From 5934f41f9d0e2f817f8e9f10f7e33d89c18b4cc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?= Date: Fri, 12 Dec 2025 09:34:29 +0300 Subject: [PATCH 1/2] Update KMSConfig to allow manualy managed kms plugins --- .../KMSEncryptionProvider.yaml | 145 +++++++++++++----- config/v1/types_kmsencryption.go | 34 +++- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 28 +++- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 28 +++- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 28 +++- config/v1/zz_generated.deepcopy.go | 21 +++ .../KMSEncryptionProvider.yaml | 28 +++- .../v1/zz_generated.swagger_doc_generated.go | 18 ++- .../generated_openapi/zz_generated.openapi.go | 38 ++++- openapi/openapi.json | 83 +++++++++- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 28 +++- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 28 +++- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 28 +++- 13 files changed, 473 insertions(+), 62 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 59386f7de22..228a5e61600 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml 
@@ -5,7 +5,52 @@ featureGates: - KMSEncryptionProvider tests: onCreate: - - name: Should be able to create encrypt with KMS for AWS with valid values + - name: Should be able to create encrypt with KMS for Manual provider with valid name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + manual: + name: my-kms-plugin + expected: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + audit: + profile: Default + encryption: + type: KMS + kms: + type: Manual + manual: + name: my-kms-plugin + - name: Should fail to create KMS Manual provider without manual config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + expectedError: "manual config with non-empty name is required when kms provider type is Manual" + - name: Should fail to create KMS Manual provider with empty name + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: + type: Manual + manual: + name: "" + expectedError: "spec.encryption.kms.manual.name: Invalid value" + - name: Should be able to create KMS with AWS provider and valid aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -15,7 +60,7 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 expected: | apiVersion: config.openshift.io/v1 
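Review bot: None of the new Manual cases exercises the union's exclusivity — there is no fixture where `type: Manual` is combined with an `aws` block, so the `!has(self.aws)` branch of the existing AWS rule is never checked against the new discriminator value, and the mirror case (`type: AWS` plus a `manual` block, which the new Manual rule should reject with its "forbidden otherwise" message) is absent as well. Both are the cases that catch a regression in the CEL rules when a third provider is added later. A fixture for the first is below; the mirror one is the same shape with the blocks swapped and `expectedError: "manual config with non-empty name is required when kms provider type is Manual, and forbidden otherwise"`.
```yaml
  - name: Should fail to create KMS Manual provider when aws config is also present
    initial: |
      apiVersion: config.openshift.io/v1
      kind: APIServer
      spec:
        encryption:
          type: KMS
          kms:
            type: Manual
            manual:
              name: my-kms-plugin
            aws:
              keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456
              region: us-east-1
    expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise"
```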
@@ -28,9 +73,9 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a + keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 region: us-east-1 - - name: Should fail to create encrypt with KMS for AWS without region + - name: Should fail to create KMS AWS provider without aws config initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
@@ -39,32 +84,32 @@ tests: type: KMS kms: type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - expectedError: "spec.encryption.kms.aws.region: Required value" - - name: Should not allow kms config with encrypt aescbc + expectedError: "aws config is required when kms provider type is AWS" + - name: Should fail to create KMS with invalid provider type initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: - type: aescbc + type: KMS kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: us-east-1 - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config + type: InvalidType + manual: + name: my-plugin + expectedError: "supported values: \"AWS\", \"Manual\"" + - name: Should fail to create KMS Manual provider with name longer than 80 characters initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create with kms type AWS but without aws config + kms: + type: Manual + manual: + name: this-is-a-very-long-name-that-exceeds-the-maximum-allowed-length-of-eighty-characters-for-kms-plugin + expectedError: "Too long: may not be more than 80 bytes" + - name: Should fail to create KMS Manual provider with name containing forward slash initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
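Review bot: This hunk removes the `spec.encryption.kms.aws.region: Required value` case, and the hunks at `@@ -82,11 +129,11` and `@@ -109,10 +176,10` remove the `keyARN: Required value` and empty-region cases, yet the generated CRD manifests in this same patch still list `keyARN` and `region` under `required` for `aws` and keep their format rules. Marking the AWS provider deprecated in doc comments does not switch that validation off, so those still-enforced constraints now have no fixture coverage and a later schema edit could loosen them unnoticed. Keep one case per enforced constraint until the field is actually removed, e.g. restore `- name: Should fail to create encrypt with KMS for AWS without region` with `expectedError: "spec.encryption.kms.aws.region: Required value"` and the matching keyARN case.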
@@ -72,9 +117,11 @@ tests: encryption: type: KMS kms: - type: AWS - expectedError: "aws config is required when kms provider type is AWS, and forbidden otherwise" - - name: Should fail to create AWS KMS without a keyARN + type: Manual + manual: + name: invalid/path + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -82,11 +129,11 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - region: us-east-1 - expectedError: "spec.encryption.kms.aws.keyARN: Required value" - - name: Should fail to create AWS KMS with invalid keyARN format + type: Manual + manual: + name: ../escape + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should fail to create KMS Manual provider with name containing double dots in middle initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
@@ -94,12 +141,32 @@ tests: encryption: type: KMS kms: - type: AWS - aws: - keyARN: not-a-kms-arn - region: us-east-1 - expectedError: "keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - - name: Should fail to create AWS KMS with empty region + type: Manual + manual: + name: some..name + expectedError: "name must be a safe socket filename (must not contain '/' or '..')" + - name: Should not allow kms config with encrypt aescbc + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: aescbc + kms: + type: Manual + manual: + name: my-plugin + expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" + - name: Should fail to create with an empty KMS config + initial: | + apiVersion: config.openshift.io/v1 + kind: APIServer + spec: + encryption: + type: KMS + kms: {} + expectedError: "spec.encryption.kms.type: Required value" + - name: Should fail to create KMS AWS with invalid keyARN format initial: | apiVersion: config.openshift.io/v1 kind: APIServer @@ -109,10 +176,10 @@ tests: kms: type: AWS aws: - keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a - region: "" - expectedError: "spec.encryption.kms.aws.region in body should be at least 1 chars long" - - name: Should fail to create AWS KMS with invalid region format + keyARN: invalid-arn-format + region: us-east-1 + expectedError: "keyARN must follow the format" + - name: Should fail to create KMS AWS with invalid region format initial: | apiVersion: config.openshift.io/v1 kind: APIServer 
@@ -122,6 +189,6 @@ tests: kms: type: AWS aws:
- keyARN: arn:aws:kms:us-east-1:101010101010:key/9a512e29-0d9c-4cf5-8174-fc1a5b22cd6a
- region: "INVALID-REGION"
- expectedError: "region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only."
+ keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456
+ region: INVALID_REGION
+ expectedError: "region must be a valid AWS region"
diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go
index 3293204fa4e..d6d489bbf20 100644
--- a/config/v1/types_kmsencryption.go
+++ b/config/v1/types_kmsencryption.go
@@ -2,26 +2,51 @@ package v1 // KMSConfig defines the configuration for the KMS instance // that will be used with KMSEncryptionProvider encryption +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Manual' ? (has(self.manual) && has(self.manual.name) && self.manual.name != '') : !has(self.manual)",message="manual config with non-empty name is required when kms provider type is Manual, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" // +union type KMSConfig struct { // type defines the kind of platform for the KMS provider. - // Available provider types are AWS only. + // Available provider types are AWS, Manual. // // +unionDiscriminator // +required Type KMSProviderType `json:"type"` + // manual defines the configuration for manually managed KMS plugins. + // The KMS plugin must be deployed as a static pod by the cluster admin. + // + // +unionMember + // +optional + Manual *ManualKMSConfig `json:"manual,omitempty"` + // aws defines the key config for using an AWS KMS instance // for the encryption. The AWS KMS instance is managed // by the user outside the purview of the control plane. + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. // // +unionMember // +optional AWS *AWSKMSConfig `json:"aws,omitempty"` } +// ManualKMSConfig defines the configuration for manually managed KMS plugins +type ManualKMSConfig struct { + // name specifies the KMS plugin name. + // This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + // and is between 1 and 80 characters in length. + // The KMS plugin must listen at this socket path. + // The name must be a safe socket filename and must not contain '/' or '..'. 
+ // + // +kubebuilder:validation:MaxLength=80 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:XValidation:rule="!self.contains('/') && !self.contains('..')",message="name must be a safe socket filename (must not contain '/' or '..')" + // +optional + Name string `json:"name,omitempty"` +} + // AWSKMSConfig defines the KMS config specific to AWS KMS provider +// Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. type AWSKMSConfig struct { // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. // The value must adhere to the format `arn:aws:kms:::key/`, where: @@ -46,10 +71,15 @@ type AWSKMSConfig struct { } // KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS +// +kubebuilder:validation:Enum=AWS;Manual type KMSProviderType string const ( // AWSKMSProvider represents a supported KMS provider for use with AWS KMS + // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. AWSKMSProvider KMSProviderType = "AWS" + + // ManualKMSProvider represents a supported KMS provider is managed by user manually not by OpenShift. + // KMS plugin is supposed to be run as static pods on each control plane + ManualKMSProvider KMSProviderType = "Manual" ) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..fbf2e36fbc4 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
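Review bot: `Name` is marked `+optional` with `json:"name,omitempty"` while the struct-level rule added on KMSConfig requires `has(self.manual.name) && self.manual.name != ''` whenever `manual` is present, so the field-level markers promise an optionality the API never accepts; since `manual` holds nothing but `name`, mark it `// +required` with `Name string \`json:"name"\``, let `MinLength=1` reject the empty string, and shrink the struct rule's Manual branch to `has(self.manual)`. The `!self.contains('/') && !self.contains('..')` rule is a denylist on a value that is interpolated into a socket path on the control plane; a positive allowlist via `+kubebuilder:validation:Pattern=` over a conservative character set (e.g. `^[a-zA-Z0-9._-]+$`, a constructed example, kept alongside the `..` rule) is easier to reason about and also excludes whitespace and control characters that the current rule lets through. As rendered here the doc comment's socket path reads `unix:///var/run/kmsplugin/.sock` with no placeholder between the directory and `.sock`, which may be an artefact of this rendering; if the source really lacks it, write `unix:///var/run/kmsplugin/<name>.sock`. AWSKMSConfig's body continues outside the hunk.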
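Review bot: The doc comment on the new `ManualKMSProvider` constant does not parse as a sentence (`represents a supported KMS provider is managed by user manually not by OpenShift`) and its second line has no terminating period, which also feeds into the generated swagger text. Suggest `// ManualKMSProvider represents a KMS provider that is managed manually by the user rather than by OpenShift.` followed by `// The KMS plugin is expected to run as a static pod on each control plane node.`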
@@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
index f4dec273978..adcc1a98bcc 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- 
@@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6206ad77a82..56bf9fe0b62 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index 30b85b78e96..bb715c9a29b 100644 --- a/config/v1/zz_generated.deepcopy.go 
+++ b/config/v1/zz_generated.deepcopy.go @@ -3832,6 +3832,11 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { *out = *in + if in.Manual != nil { + in, out := &in.Manual, &out.Manual + *out = new(ManualKMSConfig) + **out = **in + } if in.AWS != nil { in, out := &in.AWS, &out.AWS *out = new(AWSKMSConfig) @@ -4059,6 +4064,22 @@ func (in *MTUMigrationValues) DeepCopy() *MTUMigrationValues { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ManualKMSConfig) DeepCopyInto(out *ManualKMSConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManualKMSConfig. +func (in *ManualKMSConfig) DeepCopy() *ManualKMSConfig { + if in == nil { + return nil + } + out := new(ManualKMSConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MaxAgePolicy) DeepCopyInto(out *MaxAgePolicy) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a5725c96a88..327f7c248e2 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml 
@@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index e7bc0aebb33..5a066c655c1 100644 
--- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go @@ -2326,7 +2326,7 @@ func (Storage) SwaggerDoc() map[string]string { } var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", } 
@@ -2336,15 +2336,25 @@ func (AWSKMSConfig) SwaggerDoc() map[string]string { } var map_KMSConfig = map[string]string{ - "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", + "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", + "manual": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", + "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", } func (KMSConfig) SwaggerDoc() map[string]string { return map_KMSConfig } +var map_ManualKMSConfig = map[string]string{ + "": "ManualKMSConfig defines the configuration for manually managed KMS plugins", + "name": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", +} + +func (ManualKMSConfig) SwaggerDoc() map[string]string { + return map_ManualKMSConfig +} + var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", 
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index f29c06e82fb..bea1c60b847 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -325,6 +325,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.LoadBalancer": schema_openshift_api_config_v1_LoadBalancer(ref), "github.com/openshift/api/config/v1.MTUMigration": schema_openshift_api_config_v1_MTUMigration(ref), "github.com/openshift/api/config/v1.MTUMigrationValues": schema_openshift_api_config_v1_MTUMigrationValues(ref), + "github.com/openshift/api/config/v1.ManualKMSConfig": schema_openshift_api_config_v1_ManualKMSConfig(ref), "github.com/openshift/api/config/v1.MaxAgePolicy": schema_openshift_api_config_v1_MaxAgePolicy(ref), "github.com/openshift/api/config/v1.ModernTLSProfile": schema_openshift_api_config_v1_ModernTLSProfile(ref), "github.com/openshift/api/config/v1.NamedCertificate": schema_openshift_api_config_v1_NamedCertificate(ref), @@ -9174,7 +9175,7 @@ func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) c return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "keyARN": { 
@@ -16148,15 +16149,21 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS only.", + Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", Default: "", Type: []string{"string"}, Format: "", }, }, + "manual": { + SchemaProps: spec.SchemaProps{ + Description: "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", + Ref: ref("github.com/openshift/api/config/v1.ManualKMSConfig"), + }, + }, "aws": { SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.", + Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), }, }, @@ -16169,7 +16176,8 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", + "aws": "AWS", + "manual": "Manual", }, }, }, @@ -16177,7 +16185,7 @@ func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) comm }, }, Dependencies: []string{ - "github.com/openshift/api/config/v1.AWSKMSConfig"}, + "github.com/openshift/api/config/v1.AWSKMSConfig", "github.com/openshift/api/config/v1.ManualKMSConfig"}, } } 
@@ -16568,6 +16576,26 @@ func schema_openshift_api_config_v1_MTUMigrationValues(ref common.ReferenceCallb } } +func schema_openshift_api_config_v1_ManualKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ManualKMSConfig defines the configuration for manually managed KMS plugins", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "name": { + SchemaProps: spec.SchemaProps{ + Description: "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_config_v1_MaxAgePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index 97afd57f431..aec4bf3bf33 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4454,7 +4454,7 @@ ] }, "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", + "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", "type": "object", "required": [ "keyARN", 
@@ -4572,6 +4572,19 @@ } } }, + "com.github.openshift.api.config.v1.AcceptRisk": { + "description": "AcceptRisk represents a risk that is considered acceptable.", + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "description": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1.AdmissionConfig": { "type": "object", "properties": { @@ -5859,6 +5872,18 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus" }, + "conditionalUpdateRisks": { + "description": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.ConditionalUpdateRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "conditionalUpdates": { "description": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.", "type": "array", 
@@ -6066,6 +6091,15 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.Release" }, + "riskNames": { + "description": "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "set" + }, "risks": { "description": "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.", "type": "array", 
@@ -6092,6 +6126,18 @@ "matchingRules" ], "properties": { + "conditions": { + "description": "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, "matchingRules": { "description": "matchingRules is a slice of conditions for deciding which clusters match the risk and which do not. The slice is ordered by decreasing precedence. The cluster-version operator will walk the slice in order, and stop after the first it can successfully evaluate. If no condition can be successfully evaluated, the update will not be recommended.", "type": "array", 
@@ -8499,11 +8545,15 @@
 ],
 "properties": {
 "aws": {
-"description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane.",
+"description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.",
 "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig"
 },
+"manual": {
+"description": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.",
+"$ref": "#/definitions/com.github.openshift.api.config.v1.ManualKMSConfig"
+},
 "type": {
-"description": "type defines the kind of platform for the KMS provider. Available provider types are AWS only.",
+"description": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.",
 "type": "string",
 "default": ""
 }
@@ -8512,7 +8562,8 @@
 {
 "discriminator": "type",
 "fields-to-discriminateBy": {
-"aws": "AWS"
+"aws": "AWS",
+"manual": "Manual"
 }
 }
 ]
@@ -8749,6 +8800,16 @@
 }
 }
 },
+"com.github.openshift.api.config.v1.ManualKMSConfig": {
+"description": "ManualKMSConfig defines the configuration for manually managed KMS plugins",
+"type": "object",
+"properties": {
+"name": {
+"description": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.",
+"type": "string"
+}
+}
+},
 "com.github.openshift.api.config.v1.MaxAgePolicy": {
 "description": "MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy",
 "type": "object",
@@ -11590,6 +11651,18 @@ "description": "Update represents an administrator update request.", "type": "object", "properties": { + "acceptRisks": { + "description": "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1.AcceptRisk" + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" + }, "architecture": { "description": "architecture is an optional field that indicates the desired value of the cluster architecture. In this context cluster architecture means either a single architecture or a multi architecture. architecture can only be set to Multi thereby only allowing updates from single to multi architecture. If architecture is set, image cannot be set and version must be set. Valid values are 'Multi' and empty.", "type": "string", 
@@ -11624,7 +11697,7 @@ ], "properties": { "acceptedRisks": { - "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", + "description": "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.", "type": "string" }, "completionTime": { diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index 86a51460699..fbf2e36fbc4 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- 
@@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index f4dec273978..adcc1a98bcc 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- @@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 6206ad77a82..56bf9fe0b62 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml @@ -173,6 +173,7 @@ spec: aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. + Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. properties: keyARN: description: |- 
@@ -206,17 +207,42 @@ spec: - keyARN - region type: object + manual: + description: |- + manual defines the configuration for manually managed KMS plugins. + The KMS plugin must be deployed as a static pod by the cluster admin. + properties: + name: + description: |- + name specifies the KMS plugin name. + This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock + and is between 1 and 80 characters in length. + The KMS plugin must listen at this socket path. + The name must be a safe socket filename and must not contain '/' or '..'. + maxLength: 80 + minLength: 1 + type: string + x-kubernetes-validations: + - message: name must be a safe socket filename (must not + contain '/' or '..') + rule: '!self.contains(''/'') && !self.contains(''..'')' + type: object type: description: |- type defines the kind of platform for the KMS provider. - Available provider types are AWS only. + Available provider types are AWS, Manual. enum: - AWS + - Manual type: string required: - type type: object x-kubernetes-validations: + - message: manual config with non-empty name is required when + kms provider type is Manual, and forbidden otherwise + rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) + && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - message: aws config is required when kms provider type is AWS, and forbidden otherwise rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) From a63a57ff2ca725597faf49301d5d33cdb86a2736 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?= Date: Fri, 16 Jan 2026 10:03:06 +0300 Subject: [PATCH 2/2] Tombstone KMSConfig as it is obsolete --- .../KMSEncryptionProvider.yaml | 176 +----------------- config/v1/types_apiserver.go | 4 +- config/v1/types_kmsencryption.go | 120 +++++------- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 94 ---------- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 94 ---------- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 94 ---------- config/v1/zz_generated.deepcopy.go | 65 +------ .../KMSEncryptionProvider.yaml | 94 ---------- .../v1/zz_generated.swagger_doc_generated.go | 31 --- .../generated_openapi/zz_generated.openapi.go | 116 +----------- openapi/openapi.json | 93 ++------- ...tor_01_apiservers-CustomNoUpgrade.crd.yaml | 94 ---------- ...01_apiservers-DevPreviewNoUpgrade.crd.yaml | 94 ---------- ...1_apiservers-TechPreviewNoUpgrade.crd.yaml | 94 ---------- 14 files changed, 67 insertions(+), 1196 deletions(-) diff --git a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 228a5e61600..8f738baba66 100644 --- a/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/tests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -2,20 +2,16 @@ apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if w name: "APIServer" crdName: apiservers.config.openshift.io featureGates: -- KMSEncryptionProvider + - KMSEncryptionProvider tests: onCreate: - - name: Should be able to create encrypt with KMS for Manual provider with valid name + - name: Should be able to set encryption type to KMS initial: | apiVersion: config.openshift.io/v1 kind: APIServer spec: encryption: type: KMS - kms: - type: Manual - manual: - name: my-kms-plugin expected: | apiVersion: config.openshift.io/v1 kind: APIServer 
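Review bot: The one positive case left in this hunk only shows that `type: KMS` is still accepted; nothing in the suite pins what happens to a manifest that still carries a `kms:` stanza now that the field is gone from the schema. Structural CRDs prune unknown fields silently, so such an object would presumably be admitted with the stanza dropped and `type: KMS` kept, which deserves an explicit assertion given that the commit says no logic exists behind KMS. A case with `kms:` under `initial` and an `expected` that omits it (or an `expectedError`, if the harness runs with strict field validation) would document the intended behaviour for operators still holding the old configuration.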
@@ -24,171 +20,3 @@ tests: profile: Default encryption: type: KMS - kms: - type: Manual - manual: - name: my-kms-plugin - - name: Should fail to create KMS Manual provider without manual config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Manual - expectedError: "manual config with non-empty name is required when kms provider type is Manual" - - name: Should fail to create KMS Manual provider with empty name - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Manual - manual: - name: "" - expectedError: "spec.encryption.kms.manual.name: Invalid value" - - name: Should be able to create KMS with AWS provider and valid aws config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 - region: us-east-1 - expected: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - audit: - profile: Default - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 - region: us-east-1 - - name: Should fail to create KMS AWS provider without aws config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - expectedError: "aws config is required when kms provider type is AWS" - - name: Should fail to create KMS with invalid provider type - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: InvalidType - manual: - name: my-plugin - expectedError: "supported values: \"AWS\", \"Manual\"" - - name: Should fail to create KMS Manual provider with name longer than 80 characters - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - 
kms: - type: Manual - manual: - name: this-is-a-very-long-name-that-exceeds-the-maximum-allowed-length-of-eighty-characters-for-kms-plugin - expectedError: "Too long: may not be more than 80 bytes" - - name: Should fail to create KMS Manual provider with name containing forward slash - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Manual - manual: - name: invalid/path - expectedError: "name must be a safe socket filename (must not contain '/' or '..')" - - name: Should fail to create KMS Manual provider with name containing double dots - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Manual - manual: - name: ../escape - expectedError: "name must be a safe socket filename (must not contain '/' or '..')" - - name: Should fail to create KMS Manual provider with name containing double dots in middle - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: Manual - manual: - name: some..name - expectedError: "name must be a safe socket filename (must not contain '/' or '..')" - - name: Should not allow kms config with encrypt aescbc - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: aescbc - kms: - type: Manual - manual: - name: my-plugin - expectedError: "kms config is required when encryption type is KMS, and forbidden otherwise" - - name: Should fail to create with an empty KMS config - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: {} - expectedError: "spec.encryption.kms.type: Required value" - - name: Should fail to create KMS AWS with invalid keyARN format - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: invalid-arn-format - region: us-east-1 - expectedError: "keyARN must 
follow the format" - - name: Should fail to create KMS AWS with invalid region format - initial: | - apiVersion: config.openshift.io/v1 - kind: APIServer - spec: - encryption: - type: KMS - kms: - type: AWS - aws: - keyARN: arn:aws:kms:us-east-1:123456789012:key/abcd1234-ab12-cd34-ef56-abcdef123456 - region: INVALID_REGION - expectedError: "region must be a valid AWS region" diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go index 0afe7b1d8de..95ee5fa1fde 100644 --- a/config/v1/types_apiserver.go +++ b/config/v1/types_apiserver.go @@ -175,7 +175,6 @@ type APIServerNamedServingCert struct { } // APIServerEncryption is used to encrypt sensitive resources on the cluster. -// +openshift:validation:FeatureGateAwareXValidation:featureGate=KMSEncryptionProvider,rule="has(self.type) && self.type == 'KMS' ? has(self.kms) : !has(self.kms)",message="kms config is required when encryption type is KMS, and forbidden otherwise" // +union type APIServerEncryption struct { // type defines what encryption type should be used to encrypt resources at the datastore layer. @@ -196,6 +195,7 @@ type APIServerEncryption struct { // +optional Type EncryptionType `json:"type,omitempty"` + // Tombstone: Functionality was not implemented for this struct. There will be newer struct for new design. // kms defines the configuration for the external KMS instance that manages the encryption keys, // when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an // externally configured KMS instance. @@ -207,7 +207,7 @@ type APIServerEncryption struct { // +openshift:enable:FeatureGate=KMSEncryptionProvider // +unionMember // +optional - KMS *KMSConfig `json:"kms,omitempty"` + //KMS *KMSConfig `json:"kms,omitempty"` } // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm diff --git a/config/v1/types_kmsencryption.go b/config/v1/types_kmsencryption.go index d6d489bbf20..2a59023834b 100644 
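Review bot: Dropping the `FeatureGateAwareXValidation` rule while `KMS` remains an allowed `EncryptionType` (the regenerated CRD further down still lists `- KMS` in the enum) means `type: KMS` is accepted with nothing configured and, per the commit message, nothing implementing it, so an administrator can believe at-rest encryption via an external KMS is active when it is not. Either gate the `KMS` enum value out until the replacement design lands, or say so on the `Type` field, e.g. `// KMS is reserved for a forthcoming design and currently has no effect; resources are not encrypted with an external KMS when it is set.` (the KMS enum marker itself appears to sit just past the last hunk, so this is inferred from the CRD). In the `-207,7 +207,7` hunk the commented-out `//KMS *KMSConfig` leaves `+openshift:enable:FeatureGate`, `+unionMember` and `+optional` markers above a field that no longer exists and `+union` on a struct with only its discriminator; deleting the field together with its markers would be cleaner than commented-out code, and if the comment stays, `// KMS *KMSConfig ...` follows the file's `// ` comment style. The `APIServerEncryption` struct extends beyond these hunks.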
--- a/config/v1/types_kmsencryption.go
+++ b/config/v1/types_kmsencryption.go
@@ -1,85 +1,59 @@ package v1 +// Start: TOMBSTONE + // KMSConfig defines the configuration for the KMS instance // that will be used with KMSEncryptionProvider encryption -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Manual' ? (has(self.manual) && has(self.manual.name) && self.manual.name != '') : !has(self.manual)",message="manual config with non-empty name is required when kms provider type is Manual, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'AWS' ? has(self.aws) : !has(self.aws)",message="aws config is required when kms provider type is AWS, and forbidden otherwise" // +union -type KMSConfig struct { - // type defines the kind of platform for the KMS provider. - // Available provider types are AWS, Manual. - // - // +unionDiscriminator - // +required - Type KMSProviderType `json:"type"` - - // manual defines the configuration for manually managed KMS plugins. - // The KMS plugin must be deployed as a static pod by the cluster admin. - // - // +unionMember - // +optional - Manual *ManualKMSConfig `json:"manual,omitempty"` - - // aws defines the key config for using an AWS KMS instance - // for the encryption. The AWS KMS instance is managed - // by the user outside the purview of the control plane. - // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - // - // +unionMember - // +optional - AWS *AWSKMSConfig `json:"aws,omitempty"` -} - -// ManualKMSConfig defines the configuration for manually managed KMS plugins -type ManualKMSConfig struct { - // name specifies the KMS plugin name. - // This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - // and is between 1 and 80 characters in length. - // The KMS plugin must listen at this socket path. - // The name must be a safe socket filename and must not contain '/' or '..'. 
- // - // +kubebuilder:validation:MaxLength=80 - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="!self.contains('/') && !self.contains('..')",message="name must be a safe socket filename (must not contain '/' or '..')" - // +optional - Name string `json:"name,omitempty"` -} +//type KMSConfig struct { +// type defines the kind of platform for the KMS provider. +// Available provider types are AWS only. +// +// +unionDiscriminator +// +required +//Type KMSProviderType `json:"type"` + +// aws defines the key config for using an AWS KMS instance +// for the encryption. The AWS KMS instance is managed +// by the user outside the purview of the control plane. +// +// +unionMember +// +optional +//AWS *AWSKMSConfig `json:"aws,omitempty"` +//} // AWSKMSConfig defines the KMS config specific to AWS KMS provider -// Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. -type AWSKMSConfig struct { - // keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - // The value must adhere to the format `arn:aws:kms:::key/`, where: - // - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - // - `` is a 12-digit numeric identifier for the AWS account. - // - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - // - // +kubebuilder:validation:MaxLength=128 - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." - // +required - KeyARN string `json:"keyARN"` - // region specifies the AWS region where the KMS instance exists, and follows the format - // `--`, e.g.: `us-east-1`. 
- // Only lowercase letters and hyphens followed by numbers are allowed. - // - // +kubebuilder:validation:MaxLength=64 - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." - // +required - Region string `json:"region"` -} +//type AWSKMSConfig struct { +// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. +// The value must adhere to the format `arn:aws:kms:::key/`, where: +// - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. +// - `` is a 12-digit numeric identifier for the AWS account. +// - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. +// +// +kubebuilder:validation:MaxLength=128 +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:XValidation:rule="self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$')",message="keyARN must follow the format `arn:aws:kms:::key/`. The account ID must be a 12 digit number and the region and key ID should consist only of lowercase hexadecimal characters and hyphens (-)." +// +required +//KeyARN string `json:"keyARN"` +// region specifies the AWS region where the KMS instance exists, and follows the format +// `--`, e.g.: `us-east-1`. +// Only lowercase letters and hyphens followed by numbers are allowed. +// +// +kubebuilder:validation:MaxLength=64 +// +kubebuilder:validation:MinLength=1 +// +kubebuilder:validation:XValidation:rule="self.matches('^[a-z0-9]+(-[a-z0-9]+)*$')",message="region must be a valid AWS region, consisting of lowercase characters, digits and hyphens (-) only." 
+// +required +//Region string `json:"region"` +//} // KMSProviderType is a specific supported KMS provider -// +kubebuilder:validation:Enum=AWS;Manual -type KMSProviderType string +// +kubebuilder:validation:Enum=AWS +//type KMSProviderType string -const ( - // AWSKMSProvider represents a supported KMS provider for use with AWS KMS - // Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - AWSKMSProvider KMSProviderType = "AWS" +//const ( +// AWSKMSProvider represents a supported KMS provider for use with AWS KMS +// AWSKMSProvider KMSProviderType = "AWS" +//) - // ManualKMSProvider represents a supported KMS provider is managed by user manually not by OpenShift. - // KMS plugin is supposed to be run as static pods on each control plane - ManualKMSProvider KMSProviderType = "Manual" -) +// End: TOMBSTONE diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index fbf2e36fbc4..bf6a9ff56fe 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
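Review bot: The tombstone keeps `// +kubebuilder:validation:XValidation:rule=...` and `// +kubebuilder:validation:Enum=AWS` as live marker comments no longer attached to any declaration; controller-gen reads markers out of comments, so these are at best silently ignored and at worst attach to whatever declaration is added below them later. If the file must stay as a reference, strip the `+kubebuilder` and `+union` markers from it; deleting the file outright is simpler, since git history already preserves the removed types. The tombstoned text also reverts to the pre-series wording (`Available provider types are AWS only`, no `Manual` member, no `Deprecated:` note), so it does not record what patch 1 actually added and this patch removes, and lines such as `//type KMSConfig struct {` lack the `// ` spacing used elsewhere in the file. The hunk covers the whole file from line 1.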
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index adcc1a98bcc..bf2cc7d7c43 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 56bf9fe0b62..d436a75b809 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index bb715c9a29b..b6d5335514b 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go @@ -42,11 +42,6 @@ func (in *APIServer) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APIServerEncryption) DeepCopyInto(out *APIServerEncryption) { *out = *in - if in.KMS != nil { - in, out := &in.KMS, &out.KMS - *out = new(KMSConfig) - (*in).DeepCopyInto(*out) - } return } @@ -148,7 +143,7 @@ func (in *APIServerSpec) DeepCopyInto(out *APIServerSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - in.Encryption.DeepCopyInto(&out.Encryption) + out.Encryption = in.Encryption if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile *out = new(TLSSecurityProfile) 
@@ -216,22 +211,6 @@ func (in *AWSIngressSpec) DeepCopy() *AWSIngressSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AWSKMSConfig) DeepCopyInto(out *AWSKMSConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSKMSConfig. -func (in *AWSKMSConfig) DeepCopy() *AWSKMSConfig { - if in == nil { - return nil - } - out := new(AWSKMSConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AWSPlatformSpec) DeepCopyInto(out *AWSPlatformSpec) { *out = *in @@ -3829,32 +3808,6 @@ func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KMSConfig) DeepCopyInto(out *KMSConfig) { - *out = *in - if in.Manual != nil { - in, out := &in.Manual, &out.Manual - *out = new(ManualKMSConfig) - **out = **in - } - if in.AWS != nil { - in, out := &in.AWS, &out.AWS - *out = new(AWSKMSConfig) - **out = **in - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfig. -func (in *KMSConfig) DeepCopy() *KMSConfig { - if in == nil { - return nil - } - out := new(KMSConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KeystoneIdentityProvider) DeepCopyInto(out *KeystoneIdentityProvider) { *out = *in 
@@ -4064,22 +4017,6 @@ func (in *MTUMigrationValues) DeepCopy() *MTUMigrationValues { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ManualKMSConfig) DeepCopyInto(out *ManualKMSConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManualKMSConfig. -func (in *ManualKMSConfig) DeepCopy() *ManualKMSConfig { - if in == nil { - return nil - } - out := new(ManualKMSConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MaxAgePolicy) DeepCopyInto(out *MaxAgePolicy) { *out = *in diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index 327f7c248e2..0109efbf5ef 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml 
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 5a066c655c1..e11d4f5a2a9 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -279,7 +279,6 @@ func (APIServer) SwaggerDoc() map[string]string { var map_APIServerEncryption = map[string]string{ "": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", - "kms": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", } func (APIServerEncryption) SwaggerDoc() map[string]string { 
@@ -2325,36 +2324,6 @@ func (Storage) SwaggerDoc() map[string]string { return map_Storage } -var map_AWSKMSConfig = map[string]string{ - "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", - "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "region": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", -} - -func (AWSKMSConfig) SwaggerDoc() map[string]string { - return map_AWSKMSConfig -} - -var map_KMSConfig = map[string]string{ - "": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", - "manual": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", - "aws": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", -} - -func (KMSConfig) SwaggerDoc() map[string]string { - return map_KMSConfig -} - -var map_ManualKMSConfig = map[string]string{ - "": "ManualKMSConfig defines the configuration for manually managed KMS plugins", - "name": "name specifies the KMS plugin name. 
This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", -} - -func (ManualKMSConfig) SwaggerDoc() map[string]string { - return map_ManualKMSConfig -} - var map_ClusterNetworkEntry = map[string]string{ "": "ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs are allocated.", "cidr": "The complete block for pod IPs.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index bea1c60b847..08dd2922085 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -161,7 +161,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.APIServerStatus": schema_openshift_api_config_v1_APIServerStatus(ref), "github.com/openshift/api/config/v1.AWSDNSSpec": schema_openshift_api_config_v1_AWSDNSSpec(ref), "github.com/openshift/api/config/v1.AWSIngressSpec": schema_openshift_api_config_v1_AWSIngressSpec(ref), - "github.com/openshift/api/config/v1.AWSKMSConfig": schema_openshift_api_config_v1_AWSKMSConfig(ref), "github.com/openshift/api/config/v1.AWSPlatformSpec": schema_openshift_api_config_v1_AWSPlatformSpec(ref), "github.com/openshift/api/config/v1.AWSPlatformStatus": schema_openshift_api_config_v1_AWSPlatformStatus(ref), "github.com/openshift/api/config/v1.AWSResourceTag": schema_openshift_api_config_v1_AWSResourceTag(ref), 
@@ -314,7 +313,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.InsightsDataGatherList": schema_openshift_api_config_v1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1.InsightsDataGatherSpec": schema_openshift_api_config_v1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1.IntermediateTLSProfile": schema_openshift_api_config_v1_IntermediateTLSProfile(ref), - "github.com/openshift/api/config/v1.KMSConfig": schema_openshift_api_config_v1_KMSConfig(ref), "github.com/openshift/api/config/v1.KeystoneIdentityProvider": schema_openshift_api_config_v1_KeystoneIdentityProvider(ref), "github.com/openshift/api/config/v1.KubeClientConfig": schema_openshift_api_config_v1_KubeClientConfig(ref), "github.com/openshift/api/config/v1.KubevirtPlatformSpec": schema_openshift_api_config_v1_KubevirtPlatformSpec(ref), @@ -325,7 +323,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1.LoadBalancer": schema_openshift_api_config_v1_LoadBalancer(ref), "github.com/openshift/api/config/v1.MTUMigration": schema_openshift_api_config_v1_MTUMigration(ref), "github.com/openshift/api/config/v1.MTUMigrationValues": schema_openshift_api_config_v1_MTUMigrationValues(ref), - "github.com/openshift/api/config/v1.ManualKMSConfig": schema_openshift_api_config_v1_ManualKMSConfig(ref), "github.com/openshift/api/config/v1.MaxAgePolicy": schema_openshift_api_config_v1_MaxAgePolicy(ref), "github.com/openshift/api/config/v1.ModernTLSProfile": schema_openshift_api_config_v1_ModernTLSProfile(ref), "github.com/openshift/api/config/v1.NamedCertificate": schema_openshift_api_config_v1_NamedCertificate(ref), 
@@ -8888,29 +8885,19 @@ func schema_openshift_api_config_v1_APIServerEncryption(ref common.ReferenceCall Format: "", }, }, - "kms": { - SchemaProps: spec.SchemaProps{ - Description: "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", - Ref: ref("github.com/openshift/api/config/v1.KMSConfig"), - }, - }, }, }, VendorExtensible: spec.VendorExtensible{ Extensions: spec.Extensions{ "x-kubernetes-unions": []interface{}{ map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "kms": "KMS", - }, + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{}, }, }, }, }, }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.KMSConfig"}, } } 
@@ -9171,36 +9158,6 @@ func schema_openshift_api_config_v1_AWSIngressSpec(ref common.ReferenceCallback) } } -func schema_openshift_api_config_v1_AWSKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "keyARN": { - SchemaProps: spec.SchemaProps{ - Description: "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "region": { - SchemaProps: spec.SchemaProps{ - Description: "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - Required: []string{"keyARN", "region"}, - }, - }, - } -} - func schema_openshift_api_config_v1_AWSPlatformSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -16140,55 +16097,6 @@ func schema_openshift_api_config_v1_IntermediateTLSProfile(ref common.ReferenceC } } -func schema_openshift_api_config_v1_KMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "type": { - SchemaProps: spec.SchemaProps{ - Description: "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - "manual": { - SchemaProps: spec.SchemaProps{ - Description: "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", - Ref: ref("github.com/openshift/api/config/v1.ManualKMSConfig"), - }, - }, - "aws": { - SchemaProps: spec.SchemaProps{ - Description: "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. 
Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", - Ref: ref("github.com/openshift/api/config/v1.AWSKMSConfig"), - }, - }, - }, - Required: []string{"type"}, - }, - VendorExtensible: spec.VendorExtensible{ - Extensions: spec.Extensions{ - "x-kubernetes-unions": []interface{}{ - map[string]interface{}{ - "discriminator": "type", - "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", - "manual": "Manual", - }, - }, - }, - }, - }, - }, - Dependencies: []string{ - "github.com/openshift/api/config/v1.AWSKMSConfig", "github.com/openshift/api/config/v1.ManualKMSConfig"}, - } -} - func schema_openshift_api_config_v1_KeystoneIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -16576,26 +16484,6 @@ func schema_openshift_api_config_v1_MTUMigrationValues(ref common.ReferenceCallb } } -func schema_openshift_api_config_v1_ManualKMSConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ManualKMSConfig defines the configuration for manually managed KMS plugins", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "name": { - SchemaProps: spec.SchemaProps{ - Description: "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - func schema_openshift_api_config_v1_MaxAgePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index aec4bf3bf33..dbe47164a14 100644 
--- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -4296,10 +4296,6 @@ "description": "APIServerEncryption is used to encrypt sensitive resources on the cluster.", "type": "object", "properties": { - "kms": { - "description": "kms defines the configuration for the external KMS instance that manages the encryption keys, when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an externally configured KMS instance.\n\nThe Key Management Service (KMS) instance provides symmetric encryption and is responsible for managing the lifecyle of the encryption keys outside of the control plane. This allows integration with an external provider to manage the data encryption keys securely.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.KMSConfig" - }, "type": { "description": "type defines what encryption type should be used to encrypt resources at the datastore layer. When this field is unset (i.e. when it is set to the empty string), identity is implied. The behavior of unset can and will change over time. Even if encryption is enabled by default, the meaning of unset may change to a different encryption type based on changes in best practices.\n\nWhen encryption is enabled, all sensitive resources shipped with the platform are encrypted. This list of sensitive resources can and will change over time. The current authoritative list is:\n\n 1. secrets\n 2. configmaps\n 3. routes.route.openshift.io\n 4. oauthaccesstokens.oauth.openshift.io\n 5. oauthauthorizetokens.oauth.openshift.io", "type": "string" @@ -4308,9 +4304,7 @@ "x-kubernetes-unions": [ { "discriminator": "type", - "fields-to-discriminateBy": { - "kms": "KMS" - } + "fields-to-discriminateBy": {} } ] }, 
@@ -4453,26 +4447,6 @@ } ] }, - "com.github.openshift.api.config.v1.AWSKMSConfig": { - "description": "AWSKMSConfig defines the KMS config specific to AWS KMS provider Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", - "type": "object", - "required": [ - "keyARN", - "region" - ], - "properties": { - "keyARN": { - "description": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", - "type": "string", - "default": "" - }, - "region": { - "description": "region specifies the AWS region where the KMS instance exists, and follows the format `--`, e.g.: `us-east-1`. Only lowercase letters and hyphens followed by numbers are allowed.", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.config.v1.AWSPlatformSpec": { "description": "AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider. This only includes fields that can be modified in the cluster.", "type": "object", @@ -6348,7 +6322,7 @@ "x-kubernetes-list-type": "atomic" }, "minTLSVersion": { - "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", "default": "" } 
@@ -8534,40 +8508,9 @@ } }, "com.github.openshift.api.config.v1.IntermediateTLSProfile": { - "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", + "description": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, - "com.github.openshift.api.config.v1.KMSConfig": { - "description": "KMSConfig defines the configuration for the KMS instance that will be used with KMSEncryptionProvider encryption", - "type": "object", - "required": [ - "type" - ], - "properties": { - "aws": { - "description": "aws defines the key config for using an AWS KMS instance for the encryption. The AWS KMS instance is managed by the user outside the purview of the control plane. Deprecated: There is no logic listening to this resource type, we plan to remove it in next release.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.AWSKMSConfig" - }, - "manual": { - "description": "manual defines the configuration for manually managed KMS plugins. The KMS plugin must be deployed as a static pod by the cluster admin.", - "$ref": "#/definitions/com.github.openshift.api.config.v1.ManualKMSConfig" - }, - "type": { - "description": "type defines the kind of platform for the KMS provider. Available provider types are AWS, Manual.", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "aws": "AWS", - "manual": "Manual" - } - } - ] - }, "com.github.openshift.api.config.v1.KeystoneIdentityProvider": { "description": "KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials", "type": "object", 
@@ -8800,16 +8743,6 @@ } } }, - "com.github.openshift.api.config.v1.ManualKMSConfig": { - "description": "ManualKMSConfig defines the configuration for manually managed KMS plugins", - "type": "object", - "properties": { - "name": { - "description": "name specifies the KMS plugin name. This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock and is between 1 and 80 characters in length. The KMS plugin must listen at this socket path. The name must be a safe socket filename and must not contain '/' or '..'.", - "type": "string" - } - } - }, "com.github.openshift.api.config.v1.MaxAgePolicy": { "description": "MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy", "type": "object", @@ -8827,7 +8760,7 @@ } }, "com.github.openshift.api.config.v1.ModernTLSProfile": { - "description": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility", + "description": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, "com.github.openshift.api.config.v1.NamedCertificate": { @@ -9757,7 +9690,7 @@ } }, "com.github.openshift.api.config.v1.OldTLSProfile": { - "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility", + "description": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.", "type": "object" }, "com.github.openshift.api.config.v1.OpenIDClaims": { 
@@ -11335,7 +11268,7 @@ "x-kubernetes-list-type": "atomic" }, "minTLSVersion": { - "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", "type": "string", "default": "" } 
@@ -11346,23 +11279,23 @@ "type": "object", "properties": { "custom": { - "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n minTLSVersion: VersionTLS11", + "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n minTLSVersion: VersionTLS12", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n 
- TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { - "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n minTLSVersion: VersionTLS13", + "description": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n\n - TLS_AES_128_GCM_SHA256\n\n - TLS_AES_256_GCM_SHA384\n\n - TLS_CHACHA20_POLY1305_SHA256\n\n - ECDHE-ECDSA-AES128-GCM-SHA256\n\n - ECDHE-RSA-AES128-GCM-SHA256\n\n - ECDHE-ECDSA-AES256-GCM-SHA384\n\n - ECDHE-RSA-AES256-GCM-SHA384\n\n - ECDHE-ECDSA-CHACHA20-POLY1305\n\n - ECDHE-RSA-CHACHA20-POLY1305\n\n - DHE-RSA-AES128-GCM-SHA256\n\n - DHE-RSA-AES256-GCM-SHA384\n\n - DHE-RSA-CHACHA20-POLY1305\n\n - ECDHE-ECDSA-AES128-SHA256\n\n - ECDHE-RSA-AES128-SHA256\n\n - ECDHE-ECDSA-AES128-SHA\n\n - ECDHE-RSA-AES128-SHA\n\n - ECDHE-ECDSA-AES256-SHA384\n\n - ECDHE-RSA-AES256-SHA384\n\n - ECDHE-ECDSA-AES256-SHA\n\n - ECDHE-RSA-AES256-SHA\n\n - 
DHE-RSA-AES128-SHA256\n\n - DHE-RSA-AES256-SHA256\n\n - AES128-GCM-SHA256\n\n - AES256-GCM-SHA384\n\n - AES128-SHA256\n\n - AES256-SHA256\n\n - AES128-SHA\n\n - AES256-SHA\n\n - DES-CBC3-SHA\n\n minTLSVersion: VersionTLS10", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", "type": "string", "default": "" } @@ -28971,7 +28904,7 @@ ], "properties": { "name": { - "description": "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.", + "description": "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.", "type": "string", "default": "" }, 
@@ -29620,7 +29553,7 @@ "type": "string" }, "capabilities": { - "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.", + "description": "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.", "type": "array", "items": { "default": {}, diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index fbf2e36fbc4..bf6a9ff56fe 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index adcc1a98bcc..bf2cc7d7c43 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml 
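Review bot: With the `kms config is required when encryption type is KMS, and forbidden otherwise` CEL rule deleted here, and the `kms` property removed in the preceding hunk, `spec.encryption.type: KMS` is still accepted by the schema (the `- KMS` enum entry survives as a context line in this hunk) but now carries no provider configuration at all, so admission passes an encryption mode that names no key source. If dropping the KMS provider config is intended, the enum entry should go with it, i.e. remove `- KMS` from `spec.encryption.type`; if KMS is meant to remain selectable, the `kms` property and this rule should stay so that `type: KMS` cannot be stored without a configured provider. This manifest is presumably generated from the config/v1 Go types, so the correction belongs on the type's validation markers rather than in this file. The identical removal is repeated in the DevPreviewNoUpgrade and TechPreviewNoUpgrade manifests below and the same concern applies there.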
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index 56bf9fe0b62..d436a75b809 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -158,95 +158,6 @@ spec: description: encryption allows the configuration of encryption of resources at the datastore layer. properties: - kms: - description: |- - kms defines the configuration for the external KMS instance that manages the encryption keys, - when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an - externally configured KMS instance. - - The Key Management Service (KMS) instance provides symmetric encryption and is responsible for - managing the lifecyle of the encryption keys outside of the control plane. - This allows integration with an external provider to manage the data encryption keys securely. - properties: - aws: - description: |- - aws defines the key config for using an AWS KMS instance - for the encryption. The AWS KMS instance is managed - by the user outside the purview of the control plane. - Deprecated: There is no logic listening to this resource type, we plan to remove it in next release. - properties: - keyARN: - description: |- - keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. - The value must adhere to the format `arn:aws:kms:::key/`, where: - - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - - `` is a 12-digit numeric identifier for the AWS account. - - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens. - maxLength: 128 - minLength: 1 - type: string - x-kubernetes-validations: - - message: keyARN must follow the format `arn:aws:kms:::key/`. - The account ID must be a 12 digit number and the region - and key ID should consist only of lowercase hexadecimal - characters and hyphens (-). - rule: self.matches('^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]+$') - region: - description: |- - region specifies the AWS region where the KMS instance exists, and follows the format - `--`, e.g.: `us-east-1`. 
- Only lowercase letters and hyphens followed by numbers are allowed. - maxLength: 64 - minLength: 1 - type: string - x-kubernetes-validations: - - message: region must be a valid AWS region, consisting - of lowercase characters, digits and hyphens (-) only. - rule: self.matches('^[a-z0-9]+(-[a-z0-9]+)*$') - required: - - keyARN - - region - type: object - manual: - description: |- - manual defines the configuration for manually managed KMS plugins. - The KMS plugin must be deployed as a static pod by the cluster admin. - properties: - name: - description: |- - name specifies the KMS plugin name. - This name is templated into the UNIX domain socket path: unix:///var/run/kmsplugin/.sock - and is between 1 and 80 characters in length. - The KMS plugin must listen at this socket path. - The name must be a safe socket filename and must not contain '/' or '..'. - maxLength: 80 - minLength: 1 - type: string - x-kubernetes-validations: - - message: name must be a safe socket filename (must not - contain '/' or '..') - rule: '!self.contains(''/'') && !self.contains(''..'')' - type: object - type: - description: |- - type defines the kind of platform for the KMS provider. - Available provider types are AWS, Manual. - enum: - - AWS - - Manual - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: manual config with non-empty name is required when - kms provider type is Manual, and forbidden otherwise - rule: 'has(self.type) && self.type == ''Manual'' ? (has(self.manual) - && has(self.manual.name) && self.manual.name != '''') : !has(self.manual)' - - message: aws config is required when kms provider type is AWS, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AWS'' ? has(self.aws) - : !has(self.aws)' type: description: |- type defines what encryption type should be used to encrypt resources at the datastore layer. 
@@ -270,11 +181,6 @@ spec: - KMS type: string type: object - x-kubernetes-validations: - - message: kms config is required when encryption type is KMS, and - forbidden otherwise - rule: 'has(self.type) && self.type == ''KMS'' ? has(self.kms) : - !has(self.kms)' servingCerts: description: |- servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates