From 3e571abe96fe0f5270b561d13576e1511020830a Mon Sep 17 00:00:00 2001 From: Davide Salerno Date: Wed, 4 Feb 2026 17:47:54 +0100 Subject: [PATCH 1/5] NE-2334: Implement enhancement in OpenShift API to support for TLS curves in TLSProfile Signed-off-by: Davide Salerno --- .../TLSCurvePreferences.yaml | 311 ++ config/v1/types_tlssecurityprofile.go | 78 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 80 +- ...ig-operator_01_apiservers-Default.crd.yaml | 48 +- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 80 +- ...config-operator_01_apiservers-OKD.crd.yaml | 48 +- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 80 +- config/v1/zz_generated.deepcopy.go | 5 + ..._generated.featuregated-crd-manifests.yaml | 1 + .../AAA_ungated.yaml | 48 +- .../KMSEncryption.yaml | 48 +- .../KMSEncryptionProvider.yaml | 48 +- .../TLSCurvePreferences.yaml | 420 ++ .../v1/zz_generated.swagger_doc_generated.go | 13 +- features.md | 1 + features/features.go | 8 + .../TLSCurvePreferences.yaml | 291 ++ ...01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 344 ++ ...-config_01_kubeletconfigs-Default.crd.yaml | 312 ++ ...ubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 344 ++ ...ine-config_01_kubeletconfigs-OKD.crd.yaml} | 49 +- ...beletconfigs-TechPreviewNoUpgrade.crd.yaml | 344 ++ ..._generated.featuregated-crd-manifests.yaml | 3 +- .../AAA_ungated.yaml | 48 +- .../TLSCurvePreferences.yaml | 344 ++ .../generated_openapi/zz_generated.openapi.go | 500 +-- openapi/openapi.json | 26 +- .../TLSCurvePreferences.yaml | 384 ++ ...ngresscontrollers-CustomNoUpgrade.crd.yaml | 3368 +++++++++++++++++ ...ess_00_ingresscontrollers-Default.crd.yaml | 3304 ++++++++++++++++ ...sscontrollers-DevPreviewNoUpgrade.crd.yaml | 3368 +++++++++++++++++ ...ngress_00_ingresscontrollers-OKD.crd.yaml} | 58 +- ...scontrollers-TechPreviewNoUpgrade.crd.yaml | 3368 +++++++++++++++++ ..._generated.featuregated-crd-manifests.yaml | 3 +- .../AAA_ungated.yaml | 57 +- .../TLSCurvePreferences.yaml | 3346 ++++++++++++++++ ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 80 +- ...ig-operator_01_apiservers-Default.crd.yaml | 48 +- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 80 +- ...config-operator_01_apiservers-OKD.crd.yaml | 48 +- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 80 +- ...01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 344 ++ ...-config_01_kubeletconfigs-Default.crd.yaml | 312 ++ ...ubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 344 ++ ...ine-config_01_kubeletconfigs-OKD.crd.yaml} | 49 +- ...beletconfigs-TechPreviewNoUpgrade.crd.yaml | 344 ++ .../featureGate-Hypershift-Default.yaml | 3 + ...reGate-Hypershift-DevPreviewNoUpgrade.yaml | 3 + .../featureGate-Hypershift-OKD.yaml | 3 + ...eGate-Hypershift-TechPreviewNoUpgrade.yaml | 3 + .../featureGate-SelfManagedHA-Default.yaml | 3 + ...ate-SelfManagedHA-DevPreviewNoUpgrade.yaml | 3 + .../featureGate-SelfManagedHA-OKD.yaml | 3 + ...te-SelfManagedHA-TechPreviewNoUpgrade.yaml | 3 + 54 files changed, 22222 insertions(+), 709 deletions(-) create mode 100644 config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml create mode 100644 config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml create mode 100644 machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml rename machineconfiguration/v1/zz_generated.crd-manifests/{0000_80_machine-config_01_kubeletconfigs.crd.yaml => 0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml} (86%) create mode 100644 machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml create mode 100644 machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml create mode 100644 operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml create mode 100644 operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml create mode 100644 operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml create mode 100644 operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml rename operator/v1/zz_generated.crd-manifests/{0000_50_ingress_00_ingresscontrollers.crd.yaml => 0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml} (98%) create mode 100644 operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml create mode 100644 operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml create mode 100644 payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml create mode 100644 payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml create mode 100644 payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml rename payload-manifests/crds/{0000_80_machine-config_01_kubeletconfigs.crd.yaml => 0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml} (86%) create mode 100644 payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml diff --git a/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml b/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..8c64e86f331 --- /dev/null +++ b/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,311 @@ +apiVersion: apiextensions.k8s.io/v1 +name: "APIServer" +crdName: apiservers.config.openshift.io +featureGates: + - TLSCurvePreferences +tests: + onCreate: + - name: Should be able to create with Custom TLS profile and curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + - name: Should be able to create with all supported curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - name: Should fail to create with Custom TLS profile and empty curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" + - name: Should be able to create with Custom TLS profile and curves omitted + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - name: Should be able to create with Custom TLS profile VersionTLS10 and curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should be able to create with Custom TLS profile VersionTLS11 and curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + - name: Should fail to create with more than 5 curves + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - X25519 + expectedError: "spec.tlsSecurityProfile.custom.curves: Too many: 6: must have at most 5 items" + - name: Should fail to create with invalid curve value + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - InvalidCurve + expectedError: "spec.tlsSecurityProfile.custom.curves[0]: Unsupported value: \"InvalidCurve\": supported values: \"X25519\", \"SecP256r1\", \"SecP384r1\", \"SecP521r1\", \"X25519MLKEM768\"" + onUpdate: + - name: Should be able to add curves to existing Custom TLS profile + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + updated: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - name: Should be able to update curves in existing Custom TLS profile + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + updated: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should fail to remove all curves from existing Custom TLS profile + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index 48657b08947..33fab07827c 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -23,6 +23,9 @@ type TLSSecurityProfile struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // + // The curve list includes by default the following curves: + // X25519, SecP256r1, SecP384r1, X25519MLKEM768. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: @@ -56,6 +59,9 @@ type TLSSecurityProfile struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // + // The curve list includes by default the following curves: + // X25519, SecP256r1, SecP384r1, X25519MLKEM768. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -75,7 +81,8 @@ type TLSSecurityProfile struct { // modern is a TLS security profile for use with clients that support TLS 1.3 and // do not need backward compatibility for older clients. - // + // The curve list includes by default the following curves: + // X25519, SecP256r1, SecP384r1, X25519MLKEM768. // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS13 // ciphers: @@ -88,8 +95,11 @@ type TLSSecurityProfile struct { Modern *ModernTLSProfile `json:"modern,omitempty"` // custom is a user-defined TLS security profile. Be extremely careful using a custom - // profile as invalid configurations can be catastrophic. An example custom profile - // looks like this: + // profile as invalid configurations can be catastrophic. + // + // The curve list for this profile is empty by default. + // + // An example custom profile looks like this: // // minTLSVersion: VersionTLS11 // ciphers: @@ -142,6 +152,27 @@ const ( TLSProfileCustomType TLSProfileType = "Custom" ) +// TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. +// There is a one-to-one mapping between these names and the curve IDs defined +// in crypto/tls package based on IANA's "TLS Supported Groups" registry: +// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 +// +// +kubebuilder:validation:Enum=X25519;SecP256r1;SecP384r1;SecP521r1;X25519MLKEM768 +type TLSCurve string + +const ( + // TLSCurveX25519 represents X25519. + TLSCurveX25519 TLSCurve = "X25519" + // TLSCurveSecp256r1 represents P-256 (secp256r1). + TLSCurveSecp256r1 TLSCurve = "SecP256r1" + // TLSCurveSecp384r1 represents P-384 (secp384r1). + TLSCurveSecp384r1 TLSCurve = "SecP384r1" + // TLSCurveSecp521r1 represents P-521 (secp521r1). + TLSCurveSecp521r1 TLSCurve = "SecP521r1" + // TLSCurveX25519MLKEM768 represents X25519MLKEM768. + TLSCurveX25519MLKEM768 TLSCurve = "X25519MLKEM768" +) + // TLSProfileSpec is the desired behavior of a TLSSecurityProfile. type TLSProfileSpec struct { // ciphers is used to specify the cipher algorithms that are negotiated @@ -155,6 +186,26 @@ type TLSProfileSpec struct { // and are always enabled when TLS 1.3 is negotiated. // +listType=atomic Ciphers []string `json:"ciphers"` + // curves is an optional field used to specify the elliptic curves that are used during + // the TLS handshake. Operators may remove entries their operands do + // not support. + // + // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + // subject to change over time and may be different per platform component depending on the underlying TLS + // libraries they use. If specified, the list must contain at least one curve. + // + // For example, to use X25519 and SecP256r1 (yaml): + // + // curves: + // - X25519 + // - SecP256r1 + // + // +optional + // +listType=set + // +kubebuilder:validation:MaxItems=5 + // +kubebuilder:validation:MinItems=1 + // +openshift:enable:FeatureGate=TLSCurvePreferences + Curves []TLSCurve `json:"curves,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS // versions 1.1, 1.2 and 1.3 (yaml): @@ -193,6 +244,9 @@ const ( // Each Ciphers slice is the configuration's "ciphersuites" followed by the // Go-specific "ciphers" from the guidelines JSON. // +// TLSProfiles Old, Intermediate, Modern include by default the following +// curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768 +// // NOTE: The caller needs to make sure to check that these constants are valid // for their binary. Not all entries map to values for all binaries. In the case // of ties, the kube-apiserver wins. Do not fail, just be sure to include only @@ -222,6 +276,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "AES256-SHA", "DES-CBC3-SHA", }, + Curves: []TLSCurve{ + TLSCurveX25519, + TLSCurveSecp256r1, + TLSCurveSecp384r1, + TLSCurveX25519MLKEM768, + }, MinTLSVersion: VersionTLS10, }, TLSProfileIntermediateType: { @@ -236,6 +296,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", }, + Curves: []TLSCurve{ + TLSCurveX25519, + TLSCurveSecp256r1, + TLSCurveSecp384r1, + TLSCurveX25519MLKEM768, + }, MinTLSVersion: VersionTLS12, }, TLSProfileModernType: { @@ -244,6 +310,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", }, + Curves: []TLSCurve{ + TLSCurveX25519, + TLSCurveSecp256r1, + TLSCurveSecp384r1, + TLSCurveX25519MLKEM768, + }, MinTLSVersion: VersionTLS13, }, } diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 2e45da09e5b..c83a804a169 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -302,8 +302,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -316,18 +319,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -348,6 +380,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,13 +398,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -380,6 +421,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -392,15 +439,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -411,10 +466,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 272d49db0e3..32e3cf9b8bd 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -233,8 +233,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -247,14 +250,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -279,6 +279,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,13 +297,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -311,6 +320,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -323,15 +338,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -342,10 +365,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 23c43814428..a7636b01d0d 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -302,8 +302,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -316,18 +319,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -348,6 +380,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,13 +398,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -380,6 +421,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -392,15 +439,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -411,10 +466,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3c81a12e872..a5677d9b594 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -233,8 +233,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -247,14 +250,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -279,6 +279,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,13 +297,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -311,6 +320,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -323,15 +338,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -342,10 +365,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 1d75d68e5a6..114c97cbd75 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -234,8 +234,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -248,18 +251,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -280,6 +312,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,13 +330,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -312,6 +353,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -324,15 +371,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -343,10 +398,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 30b85b78e96..5a673a3df3a 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -6245,6 +6245,11 @@ func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Curves != nil { + in, out := &in.Curves, &out.Curves + *out = make([]TLSCurve, len(*in)) + copy(*out, *in) + } return } diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml index eb7c485e03f..bac1ac4c831 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -8,6 +8,7 @@ apiservers.config.openshift.io: FeatureGates: - KMSEncryption - KMSEncryptionProvider + - TLSCurvePreferences FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index cf5221c2f45..14dccbabaf1 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -233,8 +233,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -247,14 +250,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -279,6 +279,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,13 +297,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -311,6 +320,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -323,15 +338,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -342,10 +365,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index a2ef296269b..e879458c8ce 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -234,8 +234,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -248,14 +251,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -280,6 +280,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,13 +298,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -312,6 +321,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -324,15 +339,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -343,10 +366,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 0a9b213ea67..ddd39480293 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -302,8 +302,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -316,14 +319,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -348,6 +348,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,13 +366,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -380,6 +389,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -392,15 +407,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -411,10 +434,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..5ca0e619e3d --- /dev/null +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,420 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/470 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/TLSCurvePreferences: "true" + release.openshift.io/bootstrap-required: "true" + name: apiservers.config.openshift.io +spec: + group: config.openshift.io + names: + kind: APIServer + listKind: APIServerList + plural: apiservers + singular: apiserver + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + APIServer holds configuration (like serving certificates, client CA and CORS domains) + shared by all API servers in the system, among them especially kube-apiserver + and openshift-apiserver. The canonical name of an instance is 'cluster'. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + additionalCORSAllowedOrigins: + description: |- + additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the + API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth + server from JavaScript applications. + The values are regular expressions that correspond to the Golang regular expression language. + items: + type: string + type: array + x-kubernetes-list-type: atomic + audit: + default: + profile: Default + description: |- + audit specifies the settings for audit configuration to be applied to all OpenShift-provided + API servers in the cluster. + properties: + customRules: + description: |- + customRules specify profiles per group. These profile take precedence over the + top-level profile field if they apply. They are evaluation from top to bottom and + the first one that matches, applies. + items: + description: |- + AuditCustomRule describes a custom rule for an audit profile that takes precedence over + the top-level profile. + properties: + group: + description: group is a name of group a request user must + be member of in order to this profile to apply. + minLength: 1 + type: string + profile: + description: |- + profile specifies the name of the desired audit policy configuration to be deployed to + all OpenShift-provided API servers in the cluster. + + The following profiles are provided: + - Default: the existing default policy. + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + required: + - group + - profile + type: object + type: array + x-kubernetes-list-map-keys: + - group + x-kubernetes-list-type: map + profile: + default: Default + description: |- + profile specifies the name of the desired top-level audit profile to be applied to all requests + sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, + openshift-apiserver and oauth-apiserver), with the exception of those requests that match + one or more of the customRules. + + The following profiles are provided: + - Default: default policy which means MetaData level logging with the exception of events + (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody + level). + - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for + write requests (create, update, patch). + - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response + HTTP payloads for read requests (get, list). + - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. + + Warning: It is not recommended to disable audit logging by using the `None` profile unless you + are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. + If you disable audit logging and a support situation arises, you might need to enable audit logging + and reproduce the issue in order to troubleshoot properly. + + If unset, the 'Default' profile is used as the default. + enum: + - Default + - WriteRequestBodies + - AllRequestBodies + - None + type: string + type: object + clientCA: + description: |- + clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for + incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. + You usually only have to set this if you have your own PKI you wish to honor client certificates from. + The ConfigMap must exist in the openshift-config namespace and contain the following required fields: + - ConfigMap.Data["ca-bundle.crt"] - CA bundle. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + encryption: + description: encryption allows the configuration of encryption of + resources at the datastore layer. + properties: + type: + description: |- + type defines what encryption type should be used to encrypt resources at the datastore layer. + When this field is unset (i.e. when it is set to the empty string), identity is implied. + The behavior of unset can and will change over time. Even if encryption is enabled by default, + the meaning of unset may change to a different encryption type based on changes in best practices. + + When encryption is enabled, all sensitive resources shipped with the platform are encrypted. + This list of sensitive resources can and will change over time. The current authoritative list is: + + 1. secrets + 2. configmaps + 3. routes.route.openshift.io + 4. oauthaccesstokens.oauth.openshift.io + 5. oauthauthorizetokens.oauth.openshift.io + type: string + type: object + servingCerts: + description: |- + servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates + will be used for serving secure traffic. + properties: + namedCertificates: + description: |- + namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. + If no named certificates are provided, or no named certificates match the server name as understood by a client, + the defaultServingCertificate will be used. + items: + description: APIServerNamedServingCert maps a server DNS name, + as understood by a client, to a certificate. + properties: + names: + description: |- + names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to + serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. + Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + servingCertificate: + description: |- + servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. + The secret must exist in the openshift-config namespace and contain the following required fields: + - Secret.Data["tls.key"] - TLS private key. + - Secret.Data["tls.crt"] - TLS certificate. + properties: + name: + description: name is the metadata.name of the referenced + secret + type: string + required: + - name + type: object + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + type: object + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. + + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is the Intermediate profile. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status holds observed values from the cluster. They may not + be overridden. + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 69fb37c5233..f562bd890c5 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -3004,7 +3004,8 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", - "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "curves": "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } @@ -3014,11 +3015,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", - "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe curve list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/features.md b/features.md index d2a18f5da0e..35f8400ecd1 100644 --- a/features.md +++ b/features.md @@ -76,6 +76,7 @@ | OnPremDNSRecords| | | Enabled | Enabled | | | Enabled | Enabled | | SELinuxMount| | | Enabled | Enabled | | | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | | | Enabled | Enabled | +| TLSCurvePreferences| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | | | Enabled | Enabled | | VSphereMixedNodeEnv| | | Enabled | Enabled | | | Enabled | Enabled | diff --git a/features/features.go b/features/features.go index 36a479071a1..6811155df72 100644 --- a/features/features.go +++ b/features/features.go @@ -938,5 +938,13 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1933"). enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() + + FeatureGateTLSCurvePreferences = newFeatureGate("TLSCurvePreferences"). + reportProblemsToJiraComponent("Networking"). + contactPerson("davidesalerno"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1894"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() ) diff --git a/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml b/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..91c35ef490e --- /dev/null +++ b/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,291 @@ +apiVersion: apiextensions.k8s.io/v1 +name: "KubeletConfig" +crdName: kubeletconfigs.machineconfiguration.openshift.io +featureGates: + - TLSCurvePreferences +tests: + onCreate: + - name: Should be able to create with Custom TLS profile and curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + - name: Should be able to create with all supported curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - name: Should fail to create with Custom TLS profile and empty curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" + - name: Should be able to create with Custom TLS profile and curves omitted + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - name: Should be able to create with Custom TLS profile VersionTLS10 and curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should be able to create with Custom TLS profile VersionTLS11 and curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + - name: Should fail to create with more than 5 curves + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - X25519 + expectedError: "spec.tlsSecurityProfile.custom.curves: Too many: 6: must have at most 5 items" + - name: Should fail to create with invalid curve value + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - InvalidCurve + expectedError: "spec.tlsSecurityProfile.custom.curves[0]: Unsupported value: \"InvalidCurve\": supported values: \"X25519\", \"SecP256r1\", \"SecP384r1\", \"SecP521r1\", \"X25519MLKEM768\"" + onUpdate: + - name: Should be able to add curves to existing Custom TLS profile + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - name: Should be able to update curves in existing Custom TLS profile + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should fail to remove all curves from existing Custom TLS profile + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..70203c6c034 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml new file mode 100644 index 00000000000..4f4862bef74 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -0,0 +1,312 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..309a946b023 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml similarity index 86% rename from machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml rename to machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 62bfe308b12..343e12221ab 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD labels: openshift.io/operator-managed: "" name: kubeletconfigs.machineconfiguration.openshift.io @@ -116,8 +117,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -130,14 +134,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -162,6 +163,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -174,13 +181,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -194,6 +204,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -206,15 +222,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -225,10 +249,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..faf7987cd1d --- /dev/null +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index 1d96519e7e5..1d51b0c68f8 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -62,7 +62,8 @@ kubeletconfigs.machineconfiguration.openshift.io: CRDName: kubeletconfigs.machineconfiguration.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - TLSCurvePreferences FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index c73f8f7211a..3ddec7bed38 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -117,8 +117,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -131,14 +134,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -163,6 +163,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -175,13 +181,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -195,6 +204,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -207,15 +222,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -226,10 +249,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..b349b320971 --- /dev/null +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/filename-cvo-runlevel: "0000_80" + api.openshift.io/filename-operator: machine-config + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/TLSCurvePreferences: "true" + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 4d962e76155..5e071a26be9 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -821,10 +821,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.DataDisk": schema_openshift_api_machine_v1beta1_DataDisk(ref), "github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters": schema_openshift_api_machine_v1beta1_DataDiskManagedDiskParameters(ref), "github.com/openshift/api/machine/v1beta1.DedicatedHost": schema_openshift_api_machine_v1beta1_DedicatedHost(ref), - "github.com/openshift/api/machine/v1beta1.DedicatedHostStatus": schema_openshift_api_machine_v1beta1_DedicatedHostStatus(ref), "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters": schema_openshift_api_machine_v1beta1_DiskEncryptionSetParameters(ref), "github.com/openshift/api/machine/v1beta1.DiskSettings": schema_openshift_api_machine_v1beta1_DiskSettings(ref), - "github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec": schema_openshift_api_machine_v1beta1_DynamicHostAllocationSpec(ref), "github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec": schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref), "github.com/openshift/api/machine/v1beta1.Filter": schema_openshift_api_machine_v1beta1_Filter(ref), "github.com/openshift/api/machine/v1beta1.GCPDisk": schema_openshift_api_machine_v1beta1_GCPDisk(ref), @@ -1208,13 +1206,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.UpstreamResolvers": schema_openshift_api_operator_v1_UpstreamResolvers(ref), "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec": schema_openshift_api_operator_v1_VSphereCSIDriverConfigSpec(ref), "github.com/openshift/api/operator/v1alpha1.BackupJobReference": schema_openshift_api_operator_v1alpha1_BackupJobReference(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPI": schema_openshift_api_operator_v1alpha1_ClusterAPI(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponent(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponentImage(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerRevision(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPIList": schema_openshift_api_operator_v1alpha1_ClusterAPIList(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPISpec": schema_openshift_api_operator_v1alpha1_ClusterAPISpec(ref), - "github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus": schema_openshift_api_operator_v1alpha1_ClusterAPIStatus(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperator": schema_openshift_api_operator_v1alpha1_ClusterVersionOperator(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperatorList": schema_openshift_api_operator_v1alpha1_ClusterVersionOperatorList(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperatorSpec": schema_openshift_api_operator_v1alpha1_ClusterVersionOperatorSpec(ref), @@ -12438,7 +12429,27 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "curves": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20892,7 +20903,27 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "curves": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20929,7 +20960,7 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", Default: "", Type: []string{"string"}, Format: "", @@ -20937,25 +20968,25 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, "modern": { SchemaProps: spec.SchemaProps{ - Description: "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + Description: "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", Ref: ref("github.com/openshift/api/config/v1.ModernTLSProfile"), }, }, "custom": { SchemaProps: spec.SchemaProps{ - Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe curve list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", Ref: ref("github.com/openshift/api/config/v1.CustomTLSProfile"), }, }, @@ -41131,17 +41162,11 @@ func schema_openshift_api_machine_v1beta1_AWSMachineProviderStatus(ref common.Re }, }, }, - "dedicatedHost": { - SchemaProps: spec.SchemaProps{ - Description: "dedicatedHost tracks the dynamically allocated dedicated host. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). When omitted, this indicates that the dedicated host has not yet been allocated, or allocation is in progress.", - Ref: ref("github.com/openshift/api/machine/v1beta1.DedicatedHostStatus"), - }, - }, }, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DedicatedHostStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } @@ -41878,60 +41903,10 @@ func schema_openshift_api_machine_v1beta1_DedicatedHost(ref common.ReferenceCall SchemaProps: spec.SchemaProps{ Description: "DedicatedHost represents the configuration for the usage of dedicated host.", Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "allocationStrategy": { - SchemaProps: spec.SchemaProps{ - Description: "allocationStrategy specifies if the dedicated host will be provided by the admin through the id field or if the host will be dynamically allocated. Valid values are UserProvided and Dynamic. When omitted, the value defaults to \"UserProvided\", which requires the id field to be set. When allocationStrategy is set to UserProvided, an ID of the dedicated host to assign must be provided. When allocationStrategy is set to Dynamic, a dedicated host will be allocated and used to assign instances. When allocationStrategy is set to Dynamic, and dynamicHostAllocation is configured, a dedicated host will be allocated and the tags in dynamicHostAllocation will be assigned to that host.\n\nPossible enum values:\n - `\"Dynamic\"` specifies that the system should dynamically allocate a dedicated host for instances.\n - `\"UserProvided\"` specifies that the system should assign instances to a user-provided dedicated host.", - Default: "UserProvided", - Type: []string{"string"}, - Format: "", - Enum: []interface{}{"Dynamic", "UserProvided"}, - }, - }, - "id": { - SchemaProps: spec.SchemaProps{ - Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length. This field is required when allocationStrategy is UserProvided, and forbidden otherwise. When omitted with allocationStrategy set to Dynamic, the platform will dynamically allocate a dedicated host.", - Type: []string{"string"}, - Format: "", - }, - }, - "dynamicHostAllocation": { - SchemaProps: spec.SchemaProps{ - Description: "dynamicHostAllocation specifies tags to apply to a dynamically allocated dedicated host. This field is only allowed when allocationStrategy is Dynamic, and is mutually exclusive with id. When specified, a dedicated host will be allocated with the provided tags applied. When omitted (and allocationStrategy is Dynamic), a dedicated host will be allocated without any additional tags.", - Ref: ref("github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec"), - }, - }, - }, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "allocationStrategy", - "fields-to-discriminateBy": map[string]interface{}{ - "dynamicHostAllocation": "DynamicHostAllocation", - "id": "ID", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec"}, - } -} - -func schema_openshift_api_machine_v1beta1_DedicatedHostStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DedicatedHostStatus defines the observed state of a dynamically allocated dedicated host associated with an AWSMachine. This struct is used to track the ID of the dedicated host.", - Type: []string{"object"}, Properties: map[string]spec.Schema{ "id": { SchemaProps: spec.SchemaProps{ - Description: "id tracks the dynamically allocated dedicated host ID. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", + Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", Type: []string{"string"}, Format: "", }, @@ -41983,43 +41958,6 @@ func schema_openshift_api_machine_v1beta1_DiskSettings(ref common.ReferenceCallb } } -func schema_openshift_api_machine_v1beta1_DynamicHostAllocationSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "DynamicHostAllocationSpec defines the configuration for dynamic dedicated host allocation. This specification always allocates exactly one dedicated host per machine. At least one property must be specified when this struct is used. Currently only Tags are available for configuring, but in the future more configs may become available.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "tags": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-map-keys": []interface{}{ - "name", - }, - "x-kubernetes-list-type": "map", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "tags specifies a set of key-value pairs to apply to the allocated dedicated host. When omitted, no additional user-defined tags will be applied to the allocated host. A maximum of 50 tags can be specified.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/machine/v1beta1.TagSpecification"), - }, - }, - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.TagSpecification"}, - } -} - func schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -44378,7 +44316,7 @@ func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceC Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name of the tag. This field is required and must be a non-empty string. Must be between 1 and 128 characters in length.", + Description: "name of the tag", Default: "", Type: []string{"string"}, Format: "", @@ -44386,14 +44324,14 @@ func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceC }, "value": { SchemaProps: spec.SchemaProps{ - Description: "value of the tag. When omitted, this creates a tag with an empty string as the value.", + Description: "value of the tag", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name"}, + Required: []string{"name", "value"}, }, }, } @@ -61699,340 +61637,6 @@ func schema_openshift_api_operator_v1alpha1_BackupJobReference(ref common.Refere } } -func schema_openshift_api_operator_v1alpha1_ClusterAPI(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPI provides configuration for the capi-operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), - }, - }, - "spec": { - SchemaProps: spec.SchemaProps{ - Description: "spec is the specification of the desired behavior of the capi-operator.", - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPISpec"), - }, - }, - "status": { - SchemaProps: spec.SchemaProps{ - Description: "status defines the observed status of the capi-operator.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus"), - }, - }, - }, - Required: []string{"metadata", "spec"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/operator/v1alpha1.ClusterAPISpec", "github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponent(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPIInstallerComponent defines a component which will be installed by this revision.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type is the source type of the component. The only valid value is Image. When set to Image, the image field must be set and will define an image source for the component.\n\nPossible enum values:\n - `\"Image\"` is an image source for a component.", - Type: []string{"string"}, - Format: "", - Enum: []interface{}{"Image"}, - }, - }, - "image": { - SchemaProps: spec.SchemaProps{ - Description: "image defines an image source for a component. The image must contain a /capi-operator-installer directory containing the component manifests.", - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage"), - }, - }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "image": "Image", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage"}, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponentImage(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPIInstallerComponentImage defines an image source for a component.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "ref": { - SchemaProps: spec.SchemaProps{ - Description: "ref is an image reference to the image containing the component manifests. The reference must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:. The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the field must be between 1 to 447 characters.", - Type: []string{"string"}, - Format: "", - }, - }, - "profile": { - SchemaProps: spec.SchemaProps{ - Description: "profile is the name of a profile to use from the image.\n\nA profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"ref", "profile"}, - }, - }, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerRevision(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name is the name of a revision.", - Type: []string{"string"}, - Format: "", - }, - }, - "revision": { - SchemaProps: spec.SchemaProps{ - Description: "revision is a monotonically increasing number that is assigned to a revision.", - Type: []string{"integer"}, - Format: "int64", - }, - }, - "contentID": { - SchemaProps: spec.SchemaProps{ - Description: "contentID uniquely identifies the content of this revision. The contentID must be between 1 and 255 characters long.", - Type: []string{"string"}, - Format: "", - }, - }, - "unmanagedCustomResourceDefinitions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "unmanagedCustomResourceDefinitions is a list of the names of ClusterResourceDefinition (CRD) objects which are included in this revision, but which should not be installed or updated. If not set, all CRDs in the revision will be managed by the CAPI operator.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "components": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "components is list of components which will be installed by this revision. Components will be installed in the order they are listed.\n\nThe maximum number of components is 32.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent"), - }, - }, - }, - }, - }, - }, - Required: []string{"name", "revision", "contentID", "components"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-map-type": "atomic", - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent"}, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPIList(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPIList contains a list of ClusterAPI configurations\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "kind": { - SchemaProps: spec.SchemaProps{ - Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - Type: []string{"string"}, - Format: "", - }, - }, - "apiVersion": { - SchemaProps: spec.SchemaProps{ - Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - Type: []string{"string"}, - Format: "", - }, - }, - "metadata": { - SchemaProps: spec.SchemaProps{ - Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - Default: map[string]interface{}{}, - Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), - }, - }, - "items": { - SchemaProps: spec.SchemaProps{ - Description: "items contains the items", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPI"), - }, - }, - }, - }, - }, - }, - Required: []string{"metadata", "items"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/operator/v1alpha1.ClusterAPI", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPISpec(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPISpec defines the desired configuration of the capi-operator. The spec is required but we deliberately allow it to be empty.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "unmanagedCustomResourceDefinitions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "set", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. CRD names must contain at least two '.' characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - }, - }, - }, - } -} - -func schema_openshift_api_operator_v1alpha1_ClusterAPIStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ClusterAPIStatus describes the current state of the capi-operator.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "currentRevision": { - SchemaProps: spec.SchemaProps{ - Description: "currentRevision is the name of the most recently fully applied revision. It is written by the installer controller. If it is absent, it indicates that no revision has been fully applied yet. If set, currentRevision must correspond to an entry in the revisions list.", - Type: []string{"string"}, - Format: "", - }, - }, - "desiredRevision": { - SchemaProps: spec.SchemaProps{ - Description: "desiredRevision is the name of the desired revision. It is written by the revision controller. It must be set to the name of the entry in the revisions list with the highest revision number.", - Type: []string{"string"}, - Format: "", - }, - }, - "revisions": { - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-list-type": "atomic", - }, - }, - SchemaProps: spec.SchemaProps{ - Description: "revisions is a list of all currently active revisions. A revision is active until the installer controller updates currentRevision to a later revision. It is written by the revision controller.\n\nThe maximum number of revisions is 16. All revisions must have a unique name. All revisions must have a unique revision number. When adding a revision, the revision number must be greater than the highest revision number in the list. Revisions are immutable, although they can be deleted.", - Type: []string{"array"}, - Items: &spec.SchemaOrArray{ - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: map[string]interface{}{}, - Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision"), - }, - }, - }, - }, - }, - }, - Required: []string{"desiredRevision", "revisions"}, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision"}, - } -} - func schema_openshift_api_operator_v1alpha1_ClusterVersionOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 8b6daefd49a..f94bd24e8ad 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -6347,6 +6347,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "curves": { + "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use.\n\nFor example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", @@ -11319,6 +11328,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "curves": { + "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use.\n\nFor example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", @@ -11331,19 +11349,19 @@ "type": "object", "properties": { "custom": { - "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe curve list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { - "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..52918acc95d --- /dev/null +++ b/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,384 @@ +apiVersion: apiextensions.k8s.io/v1 +name: "IngressController" +crdName: ingresscontrollers.operator.openshift.io +featureGates: + - TLSCurvePreferences +tests: + onCreate: + - name: Should be able to create with Custom TLS profile and curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + curves: + - X25519 + - SecP256r1 + - name: Should be able to create with all supported curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - name: Should fail to create with Custom TLS profile and empty curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" + - name: Should be able to create with Custom TLS profile and curves omitted + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - name: Should be able to create with Custom TLS profile VersionTLS10 and curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should be able to create with Custom TLS profile VersionTLS11 and curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS11 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP384r1 + - name: Should fail to create with more than 5 curves + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + - X25519 + expectedError: "spec.tlsSecurityProfile.custom.curves: Too many: 6: must have at most 5 items" + - name: Should fail to create with invalid curve value + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - InvalidCurve + expectedError: "spec.tlsSecurityProfile.custom.curves[0]: Unsupported value: \"InvalidCurve\": supported values: \"X25519\", \"SecP256r1\", \"SecP384r1\", \"SecP521r1\", \"X25519MLKEM768\"" + onUpdate: + - name: Should be able to add curves to existing Custom TLS profile + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + updated: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + - name: Should be able to update curves in existing Custom TLS profile + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + updated: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - SecP256r1 + - SecP384r1 + - name: Should fail to remove all curves from existing Custom TLS profile + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: [] + expectedError: "spec.tlsSecurityProfile.custom.curves in body should have at least 1 items" diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..8eadb4ca4c8 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -0,0 +1,3368 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml new file mode 100644 index 00000000000..88cff97976a --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -0,0 +1,3304 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..8fab4f058aa --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,3368 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml similarity index 98% rename from operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml rename to operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index fd7ecdeba24..6267311c953 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml @@ -7,6 +7,7 @@ metadata: capability.openshift.io/name: Ingress include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD name: ingresscontrollers.operator.openshift.io spec: group: operator.openshift.io @@ -1991,8 +1992,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -2005,14 +2009,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -2037,6 +2038,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2049,13 +2056,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -2069,6 +2079,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2081,15 +2097,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2100,10 +2124,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3241,14 +3264,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..2efe9d649b5 --- /dev/null +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,3368 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/merged-by-featuregates: "true" + capability.openshift.io/name: Ingress + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + oneOf: + - properties: + address: + format: ipv4 + - properties: + address: + format: ipv6 + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + anyOf: + - properties: + maxConnections: + enum: + - -1 + - 0 + - properties: + maxConnections: + format: int32 + maximum: 2000000 + minimum: 2000 + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.availableReplicas + status: {} diff --git a/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/operator/v1/zz_generated.featuregated-crd-manifests.yaml index 51a758804d6..c71164a5726 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -175,7 +175,8 @@ ingresscontrollers.operator.openshift.io: CRDName: ingresscontrollers.operator.openshift.io Capability: Ingress Category: "" - FeatureGates: [] + FeatureGates: + - TLSCurvePreferences FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 92527d9a474..57aef85d317 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -1985,8 +1985,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -1999,14 +2002,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -2031,6 +2031,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -2043,13 +2049,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -2063,6 +2072,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -2075,15 +2090,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2094,10 +2117,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3224,14 +3246,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml new file mode 100644 index 00000000000..4bfbf596c2d --- /dev/null +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml @@ -0,0 +1,3346 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/616 + api.openshift.io/filename-cvo-runlevel: "0000_50" + api.openshift.io/filename-operator: ingress + api.openshift.io/filename-ordering: "00" + capability.openshift.io/name: Ingress + feature-gate.release.openshift.io/TLSCurvePreferences: "true" + name: ingresscontrollers.operator.openshift.io +spec: + group: operator.openshift.io + names: + kind: IngressController + listKind: IngressControllerList + plural: ingresscontrollers + singular: ingresscontroller + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + IngressController describes a managed ingress controller for the cluster. The + controller can service OpenShift Route and Kubernetes Ingress resources. + + When an IngressController is created, a new ingress controller deployment is + created to allow external traffic to reach the services that expose Ingress + or Route resources. Updating this resource may lead to disruption for public + facing network connections as a new ingress controller revision may be rolled + out. + + https://kubernetes.io/docs/concepts/services-networking/ingress-controllers + + Whenever possible, sensible defaults for the platform are used. See each + field for more details. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec is the specification of the desired behavior of the + IngressController. + properties: + clientTLS: + description: |- + clientTLS specifies settings for requesting and verifying client + certificates, which can be used to enable mutual TLS for + edge-terminated and reencrypt routes. + properties: + allowedSubjectPatterns: + description: |- + allowedSubjectPatterns specifies a list of regular expressions that + should be matched against the distinguished name on a valid client + certificate to filter requests. The regular expressions must use + PCRE syntax. If this list is empty, no filtering is performed. If + the list is nonempty, then at least one pattern must match a client + certificate's distinguished name or else the ingress controller + rejects the certificate and denies the connection. + items: + type: string + type: array + x-kubernetes-list-type: atomic + clientCA: + description: |- + clientCA specifies a configmap containing the PEM-encoded CA + certificate bundle that should be used to verify a client's + certificate. The administrator must create this configmap in the + openshift-config namespace. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + clientCertificatePolicy: + description: |- + clientCertificatePolicy specifies whether the ingress controller + requires clients to provide certificates. This field accepts the + values "Required" or "Optional". + + Note that the ingress controller only checks client certificates for + edge-terminated and reencrypt TLS routes; it cannot check + certificates for cleartext HTTP or passthrough TLS routes. + enum: + - "" + - Required + - Optional + type: string + required: + - clientCA + - clientCertificatePolicy + type: object + closedClientConnectionPolicy: + default: Continue + description: |- + closedClientConnectionPolicy controls how the IngressController + behaves when the client closes the TCP connection while the TLS + handshake or HTTP request is in progress. This option maps directly + to HAProxy’s "abortonclose" option. + + Valid values are: "Abort" and "Continue". + The default value is "Continue". + + When set to "Abort", the router will stop processing the TLS handshake + if it is in progress, and it will not send an HTTP request to the backend server + if the request has not yet been sent when the client closes the connection. + + When set to "Continue", the router will complete the TLS handshake + if it is in progress, or send an HTTP request to the backend server + and wait for the backend server's response, regardless of + whether the client has closed the connection. + + Setting "Abort" can help free CPU resources otherwise spent on TLS computation + for connections the client has already closed, and can reduce request queue + size, thereby reducing the load on saturated backend servers. + + Important Considerations: + + - The default policy ("Continue") is HTTP-compliant, and requests + for aborted client connections will still be served. + Use the "Continue" policy to allow a client to send a request + and then immediately close its side of the connection while + still receiving a response on the half-closed connection. + + - When clients use keep-alive connections, the most common case for premature + closure is when the user wants to cancel the transfer or when a timeout + occurs. In that case, the "Abort" policy may be used to reduce resource consumption. + + - Using RSA keys larger than 2048 bits can significantly slow down + TLS computations. Consider using the "Abort" policy to reduce CPU usage. + enum: + - Abort + - Continue + type: string + defaultCertificate: + description: |- + defaultCertificate is a reference to a secret containing the default + certificate served by the ingress controller. When Routes don't specify + their own certificate, defaultCertificate is used. + + The secret must contain the following keys and data: + + tls.crt: certificate file contents + tls.key: key file contents + + If unset, a wildcard certificate is automatically generated and used. The + certificate is valid for the ingress controller domain (and subdomains) and + the generated certificate's CA will be automatically integrated with the + cluster's trust store. + + If a wildcard certificate is used and shared by multiple + HTTP/2 enabled routes (which implies ALPN) then clients + (i.e., notably browsers) are at liberty to reuse open + connections. This means a client can reuse a connection to + another route and that is likely to fail. This behaviour is + generally known as connection coalescing. + + The in-use certificate (whether generated or user-specified) will be + automatically integrated with OpenShift's built-in OAuth server. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + domain: + description: |- + domain is a DNS name serviced by the ingress controller and is used to + configure multiple features: + + * For the LoadBalancerService endpoint publishing strategy, domain is + used to configure DNS records. See endpointPublishingStrategy. + + * When using a generated default certificate, the certificate will be valid + for domain and its subdomains. See defaultCertificate. + + * The value is published to individual Route statuses so that end-users + know where to target external DNS records. + + domain must be unique among all IngressControllers, and cannot be + updated. + + If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. + + The domain value must be a valid DNS name. It must consist of lowercase + alphanumeric characters, '-' or '.', and each label must start and end + with an alphanumeric character and not exceed 63 characters. Maximum + length of a valid DNS domain is 253 characters. + + The implementation may add a prefix such as "router-default." to the domain + when constructing the router canonical hostname. To ensure the resulting + hostname does not exceed the DNS maximum length of 253 characters, + the domain length is additionally validated at the IngressController object + level. For the maximum length of the domain value itself, the shortest + possible variant of the prefix and the ingress controller name was considered + for example "router-a." + maxLength: 244 + type: string + x-kubernetes-validations: + - message: domain must consist of lower case alphanumeric characters, + '-' or '.', and must start and end with an alphanumeric character + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + - message: each DNS label must not exceed 63 characters + rule: self.split('.').all(label, size(label) <= 63) + endpointPublishingStrategy: + description: |- + endpointPublishingStrategy is used to publish the ingress controller + endpoints to other networks, enable load balancer integrations, etc. + + If unset, the default is based on + infrastructure.config.openshift.io/cluster .status.platform: + + AWS: LoadBalancerService (with External scope) + Azure: LoadBalancerService (with External scope) + GCP: LoadBalancerService (with External scope) + IBMCloud: LoadBalancerService (with External scope) + AlibabaCloud: LoadBalancerService (with External scope) + Libvirt: HostNetwork + + Any other platform types (including None) default to HostNetwork. + + endpointPublishingStrategy cannot be updated. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + httpCompression: + description: |- + httpCompression defines a policy for HTTP traffic compression. + By default, there is no HTTP compression. + properties: + mimeTypes: + description: |- + mimeTypes is a list of MIME types that should have compression applied. + This list can be empty, in which case the ingress controller does not apply compression. + + Note: Not all MIME types benefit from compression, but HAProxy will still use resources + to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) + formats benefit from compression, but formats that are already compressed (image, + audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing + again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2 + items: + description: |- + CompressionMIMEType defines the format of a single MIME type. + E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml", + "application/octet-stream", "X-custom/customsub", etc. + + The format should follow the Content-Type definition in RFC 1341: + Content-Type := type "/" subtype *[";" parameter] + - The type in Content-Type can be one of: + application, audio, image, message, multipart, text, video, or a custom + type preceded by "X-" and followed by a token as defined below. + - The token is a string of at least one character, and not containing white + space, control characters, or any of the characters in the tspecials set. + - The tspecials set contains the characters ()<>@,;:\"/[]?.= + - The subtype in Content-Type is also a token. + - The optional parameter/s following the subtype are defined as: + token "=" (token / quoted-string) + - The quoted-string, as defined in RFC 822, is surrounded by double quotes + and can contain white space plus any character EXCEPT \, ", and CR. + It can also contain any single ASCII character as long as it is escaped by \. + pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ + ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$ + type: string + type: array + x-kubernetes-list-type: set + type: object + httpEmptyRequestsPolicy: + default: Respond + description: |- + httpEmptyRequestsPolicy describes how HTTP connections should be + handled if the connection times out before a request is received. + Allowed values for this field are "Respond" and "Ignore". If the + field is set to "Respond", the ingress controller sends an HTTP 400 + or 408 response, logs the connection (if access logging is enabled), + and counts the connection in the appropriate metrics. If the field + is set to "Ignore", the ingress controller closes the connection + without sending a response, logging the connection, or incrementing + metrics. The default value is "Respond". + + Typically, these connections come from load balancers' health probes + or Web browsers' speculative connections ("preconnect") and can be + safely ignored. However, these requests may also be caused by + network errors, and so setting this field to "Ignore" may impede + detection and diagnosis of problems. In addition, these requests may + be caused by port scans, in which case logging empty requests may aid + in detecting intrusion attempts. + enum: + - Respond + - Ignore + type: string + httpErrorCodePages: + description: |- + httpErrorCodePages specifies a configmap with custom error pages. + The administrator must create this configmap in the openshift-config namespace. + This configmap should have keys in the format "error-page-.http", + where is an HTTP error code. + For example, "error-page-503.http" defines an error page for HTTP 503 responses. + Currently only error pages for 503 and 404 responses can be customized. + Each value in the configmap should be the full response, including HTTP headers. + Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http + If this field is empty, the ingress controller uses the default error pages. + properties: + name: + description: name is the metadata.name of the referenced config + map + type: string + required: + - name + type: object + httpHeaders: + description: |- + httpHeaders defines policy for HTTP headers. + + If this field is empty, the default values are used. + properties: + actions: + description: |- + actions specifies options for modifying headers and their values. + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be modified for TLS passthrough + connections. + Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions. `Strict-Transport-Security` + may only be configured using the "haproxy.router.openshift.io/hsts_header" route annotation, and only in + accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies. + Any actions defined here are applied after any actions related to the following other fields: + cache-control, spec.clientTLS, + spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId, + and spec.httpHeaders.headerNameCaseAdjustments. + In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after + the actions specified in the IngressController's spec.httpHeaders.actions field. + In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be + executed after the actions specified in the Route's spec.httpHeaders.actions field. + Headers set using this API cannot be captured for use in access logs. + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. Please refer to the documentation + for that API field for more details. + properties: + request: + description: |- + request is a list of HTTP request headers to modify. + Actions defined here will modify the request headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for request headers will be executed before Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 request header actions may be configured. + Sample fetchers allowed are "req.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are req.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:req\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + response: + description: |- + response is a list of HTTP response headers to modify. + Actions defined here will modify the response headers of all requests passing through an ingress controller. + These actions are applied to all Routes i.e. for all connections handled by the ingress controller defined within a cluster. + IngressController actions for response headers will be executed after Route actions. + Currently, actions may define to either `Set` or `Delete` headers values. + Actions are applied in sequence as defined in this list. + A maximum of 20 response header actions may be configured. + Sample fetchers allowed are "res.hdr" and "ssl_c_der". + Converters allowed are "lower" and "base64". + Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]". + items: + description: IngressControllerHTTPHeader specifies configuration + for setting or deleting an HTTP header. + properties: + action: + description: action specifies actions to perform on + headers, such as setting or deleting headers. + properties: + set: + description: |- + set specifies how the HTTP header should be set. + This field is required when type is Set and forbidden otherwise. + properties: + value: + description: |- + value specifies a header value. + Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in + http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and + otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + The value of this field must be no more than 16384 characters in length. + Note that the total size of all net added headers *after* interpolating dynamic values + must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the + IngressController. + maxLength: 16384 + minLength: 1 + type: string + required: + - value + type: object + type: + description: |- + type defines the type of the action to be applied on the header. + Possible values are Set or Delete. + Set allows you to set HTTP request and response headers. + Delete allows you to delete HTTP request and response headers. + enum: + - Set + - Delete + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: set is required when type is Set, and forbidden + otherwise + rule: 'has(self.type) && self.type == ''Set'' ? has(self.set) + : !has(self.set)' + name: + description: |- + name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`". + The following header names are reserved and may not be modified via this API: + Strict-Transport-Security, Proxy, Host, Cookie, Set-Cookie. + It must be no more than 255 characters in length. + Header name must be unique. + maxLength: 255 + minLength: 1 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + x-kubernetes-validations: + - message: strict-transport-security header may not + be modified via header actions + rule: self.lowerAscii() != 'strict-transport-security' + - message: proxy header may not be modified via header + actions + rule: self.lowerAscii() != 'proxy' + - message: host header may not be modified via header + actions + rule: self.lowerAscii() != 'host' + - message: cookie header may not be modified via header + actions + rule: self.lowerAscii() != 'cookie' + - message: set-cookie header may not be modified via + header actions + rule: self.lowerAscii() != 'set-cookie' + required: + - action + - name + type: object + maxItems: 20 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: Either the header value provided is not in correct + format or the sample fetcher/converter specified is not + allowed. The dynamic header value will be interpreted + as an HAProxy format string as defined in http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 + and may use HAProxy's %[] syntax and otherwise must be + a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2. + Sample fetchers allowed are res.hdr, ssl_c_der. Converters + allowed are lower, base64. + rule: self.all(key, key.action.type == "Delete" || (has(key.action.set) + && key.action.set.value.matches('^(?:%(?:%|(?:\\{[-+]?[QXE](?:,[-+]?[QXE])*\\})?\\[(?:res\\.hdr\\([0-9A-Za-z-]+\\)|ssl_c_der)(?:,(?:lower|base64))*\\])|[^%[:cntrl:]])+$'))) + type: object + forwardedHeaderPolicy: + description: |- + forwardedHeaderPolicy specifies when and how the IngressController + sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, + X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version + HTTP headers. The value may be one of the following: + + * "Append", which specifies that the IngressController appends the + headers, preserving existing headers. + + * "Replace", which specifies that the IngressController sets the + headers, replacing any existing Forwarded or X-Forwarded-* headers. + + * "IfNone", which specifies that the IngressController sets the + headers if they are not already set. + + * "Never", which specifies that the IngressController never sets the + headers, preserving any existing headers. + + By default, the policy is "Append". + enum: + - Append + - Replace + - IfNone + - Never + type: string + headerNameCaseAdjustments: + description: |- + headerNameCaseAdjustments specifies case adjustments that can be + applied to HTTP header names. Each adjustment is specified as an + HTTP header name with the desired capitalization. For example, + specifying "X-Forwarded-For" indicates that the "x-forwarded-for" + HTTP header should be adjusted to have the specified capitalization. + + These adjustments are only applied to cleartext, edge-terminated, and + re-encrypt routes, and only when using HTTP/1. + + For request headers, these adjustments are applied only for routes + that have the haproxy.router.openshift.io/h1-adjust-case=true + annotation. For response headers, these adjustments are applied to + all HTTP responses. + + If this field is empty, no request headers are adjusted. + items: + description: |- + IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header + (for example, "X-Forwarded-For") in the desired capitalization. The value + must be a valid HTTP header name as defined in RFC 2616 section 4.2. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + uniqueId: + description: |- + uniqueId describes configuration for a custom HTTP header that the + ingress controller should inject into incoming HTTP requests. + Typically, this header is configured to have a value that is unique + to the HTTP request. The header can be used by applications or + included in access logs to facilitate tracing individual HTTP + requests. + + If this field is empty, no such header is injected into requests. + properties: + format: + description: |- + format specifies the format for the injected HTTP header's value. + This field has no effect unless name is specified. For the + HAProxy-based ingress controller implementation, this format uses the + same syntax as the HTTP log format. If the field is empty, the + default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the + corresponding HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + maxLength: 1024 + minLength: 0 + pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$ + type: string + name: + description: |- + name specifies the name of the HTTP header (for example, "unique-id") + that the ingress controller should inject into HTTP requests. The + field's value must be a valid HTTP header name as defined in RFC 2616 + section 4.2. If the field is empty, no header is injected. + maxLength: 1024 + minLength: 0 + pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + type: object + type: object + idleConnectionTerminationPolicy: + default: Immediate + description: |- + idleConnectionTerminationPolicy maps directly to HAProxy's + idle-close-on-response option and controls whether HAProxy + keeps idle frontend connections open during a soft stop + (router reload). + + Allowed values for this field are "Immediate" and + "Deferred". The default value is "Immediate". + + When set to "Immediate", idle connections are closed + immediately during router reloads. This ensures immediate + propagation of route changes but may impact clients + sensitive to connection resets. + + When set to "Deferred", HAProxy will maintain idle + connections during a soft reload instead of closing them + immediately. These connections remain open until any of the + following occurs: + + - A new request is received on the connection, in which + case HAProxy handles it in the old process and closes + the connection after sending the response. + + - HAProxy's `timeout http-keep-alive` duration expires. + By default this is 300 seconds, but it can be changed + using httpKeepAliveTimeout tuning option. + + - The client's keep-alive timeout expires, causing the + client to close the connection. + + Setting Deferred can help prevent errors in clients or load + balancers that do not properly handle connection resets. + Additionally, this option allows you to retain the pre-2.4 + HAProxy behaviour: in HAProxy version 2.2 (OpenShift + versions < 4.14), maintaining idle connections during a + soft reload was the default behaviour, but starting with + HAProxy 2.4, the default changed to closing idle + connections immediately. + + Important Consideration: + + - Using Deferred will result in temporary inconsistencies + for the first request on each persistent connection + after a route update and router reload. This request + will be processed by the old HAProxy process using its + old configuration. Subsequent requests will use the + updated configuration. + + Operational Considerations: + + - Keeping idle connections open during reloads may lead + to an accumulation of old HAProxy processes if + connections remain idle for extended periods, + especially in environments where frequent reloads + occur. + + - Consider monitoring the number of HAProxy processes in + the router pods when Deferred is set. + + - You may need to enable or adjust the + `ingress.operator.openshift.io/hard-stop-after` + duration (configured via an annotation on the + IngressController resource) in environments with + frequent reloads to prevent resource exhaustion. + enum: + - Immediate + - Deferred + type: string + logging: + description: |- + logging defines parameters for what should be logged where. If this + field is empty, operational logs are enabled but access logs are + disabled. + properties: + access: + description: |- + access describes how the client requests should be logged. + + If this field is empty, access logging is disabled. + properties: + destination: + description: destination is where access logs go. + properties: + container: + description: |- + container holds parameters for the Container logging destination. + Present only if type is Container. + properties: + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 8192, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 8192 + minimum: 480 + type: integer + type: object + syslog: + description: |- + syslog holds parameters for a syslog endpoint. Present only if + type is Syslog. + properties: + address: + description: |- + address is the IP address of the syslog endpoint that receives log + messages. + type: string + facility: + description: |- + facility specifies the syslog facility of log messages. + + If this field is empty, the facility is "local1". + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + type: string + maxLength: + default: 1024 + description: |- + maxLength is the maximum length of the log message. + + Valid values are integers in the range 480 to 4096, inclusive. + + When omitted, the default value is 1024. + format: int32 + maximum: 4096 + minimum: 480 + type: integer + port: + description: |- + port is the UDP port number of the syslog endpoint that receives log + messages. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: + description: |- + type is the type of destination for logs. It must be one of the + following: + + * Container + + The ingress operator configures the sidecar container named "logs" on + the ingress controller pod and configures the ingress controller to + write logs to the sidecar. The logs are then available as container + logs. The expectation is that the administrator configures a custom + logging solution that reads logs from this sidecar. Note that using + container logs means that logs may be dropped if the rate of logs + exceeds the container runtime's or the custom logging solution's + capacity. + + * Syslog + + Logs are sent to a syslog endpoint. The administrator must specify + an endpoint that can receive syslog messages. The expectation is + that the administrator has configured a custom syslog instance. + enum: + - Container + - Syslog + type: string + required: + - type + type: object + httpCaptureCookies: + description: |- + httpCaptureCookies specifies HTTP cookies that should be captured in + access logs. If this field is empty, no cookies are captured. + items: + description: |- + IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be + captured. + properties: + matchType: + description: |- + matchType specifies the type of match to be performed on the cookie + name. Allowed values are "Exact" for an exact string match and + "Prefix" for a string prefix match. If "Exact" is specified, a name + must be specified in the name field. If "Prefix" is provided, a + prefix must be specified in the namePrefix field. For example, + specifying matchType "Prefix" and namePrefix "foo" will capture a + cookie named "foo" or "foobar" but not one named "bar". The first + matching cookie is captured. + enum: + - Exact + - Prefix + type: string + maxLength: + description: |- + maxLength specifies a maximum length of the string that will be + logged, which includes the cookie name, cookie value, and + one-character delimiter. If the log entry exceeds this length, the + value will be truncated in the log message. Note that the ingress + controller may impose a separate bound on the total length of HTTP + headers in a request. + maximum: 1024 + minimum: 1 + type: integer + name: + description: |- + name specifies a cookie name. Its value must be a valid HTTP cookie + name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + namePrefix: + description: |- + namePrefix specifies a cookie name prefix. Its value must be a valid + HTTP cookie name as defined in RFC 6265 section 4.1. + maxLength: 1024 + minLength: 0 + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$ + type: string + required: + - matchType + - maxLength + type: object + maxItems: 1 + nullable: true + type: array + x-kubernetes-list-type: atomic + httpCaptureHeaders: + description: |- + httpCaptureHeaders defines HTTP headers that should be captured in + access logs. If this field is empty, no headers are captured. + + Note that this option only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). Headers cannot be captured for TLS passthrough + connections. + properties: + request: + description: |- + request specifies which HTTP request headers to capture. + + If this field is empty, no request headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + response: + description: |- + response specifies which HTTP response headers to capture. + + If this field is empty, no response headers are captured. + items: + description: |- + IngressControllerCaptureHTTPHeader describes an HTTP header that should be + captured. + properties: + maxLength: + description: |- + maxLength specifies a maximum length for the header value. If a + header value exceeds this length, the value will be truncated in the + log message. Note that the ingress controller may impose a separate + bound on the total length of HTTP headers in a request. + minimum: 1 + type: integer + name: + description: |- + name specifies a header name. Its value must be a valid HTTP header + name as defined in RFC 2616 section 4.2. + pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$ + type: string + required: + - maxLength + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic + type: object + httpLogFormat: + description: |- + httpLogFormat specifies the format of the log message for an HTTP + request. + + If this field is empty, log messages use the implementation's default + HTTP log format. For HAProxy's default HTTP log format, see the + HAProxy documentation: + http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 + + Note that this format only applies to cleartext HTTP connections + and to secure HTTP connections for which the ingress controller + terminates encryption (that is, edge-terminated or reencrypt + connections). It does not affect the log format for TLS passthrough + connections. + type: string + logEmptyRequests: + default: Log + description: |- + logEmptyRequests specifies how connections on which no request is + received should be logged. Typically, these empty requests come from + load balancers' health probes or Web browsers' speculative + connections ("preconnect"), in which case logging these requests may + be undesirable. However, these requests may also be caused by + network errors, in which case logging empty requests may be useful + for diagnosing the errors. In addition, these requests may be caused + by port scans, in which case logging empty requests may aid in + detecting intrusion attempts. Allowed values for this field are + "Log" and "Ignore". The default value is "Log". + enum: + - Log + - Ignore + type: string + required: + - destination + type: object + type: object + namespaceSelector: + description: |- + namespaceSelector is used to filter the set of namespaces serviced by the + ingress controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + nodePlacement: + description: |- + nodePlacement enables explicit control over the scheduling of the ingress + controller. + + If unset, defaults are used. See NodePlacement for more details. + properties: + nodeSelector: + description: |- + nodeSelector is the node selector applied to ingress controller + deployments. + + If set, the specified selector is used and replaces the default. + + If unset, the default depends on the value of the defaultPlacement + field in the cluster config.openshift.io/v1/ingresses status. + + When defaultPlacement is Workers, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/worker: '' + + When defaultPlacement is ControlPlane, the default is: + + kubernetes.io/os: linux + node-role.kubernetes.io/master: '' + + These defaults are subject to change. + + Note that using nodeSelector.matchExpressions is not supported. Only + nodeSelector.matchLabels may be used. This is a limitation of the + Kubernetes API: the pod spec does not allow complex expressions for + node selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tolerations: + description: |- + tolerations is a list of tolerations applied to ingress controller + deployments. + + The default is an empty list. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + replicas: + description: |- + replicas is the desired number of ingress controller replicas. If unset, + the default depends on the value of the defaultPlacement field in the + cluster config.openshift.io/v1/ingresses status. + + The value of replicas is set based on the value of a chosen field in the + Infrastructure CR. If defaultPlacement is set to ControlPlane, the + chosen field will be controlPlaneTopology. If it is set to Workers the + chosen field will be infrastructureTopology. Replicas will then be set to 1 + or 2 based whether the chosen field's value is SingleReplica or + HighlyAvailable, respectively. + + These defaults are subject to change. + format: int32 + type: integer + routeAdmission: + description: |- + routeAdmission defines a policy for handling new route claims (for example, + to allow or deny claims across namespaces). + + If empty, defaults will be applied. See specific routeAdmission fields + for details about their defaults. + properties: + namespaceOwnership: + description: |- + namespaceOwnership describes how host name claims across namespaces should + be handled. + + Value must be one of: + + - Strict: Do not allow routes in different namespaces to claim the same host. + + - InterNamespaceAllowed: Allow routes to claim different paths of the same + host name across namespaces. + + If empty, the default is Strict. + enum: + - InterNamespaceAllowed + - Strict + type: string + wildcardPolicy: + description: |- + wildcardPolicy describes how routes with wildcard policies should + be handled for the ingress controller. WildcardPolicy controls use + of routes [1] exposed by the ingress controller based on the route's + wildcard policy. + + [1] https://github.com/openshift/api/blob/master/route/v1/types.go + + Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed + will cause admitted routes with a wildcard policy of Subdomain to stop + working. These routes must be updated to a wildcard policy of None to be + readmitted by the ingress controller. + + WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. + + If empty, defaults to "WildcardsDisallowed". + enum: + - WildcardsAllowed + - WildcardsDisallowed + type: string + type: object + routeSelector: + description: |- + routeSelector is used to filter the set of Routes serviced by the ingress + controller. This is useful for implementing shards. + + If unset, the default is no filtering. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. + + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + + Note that when using the Old, Intermediate, and Modern profile types, the effective + profile configuration is subject to change between releases. For example, given + a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade + to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress + controller, resulting in a rollout. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + tuningOptions: + description: |- + tuningOptions defines parameters for adjusting the performance of + ingress controller pods. All fields are optional and will use their + respective defaults if not set. See specific tuningOptions fields for + more details. + + Setting fields within tuningOptions is generally not recommended. The + default values are suitable for most configurations. + properties: + clientFinTimeout: + description: |- + clientFinTimeout defines how long a connection will be held open while + waiting for the client response to the server/backend closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + clientTimeout: + description: |- + clientTimeout defines how long a connection will be held open while + waiting for a client response. + + If unset, the default timeout is 30s + format: duration + type: string + connectTimeout: + description: |- + connectTimeout defines the maximum time to wait for + a connection attempt to a server/backend to succeed. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 5s. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + headerBufferBytes: + description: |- + headerBufferBytes describes how much memory should be reserved + (in bytes) for IngressController connection sessions. + Note that this value must be at least 16384 if HTTP/2 is + enabled for the IngressController (https://tools.ietf.org/html/rfc7540). + If this field is empty, the IngressController will use a default value + of 32768 bytes. + + Setting this field is generally not recommended as headerBufferBytes + values that are too small may break the IngressController and + headerBufferBytes values that are too large could cause the + IngressController to use significantly more memory than necessary. + format: int32 + minimum: 16384 + type: integer + headerBufferMaxRewriteBytes: + description: |- + headerBufferMaxRewriteBytes describes how much memory should be reserved + (in bytes) from headerBufferBytes for HTTP header rewriting + and appending for IngressController connection sessions. + Note that incoming HTTP requests will be limited to + (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning + headerBufferBytes must be greater than headerBufferMaxRewriteBytes. + If this field is empty, the IngressController will use a default value + of 8192 bytes. + + Setting this field is generally not recommended as + headerBufferMaxRewriteBytes values that are too small may break the + IngressController and headerBufferMaxRewriteBytes values that are too + large could cause the IngressController to use significantly more memory + than necessary. + format: int32 + minimum: 4096 + type: integer + healthCheckInterval: + description: |- + healthCheckInterval defines how long the router waits between two consecutive + health checks on its configured backends. This value is applied globally as + a default for all routes, but may be overridden per-route by the route annotation + "router.openshift.io/haproxy.health.check.interval". + + Expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, eg "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Setting this to less than 5s can cause excess traffic due to too frequent + TCP health checks and accompanying SYN packet storms. Alternatively, setting + this too high can result in increased latency, due to backend servers that are no + longer available, but haven't yet been detected as such. + + An empty or zero healthCheckInterval means no opinion and IngressController chooses + a default, which is subject to change over time. + Currently the default healthCheckInterval value is 5s. + + Currently the minimum allowed value is 1s and the maximum allowed value is + 2147483647ms (24.85 days). Both are subject to change over time. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + httpKeepAliveTimeout: + description: |- + httpKeepAliveTimeout defines the maximum allowed time to wait for + a new HTTP request to appear on a connection from the client to the router. + + This field expects an unsigned duration string of a decimal number, with optional + fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s". + Valid time units are "ms", "s", "m". + The allowed range is from 1 millisecond to 15 minutes. + + When omitted, this means the user has no opinion and the platform is left + to choose a reasonable default. This default is subject to change over time. + The current default is 300s. + + Low values (tens of milliseconds or less) can cause clients to close and reopen connections + for each request, leading to reduced connection sharing. + For HTTP/2, special care should be taken with low values. + A few seconds is a reasonable starting point to avoid holding idle connections open + while still allowing subsequent requests to reuse the connection. + + High values (minutes or more) favor connection reuse but may cause idle + connections to linger longer. + maxLength: 16 + minLength: 1 + type: string + x-kubernetes-validations: + - message: httpKeepAliveTimeout must be a valid duration string + composed of an unsigned integer value, optionally followed + by a decimal fraction and a unit suffix (ms, s, m) + rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$') + - message: httpKeepAliveTimeout must be less than or equal to + 15 minutes + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) <= duration(''15m'')' + - message: httpKeepAliveTimeout must be greater than or equal + to 1 millisecond + rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') || + duration(self) >= duration(''1ms'')' + maxConnections: + description: |- + maxConnections defines the maximum number of simultaneous + connections that can be established per HAProxy process. + Increasing this value allows each ingress controller pod to + handle more connections but at the cost of additional + system resources being consumed. + + Permitted values are: empty, 0, -1, and the range + 2000-2000000. + + If this field is empty or 0, the IngressController will use + the default value of 50000, but the default is subject to + change in future releases. + + If the value is -1 then HAProxy will dynamically compute a + maximum value based on the available ulimits in the running + container. Selecting -1 (i.e., auto) will result in a large + value being computed (~520000 on OpenShift >=4.10 clusters) + and therefore each HAProxy process will incur significant + memory usage compared to the current default of 50000. + + Setting a value that is greater than the current operating + system limit will prevent the HAProxy process from + starting. + + If you choose a discrete value (e.g., 750000) and the + router pod is migrated to a new node, there's no guarantee + that that new node has identical ulimits configured. In + such a scenario the pod would fail to start. If you have + nodes with different ulimits configured (e.g., different + tuned profiles) and you choose a discrete value then the + guidance is to use -1 and let the value be computed + dynamically at runtime. + + You can monitor memory usage for router containers with the + following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}'. + + You can monitor memory usage of individual HAProxy + processes in router containers with the following metric: + 'container_memory_working_set_bytes{container="router",namespace="openshift-ingress"}/container_processes{container="router",namespace="openshift-ingress"}'. + format: int32 + type: integer + reloadInterval: + description: |- + reloadInterval defines the minimum interval at which the router is allowed to reload + to accept new changes. Increasing this value can prevent the accumulation of + HAProxy processes, depending on the scenario. Increasing this interval can + also lessen load imbalance on a backend's servers when using the roundrobin + balancing algorithm. Alternatively, decreasing this value may decrease latency + since updates to HAProxy's configuration can take effect more quickly. + + The value must be a time duration value; see . + Currently, the minimum value allowed is 1s, and the maximum allowed value is + 120s. Minimum and maximum allowed values may change in future versions of OpenShift. + Note that if a duration outside of these bounds is provided, the value of reloadInterval + will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to + 120s; the IngressController will not reject and replace this disallowed value with + the default). + + A zero value for reloadInterval tells the IngressController to choose the default, + which is currently 5s and subject to change without notice. + + This field expects an unsigned duration string of decimal numbers, each with optional + fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m". + Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h". + + Note: Setting a value significantly larger than the default of 5s can cause latency + in observing updates to routes and their endpoints. HAProxy's configuration will + be reloaded less frequently, and newly created routes will not be served until the + subsequent reload. + pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$ + type: string + serverFinTimeout: + description: |- + serverFinTimeout defines how long a connection will be held open while + waiting for the server/backend response to the client closing the + connection. + + If unset, the default timeout is 1s + format: duration + type: string + serverTimeout: + description: |- + serverTimeout defines how long a connection will be held open while + waiting for a server/backend response. + + If unset, the default timeout is 30s + format: duration + type: string + threadCount: + description: |- + threadCount defines the number of threads created per HAProxy process. + Creating more threads allows each ingress controller pod to handle more + connections, at the cost of more system resources being used. HAProxy + currently supports up to 64 threads. If this field is empty, the + IngressController will use the default value. The current default is 4 + threads, but this may change in future releases. + + Setting this field is generally not recommended. Increasing the number + of HAProxy threads allows ingress controller pods to utilize more CPU + time under load, potentially starving other pods if set too high. + Reducing the number of threads may cause the ingress controller to + perform poorly. + format: int32 + maximum: 64 + minimum: 1 + type: integer + tlsInspectDelay: + description: |- + tlsInspectDelay defines how long the router can hold data to find a + matching route. + + Setting this too short can cause the router to fall back to the default + certificate for edge-terminated or reencrypt routes even when a better + matching certificate could be used. + + If unset, the default inspect delay is 5s + format: duration + type: string + tunnelTimeout: + description: |- + tunnelTimeout defines how long a tunnel connection (including + websockets) will be held open while the tunnel is idle. + + If unset, the default timeout is 1h + format: duration + type: string + type: object + unsupportedConfigOverrides: + description: |- + unsupportedConfigOverrides allows specifying unsupported + configuration options. Its use is unsupported. + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: status is the most recently observed status of the IngressController. + properties: + availableReplicas: + description: |- + availableReplicas is number of observed available replicas according to the + ingress controller deployment. + format: int32 + type: integer + conditions: + description: |- + conditions is a list of conditions and their status. + + Available means the ingress controller deployment is available and + servicing route and ingress resources (i.e, .status.availableReplicas + equals .spec.replicas) + + There are additional conditions which indicate the status of other + ingress controller features and capabilities. + + * LoadBalancerManaged + - True if the following conditions are met: + * The endpoint publishing strategy requires a service load balancer. + - False if any of those conditions are unsatisfied. + + * LoadBalancerReady + - True if the following conditions are met: + * A load balancer is managed. + * The load balancer is ready. + - False if any of those conditions are unsatisfied. + + * DNSManaged + - True if the following conditions are met: + * The endpoint publishing strategy and platform support DNS. + * The ingress controller domain is set. + * dns.config.openshift.io/cluster configures DNS zones. + - False if any of those conditions are unsatisfied. + + * DNSReady + - True if the following conditions are met: + * DNS is managed. + * DNS records have been successfully created. + - False if any of those conditions are unsatisfied. + items: + description: OperatorCondition is just the standard condition fields. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + type: string + reason: + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + domain: + description: domain is the actual domain in use. + type: string + endpointPublishingStrategy: + description: endpointPublishingStrategy is the actual strategy in + use. + properties: + hostNetwork: + description: |- + hostNetwork holds parameters for the HostNetwork endpoint publishing + strategy. Present only if type is HostNetwork. + properties: + httpPort: + default: 80 + description: |- + httpPort is the port on the host which should be used to listen for + HTTP requests. This field should be set when port 80 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 80. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + httpsPort: + default: 443 + description: |- + httpsPort is the port on the host which should be used to listen for + HTTPS requests. This field should be set when port 443 is already in use. + The value should not coincide with the NodePort range of the cluster. + When the value is 0 or is not specified it defaults to 443. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + statsPort: + default: 1936 + description: |- + statsPort is the port on the host where the stats from the router are + published. The value should not coincide with the NodePort range of the + cluster. If an external load balancer is configured to forward connections + to this IngressController, the load balancer should use this port for + health checks. The load balancer can send HTTP probes on this port on a + given node, with the path /healthz/ready to determine if the ingress + controller is ready to receive traffic on the node. For proper operation + the load balancer must not forward traffic to a node until the health + check reports ready. The load balancer should also stop forwarding requests + within a maximum of 45 seconds after /healthz/ready starts reporting + not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with + a threshold of two successful or failed requests to become healthy or + unhealthy respectively, are well-tested values. When the value is 0 or + is not specified it defaults to 1936. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + type: object + loadBalancer: + description: |- + loadBalancer holds parameters for the load balancer. Present only if + type is LoadBalancerService. + properties: + allowedSourceRanges: + description: |- + allowedSourceRanges specifies an allowlist of IP address ranges to which + access to the load balancer should be restricted. Each range must be + specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is + specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default, + which allows all source addresses. + + To facilitate migration from earlier versions of OpenShift that did + not have the allowedSourceRanges field, you may set the + service.beta.kubernetes.io/load-balancer-source-ranges annotation on + the "router-" service in the + "openshift-ingress" namespace, and this annotation will take + effect if allowedSourceRanges is empty on OpenShift 4.12. + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" + or "fd00::/8"). + pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$) + type: string + nullable: true + type: array + x-kubernetes-list-type: atomic + dnsManagementPolicy: + default: Managed + description: |- + dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record + associated with the load balancer service will be managed by + the ingress operator. It defaults to Managed. + Valid values are: Managed and Unmanaged. + enum: + - Managed + - Unmanaged + type: string + providerParameters: + description: |- + providerParameters holds desired load balancer information specific to + the underlying infrastructure provider. + + If empty, defaults will be applied. See specific providerParameters + fields for details about their defaults. + properties: + aws: + description: |- + aws provides configuration settings that are specific to AWS + load balancers. + + If empty, defaults will be applied. See specific aws fields for + details about their defaults. + properties: + classicLoadBalancer: + description: |- + classicLoadBalancerParameters holds configuration parameters for an AWS + classic load balancer. Present only if type is Classic. + properties: + connectionIdleTimeout: + description: |- + connectionIdleTimeout specifies the maximum time period that a + connection may be idle before the load balancer closes the + connection. The value must be parseable as a time duration value; + see . A nil or zero value + means no opinion, in which case a default value is used. The default + value for this field is 60s. This default is subject to change. + format: duration + type: string + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + networkLoadBalancer: + description: |- + networkLoadBalancerParameters holds configuration parameters for an AWS + network load balancer. Present only if type is NLB. + properties: + eipAllocations: + description: |- + eipAllocations is a list of IDs for Elastic IP (EIP) addresses that + are assigned to the Network Load Balancer. + The following restrictions apply: + + eipAllocations can only be used with external scope, not internal. + An EIP can be allocated to only a single IngressController. + The number of EIP allocations must match the number of subnets that are used for the load balancer. + Each EIP allocation must be unique. + A maximum of 10 EIP allocations are permitted. + + See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general + information about configuration, characteristics, and limitations of Elastic IP addresses. + items: + description: |- + EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment. + Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters. + maxLength: 26 + minLength: 26 + type: string + x-kubernetes-validations: + - message: eipAllocations should start with + 'eipalloc-' + rule: self.startsWith('eipalloc-') + - message: eipAllocations must be 'eipalloc-' + followed by exactly 17 hexadecimal characters + (0-9, a-f, A-F) + rule: self.split("-", 2)[1].matches('[0-9a-fA-F]{17}$') + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: eipAllocations cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == y)) + subnets: + description: |- + subnets specifies the subnets to which the load balancer will + attach. The subnets may be specified by either their + ID or name. The total number of subnets is limited to 10. + + In order for the load balancer to be provisioned with subnets, + each subnet must exist, each subnet must be from a different + availability zone, and the load balancer service must be + recreated to pick up new values. + + When omitted from the spec, the subnets will be auto-discovered + for each availability zone. Auto-discovered subnets are not reported + in the status of the IngressController object. + properties: + ids: + description: |- + ids specifies a list of AWS subnets by subnet ID. + Subnet IDs must start with "subnet-", consist only + of alphanumeric characters, must be exactly 24 + characters long, must be unique, and the total + number of subnets specified by ids and names + must not exceed 10. + items: + description: AWSSubnetID is a reference + to an AWS subnet ID. + maxLength: 24 + minLength: 24 + pattern: ^subnet-[0-9A-Za-z]+$ + type: string + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet ids cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + names: + description: |- + names specifies a list of AWS subnets by subnet name. + Subnet names must not start with "subnet-", must not + include commas, must be under 256 characters in length, + must be unique, and the total number of subnets + specified by ids and names must not exceed 10. + items: + description: AWSSubnetName is a reference + to an AWS subnet name. + maxLength: 256 + minLength: 1 + type: string + x-kubernetes-validations: + - message: subnet name cannot contain a + comma + rule: '!self.contains('','')' + - message: subnet name cannot start with + 'subnet-' + rule: '!self.startsWith(''subnet-'')' + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: subnet names cannot contain duplicates + rule: self.all(x, self.exists_one(y, x == + y)) + type: object + x-kubernetes-validations: + - message: the total number of subnets cannot + exceed 10 + rule: 'has(self.ids) && has(self.names) ? size(self.ids + + self.names) <= 10 : true' + - message: must specify at least 1 subnet name + or id + rule: has(self.ids) && self.ids.size() > 0 || + has(self.names) && self.names.size() > 0 + type: object + x-kubernetes-validations: + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids + self.subnets.names) + == size(self.eipAllocations) : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.ids) + && !has(self.subnets.names) && has(self.eipAllocations) + ? size(self.subnets.ids) == size(self.eipAllocations) + : true' + - message: number of subnets must be equal to number + of eipAllocations + rule: 'has(self.subnets) && has(self.subnets.names) + && !has(self.subnets.ids) && has(self.eipAllocations) + ? size(self.subnets.names) == size(self.eipAllocations) + : true' + type: + description: |- + type is the type of AWS load balancer to instantiate for an ingresscontroller. + + Valid values are: + + * "Classic": A Classic Load Balancer that makes routing decisions at either + the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See + the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb + + * "NLB": A Network Load Balancer that makes routing decisions at the + transport layer (TCP/SSL). See the following for additional details: + + https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb + enum: + - Classic + - NLB + type: string + required: + - type + type: object + gcp: + description: |- + gcp provides configuration settings that are specific to GCP + load balancers. + + If empty, defaults will be applied. See specific gcp fields for + details about their defaults. + properties: + clientAccess: + description: |- + clientAccess describes how client access is restricted for internal + load balancers. + + Valid values are: + * "Global": Specifying an internal load balancer with Global client access + allows clients from any region within the VPC to communicate with the load + balancer. + + https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access + + * "Local": Specifying an internal load balancer with Local client access + means only clients within the same region (and VPC) as the GCP load balancer + can communicate with the load balancer. Note that this is the default behavior. + + https://cloud.google.com/load-balancing/docs/internal#client_access + enum: + - Global + - Local + type: string + type: object + ibm: + description: |- + ibm provides configuration settings that are specific to IBM Cloud + load balancers. + + If empty, defaults will be applied. See specific ibm fields for + details about their defaults. + properties: + protocol: + description: |- + protocol specifies whether the load balancer uses PROXY protocol to forward connections to + the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: + "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas" + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + Valid values for protocol are TCP, PROXY and omitted. + When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + The current default is TCP, without the proxy protocol enabled. + enum: + - "" + - TCP + - PROXY + type: string + type: object + openstack: + description: |- + openstack provides configuration settings that are specific to OpenStack + load balancers. + + If empty, defaults will be applied. See specific openstack fields for + details about their defaults. + properties: + floatingIP: + description: |- + floatingIP specifies the IP address that the load balancer will use. + When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. + When specified, the floating IP has to be pre-created. If the + specified value is not a floating IP or is already claimed, the + OpenStack cloud provider won't be able to provision the load + balancer. + This field may only be used if the IngressController has External scope. + This value must be a valid IPv4 or IPv6 address. + type: string + x-kubernetes-validations: + - message: floatingIP must be a valid IPv4 or IPv6 + address + rule: isIP(self) + type: object + type: + description: |- + type is the underlying infrastructure provider for the load balancer. + Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", + "OpenStack", and "VSphere". + enum: + - AWS + - Azure + - BareMetal + - GCP + - Nutanix + - OpenStack + - VSphere + - IBM + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: openstack is not permitted when type is not OpenStack + rule: 'has(self.type) && self.type == ''OpenStack'' ? true + : !has(self.openstack)' + scope: + description: |- + scope indicates the scope at which the load balancer is exposed. + Possible values are "External" and "Internal". + enum: + - Internal + - External + type: string + required: + - dnsManagementPolicy + - scope + type: object + x-kubernetes-validations: + - message: eipAllocations are forbidden when the scope is Internal. + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.aws) || !has(self.providerParameters.aws.networkLoadBalancer) + || !has(self.providerParameters.aws.networkLoadBalancer.eipAllocations)' + - message: cannot specify a floating ip when scope is internal + rule: '!has(self.scope) || self.scope != ''Internal'' || !has(self.providerParameters) + || !has(self.providerParameters.openstack) || !has(self.providerParameters.openstack.floatingIP) + || self.providerParameters.openstack.floatingIP == ""' + nodePort: + description: |- + nodePort holds parameters for the NodePortService endpoint publishing strategy. + Present only if type is NodePortService. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + private: + description: |- + private holds parameters for the Private endpoint publishing + strategy. Present only if type is Private. + properties: + protocol: + description: |- + protocol specifies whether the IngressController expects incoming + connections to use plain TCP or whether the IngressController expects + PROXY protocol. + + PROXY protocol can be used with load balancers that support it to + communicate the source addresses of client connections when + forwarding those connections to the IngressController. Using PROXY + protocol enables the IngressController to report those source + addresses instead of reporting the load balancer's address in HTTP + headers and logs. Note that enabling PROXY protocol on the + IngressController will cause connections to fail if you are not using + a load balancer that uses PROXY protocol to forward connections to + the IngressController. See + http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for + information about PROXY protocol. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + The empty string specifies the default, which is TCP without PROXY + protocol. Note that the default is subject to change. + enum: + - "" + - TCP + - PROXY + type: string + type: object + type: + description: |- + type is the publishing strategy to use. Valid values are: + + * LoadBalancerService + + Publishes the ingress controller using a Kubernetes LoadBalancer Service. + + In this configuration, the ingress controller deployment uses container + networking. A LoadBalancer Service is created to publish the deployment. + + See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + + If domain is set, a wildcard DNS record will be managed to point at the + LoadBalancer Service's external name. DNS records are managed only in DNS + zones defined by dns.config.openshift.io/cluster .spec.publicZone and + .spec.privateZone. + + Wildcard DNS management is currently supported only on the AWS, Azure, + and GCP platforms. + + * HostNetwork + + Publishes the ingress controller on node ports where the ingress controller + is deployed. + + In this configuration, the ingress controller deployment uses host + networking, bound to node ports 80 and 443. The user is responsible for + configuring an external load balancer to publish the ingress controller via + the node ports. + + * Private + + Does not publish the ingress controller. + + In this configuration, the ingress controller deployment uses container + networking, and is not explicitly published. The user must manually publish + the ingress controller. + + * NodePortService + + Publishes the ingress controller using a Kubernetes NodePort Service. + + In this configuration, the ingress controller deployment uses container + networking. A NodePort Service is created to publish the deployment. The + specific node ports are dynamically allocated by OpenShift; however, to + support static port allocations, user changes to the node port + field of the managed NodePort Service will preserved. + enum: + - LoadBalancerService + - HostNetwork + - Private + - NodePortService + type: string + required: + - type + type: object + namespaceSelector: + description: namespaceSelector is the actual namespaceSelector in + use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + observedGeneration: + description: observedGeneration is the most recent generation observed. + format: int64 + type: integer + routeSelector: + description: routeSelector is the actual routeSelector in use. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: |- + selector is a label selector, in string format, for ingress controller pods + corresponding to the IngressController. The number of matching pods should + equal the value of availableReplicas. + type: string + tlsProfile: + description: tlsProfile is the TLS connection configuration that is + in effect. + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + type: object + type: object + x-kubernetes-validations: + - message: The combined 'router-' + metadata.name + '.' + .spec.domain cannot + exceed 253 characters + rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name + + ''.'' + self.spec.domain) <= 253' + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 2e45da09e5b..c83a804a169 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -302,8 +302,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -316,18 +319,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -348,6 +380,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,13 +398,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -380,6 +421,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -392,15 +439,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -411,10 +466,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 272d49db0e3..32e3cf9b8bd 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -233,8 +233,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -247,14 +250,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -279,6 +279,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,13 +297,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -311,6 +320,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -323,15 +338,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -342,10 +365,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 23c43814428..a7636b01d0d 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -302,8 +302,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -316,18 +319,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -348,6 +380,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -360,13 +398,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -380,6 +421,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -392,15 +439,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -411,10 +466,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 3c81a12e872..a5677d9b594 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -233,8 +233,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -247,14 +250,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -279,6 +279,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -291,13 +297,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -311,6 +320,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -323,15 +338,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -342,10 +365,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 1d75d68e5a6..114c97cbd75 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -234,8 +234,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -248,18 +251,47 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol @@ -280,6 +312,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -292,13 +330,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -312,6 +353,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -324,15 +371,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -343,10 +398,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml new file mode 100644 index 00000000000..70203c6c034 --- /dev/null +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml new file mode 100644 index 00000000000..4f4862bef74 --- /dev/null +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -0,0 +1,312 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: Default + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..309a946b023 --- /dev/null +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: DevPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml similarity index 86% rename from payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml rename to payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 62bfe308b12..343e12221ab 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -6,6 +6,7 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: OKD labels: openshift.io/operator-managed: "" name: kubeletconfigs.machineconfiguration.openshift.io @@ -116,8 +117,11 @@ spec: custom: description: |- custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: minTLSVersion: VersionTLS11 ciphers: @@ -130,14 +134,11 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries that their operands - do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): ciphers: - - ECDHE-RSA-AES128-GCM-SHA256 - - TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable - and are always enabled when TLS 1.3 is negotiated. + - DES-CBC3-SHA items: type: string type: array @@ -162,6 +163,12 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS12 ciphers: @@ -174,13 +181,16 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: description: |- modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. - + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS13 ciphers: @@ -194,6 +204,12 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: minTLSVersion: VersionTLS10 ciphers: @@ -206,15 +222,23 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 + - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -225,10 +249,9 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are based on version 5.7 of the Mozilla Server Side TLS - configuration guidelines. The cipher lists consist of the configuration's - "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - See: https://ssl-config.mozilla.org/guidelines/5.7.json + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml new file mode 100644 index 00000000000..faf7987cd1d --- /dev/null +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -0,0 +1,344 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/1453 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: TechPreviewNoUpgrade + labels: + openshift.io/operator-managed: "" + name: kubeletconfigs.machineconfiguration.openshift.io +spec: + group: machineconfiguration.openshift.io + names: + kind: KubeletConfig + listKind: KubeletConfigList + plural: kubeletconfigs + singular: kubeletconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: |- + KubeletConfig describes a customized Kubelet configuration. + + Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec contains the desired kubelet configuration. + properties: + autoSizingReserved: + type: boolean + kubeletConfig: + description: |- + kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by + OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from + upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes + for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable. + type: object + x-kubernetes-preserve-unknown-fields: true + logLevel: + format: int32 + type: integer + machineConfigPoolSelector: + description: |- + machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. + A nil selector will result in no pools being selected. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tlsSecurityProfile: + description: |- + If unset, the default is based on the apiservers.config.openshift.io/cluster resource. + Note that only Old and Intermediate profiles are currently supported, and + the maximum available minTLSVersion is VersionTLS12. + properties: + custom: + description: |- + custom is a user-defined TLS security profile. Be extremely careful using a custom + profile as invalid configurations can be catastrophic. + + The curve list for this profile is empty by default. + + An example custom profile looks like this: + + minTLSVersion: VersionTLS11 + ciphers: + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + nullable: true + properties: + ciphers: + description: |- + ciphers is used to specify the cipher algorithms that are negotiated + during the TLS handshake. Operators may remove entries their operands + do not support. For example, to use DES-CBC3-SHA (yaml): + + ciphers: + - DES-CBC3-SHA + items: + type: string + type: array + x-kubernetes-list-type: atomic + curves: + description: |- + curves is an optional field used to specify the elliptic curves that are used during + the TLS handshake. Operators may remove entries their operands do + not support. + + When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + subject to change over time and may be different per platform component depending on the underlying TLS + libraries they use. If specified, the list must contain at least one curve. + + For example, to use X25519 and SecP256r1 (yaml): + + curves: + - X25519 + - SecP256r1 + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - SecP256r1 + - SecP384r1 + - SecP521r1 + - X25519MLKEM768 + type: string + maxItems: 5 + minItems: 1 + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: |- + minTLSVersion is used to specify the minimal version of the TLS protocol + that is negotiated during the TLS handshake. For example, to use TLS + versions 1.1, 1.2 and 1.3 (yaml): + + minTLSVersion: VersionTLS11 + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + intermediate: + description: |- + intermediate is a TLS profile for use when you do not need compatibility with + legacy clients and want to remain highly secure while being compatible with + most clients currently in use. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "intermediate" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + nullable: true + type: object + modern: + description: |- + modern is a TLS security profile for use with clients that support TLS 1.3 and + do not need backward compatibility for older clients. + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS13 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + nullable: true + type: object + old: + description: |- + old is a TLS profile for use when services need to be accessed by very old + clients or libraries and should be used only as a last resort. + + The cipher list includes TLS 1.3 ciphers for forward compatibility, followed + by the "old" profile ciphers. + + The curve list includes by default the following curves: + X25519, SecP256r1, SecP384r1, X25519MLKEM768. + + This profile is equivalent to a Custom profile specified as: + minTLSVersion: VersionTLS10 + ciphers: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-CHACHA20-POLY1305 + - DHE-RSA-AES128-GCM-SHA256 + - DHE-RSA-AES256-GCM-SHA384 + - DHE-RSA-CHACHA20-POLY1305 + - ECDHE-ECDSA-AES128-SHA256 + - ECDHE-RSA-AES128-SHA256 + - ECDHE-ECDSA-AES128-SHA + - ECDHE-RSA-AES128-SHA + - ECDHE-ECDSA-AES256-SHA384 + - ECDHE-RSA-AES256-SHA384 + - ECDHE-ECDSA-AES256-SHA + - ECDHE-RSA-AES256-SHA + - DHE-RSA-AES128-SHA256 + - DHE-RSA-AES256-SHA256 + - AES128-GCM-SHA256 + - AES256-GCM-SHA384 + - AES128-SHA256 + - AES256-SHA256 + - AES128-SHA + - AES256-SHA + - DES-CBC3-SHA + nullable: true + type: object + type: + description: |- + type is one of Old, Intermediate, Modern or Custom. Custom provides the + ability to specify individual TLS security profile parameters. + + The profiles are currently based on version 5.0 of the Mozilla Server Side TLS + configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for + forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + + The profiles are intent based, so they may change over time as new ciphers are + developed and existing ciphers are found to be insecure. Depending on + precisely which ciphers are available to a process, the list may be reduced. + enum: + - Old + - Intermediate + - Modern + - Custom + type: string + type: object + type: object + status: + description: status contains observed information about the kubelet configuration. + properties: + conditions: + description: conditions represents the latest available observations + of current state. + items: + description: KubeletConfigCondition defines the state of the KubeletConfig + properties: + lastTransitionTime: + description: lastTransitionTime is the time of the last update + to the current status object. + format: date-time + nullable: true + type: string + message: + description: |- + message provides additional information about the current condition. + This is only to be consumed by humans. + type: string + reason: + description: reason is the reason for the condition's last transition. Reasons + are PascalCase + type: string + status: + description: status of the condition, one of True, False, Unknown. + type: string + type: + description: type specifies the state of the operator's reconciliation + functionality. + type: string + type: object + type: array + observedGeneration: + description: observedGeneration represents the generation observed + by the controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml index 83f8a22c8a8..b8480415e4e 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml @@ -237,6 +237,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSCurvePreferences" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml index 9e7de93bb2c..cfdf8bf25bf 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml @@ -328,6 +328,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSCurvePreferences" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml index 1b1be6b9064..191153be7c4 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml @@ -239,6 +239,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSCurvePreferences" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml index 6e114c6f791..8c5acc3043b 100644 --- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml @@ -328,6 +328,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSCurvePreferences" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml index df725efc6a0..62df4267d23 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml @@ -231,6 +231,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSCurvePreferences" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml index cf293828cc3..a041f821553 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml @@ -328,6 +328,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSCurvePreferences" + }, { "name": "UpgradeStatus" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml index 3ab78ca5355..0b8cb71f0b6 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml @@ -233,6 +233,9 @@ { "name": "SignatureStores" }, + { + "name": "TLSCurvePreferences" + }, { "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode" }, diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml index 43b82c72114..cadc4181cfb 100644 --- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml +++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml @@ -328,6 +328,9 @@ { "name": "StoragePerformantSecurityPolicy" }, + { + "name": "TLSCurvePreferences" + }, { "name": "UpgradeStatus" }, From 96b5d34c37f09aac2060711496a7cebfc994c69f Mon Sep 17 00:00:00 2001 From: Davide Salerno Date: Fri, 13 Feb 2026 14:56:32 +0100 Subject: [PATCH 2/5] Update config/v1/types_tlssecurityprofile.go Co-authored-by: Bryce Palmer --- config/v1/types_tlssecurityprofile.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index 33fab07827c..f6b03654259 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -164,11 +164,11 @@ const ( // TLSCurveX25519 represents X25519. TLSCurveX25519 TLSCurve = "X25519" // TLSCurveSecp256r1 represents P-256 (secp256r1). - TLSCurveSecp256r1 TLSCurve = "SecP256r1" - // TLSCurveSecp384r1 represents P-384 (secp384r1). - TLSCurveSecp384r1 TLSCurve = "SecP384r1" - // TLSCurveSecp521r1 represents P-521 (secp521r1). - TLSCurveSecp521r1 TLSCurve = "SecP521r1" + TLSCurveSecP256r1 TLSCurve = "SecP256r1" + // TLSCurveSecP384r1 represents P-384 (secp384r1). + TLSCurveSecP384r1 TLSCurve = "SecP384r1" + // TLSCurveSecP521r1 represents P-521 (secp521r1). + TLSCurveSecP521r1 TLSCurve = "SecP521r1" // TLSCurveX25519MLKEM768 represents X25519MLKEM768. TLSCurveX25519MLKEM768 TLSCurve = "X25519MLKEM768" ) From 807ec6896e89cb69fcdd3909618d704695fbd874 Mon Sep 17 00:00:00 2001 From: Davide Salerno Date: Fri, 13 Feb 2026 15:22:51 +0100 Subject: [PATCH 3/5] Add feature gate test to verify that curves could be omitted Signed-off-by: Davide Salerno --- .../TLSCurvePreferences.yaml | 38 ++++++++++++++ .../TLSCurvePreferences.yaml | 34 +++++++++++++ .../TLSCurvePreferences.yaml | 49 +++++++++++++++++++ 3 files changed, 121 insertions(+) diff --git a/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml b/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml index 8c64e86f331..24c04062f7d 100644 --- a/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/TLSCurvePreferences.yaml @@ -281,6 +281,44 @@ tests: curves: - SecP256r1 - SecP384r1 + - name: Should be able to remove curves field from existing Custom TLS profile + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 - name: Should fail to remove all curves from existing Custom TLS profile initial: | apiVersion: config.openshift.io/v1 diff --git a/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml b/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml index 91c35ef490e..38d5250e744 100644 --- a/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml +++ b/machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml @@ -263,6 +263,40 @@ tests: curves: - SecP256r1 - SecP384r1 + - name: Should be able to remove curves field from existing Custom TLS profile + initial: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: machineconfiguration.openshift.io/v1 + kind: KubeletConfig + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 - name: Should fail to remove all curves from existing Custom TLS profile initial: | apiVersion: machineconfiguration.openshift.io/v1 diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml index 52918acc95d..59b1a7c276d 100644 --- a/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml +++ b/operator/v1/tests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml @@ -347,6 +347,55 @@ tests: curves: - SecP256r1 - SecP384r1 + - name: Should be able to remove curves field from existing Custom TLS profile + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + curves: + - X25519 + - SecP256r1 + updated: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: default + namespace: openshift-ingress-operator + spec: + closedClientConnectionPolicy: Continue + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + tlsSecurityProfile: + type: Custom + custom: + minTLSVersion: VersionTLS12 + ciphers: + - TLS_AES_128_GCM_SHA256 - name: Should fail to remove all curves from existing Custom TLS profile initial: | apiVersion: operator.openshift.io/v1 From 26f6dc67beaef66b94a4c0d1c8e65ec7d70cee06 Mon Sep 17 00:00:00 2001 From: Davide Salerno Date: Fri, 13 Feb 2026 15:39:31 +0100 Subject: [PATCH 4/5] make update Signed-off-by: Davide Salerno --- config/v1/types_tlssecurityprofile.go | 12 ++++++------ ...g-operator_01_apiservers-CustomNoUpgrade.crd.yaml | 6 ------ ...10_config-operator_01_apiservers-Default.crd.yaml | 6 ------ ...erator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 6 ------ ...000_10_config-operator_01_apiservers-OKD.crd.yaml | 6 ------ ...rator_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 6 ------ .../apiservers.config.openshift.io/AAA_ungated.yaml | 6 ------ .../KMSEncryption.yaml | 6 ------ .../KMSEncryptionProvider.yaml | 6 ------ .../TLSCurvePreferences.yaml | 6 ------ config/v1/zz_generated.swagger_doc_generated.go | 4 ++-- ...config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 6 ------ ...machine-config_01_kubeletconfigs-Default.crd.yaml | 6 ------ ...ig_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 6 ------ ..._80_machine-config_01_kubeletconfigs-OKD.crd.yaml | 6 ------ ...g_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml | 6 ------ .../AAA_ungated.yaml | 6 ------ .../TLSCurvePreferences.yaml | 6 ------ openapi/generated_openapi/zz_generated.openapi.go | 4 ++-- openapi/openapi.json | 10 +++++----- ...ss_00_ingresscontrollers-CustomNoUpgrade.crd.yaml | 6 ------ ...50_ingress_00_ingresscontrollers-Default.crd.yaml | 6 ------ ...0_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml | 6 ------ ...000_50_ingress_00_ingresscontrollers-OKD.crd.yaml | 6 ------ ..._ingresscontrollers-TechPreviewNoUpgrade.crd.yaml | 6 ------ .../AAA_ungated.yaml | 6 ------ .../TLSCurvePreferences.yaml | 6 ------ ...g-operator_01_apiservers-CustomNoUpgrade.crd.yaml | 6 ------ ...10_config-operator_01_apiservers-Default.crd.yaml | 6 ------ ...erator_01_apiservers-DevPreviewNoUpgrade.crd.yaml | 6 ------ ...000_10_config-operator_01_apiservers-OKD.crd.yaml | 6 ------ ...rator_01_apiservers-TechPreviewNoUpgrade.crd.yaml | 6 ------ ...config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 6 ------ ...machine-config_01_kubeletconfigs-Default.crd.yaml | 6 ------ ...ig_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 6 ------ ..._80_machine-config_01_kubeletconfigs-OKD.crd.yaml | 6 ------ ...g_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml | 6 ------ 37 files changed, 15 insertions(+), 213 deletions(-) diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index f6b03654259..20e8a5fcebf 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -278,8 +278,8 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ }, Curves: []TLSCurve{ TLSCurveX25519, - TLSCurveSecp256r1, - TLSCurveSecp384r1, + TLSCurveSecP256r1, + TLSCurveSecP384r1, TLSCurveX25519MLKEM768, }, MinTLSVersion: VersionTLS10, @@ -298,8 +298,8 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ }, Curves: []TLSCurve{ TLSCurveX25519, - TLSCurveSecp256r1, - TLSCurveSecp384r1, + TLSCurveSecP256r1, + TLSCurveSecP384r1, TLSCurveX25519MLKEM768, }, MinTLSVersion: VersionTLS12, @@ -312,8 +312,8 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ }, Curves: []TLSCurve{ TLSCurveX25519, - TLSCurveSecp256r1, - TLSCurveSecp384r1, + TLSCurveSecP256r1, + TLSCurveSecP384r1, TLSCurveX25519MLKEM768, }, MinTLSVersion: VersionTLS13, diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index c83a804a169..428080292b9 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -380,9 +380,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -421,9 +418,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 32e3cf9b8bd..8ba7facfc69 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -279,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -320,9 +317,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index a7636b01d0d..795a6bbb9a2 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -380,9 +380,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -421,9 +418,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index a5677d9b594..1b4e173f19c 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -279,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -320,9 +317,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 114c97cbd75..72559fc76bd 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -312,9 +312,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -353,9 +350,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index 14dccbabaf1..2fc78499889 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -279,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -320,9 +317,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index e879458c8ce..a2ba0bfb023 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -280,9 +280,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -321,9 +318,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index ddd39480293..02387876d84 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -348,9 +348,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -389,9 +386,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml index 5ca0e619e3d..b0f319cd494 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml @@ -306,9 +306,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -347,9 +344,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index f562bd890c5..1b9d2f13f11 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -3016,8 +3016,8 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe curve list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml index 70203c6c034..f76d502a787 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml index 4f4862bef74..0efeb5e4878 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -163,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -204,9 +201,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml index 309a946b023..a017bef104c 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 343e12221ab..23cf5b9646f 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -163,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -204,9 +201,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml index faf7987cd1d..573ed55ddaa 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 3ddec7bed38..1f13c4f0c94 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -163,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -204,9 +201,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml index b349b320971..8d98c12e564 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 5e071a26be9..b767b0ad049 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -20968,13 +20968,13 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index f94bd24e8ad..af3d18c9697 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -6348,7 +6348,7 @@ "x-kubernetes-list-type": "atomic" }, "curves": { - "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use.\n\nFor example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256", + "description": "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", "type": "array", "items": { "type": "string", @@ -11329,7 +11329,7 @@ "x-kubernetes-list-type": "atomic" }, "curves": { - "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use.\n\nFor example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256", + "description": "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", "type": "array", "items": { "type": "string", @@ -11353,15 +11353,15 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { - "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThe curve list includes by default the following curves: X25519, P-256, P-384, P-521, X25519MLKEM768, P256r1MLKEM768, P384r1MLKEM1024.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml index 8eadb4ca4c8..e857d998609 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -2070,9 +2070,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2111,9 +2108,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml index 88cff97976a..13c6c8aec62 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -2038,9 +2038,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2079,9 +2076,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml index 8fab4f058aa..54921998907 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml @@ -2070,9 +2070,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2111,9 +2108,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index 6267311c953..87135857fe2 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml @@ -2038,9 +2038,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2079,9 +2076,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml index 2efe9d649b5..c752ebb4261 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml @@ -2070,9 +2070,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2111,9 +2108,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 57aef85d317..0868b57d23a 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -2031,9 +2031,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2072,9 +2069,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml index 4bfbf596c2d..4527400dec1 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml @@ -2063,9 +2063,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -2104,9 +2101,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index c83a804a169..428080292b9 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -380,9 +380,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -421,9 +418,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 32e3cf9b8bd..8ba7facfc69 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -279,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -320,9 +317,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index a7636b01d0d..795a6bbb9a2 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -380,9 +380,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -421,9 +418,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml index a5677d9b594..1b4e173f19c 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -279,9 +279,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -320,9 +317,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 114c97cbd75..72559fc76bd 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -312,9 +312,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -353,9 +350,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml index 70203c6c034..f76d502a787 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml index 4f4862bef74..0efeb5e4878 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -163,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -204,9 +201,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml index 309a946b023..a017bef104c 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 343e12221ab..23cf5b9646f 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -163,9 +163,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -204,9 +201,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml index faf7987cd1d..573ed55ddaa 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -195,9 +195,6 @@ spec: legacy clients and want to remain highly secure while being compatible with most clients currently in use. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "intermediate" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. @@ -236,9 +233,6 @@ spec: old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort. - The cipher list includes TLS 1.3 ciphers for forward compatibility, followed - by the "old" profile ciphers. - The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. From b6786238ec55cda6f5d7d1e09a185ed7a5f9dbab Mon Sep 17 00:00:00 2001 From: Davide Salerno Date: Fri, 13 Feb 2026 16:12:41 +0100 Subject: [PATCH 5/5] make update after rebase Regenerate CRD manifests, OpenAPI definitions, and swagger docs after rebasing on upstream/masr Signed-off-by: Davide Salerno --- config/v1/types_tlssecurityprofile.go | 2 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 28 +- ...ig-operator_01_apiservers-Default.crd.yaml | 26 +- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 28 +- ...config-operator_01_apiservers-OKD.crd.yaml | 26 +- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 28 +- .../AAA_ungated.yaml | 26 +- .../KMSEncryption.yaml | 26 +- .../KMSEncryptionProvider.yaml | 26 +- .../TLSCurvePreferences.yaml | 28 +- .../v1/zz_generated.swagger_doc_generated.go | 10 +- ...01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 28 +- ...-config_01_kubeletconfigs-Default.crd.yaml | 26 +- ...ubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 28 +- ...hine-config_01_kubeletconfigs-OKD.crd.yaml | 26 +- ...beletconfigs-TechPreviewNoUpgrade.crd.yaml | 28 +- .../AAA_ungated.yaml | 26 +- .../TLSCurvePreferences.yaml | 28 +- .../generated_openapi/zz_generated.openapi.go | 460 +++++++++++++++++- ...ngresscontrollers-CustomNoUpgrade.crd.yaml | 39 +- ...ess_00_ingresscontrollers-Default.crd.yaml | 35 +- ...sscontrollers-DevPreviewNoUpgrade.crd.yaml | 39 +- ...ingress_00_ingresscontrollers-OKD.crd.yaml | 35 +- ...scontrollers-TechPreviewNoUpgrade.crd.yaml | 39 +- .../AAA_ungated.yaml | 35 +- .../TLSCurvePreferences.yaml | 39 +- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 28 +- ...ig-operator_01_apiservers-Default.crd.yaml | 26 +- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 28 +- ...config-operator_01_apiservers-OKD.crd.yaml | 26 +- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 28 +- ...01_kubeletconfigs-CustomNoUpgrade.crd.yaml | 28 +- ...-config_01_kubeletconfigs-Default.crd.yaml | 26 +- ...ubeletconfigs-DevPreviewNoUpgrade.crd.yaml | 28 +- ...hine-config_01_kubeletconfigs-OKD.crd.yaml | 26 +- ...beletconfigs-TechPreviewNoUpgrade.crd.yaml | 28 +- 36 files changed, 848 insertions(+), 589 deletions(-) diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go index 20e8a5fcebf..4891a7489a6 100644 --- a/config/v1/types_tlssecurityprofile.go +++ b/config/v1/types_tlssecurityprofile.go @@ -192,7 +192,7 @@ type TLSProfileSpec struct { // // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are // subject to change over time and may be different per platform component depending on the underlying TLS - // libraries they use. If specified, the list must contain at least one curve. + // libraries they use. If specified, the list must contain at least one curve and each curve must be unique. // // For example, to use X25519 and SecP256r1 (yaml): // diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 428080292b9..a77f32323cd 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -319,11 +319,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -336,7 +339,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -395,8 +398,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -433,23 +434,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -460,9 +453,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 8ba7facfc69..543f601c96b 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -250,11 +250,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -294,8 +297,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -332,23 +333,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -359,9 +352,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 795a6bbb9a2..455500d698e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -319,11 +319,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -336,7 +339,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -395,8 +398,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -433,23 +434,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -460,9 +453,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 1b4e173f19c..a3520df19cd 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -250,11 +250,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -294,8 +297,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -332,23 +333,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -359,9 +352,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 72559fc76bd..36abe094627 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -251,11 +251,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -268,7 +271,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -327,8 +330,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -365,23 +366,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -392,9 +385,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index 2fc78499889..748ebca6395 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml @@ -250,11 +250,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -294,8 +297,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -332,23 +333,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -359,9 +352,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml index a2ba0bfb023..84891216933 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml @@ -251,11 +251,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -295,8 +298,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -333,23 +334,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -360,9 +353,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 02387876d84..5361b1d0b13 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -319,11 +319,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -363,8 +366,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -401,23 +402,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -428,9 +421,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml index b0f319cd494..d2d42851b2b 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSCurvePreferences.yaml @@ -245,11 +245,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -262,7 +265,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -321,8 +324,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -359,23 +360,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -386,9 +379,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 1b9d2f13f11..fd0da9878ce 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -3004,8 +3004,8 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", - "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", - "curves": "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", + "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + "curves": "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve and each curve must be unique.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } @@ -3015,9 +3015,9 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe curve list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml index f76d502a787..6c3136a7530 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml index 0efeb5e4878..c58025beae0 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -178,8 +181,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -216,23 +217,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -243,9 +236,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml index a017bef104c..6f2bdcec1be 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 23cf5b9646f..542c24a5203 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -178,8 +181,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -216,23 +217,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -243,9 +236,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml index 573ed55ddaa..ab9f57c0f36 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 1f13c4f0c94..d3822330b64 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -178,8 +181,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -216,23 +217,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -243,9 +236,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml index 8d98c12e564..25f23f4dad2 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/TLSCurvePreferences.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index b767b0ad049..f5406d3fb11 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -821,8 +821,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.DataDisk": schema_openshift_api_machine_v1beta1_DataDisk(ref), "github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters": schema_openshift_api_machine_v1beta1_DataDiskManagedDiskParameters(ref), "github.com/openshift/api/machine/v1beta1.DedicatedHost": schema_openshift_api_machine_v1beta1_DedicatedHost(ref), + "github.com/openshift/api/machine/v1beta1.DedicatedHostStatus": schema_openshift_api_machine_v1beta1_DedicatedHostStatus(ref), "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters": schema_openshift_api_machine_v1beta1_DiskEncryptionSetParameters(ref), "github.com/openshift/api/machine/v1beta1.DiskSettings": schema_openshift_api_machine_v1beta1_DiskSettings(ref), + "github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec": schema_openshift_api_machine_v1beta1_DynamicHostAllocationSpec(ref), "github.com/openshift/api/machine/v1beta1.EBSBlockDeviceSpec": schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref), "github.com/openshift/api/machine/v1beta1.Filter": schema_openshift_api_machine_v1beta1_Filter(ref), "github.com/openshift/api/machine/v1beta1.GCPDisk": schema_openshift_api_machine_v1beta1_GCPDisk(ref), @@ -1206,6 +1208,13 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.UpstreamResolvers": schema_openshift_api_operator_v1_UpstreamResolvers(ref), "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec": schema_openshift_api_operator_v1_VSphereCSIDriverConfigSpec(ref), "github.com/openshift/api/operator/v1alpha1.BackupJobReference": schema_openshift_api_operator_v1alpha1_BackupJobReference(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPI": schema_openshift_api_operator_v1alpha1_ClusterAPI(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponent(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponentImage(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision": schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerRevision(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPIList": schema_openshift_api_operator_v1alpha1_ClusterAPIList(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPISpec": schema_openshift_api_operator_v1alpha1_ClusterAPISpec(ref), + "github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus": schema_openshift_api_operator_v1alpha1_ClusterAPIStatus(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperator": schema_openshift_api_operator_v1alpha1_ClusterVersionOperator(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperatorList": schema_openshift_api_operator_v1alpha1_ClusterVersionOperatorList(ref), "github.com/openshift/api/operator/v1alpha1.ClusterVersionOperatorSpec": schema_openshift_api_operator_v1alpha1_ClusterVersionOperatorSpec(ref), @@ -12429,7 +12438,7 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -12449,7 +12458,7 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, }, SchemaProps: spec.SchemaProps{ - Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", + Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve and each curve must be unique.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20903,7 +20912,7 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, }, SchemaProps: spec.SchemaProps{ - Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20923,7 +20932,7 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, }, SchemaProps: spec.SchemaProps{ - Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", + Description: "curves is an optional field used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one curve and each curve must be unique.\n\nFor example, to use X25519 and SecP256r1 (yaml):\n\n curves:\n - X25519\n - SecP256r1", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ @@ -20960,7 +20969,7 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + Description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", Default: "", Type: []string{"string"}, Format: "", @@ -20968,13 +20977,13 @@ func schema_openshift_api_config_v1_TLSSecurityProfile(ref common.ReferenceCallb }, "old": { SchemaProps: spec.SchemaProps{ - Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + Description: "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", Ref: ref("github.com/openshift/api/config/v1.OldTLSProfile"), }, }, "intermediate": { SchemaProps: spec.SchemaProps{ - Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + Description: "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe curve list includes by default the following curves: X25519, SecP256r1, SecP384r1, X25519MLKEM768.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", Ref: ref("github.com/openshift/api/config/v1.IntermediateTLSProfile"), }, }, @@ -41162,11 +41171,17 @@ func schema_openshift_api_machine_v1beta1_AWSMachineProviderStatus(ref common.Re }, }, }, + "dedicatedHost": { + SchemaProps: spec.SchemaProps{ + Description: "dedicatedHost tracks the dynamically allocated dedicated host. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). When omitted, this indicates that the dedicated host has not yet been allocated, or allocation is in progress.", + Ref: ref("github.com/openshift/api/machine/v1beta1.DedicatedHostStatus"), + }, + }, }, }, }, Dependencies: []string{ - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, + "github.com/openshift/api/machine/v1beta1.DedicatedHostStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"}, } } @@ -41903,10 +41918,60 @@ func schema_openshift_api_machine_v1beta1_DedicatedHost(ref common.ReferenceCall SchemaProps: spec.SchemaProps{ Description: "DedicatedHost represents the configuration for the usage of dedicated host.", Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "allocationStrategy": { + SchemaProps: spec.SchemaProps{ + Description: "allocationStrategy specifies if the dedicated host will be provided by the admin through the id field or if the host will be dynamically allocated. Valid values are UserProvided and Dynamic. When omitted, the value defaults to \"UserProvided\", which requires the id field to be set. When allocationStrategy is set to UserProvided, an ID of the dedicated host to assign must be provided. When allocationStrategy is set to Dynamic, a dedicated host will be allocated and used to assign instances. When allocationStrategy is set to Dynamic, and dynamicHostAllocation is configured, a dedicated host will be allocated and the tags in dynamicHostAllocation will be assigned to that host.\n\nPossible enum values:\n - `\"Dynamic\"` specifies that the system should dynamically allocate a dedicated host for instances.\n - `\"UserProvided\"` specifies that the system should assign instances to a user-provided dedicated host.", + Default: "UserProvided", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"Dynamic", "UserProvided"}, + }, + }, + "id": { + SchemaProps: spec.SchemaProps{ + Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length. This field is required when allocationStrategy is UserProvided, and forbidden otherwise. When omitted with allocationStrategy set to Dynamic, the platform will dynamically allocate a dedicated host.", + Type: []string{"string"}, + Format: "", + }, + }, + "dynamicHostAllocation": { + SchemaProps: spec.SchemaProps{ + Description: "dynamicHostAllocation specifies tags to apply to a dynamically allocated dedicated host. This field is only allowed when allocationStrategy is Dynamic, and is mutually exclusive with id. When specified, a dedicated host will be allocated with the provided tags applied. When omitted (and allocationStrategy is Dynamic), a dedicated host will be allocated without any additional tags.", + Ref: ref("github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec"), + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "allocationStrategy", + "fields-to-discriminateBy": map[string]interface{}{ + "dynamicHostAllocation": "DynamicHostAllocation", + "id": "ID", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DynamicHostAllocationSpec"}, + } +} + +func schema_openshift_api_machine_v1beta1_DedicatedHostStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DedicatedHostStatus defines the observed state of a dynamically allocated dedicated host associated with an AWSMachine. This struct is used to track the ID of the dedicated host.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "id": { SchemaProps: spec.SchemaProps{ - Description: "id identifies the AWS Dedicated Host on which the instance must run. The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", + Description: "id tracks the dynamically allocated dedicated host ID. This field is populated when allocationStrategy is Dynamic (with or without DynamicHostAllocation). The value must start with \"h-\" followed by either 8 or 17 lowercase hexadecimal characters (0-9 and a-f). The use of 8 lowercase hexadecimal characters is for older legacy hosts that may not have been migrated to newer format. Must be either 10 or 19 characters in length.", Type: []string{"string"}, Format: "", }, @@ -41958,6 +42023,43 @@ func schema_openshift_api_machine_v1beta1_DiskSettings(ref common.ReferenceCallb } } +func schema_openshift_api_machine_v1beta1_DynamicHostAllocationSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DynamicHostAllocationSpec defines the configuration for dynamic dedicated host allocation. This specification always allocates exactly one dedicated host per machine. At least one property must be specified when this struct is used. Currently only Tags are available for configuring, but in the future more configs may become available.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "tags": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "name", + }, + "x-kubernetes-list-type": "map", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "tags specifies a set of key-value pairs to apply to the allocated dedicated host. When omitted, no additional user-defined tags will be applied to the allocated host. A maximum of 50 tags can be specified.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.TagSpecification"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.TagSpecification"}, + } +} + func schema_openshift_api_machine_v1beta1_EBSBlockDeviceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -44316,7 +44418,7 @@ func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceC Properties: map[string]spec.Schema{ "name": { SchemaProps: spec.SchemaProps{ - Description: "name of the tag", + Description: "name of the tag. This field is required and must be a non-empty string. Must be between 1 and 128 characters in length.", Default: "", Type: []string{"string"}, Format: "", @@ -44324,14 +44426,14 @@ func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceC }, "value": { SchemaProps: spec.SchemaProps{ - Description: "value of the tag", + Description: "value of the tag. When omitted, this creates a tag with an empty string as the value.", Default: "", Type: []string{"string"}, Format: "", }, }, }, - Required: []string{"name", "value"}, + Required: []string{"name"}, }, }, } @@ -61637,6 +61739,340 @@ func schema_openshift_api_operator_v1alpha1_BackupJobReference(ref common.Refere } } +func schema_openshift_api_operator_v1alpha1_ClusterAPI(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPI provides configuration for the capi-operator.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec is the specification of the desired behavior of the capi-operator.", + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPISpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status defines the observed status of the capi-operator.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus"), + }, + }, + }, + Required: []string{"metadata", "spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1alpha1.ClusterAPISpec", "github.com/openshift/api/operator/v1alpha1.ClusterAPIStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponent(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPIInstallerComponent defines a component which will be installed by this revision.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is the source type of the component. The only valid value is Image. When set to Image, the image field must be set and will define an image source for the component.\n\nPossible enum values:\n - `\"Image\"` is an image source for a component.", + Type: []string{"string"}, + Format: "", + Enum: []interface{}{"Image"}, + }, + }, + "image": { + SchemaProps: spec.SchemaProps{ + Description: "image defines an image source for a component. The image must contain a /capi-operator-installer directory containing the component manifests.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage"), + }, + }, + }, + Required: []string{"type"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "image": "Image", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponentImage"}, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerComponentImage(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPIInstallerComponentImage defines an image source for a component.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "ref": { + SchemaProps: spec.SchemaProps{ + Description: "ref is an image reference to the image containing the component manifests. The reference must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:. The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the field must be between 1 to 447 characters.", + Type: []string{"string"}, + Format: "", + }, + }, + "profile": { + SchemaProps: spec.SchemaProps{ + Description: "profile is the name of a profile to use from the image.\n\nA profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"ref", "profile"}, + }, + }, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPIInstallerRevision(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name is the name of a revision.", + Type: []string{"string"}, + Format: "", + }, + }, + "revision": { + SchemaProps: spec.SchemaProps{ + Description: "revision is a monotonically increasing number that is assigned to a revision.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "contentID": { + SchemaProps: spec.SchemaProps{ + Description: "contentID uniquely identifies the content of this revision. The contentID must be between 1 and 255 characters long.", + Type: []string{"string"}, + Format: "", + }, + }, + "unmanagedCustomResourceDefinitions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "unmanagedCustomResourceDefinitions is a list of the names of ClusterResourceDefinition (CRD) objects which are included in this revision, but which should not be installed or updated. If not set, all CRDs in the revision will be managed by the CAPI operator.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "components": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "components is list of components which will be installed by this revision. Components will be installed in the order they are listed.\n\nThe maximum number of components is 32.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent"), + }, + }, + }, + }, + }, + }, + Required: []string{"name", "revision", "contentID", "components"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-map-type": "atomic", + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerComponent"}, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPIList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPIList contains a list of ClusterAPI configurations\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items contains the items", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPI"), + }, + }, + }, + }, + }, + }, + Required: []string{"metadata", "items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1alpha1.ClusterAPI", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPISpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPISpec defines the desired configuration of the capi-operator. The spec is required but we deliberately allow it to be empty.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "unmanagedCustomResourceDefinitions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "set", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. CRD names must contain at least two '.' characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_operator_v1alpha1_ClusterAPIStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ClusterAPIStatus describes the current state of the capi-operator.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "currentRevision": { + SchemaProps: spec.SchemaProps{ + Description: "currentRevision is the name of the most recently fully applied revision. It is written by the installer controller. If it is absent, it indicates that no revision has been fully applied yet. If set, currentRevision must correspond to an entry in the revisions list.", + Type: []string{"string"}, + Format: "", + }, + }, + "desiredRevision": { + SchemaProps: spec.SchemaProps{ + Description: "desiredRevision is the name of the desired revision. It is written by the revision controller. It must be set to the name of the entry in the revisions list with the highest revision number.", + Type: []string{"string"}, + Format: "", + }, + }, + "revisions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "revisions is a list of all currently active revisions. A revision is active until the installer controller updates currentRevision to a later revision. It is written by the revision controller.\n\nThe maximum number of revisions is 16. All revisions must have a unique name. All revisions must have a unique revision number. When adding a revision, the revision number must be greater than the highest revision number in the list. Revisions are immutable, although they can be deleted.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision"), + }, + }, + }, + }, + }, + }, + Required: []string{"desiredRevision", "revisions"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1alpha1.ClusterAPIInstallerRevision"}, + } +} + func schema_openshift_api_operator_v1alpha1_ClusterVersionOperator(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml index e857d998609..60204f8a727 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -2009,11 +2009,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2026,7 +2029,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -2085,8 +2088,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2123,23 +2124,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2150,9 +2143,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3290,11 +3284,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -3307,7 +3304,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml index 13c6c8aec62..145fe61a699 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml @@ -2009,11 +2009,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2053,8 +2056,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2091,23 +2092,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2118,9 +2111,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3258,11 +3252,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml index 54921998907..2b13e35bdd3 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml @@ -2009,11 +2009,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2026,7 +2029,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -2085,8 +2088,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2123,23 +2124,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2150,9 +2143,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3290,11 +3284,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -3307,7 +3304,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index 87135857fe2..b0261048181 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml @@ -2009,11 +2009,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2053,8 +2056,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2091,23 +2092,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2118,9 +2111,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3258,11 +3252,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml index c752ebb4261..0f905ad35b1 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml @@ -2009,11 +2009,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2026,7 +2029,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -2085,8 +2088,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2123,23 +2124,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2150,9 +2143,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3290,11 +3284,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -3307,7 +3304,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 0868b57d23a..b866e091e84 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -2002,11 +2002,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2046,8 +2049,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2084,23 +2085,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2111,9 +2104,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3240,11 +3234,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml index 4527400dec1..310a64938d4 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/TLSCurvePreferences.yaml @@ -2002,11 +2002,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -2019,7 +2022,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -2078,8 +2081,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -2116,23 +2117,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -2143,9 +2136,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on @@ -3272,11 +3266,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -3289,7 +3286,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 428080292b9..a77f32323cd 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -319,11 +319,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -336,7 +339,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -395,8 +398,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -433,23 +434,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -460,9 +453,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 8ba7facfc69..543f601c96b 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -250,11 +250,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -294,8 +297,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -332,23 +333,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -359,9 +352,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index 795a6bbb9a2..455500d698e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -319,11 +319,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -336,7 +339,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -395,8 +398,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -433,23 +434,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -460,9 +453,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml index 1b4e173f19c..a3520df19cd 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-OKD.crd.yaml @@ -250,11 +250,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -294,8 +297,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -332,23 +333,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -359,9 +352,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 72559fc76bd..36abe094627 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -251,11 +251,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -268,7 +271,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -327,8 +330,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -365,23 +366,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -392,9 +385,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml index f76d502a787..6c3136a7530 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-CustomNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml index 0efeb5e4878..c58025beae0 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-Default.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -178,8 +181,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -216,23 +217,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -243,9 +236,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml index a017bef104c..6f2bdcec1be 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-DevPreviewNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml index 23cf5b9646f..542c24a5203 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-OKD.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -178,8 +181,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -216,23 +217,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -243,9 +236,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml index 573ed55ddaa..ab9f57c0f36 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs-TechPreviewNoUpgrade.crd.yaml @@ -134,11 +134,14 @@ spec: ciphers: description: |- ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): + during the TLS handshake. Operators may remove entries that their operands + do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml): ciphers: - - DES-CBC3-SHA + - ECDHE-RSA-AES128-GCM-SHA256 + + TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable + and are always enabled when TLS 1.3 is negotiated. items: type: string type: array @@ -151,7 +154,7 @@ spec: When omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS - libraries they use. If specified, the list must contain at least one curve. + libraries they use. If specified, the list must contain at least one curve and each curve must be unique. For example, to use X25519 and SecP256r1 (yaml): @@ -210,8 +213,6 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 nullable: true type: object modern: @@ -248,23 +249,15 @@ spec: - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 - - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - - ECDHE-ECDSA-AES256-SHA384 - - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - - DHE-RSA-AES128-SHA256 - - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA @@ -275,9 +268,10 @@ spec: type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. - The profiles are currently based on version 5.0 of the Mozilla Server Side TLS - configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for - forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json + The profiles are based on version 5.7 of the Mozilla Server Side TLS + configuration guidelines. The cipher lists consist of the configuration's + "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. + See: https://ssl-config.mozilla.org/guidelines/5.7.json The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on