES128-GCM-SHA256 - - AES256-GCM-SHA384 - - AES128-SHA256 - - AES128-SHA - - AES256-SHA - - DES-CBC3-SHA - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides the - ability to specify individual TLS security profile parameters. - - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json - - The profiles are intent based, so they may change over time as new ciphers are - developed and existing ciphers are found to be insecure. Depending on - precisely which ciphers are available to a process, the list may be reduced. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - status: - description: status holds observed values from the cluster. They may not - be overridden. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index a30061c252c..75791eaad6b 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2329,24 +2329,39 @@ func (Storage) SwaggerDoc() map[string]string { return map_Storage } -var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", +var map_KMSConfig = map[string]string{ + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMS encryption", + "type": "type defines the kind of platform for the KMS provider. Valid values are: - \"Vault\": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)", + "vault": "vault defines the configuration for the Vault KMS plugin. The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. This field must be set when type is Vault, and must be unset otherwise.", } -func (AWSKMSConfig) SwaggerDoc() map[string]string { - return map_AWSKMSConfig +func (KMSConfig) SwaggerDoc() map[string]string { + return map_KMSConfig } -var map_KMSConfig = map[string]string{ - "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. 
The AWS KMS instance is managed by the user outside the purview of the control plane.", +var map_VaultKMSConfig = map[string]string{ + "": "VaultKMSConfig defines the KMS plugin configuration specific to Vault KMS", + "kmsPluginImage": "kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. The image must be specified using a digest reference (not a tag).\n\nConsult the OpenShift documentation for compatible plugin versions with your cluster version, then obtain the image digest for that version from HashiCorp's container registry.\n\nFor disconnected environments, mirror the plugin image to an accessible registry and reference the mirrored location with its digest.\n\nThe minimum length is 75 characters (e.g., \"r/i@sha256:\" + 64 hex characters). The maximum length is 512 characters to accommodate long registry names and repository paths.", + "vaultAddress": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid URL with scheme (https://) and can be up to 512 characters. Example: https://vault.example.com:8200", + "vaultNamespace": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. The value can be between 1 and 4096 characters. When this field is not set, no namespace is used.", + "tls": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", + "approleSecretRef": "approleSecretRef references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain the following keys:\n - \"roleID\": The AppRole Role ID\n - \"secretID\": The AppRole Secret ID\n\nThe namespace for the secret referenced by approleSecretRef is openshift-config.", + "transitMount": "transitMount specifies the mount path of the Vault Transit engine. 
The value can be between 1 and 1024 characters. When this field is not set, it defaults to \"transit\".", + "transitKey": "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data. The value must be between 1 and 512 characters.", } -func (KMSConfig) SwaggerDoc() map[string]string { - return map_KMSConfig +func (VaultKMSConfig) SwaggerDoc() map[string]string { + return map_VaultKMSConfig +} + +var map_VaultTLSConfig = map[string]string{ + "": "VaultTLSConfig contains TLS configuration for connecting to Vault.", + "caBundle": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", + "serverName": "serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. This is useful when the Vault server's hostname doesn't match its TLS certificate. When this field is not set, the hostname from vaultAddress is used for SNI.", +} + +func (VaultTLSConfig) SwaggerDoc() map[string]string { + return map_VaultTLSConfig } var map_ClusterNetworkEntry = map[string]string{ diff --git a/features.md b/features.md index af1a1aafd5b..61190a07968 100644 --- a/features.md +++ b/features.md 
@@ -12,7 +12,6 @@ | Example2| | | Enabled | Enabled | | | | | | ExternalOIDCExternalClaimsSourcing| | | Enabled | Enabled | | | | | | ExternalSnapshotMetadata| | | Enabled | Enabled | | | | | -| KMSEncryptionProvider| | | Enabled | Enabled | | | | | | MachineAPIMigrationVSphere| | | Enabled | Enabled | | | | | | NetworkConnect| | | Enabled | Enabled | | | | | | NewOLMBoxCutterRuntime| | | | Enabled | | | | Enabled | diff --git a/features/features.go b/features/features.go index 0fcf9b395a2..d33e321f3d7 100644 --- a/features/features.go +++ b/features/features.go @@ -681,14 +681,6 @@ var ( enable(inDevPreviewNoUpgrade(), inTechPreviewNoUpgrade()). mustRegister() - FeatureGateKMSEncryptionProvider = newFeatureGate("KMSEncryptionProvider"). - reportProblemsToJiraComponent("kube-apiserver"). - contactPerson("swghosh"). - productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1682"). - enable(inDevPreviewNoUpgrade()). - mustRegister() - FeatureGateKMSEncryption = newFeatureGate("KMSEncryption"). reportProblemsToJiraComponent("kube-apiserver"). contactPerson("ardaguclu"). diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index de45907e780..2866a753a8d 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -165,7 +165,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.APIServerStatus": schema_openshift_api_config_v1_APIServerStatus(ref), "github.com/openshift/api/config/v1.AWSDNSSpec": schema_openshift_api_config_v1_AWSDNSSpec(ref), "github.com/openshift/api/config/v1.AWSIngressSpec": schema_openshift_api_config_v1_AWSIngressSpec(ref), - "github.com/openshift/api/config/v1.AWSKMSConfig": schema_openshift_api_config_v1_AWSKMSConfig(ref), "github.com/openshift/api/config/v1.AWSPlatformSpec": schema_openshift_api_config_v1_AWSPlatformSpec(ref), "github.com/openshift/api/config/v1.AWSPlatformStatus": schema_openshift_api_config_v1_AWSPlatformStatus(ref), "github.com/openshift/api/config/v1.AWSResourceTag": schema_openshift_api_config_v1_AWSResourceTag(ref), @@ -448,6 +447,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.VSpherePlatformStatus": schema_openshift_api_config_v1_VSpherePlatformStatus(ref), "github.com/openshift/api/config/v1.VSpherePlatformTopology": schema_openshift_api_config_v1_VSpherePlatformTopology(ref), "github.com/openshift/api/config/v1.VSpherePlatformVCenterSpec": schema_openshift_api_config_v1_VSpherePlatformVCenterSpec(ref), + "github.com/openshift/api/config/v1.VaultKMSConfig": schema_openshift_api_config_v1_VaultKMSConfig(ref), + "github.com/openshift/api/config/v1.VaultTLSConfig": schema_openshift_api_config_v1_VaultTLSConfig(ref), "github.com/openshift/api/config/v1.WebhookTokenAuthenticator": schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref), "github.com/openshift/api/config/v1alpha1.AdditionalAlertmanagerConfig": schema_openshift_api_config_v1alpha1_AdditionalAlertmanagerConfig(ref), "github.com/openshift/api/config/v1alpha1.AlertmanagerConfig": schema_openshift_api_config_v1alpha1_AlertmanagerConfig(ref), 
@@ -9212,36 +9213,6 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyARN": { - SchemaProps: spec.SchemaProps{ - Description: "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "region": { - SchemaProps: spec.SchemaProps{ - Description: "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"keyARN", "region"}, - }, - }, - } -} - func schema_openshift_api_config_v1_AWSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -16185,21 +16156,21 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + Description: "KMSConfig defines the configuration for the KMS instance that will be used with KMS encryption", Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + Description: "type defines the kind of platform for the KMS provider. Valid values are: - \"Vault\": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)", Default: "", Type: []string{"string"}, Format: "", }, }, - "aws": { + "vault": { SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", - Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), + Description: "vault defines the configuration for the Vault KMS plugin. The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. This field must be set when type is Vault, and must be unset otherwise.", + Ref: ref("github.com/openshift/api/config/v1.VaultKMSConfig"), }, }, }, @@ -16211,7 +16182,7 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", + "vault": "Vault", }, }, }, 
@@ -16219,7 +16190,7 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AWSKMSConfig"}, + "github.com/openshift/api/config/v1.VaultKMSConfig"}, } } 
@@ -22354,6 +22325,99 @@ func schema_openshift_api_config_v1_VSpherePlatformVCenterSpec(ref common.Refere } } +func schema_openshift_api_config_v1_VaultKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VaultKMSConfig defines the KMS plugin configuration specific to Vault KMS", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kmsPluginImage": { + SchemaProps: spec.SchemaProps{ + Description: "kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. The image must be specified using a digest reference (not a tag).\n\nConsult the OpenShift documentation for compatible plugin versions with your cluster version, then obtain the image digest for that version from HashiCorp's container registry.\n\nFor disconnected environments, mirror the plugin image to an accessible registry and reference the mirrored location with its digest.\n\nThe minimum length is 75 characters (e.g., \"r/i@sha256:\" + 64 hex characters). The maximum length is 512 characters to accommodate long registry names and repository paths.", + Type: []string{"string"}, + Format: "", + }, + }, + "vaultAddress": { + SchemaProps: spec.SchemaProps{ + Description: "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid URL with scheme (https://) and can be up to 512 characters. Example: https://vault.example.com:8200", + Type: []string{"string"}, + Format: "", + }, + }, + "vaultNamespace": { + SchemaProps: spec.SchemaProps{ + Description: "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. The value can be between 1 and 4096 characters. 
When this field is not set, no namespace is used.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", + Ref: ref("github.com/openshift/api/config/v1.VaultTLSConfig"), + }, + }, + "approleSecretRef": { + SchemaProps: spec.SchemaProps{ + Description: "approleSecretRef references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain the following keys:\n - \"roleID\": The AppRole Role ID\n - \"secretID\": The AppRole Secret ID\n\nThe namespace for the secret referenced by approleSecretRef is openshift-config.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.SecretNameReference"), + }, + }, + "transitMount": { + SchemaProps: spec.SchemaProps{ + Description: "transitMount specifies the mount path of the Vault Transit engine. The value can be between 1 and 1024 characters. When this field is not set, it defaults to \"transit\".", + Type: []string{"string"}, + Format: "", + }, + }, + "transitKey": { + SchemaProps: spec.SchemaProps{ + Description: "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data. 
The value must be between 1 and 512 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"kmsPluginImage", "vaultAddress", "approleSecretRef", "transitKey"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.SecretNameReference", "github.com/openshift/api/config/v1.VaultTLSConfig"}, + } +} + +func schema_openshift_api_config_v1_VaultTLSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VaultTLSConfig contains TLS configuration for connecting to Vault.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "caBundle": { + SchemaProps: spec.SchemaProps{ + Description: "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1.ConfigMapNameReference"), + }, + }, + "serverName": { + SchemaProps: spec.SchemaProps{ + Description: "serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. This is useful when the Vault server's hostname doesn't match its TLS certificate. 
When this field is not set, the hostname from vaultAddress is used for SNI.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1.ConfigMapNameReference"}, + } +} + func schema_openshift_api_config_v1_WebhookTokenAuthenticator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 6a6bc8edbc0..a0cf7c6d881 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -15949,6 +15949,10 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.APIServerServingCerts" }, + "tlsAdherence": { + "description": "tlsAdherence controls if components in the cluster adhere to the TLS security profile configured on this APIServer resource.\n\nValid values are \"LegacyAdheringComponentsOnly\" and \"StrictAllComponents\".\n\nWhen set to \"LegacyAdheringComponentsOnly\", components that already honor the cluster-wide TLS profile continue to do so. Components that do not already honor it continue to use their individual TLS configurations.\n\nWhen set to \"StrictAllComponents\", all components must honor the configured TLS profile unless they have a component-specific TLS configuration that overrides it. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.\n\nNote: Some components such as Kubelet and IngressController have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these component-specific TLS configurations are set, they take precedence over the cluster-wide tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.\n\nComponents that encounter an unknown value for tlsAdherence should treat it as \"StrictAllComponents\" and log a warning to ensure forward compatibility while defaulting to the more secure behavior.\n\nThis field is optional. When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. 
The current default is LegacyAdheringComponentsOnly.\n\nOnce set, this field may be changed to a different value, but may not be removed.", + "type": "string" + }, "tlsSecurityProfile": { "description": "tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.\n\nWhen omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is the Intermediate profile.", "$ref": "#/definitions/com.github.openshift.api.config.v1.TLSSecurityProfile" @@ -15989,26 +15993,6 @@ } ] }, - "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", - "type": "object", - "required": [ - "keyARN", - "region" - ], - "properties": { - "keyARN": { - "description": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "type": "string", - "default": "" - }, - "region": { - "description": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.config.v1.AWSPlatformSpec": { "description": "AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", 
@@ -20074,27 +20058,27 @@ "type": "object" }, "com.github.openshift.api.config.v1.KMSConfig": { - "description": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "description": "KMSConfig defines the configuration for the KMS instance that will be used with KMS encryption", "type": "object", "required": [ "type" ], "properties": { - "aws": { - "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" - }, "type": { - "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + "description": "type defines the kind of platform for the KMS provider. Valid values are: - \"Vault\": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled)", "type": "string", "default": "" + }, + "vault": { + "description": "vault defines the configuration for the Vault KMS plugin. The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. This field must be set when type is Vault, and must be unset otherwise.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultKMSConfig" } }, "x-kubernetes-unions": [ { "discriminator": "type", "fields-to-discriminateBy": { - "aws": "AWS" + "vault": "Vault" } } ] 
@@ -23693,6 +23677,62 @@ } } }, + "com.github.openshift.api.config.v1.VaultKMSConfig": { + "description": "VaultKMSConfig defines the KMS plugin configuration specific to Vault KMS", + "type": "object", + "required": [ + "kmsPluginImage", + "vaultAddress", + "approleSecretRef", + "transitKey" + ], + "properties": { + "approleSecretRef": { + "description": "approleSecretRef references a secret in the openshift-config namespace containing the AppRole credentials used to authenticate with Vault. The secret must contain the following keys:\n - \"roleID\": The AppRole Role ID\n - \"secretID\": The AppRole Secret ID\n\nThe namespace for the secret referenced by approleSecretRef is openshift-config.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.SecretNameReference" + }, + "kmsPluginImage": { + "description": "kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. The image must be specified using a digest reference (not a tag).\n\nConsult the OpenShift documentation for compatible plugin versions with your cluster version, then obtain the image digest for that version from HashiCorp's container registry.\n\nFor disconnected environments, mirror the plugin image to an accessible registry and reference the mirrored location with its digest.\n\nThe minimum length is 75 characters (e.g., \"r/i@sha256:\" + 64 hex characters). The maximum length is 512 characters to accommodate long registry names and repository paths.", + "type": "string" + }, + "tls": { + "description": "tls contains the TLS configuration for connecting to the Vault server. When this field is not set, system default TLS settings are used.", + "$ref": "#/definitions/com.github.openshift.api.config.v1.VaultTLSConfig" + }, + "transitKey": { + "description": "transitKey specifies the name of the encryption key in Vault's Transit engine. This key is used to encrypt and decrypt data. 
The value must be between 1 and 512 characters.", + "type": "string" + }, + "transitMount": { + "description": "transitMount specifies the mount path of the Vault Transit engine. The value can be between 1 and 1024 characters. When this field is not set, it defaults to \"transit\".", + "type": "string" + }, + "vaultAddress": { + "description": "vaultAddress specifies the address of the HashiCorp Vault instance. The value must be a valid URL with scheme (https://) and can be up to 512 characters. Example: https://vault.example.com:8200", + "type": "string" + }, + "vaultNamespace": { + "description": "vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. This is only applicable for Vault Enterprise installations. The value can be between 1 and 4096 characters. When this field is not set, no namespace is used.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1.VaultTLSConfig": { + "description": "VaultTLSConfig contains TLS configuration for connecting to Vault.", + "type": "object", + "properties": { + "caBundle": { + "description": "caBundle references a ConfigMap in the openshift-config namespace containing the CA certificate bundle used to verify the TLS connection to the Vault server. The ConfigMap must contain the CA bundle in the key \"ca-bundle.crt\". When this field is not set, the system's trusted CA certificates are used.\n\nThe namespace for the ConfigMap is openshift-config.\n\nExample ConfigMap:\n apiVersion: v1\n kind: ConfigMap\n metadata:\n name: vault-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConfigMapNameReference" + }, + "serverName": { + "description": "serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. 
This is useful when the Vault server's hostname doesn't match its TLS certificate. When this field is not set, the hostname from vaultAddress is used for SNI.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.WebhookTokenAuthenticator": { "description": "webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator", "type": "object", 
@@ -24078,109 +24118,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": { - "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec contains the configuration for the cluster image policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyList": { - "description": "ClusterImagePolicyList is a list of ClusterImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ClusterImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicySpec": { - "description": "CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. 
In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ClusterImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, "com.github.openshift.api.config.v1alpha1.ClusterMonitoring": { "description": "ClusterMonitoring is the Custom Resource object which holds the current status of Cluster Monitoring Operator. CMO is a central component of the monitoring stack.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. ClusterMonitoring is the Schema for the Cluster Monitoring Operators API", "type": "object", 
@@ -24443,198 +24380,6 @@ } } }, - "com.github.openshift.api.config.v1alpha1.ImagePolicy": { - "description": "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec holds user settable values for configuration", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicySpec" - }, - "status": { - "description": "status contains the observed state of the resource.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyStatus" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust": { - "description": "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.", - "type": "object", - "required": [ - "fulcioCAData", - "rekorKeyData", - "fulcioSubject" - ], - "properties": { - "fulcioCAData": { - "description": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "fulcioSubject": { - "description": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyList": { - "description": "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. 
These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicy" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust": { - "description": "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.", - "type": "object", - "required": [ - "caRootsData", - "pkiCertificateSubject" - ], - "properties": { - "caIntermediatesData": { - "description": "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. 
caIntermediatesData requires caRootsData to be set.", - "type": "string", - "format": "byte" - }, - "caRootsData": { - "description": "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.", - "type": "string", - "format": "byte" - }, - "pkiCertificateSubject": { - "description": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateSubject" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust": { - "description": "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.", - "type": "object", - "required": [ - "keyData" - ], - "properties": { - "keyData": { - "description": "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - }, - "rekorKeyData": { - "description": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.", - "type": "string", - "format": "byte" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicySpec": { - "description": "ImagePolicySpec is the specification of the ImagePolicy CRD.", - "type": "object", - "required": [ - "scopes", - "policy" - ], - "properties": { - "policy": { - "description": "policy contains configuration to allow scopes to be verified, and defines how images not matching the verification policy will be treated.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy" - }, - "scopes": { - "description": "scopes defines the list of image identities assigned to a policy. 
Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. 
For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "set" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImagePolicyStatus": { - "type": "object", - "properties": { - "conditions": { - "description": "conditions provide details on the status of this API Resource.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy": { - "description": "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.", - "type": "object", - "required": [ - "rootOfTrust" - ], - "properties": { - "rootOfTrust": { - "description": "rootOfTrust specifies the root of trust for the policy.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust" - }, - "signedIdentity": { - "description": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyIdentity" - } - } - }, "com.github.openshift.api.config.v1alpha1.InsightsDataGather": { "description": "InsightsDataGather provides data gather configuration options for the the Insights Operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. 
These capabilities should not be used by applications needing long term support.", "type": "object", @@ -25049,20 +24794,6 @@ } ] }, - "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { - "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", - "type": "object", - "properties": { - "email": { - "description": "email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate. The email should be a valid email address and at most 320 characters in length.", - "type": "string" - }, - "hostname": { - "description": "hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate. The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length. It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1alpha1.PKIList": { "description": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -25154,138 +24885,19 @@ "description": "persistentVolumeConfig provides configuration options for PersistentVolume storage.", "type": "object", "required": [ - "claim" - ], - "properties": { - "claim": { - "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PersistentVolumeClaimReference" - }, - "mountPath": { - "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", - "type": "string" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject": { - "description": "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.", - "type": "object", - "required": [ - "oidcIssuer", - "signedEmail" - ], - "properties": { - "oidcIssuer": { - "description": "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"", - "type": "string", - "default": "" - }, - "signedEmail": { - "description": "signedEmail holds the email address the the Fulcio certificate is issued for. 
Example: \"expected-signing-user@example.com\"", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyIdentity": { - "description": "PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is \"MatchRepoDigestOrExact\".", - "type": "object", - "required": [ - "matchPolicy" - ], - "properties": { - "exactRepository": { - "description": "exactRepository is required if matchPolicy is set to \"ExactRepository\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository" - }, - "matchPolicy": { - "description": "matchPolicy sets the type of matching to be used. Valid values are \"MatchRepoDigestOrExact\", \"MatchRepository\", \"ExactRepository\", \"RemapIdentity\". When omitted, the default value is \"MatchRepoDigestOrExact\". If set matchPolicy to ExactRepository, then the exactRepository must be specified. If set matchPolicy to RemapIdentity, then the remapIdentity must be specified. \"MatchRepoDigestOrExact\" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity. \"MatchRepository\" means that the identity in the signature must be in the same repository as the image identity. \"ExactRepository\" means that the identity in the signature must be in the same repository as a specific identity specified by \"repository\". \"RemapIdentity\" means that the signature must be in the same as the remapped image identity. 
Remapped image identity is obtained by replacing the \"prefix\" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.", - "type": "string", - "default": "" - }, - "remapIdentity": { - "description": "remapIdentity is required if matchPolicy is set to \"RemapIdentity\".", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "matchPolicy", - "fields-to-discriminateBy": { - "exactRepository": "PolicyMatchExactRepository", - "remapIdentity": "PolicyMatchRemapIdentity" - } - } - ] - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchExactRepository": { - "type": "object", - "required": [ - "repository" - ], - "properties": { - "repository": { - "description": "repository is the reference of the image identity to be matched. The value should be a repository name (by omitting the tag or digest) in a registry implementing the \"Docker Registry HTTP API V2\". For example, docker.io/library/busybox", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyMatchRemapIdentity": { - "type": "object", - "required": [ - "prefix", - "signedPrefix" - ], - "properties": { - "prefix": { - "description": "prefix is the prefix of the image identity to be matched. If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place). This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure. The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. 
For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - }, - "signedPrefix": { - "description": "signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as \"prefix\". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces, or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form. For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust": { - "description": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "type": "object", - "required": [ - "policyType" - ], - "properties": { - "fulcioCAWithRekor": { - "description": "fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key. For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust" - }, - "pki": { - "description": "pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust" - }, - "policyType": { - "description": "policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. 
\"PublicKey\" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification. \"FulcioCAWithRekor\" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. \"PKI\" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", - "type": "string", - "default": "" - }, - "publicKey": { - "description": "publicKey defines the root of trust based on a sigstore public key.", - "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "policyType", - "fields-to-discriminateBy": { - "fulcioCAWithRekor": "FulcioCAWithRekor", - "pki": "PKI", - "publicKey": "PublicKey" - } + "claim" + ], + "properties": { + "claim": { + "description": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PersistentVolumeClaimReference" + }, + "mountPath": { + "description": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", + "type": "string" } - ] + } }, "com.github.openshift.api.config.v1alpha1.PrometheusConfig": { "description": "PrometheusConfig provides configuration options for the Prometheus instance. 
Use this configuration to control Prometheus deployment, pod scheduling, resource allocation, retention policies, and external integrations.", 
@@ -38699,214 +38311,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference": { - "description": "MCOObjectReference holds information about an object the MCO either owns or modifies in some way", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is the name of the object being referenced. For example, this can represent a machine config pool or node name. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode": { - "description": "MachineConfigNode describes the health of the Machines on the system Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard object metadata.", - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of the machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec" - }, - "status": { - "description": "status describes the last observed state of this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeList": { - "description": "MachineConfigNodeList describes all of the MachinesStates on the system\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items contains a collection of MachineConfigNode resources.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNode" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list metadata.", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpec": { - "description": "MachineConfigNodeSpec describes the MachineConfigNode we are managing.", - "type": "object", - "required": [ - "node", - "pool", - "configVersion" - ], - "properties": { - "configVersion": { - "description": "configVersion holds the desired config version for the node targeted by this machine config node resource. The desired version represents the machine config the node will attempt to update to and gets set before the machine config operator validates the new machine config against the current machine config.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion" - }, - "node": { - "description": "node contains a reference to the node for this machine config node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" - }, - "pool": { - "description": "pool contains a reference to the machine config pool that this machine config node's referenced node belongs to.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MCOObjectReference" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeSpecMachineConfigVersion": { - "description": "MachineConfigNodeSpecMachineConfigVersion holds the desired config version for the current observed machine config node. When Current is not equal to Desired, the MachineConfigOperator is in an upgrade phase and the machine config node will take account of upgrade related events. 
Otherwise, they will be ignored given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", - "type": "object", - "required": [ - "desired" - ], - "properties": { - "desired": { - "description": "desired is the name of the machine config that the the node should be upgraded to. This value is set when the machine config pool generates a new version of its rendered configuration. When this value is changed, the machine config daemon starts the node upgrade process. This value gets set in the machine config node spec once the machine config has been targeted for upgrade and before it is validated. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatus": { - "description": "MachineConfigNodeStatus holds the reported information on a particular machine config node.", - "type": "object", - "required": [ - "configVersion" - ], - "properties": { - "conditions": { - "description": "conditions represent the observations of a machine config node's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "configVersion": { - "description": "configVersion describes the current and desired machine config version for this node.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion" - }, - "observedGeneration": { - "description": "observedGeneration represents the generation of the MachineConfigNode object observed by the Machine Config 
Operator's controller. This field is updated when the controller observes a change to the desiredConfig in the configVersion of the machine config node spec.", - "type": "integer", - "format": "int64" - }, - "pinnedImageSets": { - "description": "pinnedImageSets describes the current and desired pinned image sets for this node.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusMachineConfigVersion": { - "description": "MachineConfigNodeStatusMachineConfigVersion holds the current and desired config versions as last updated in the MCN status. When the current and desired versions do not match, the machine config pool is processing an upgrade and the machine config node will monitor the upgrade process. When the current and desired versions do match, the machine config node will ignore these events given that certain operations happen both during the MCO's upgrade mode and the daily operations mode.", - "type": "object", - "required": [ - "desired" - ], - "properties": { - "current": { - "description": "current is the name of the machine config currently in use on the node. This value is updated once the machine config daemon has completed the update of the configuration for the node. This value should match the desired version unless an upgrade is in progress. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - }, - "desired": { - "description": "desired is the MachineConfig the node wants to upgrade to. 
This value gets set in the machine config node status once the machine config has been validated against the current machine config. Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.MachineConfigNodeStatusPinnedImageSet": { - "description": "MachineConfigNodeStatusPinnedImageSet holds information about the current, desired, and failed pinned image sets for the observed machine config node.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "currentGeneration": { - "description": "currentGeneration is the generation of the pinned image set that has most recently been successfully pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "desiredGeneration": { - "description": "desiredGeneration is the generation of the pinned image set that is targeted to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGeneration": { - "description": "lastFailedGeneration is the generation of the most recent pinned image set that failed to be pulled and pinned on this node.", - "type": "integer", - "format": "int32" - }, - "lastFailedGenerationError": { - "description": "lastFailedGenerationError is the error explaining why the desired images failed to be pulled and pinned. The error is an empty string if the image pull and pin is successful.", - "type": "string" - }, - "name": { - "description": "name is the name of the pinned image set. 
Must be a lowercase RFC-1123 subdomain name (https://tools.ietf.org/html/rfc1123) consisting of only lowercase alphanumeric characters, hyphens (-), and periods (.), and must start and end with an alphanumeric character, and be at most 253 characters in length.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStream": { "description": "OSImageStream describes a set of streams and associated images available for the MachineConfigPools to be used as base OS images.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", 
@@ -38995,7 +38399,7 @@ "type": "object", "properties": { "defaultStream": { - "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. 
The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. During initial creation, before the operator has populated status, any valid value is accepted.\n\nWhen omitted, the operator determines the default stream automatically. Once set, this field cannot be removed.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", "type": "string" } } 
@@ -39026,118 +38430,6 @@ } } }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef": { - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "name is an OCI Image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet": { - "description": "PinnedImageSet describes a set of images that should be pinned by CRI-O and pulled to the nodes which are members of the declared MachineConfigPools.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "default": {}, - "$ref": "#/definitions/ObjectMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "spec": { - "description": "spec describes the configuration of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec" - }, - "status": { - "description": "status describes the last observed state of this pinned image set.", - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetList": { - "description": "PinnedImageSetList is a list of PinnedImageSet resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - "type": "object", - "required": [ - "metadata", - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSet" - } - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "metadata": { - "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "default": {}, - "$ref": "#/definitions/ListMeta.v1.meta.apis.pkg.apimachinery.k8s.io" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetSpec": { - "description": "PinnedImageSetSpec defines the desired state of a PinnedImageSet.", - "type": "object", - "required": [ - "pinnedImages" - ], - "properties": { - "pinnedImages": { - "description": "pinnedImages is a list of OCI Image referenced by digest that should be pinned and pre-loaded by the nodes of a MachineConfigPool. Translates into a new file inside the /etc/crio/crio.conf.d directory with content similar to this:\n\n pinned_images = [\n \"quay.io/openshift-release-dev/ocp-release@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:...\",\n ...\n ]\n\nThese image references should all be by digest, tags aren't allowed.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageRef" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.PinnedImageSetStatus": { - "description": "PinnedImageSetStatus describes the current state of a PinnedImageSet.", - "type": "object", - "properties": { - "conditions": { - "description": "conditions represent the observations of a pinned image set's current state.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/Condition.v1.meta.apis.pkg.apimachinery.k8s.io" - }, - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": 
"map" - } - } - }, "com.github.openshift.api.monitoring.v1.AlertRelabelConfig": { "description": "AlertRelabelConfig defines a set of relabel configs for alerts.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", "type": "object", diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index d2ba7fc3253..48778ca0fcc 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -168,59 +168,154 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + type: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. properties: - keyARN: + approleSecretRef: description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. 
+ The image must be specified using a digest reference (not a tag). + + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 type: string x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. 
+ + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. + This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 minLength: 1 type: string x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. 
- rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string required: - - keyARN - - region + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? (has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -245,8 +340,8 @@ spec: type: string type: object x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' servingCerts: 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index cabbd04bb71..bae34f76162 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -168,59 +168,154 @@ spec: managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely. properties: - aws: + type: description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. properties: - keyARN: + approleSecretRef: description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. 
+ The image must be specified using a digest reference (not a tag). + + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 type: string x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. 
+ + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. + This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. - Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 minLength: 1 type: string x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. 
- rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string required: - - keyARN - - region + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS only. - enum: - - AWS - type: string required: - type type: object x-kubernetes-validations: - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? (has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -245,8 +340,8 @@ spec: type: string type: object x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : !has(self.kms)' servingCerts: 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index b21c31dd439..969e1b07463 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -158,6 +158,164 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: + kms: + description: |- + kms defines the configuration for the external KMS instance that manages the encryption keys, + when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an + externally configured KMS instance. + + The Key Management Service (KMS) instance provides symmetric encryption and is responsible for + managing the lifecyle of the encryption keys outside of the control plane. + This allows integration with an external provider to manage the data encryption keys securely. + properties: + type: + description: |- + type defines the kind of platform for the KMS provider. + Valid values are: + - "Vault": HashiCorp Vault KMS (available when KMSEncryption feature gate is enabled) + enum: + - Vault + type: string + vault: + description: |- + vault defines the configuration for the Vault KMS plugin. + The plugin connects to a Vault Enterprise server that is managed + by the user outside the purview of the control plane. + This field must be set when type is Vault, and must be unset otherwise. + properties: + approleSecretRef: + description: |- + approleSecretRef references a secret in the openshift-config namespace containing + the AppRole credentials used to authenticate with Vault. + The secret must contain the following keys: + - "roleID": The AppRole Role ID + - "secretID": The AppRole Secret ID + + The namespace for the secret referenced by approleSecretRef is openshift-config. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + kmsPluginImage: + description: |- + kmsPluginImage specifies the container image for the HashiCorp Vault KMS plugin. + The image must be specified using a digest reference (not a tag). 
+ + Consult the OpenShift documentation for compatible plugin versions with your cluster version, + then obtain the image digest for that version from HashiCorp's container registry. + + For disconnected environments, mirror the plugin image to an accessible registry and + reference the mirrored location with its digest. + + The minimum length is 75 characters (e.g., "r/i@sha256:" + 64 hex characters). + The maximum length is 512 characters to accommodate long registry names and repository paths. + maxLength: 512 + minLength: 75 + type: string + x-kubernetes-validations: + - message: vaultKMSPluginImage must be a valid image reference + with a SHA256 digest (e.g., 'registry.example.com/vault-plugin@sha256:0123...abcd'). + Use '@sha256:<64-character-hex-digest>' instead of + image tags like ':latest' or ':v1.0.0'. + rule: self.matches(r'^([a-zA-Z0-9.-]+)(:[0-9]+)?/[a-zA-Z0-9._/-]+@sha256:[a-f0-9]{64}$') + tls: + description: |- + tls contains the TLS configuration for connecting to the Vault server. + When this field is not set, system default TLS settings are used. + properties: + caBundle: + description: |- + caBundle references a ConfigMap in the openshift-config namespace containing + the CA certificate bundle used to verify the TLS connection to the Vault server. + The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + When this field is not set, the system's trusted CA certificates are used. + + The namespace for the ConfigMap is openshift-config. + + Example ConfigMap: + apiVersion: v1 + kind: ConfigMap + metadata: + name: vault-ca-bundle + namespace: openshift-config + data: + ca-bundle.crt: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + properties: + name: + description: name is the metadata.name of the + referenced config map + type: string + required: + - name + type: object + serverName: + description: |- + serverName specifies the Server Name Indication (SNI) to use when connecting to Vault via TLS. 
+ This is useful when the Vault server's hostname doesn't match its TLS certificate. + When this field is not set, the hostname from vaultAddress is used for SNI. + maxLength: 253 + minLength: 1 + type: string + type: object + transitKey: + description: |- + transitKey specifies the name of the encryption key in Vault's Transit engine. + This key is used to encrypt and decrypt data. + The value must be between 1 and 512 characters. + maxLength: 512 + minLength: 1 + type: string + transitMount: + default: transit + description: |- + transitMount specifies the mount path of the Vault Transit engine. + The value can be between 1 and 1024 characters. + When this field is not set, it defaults to "transit". + maxLength: 1024 + minLength: 1 + type: string + vaultAddress: + description: |- + vaultAddress specifies the address of the HashiCorp Vault instance. + The value must be a valid URL with scheme (https://) and can be up to 512 characters. + Example: https://vault.example.com:8200 + maxLength: 512 + minLength: 1 + type: string + x-kubernetes-validations: + - message: vaultAddress must be a valid URL starting with + 'https://' (e.g., 'https://vault.example.com:8200'). + rule: self.matches('^https://') + vaultNamespace: + description: |- + vaultNamespace specifies the Vault namespace where the Transit secrets engine is mounted. + This is only applicable for Vault Enterprise installations. + The value can be between 1 and 4096 characters. + When this field is not set, no namespace is used. + maxLength: 4096 + minLength: 1 + type: string + required: + - approleSecretRef + - kmsPluginImage + - transitKey + - vaultAddress + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: vault config is required when kms provider type is + Vault, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Vault'' ? 
(has(self.vault) + && self.vault.vaultAddress != "") : !has(self.vault)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -181,6 +339,11 @@ spec: - KMS type: string type: object + x-kubernetes-validations: + - message: kms config is required when encryption type is KMS and + KMSEncryption feature gate is enabled, and forbidden otherwise + rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : + !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml index 8eabfb74bde..f189d271209 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml @@ -185,9 +185,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigration" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml index a18e3ffb8d4..b1f54b88340 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml @@ -258,9 +258,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "KMSv1" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml index 799724633a5..6e5a87c5b9b 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml 
@@ -187,9 +187,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigration" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml index fec1cef6138..3e8aa4f4426 100644 --- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml @@ -43,9 +43,6 @@ { "name": "ExternalSnapshotMetadata" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigrationVSphere" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml index 0a5d2f69de5..d29f805c7ac 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml @@ -185,9 +185,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigration" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml index fb6e46db2d7..8e2aea3b56c 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -234,9 +234,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "KMSv1" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml index 8b60bf06878..c37681ce023 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml 
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml @@ -187,9 +187,6 @@ { "name": "KMSEncryption" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigration" }, diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml index 3c48a8f327e..f214cba1e75 100644 --- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -46,9 +46,6 @@ { "name": "HyperShiftOnlyDynamicResourceAllocation" }, - { - "name": "KMSEncryptionProvider" - }, { "name": "MachineAPIMigrationVSphere" },
