Rename enum values to LegacyExternalAPIServerComponentsOnly and StrictAllComponents

Author: richardsonnick

config/v1/types_apiserver.go

@@ -65,20 +65,21 @@ type APIServerSpec struct {
 	// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
 	// configured on this APIServer resource.
 	//
-	// Valid values are "Legacy" and "Strict".
+	// Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
 	//
-	// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
-	// but may fall back to their individual defaults if conflicts arise. This mode is intended for
-	// clusters that need to maintain compatibility with existing configurations during migration.
+	// When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+	// the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+	// This mode is intended for clusters that need to maintain compatibility with existing
+	// configurations during migration.
 	//
-	// When set to "Strict", all components must strictly honor the configured TLS profile.
+	// When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
 	// This mode is recommended for security-conscious deployments and is required for
 	// certain compliance frameworks.
 	//
-	// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
+	// Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
 	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 	//
-	// When omitted, the default value is "Legacy".
+	// When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
 	// +openshift:enable:FeatureGate=TLSAdherence
 	// +optional
 	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
@@ -258,20 +259,20 @@ type APIServerStatus struct {
 }
 
 // TLSAdherencePolicy defines how strictly components adhere to the TLS security profile.
-// +kubebuilder:validation:Enum=Legacy;Strict
+// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
 type TLSAdherencePolicy string
 
 const (
-	// TLSAdherenceLegacy provides backward-compatible behavior where components attempt to
-	// honor the configured TLS profile but may fall back to their individual defaults if
-	// conflicts arise. This mode is intended for clusters that need to maintain compatibility
-	// with existing configurations during migration.
-	TLSAdherenceLegacy TLSAdherencePolicy = "Legacy"
+	// TLSAdherenceLegacyExternalAPIServerComponentsOnly provides backward-compatible behavior
+	// where components attempt to honor the configured TLS profile but may fall back to their
+	// individual defaults if conflicts arise. This mode is intended for clusters that need to
+	// maintain compatibility with existing configurations during migration.
+	TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly"
 
-	// TLSAdherenceStrict enforces strict adherence to the TLS configuration. All components
-	// must honor the configured profile. This mode is recommended for security-conscious
-	// deployments and is required for certain compliance frameworks.
-	TLSAdherenceStrict TLSAdherencePolicy = "Strict"
+	// TLSAdherenceStrictAllComponents enforces strict adherence to the TLS configuration.
+	// All components must honor the configured profile. This mode is recommended for
+	// security-conscious deployments and is required for certain compliance frameworks.
+	TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -297,27 +297,24 @@ spec:
                   tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
                   configured on this APIServer resource.
 
-                  Valid values are "Legacy" and "Strict".
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
 
-                  When set to "Legacy" (the default), components attempt to honor the configured TLS profile
-                  but may fall back to their individual defaults if conflicts arise. This mode is intended for
-                  clusters that need to maintain compatibility with existing configurations during migration.
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+                  the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+                  This mode is intended for clusters that need to maintain compatibility with existing
+                  configurations during migration.
 
-                  When set to "Strict", all components must strictly honor the configured TLS profile.
+                  When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
                   This mode is recommended for security-conscious deployments and is required for
                   certain compliance frameworks.
 
-                  Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
                   and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 
-                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
-                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
-                  IngressController CRs respectively.
-
-                  When omitted, the default value is "Legacy".
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
                 enum:
-                - Legacy
-                - Strict
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
                 type: string
               tlsSecurityProfile:
                 description: |-

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -297,27 +297,24 @@ spec:
                   tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
                   configured on this APIServer resource.
 
-                  Valid values are "Legacy" and "Strict".
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
 
-                  When set to "Legacy" (the default), components attempt to honor the configured TLS profile
-                  but may fall back to their individual defaults if conflicts arise. This mode is intended for
-                  clusters that need to maintain compatibility with existing configurations during migration.
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+                  the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+                  This mode is intended for clusters that need to maintain compatibility with existing
+                  configurations during migration.
 
-                  When set to "Strict", all components must strictly honor the configured TLS profile.
+                  When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
                   This mode is recommended for security-conscious deployments and is required for
                   certain compliance frameworks.
 
-                  Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
                   and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 
-                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
-                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
-                  IngressController CRs respectively.
-
-                  When omitted, the default value is "Legacy".
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
                 enum:
-                - Legacy
-                - Strict
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
                 type: string
               tlsSecurityProfile:
                 description: |-

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -229,27 +229,24 @@ spec:
                   tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
                   configured on this APIServer resource.
 
-                  Valid values are "Legacy" and "Strict".
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
 
-                  When set to "Legacy" (the default), components attempt to honor the configured TLS profile
-                  but may fall back to their individual defaults if conflicts arise. This mode is intended for
-                  clusters that need to maintain compatibility with existing configurations during migration.
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+                  the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+                  This mode is intended for clusters that need to maintain compatibility with existing
+                  configurations during migration.
 
-                  When set to "Strict", all components must strictly honor the configured TLS profile.
+                  When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
                   This mode is recommended for security-conscious deployments and is required for
                   certain compliance frameworks.
 
-                  Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
                   and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 
-                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
-                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
-                  IngressController CRs respectively.
-
-                  When omitted, the default value is "Legacy".
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
                 enum:
-                - Legacy
-                - Strict
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
                 type: string
               tlsSecurityProfile:
                 description: |-

config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/TLSAdherence.yaml

@@ -223,27 +223,24 @@ spec:
                   tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
                   configured on this APIServer resource.
 
-                  Valid values are "Legacy" and "Strict".
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
 
-                  When set to "Legacy" (the default), components attempt to honor the configured TLS profile
-                  but may fall back to their individual defaults if conflicts arise. This mode is intended for
-                  clusters that need to maintain compatibility with existing configurations during migration.
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+                  the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+                  This mode is intended for clusters that need to maintain compatibility with existing
+                  configurations during migration.
 
-                  When set to "Strict", all components must strictly honor the configured TLS profile.
+                  When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
                   This mode is recommended for security-conscious deployments and is required for
                   certain compliance frameworks.
 
-                  Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
                   and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 
-                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
-                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
-                  IngressController CRs respectively.
-
-                  When omitted, the default value is "Legacy".
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
                 enum:
-                - Legacy
-                - Strict
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
                 type: string
               tlsSecurityProfile:
                 description: |-