From b1d243c035dcd2b6d5155e3800c77587d2d4c484 Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Tue, 17 Feb 2026 11:19:08 -0500 Subject: [PATCH 1/4] pki: add config.openshift.io/v1alpha1/PKI --- config/v1alpha1/register.go | 2 + config/v1alpha1/types_pki.go | 274 +++++++++++++++++++++++++++++++++++ 2 files changed, 276 insertions(+) create mode 100644 config/v1alpha1/types_pki.go diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go index c9096249505..383d19e7e61 100644 --- a/config/v1alpha1/register.go +++ b/config/v1alpha1/register.go @@ -42,6 +42,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ClusterImagePolicyList{}, &CRIOCredentialProviderConfig{}, &CRIOCredentialProviderConfigList{}, + &PKI{}, + &PKIList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) return nil diff --git a/config/v1alpha1/types_pki.go b/config/v1alpha1/types_pki.go new file mode 100644 index 00000000000..c5be8b5bc91 --- /dev/null +++ b/config/v1alpha1/types_pki.go @@ -0,0 +1,274 @@ +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// PKI configures cryptographic parameters for certificates generated +// internally by OpenShift components. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:path=pkis,scope=Cluster +// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2645 +// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 +// +openshift:enable:FeatureGate=ConfigurablePKI +// +openshift:compatibility-gen:level=4 +type PKI struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty"` + + // spec holds user settable values for configuration + // +required + Spec PKISpec `json:"spec,omitzero"` +} + +// PKISpec holds the specification for PKI configuration. +type PKISpec struct { + // certificateManagement specifies how PKI configuration is managed for internally-generated certificates. + // This controls the certificate generation approach for all OpenShift components that create + // certificates internally, including certificate authorities, serving certificates, and client certificates. + // + // +required + CertificateManagement PKICertificateManagement `json:"certificateManagement,omitzero"` +} + +// PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow +// OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). +// This provides flexibility for organizations with specific compliance requirements or security policies +// while maintaining backwards compatibility for existing clusters. +// +// +kubebuilder:validation:XValidation:rule="self.mode == 'Custom' ? has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise" +// +union +type PKICertificateManagement struct { + // mode determines how PKI configuration is managed. + // Valid values are "Unmanaged", "Default", and "Custom". + // + // When set to Unmanaged, components use their existing hardcoded certificate + // generation behavior, exactly as if this feature did not exist. Each component + // generates certificates using whatever parameters it was using before this + // feature. While most components use RSA 2048, some may use different + // parameters. Use of this mode might prevent upgrading to the next major + // OpenShift release. + // + // When set to Default, OpenShift-recommended best practices for certificate + // generation are applied. The specific parameters may evolve across OpenShift + // releases to adopt improved cryptographic standards. In the initial release, + // this matches Unmanaged behavior for each component. In future releases, this + // may adopt ECDSA or larger RSA keys based on industry best practices. + // Recommended for most customers who want to benefit from security improvements + // automatically. + // + // When set to Custom, the certificate management parameters can be set + // explicitly. Use the custom field to specify certificate generation parameters. + // + // +required + // +unionDiscriminator + Mode PKICertificateManagementMode `json:"mode,omitempty"` + + // custom contains administrator-specified cryptographic configuration. + // Use the defaults and category override fields + // to specify certificate generation parameters. + // Required when mode is Custom, and forbidden otherwise. + // + // +optional + // +unionMember + Custom CustomPKIPolicy `json:"custom,omitzero"` +} + +// CustomPKIPolicy contains administrator-specified cryptographic configuration. +// Administrators must specify defaults for all certificates and may optionally +// override specific categories of certificates. +// +// +kubebuilder:validation:MinProperties=1 +type CustomPKIPolicy struct { + PKIProfile `json:",inline"` +} + +// PKICertificateManagementMode specifies the mode for PKI certificate management. +// +// +kubebuilder:validation:Enum=Unmanaged;Default;Custom +type PKICertificateManagementMode string + +const ( + // PKICertificateManagementModeUnmanaged uses each component's existing hardcoded defaults. + // Most components currently use RSA 2048, but parameters may differ by component. + PKICertificateManagementModeUnmanaged PKICertificateManagementMode = "Unmanaged" + + // PKICertificateManagementModeDefault uses OpenShift-recommended best practices. + // Specific parameters may evolve across OpenShift releases. + PKICertificateManagementModeDefault PKICertificateManagementMode = "Default" + + // PKICertificateManagementModeCustom uses administrator-specified configuration. + PKICertificateManagementModeCustom PKICertificateManagementMode = "Custom" +) + +// PKIProfile defines the certificate generation parameters that OpenShift +// components use to create certificates. Category overrides take precedence +// over defaults. +type PKIProfile struct { + // defaults specifies the default certificate configuration that applies + // to all certificates unless overridden by a category override. + // + // +required + Defaults DefaultCertificateConfig `json:"defaults,omitzero"` + + // signerCertificates optionally overrides certificate parameters for + // certificate authority (CA) certificates that sign other certificates. + // When set, these parameters take precedence over defaults for all signer certificates. + // When omitted, the defaults are used for signer certificates. + // + // +optional + SignerCertificates CertificateConfig `json:"signerCertificates,omitempty,omitzero"` + + // servingCertificates optionally overrides certificate parameters for + // TLS server certificates used to serve HTTPS endpoints. + // When set, these parameters take precedence over defaults for all serving certificates. + // When omitted, the defaults are used for serving certificates. + // + // +optional + ServingCertificates CertificateConfig `json:"servingCertificates,omitempty,omitzero"` + + // clientCertificates optionally overrides certificate parameters for + // client authentication certificates used to authenticate to servers. + // When set, these parameters take precedence over defaults for all client certificates. + // When omitted, the defaults are used for client certificates. + // + // +optional + ClientCertificates CertificateConfig `json:"clientCertificates,omitempty,omitzero"` +} + +// DefaultCertificateConfig specifies the default certificate configuration +// parameters. All fields are required to ensure that defaults are fully +// specified for all certificates. +type DefaultCertificateConfig struct { + // key specifies the cryptographic parameters for the certificate's key pair. + // This field is required in defaults to ensure all certificates have a + // well-defined key configuration. + // +required + Key KeyConfig `json:"key,omitzero"` +} + +// CertificateConfig specifies configuration parameters for certificates. +// At least one property must be specified. +// +kubebuilder:validation:MinProperties=1 +type CertificateConfig struct { + // key specifies the cryptographic parameters for the certificate's key pair. + // Currently this is the only configurable parameter. When omitted in an + // overrides entry, the key configuration from defaults is used. + // +optional + Key KeyConfig `json:"key,omitzero"` +} + +// KeyConfig specifies cryptographic parameters for key generation. +// +// +kubebuilder:validation:XValidation:rule="has(self.algorithm) && self.algorithm == 'RSA' ? has(self.rsa) : !has(self.rsa)",message="rsa is required when algorithm is RSA, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.algorithm) && self.algorithm == 'ECDSA' ? has(self.ecdsa) : !has(self.ecdsa)",message="ecdsa is required when algorithm is ECDSA, and forbidden otherwise" +// +union +type KeyConfig struct { + // algorithm specifies the key generation algorithm. + // Valid values are "RSA" and "ECDSA". + // + // When set to RSA, the rsa field must be specified and the generated key + // will be an RSA key with the configured key size. + // + // When set to ECDSA, the ecdsa field must be specified and the generated key + // will be an ECDSA key using the configured elliptic curve. + // + // +required + // +unionDiscriminator + Algorithm KeyAlgorithm `json:"algorithm,omitempty"` + + // rsa specifies RSA key parameters. + // Required when algorithm is RSA, and forbidden otherwise. + // +optional + // +unionMember + RSA RSAKeyConfig `json:"rsa,omitzero"` + + // ecdsa specifies ECDSA key parameters. + // Required when algorithm is ECDSA, and forbidden otherwise. + // +optional + // +unionMember + ECDSA ECDSAKeyConfig `json:"ecdsa,omitzero"` +} + +// RSAKeyConfig specifies parameters for RSA key generation. +type RSAKeyConfig struct { + // keySize specifies the size of RSA keys in bits. + // Valid values are multiples of 1024 from 2048 to 8192. + // +required + // +kubebuilder:validation:Minimum=2048 + // +kubebuilder:validation:Maximum=8192 + // +kubebuilder:validation:MultipleOf=1024 + KeySize int32 `json:"keySize,omitempty"` +} + +// ECDSAKeyConfig specifies parameters for ECDSA key generation. +type ECDSAKeyConfig struct { + // curve specifies the NIST elliptic curve for ECDSA keys. + // Valid values are "P256", "P384", and "P521". + // + // When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + // providing 128-bit security. + // + // When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + // providing 192-bit security. + // + // When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + // providing 256-bit security. + // + // +required + Curve ECDSACurve `json:"curve,omitempty"` +} + +// KeyAlgorithm specifies the cryptographic algorithm used for key generation. +// +// +kubebuilder:validation:Enum=RSA;ECDSA +type KeyAlgorithm string + +const ( + // KeyAlgorithmRSA specifies the RSA (Rivest-Shamir-Adleman) algorithm for key generation. + KeyAlgorithmRSA KeyAlgorithm = "RSA" + + // KeyAlgorithmECDSA specifies the ECDSA (Elliptic Curve Digital Signature Algorithm) for key generation. + KeyAlgorithmECDSA KeyAlgorithm = "ECDSA" +) + +// ECDSACurve specifies the elliptic curve used for ECDSA key generation. +// +// +kubebuilder:validation:Enum=P256;P384;P521 +type ECDSACurve string + +const ( + // ECDSACurveP256 specifies the NIST P-256 curve (also known as secp256r1), providing 128-bit security. + ECDSACurveP256 ECDSACurve = "P256" + + // ECDSACurveP384 specifies the NIST P-384 curve (also known as secp384r1), providing 192-bit security. + ECDSACurveP384 ECDSACurve = "P384" + + // ECDSACurveP521 specifies the NIST P-521 curve (also known as secp521r1), providing 256-bit security. + ECDSACurveP521 ECDSACurve = "P521" +) + +// PKIList is a collection of PKI resources. +// +// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +openshift:compatibility-gen:level=4 +type PKIList struct { + metav1.TypeMeta `json:",inline"` + + // metadata is the standard list's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + metav1.ListMeta `json:"metadata,omitempty"` + + // items is a list of PKI resources + Items []PKI `json:"items"` +} From f83c90424692a1a96fb46caaa2154de7f7b1a6ee Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Tue, 17 Feb 2026 11:19:31 -0500 Subject: [PATCH 2/4] pki: tests --- .../ConfigurablePKI.yaml | 557 ++++++++++++++++++ 1 file changed, 557 insertions(+) create mode 100644 config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml diff --git a/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml b/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml new file mode 100644 index 00000000000..5554ca78958 --- /dev/null +++ b/config/v1alpha1/tests/pkis.config.openshift.io/ConfigurablePKI.yaml @@ -0,0 +1,557 @@ +apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this +name: "PKI" +crdName: pkis.config.openshift.io +featureGates: +- ConfigurablePKI +tests: + onCreate: + - name: Should be able to create a PKI with mode Unmanaged + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + - name: Should be able to create a PKI with mode Default + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + - name: Should be able to create a PKI with mode Custom with minimal config + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + - name: Should be able to create a PKI with mode Custom with ECDSA + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + - name: Should be able to create a PKI with mode Custom with signerCertificates override + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + signerCertificates: + key: + algorithm: RSA + rsa: + keySize: 4096 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + signerCertificates: + key: + algorithm: RSA + rsa: + keySize: 4096 + - name: Should be able to create a PKI with mode Custom with all category overrides + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + signerCertificates: + key: + algorithm: RSA + rsa: + keySize: 4096 + servingCertificates: + key: + algorithm: ECDSA + ecdsa: + curve: P256 + clientCertificates: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + signerCertificates: + key: + algorithm: RSA + rsa: + keySize: 4096 + servingCertificates: + key: + algorithm: ECDSA + ecdsa: + curve: P256 + clientCertificates: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + - name: Should not allow mode Unmanaged with custom field set + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode Default with custom field set + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode Custom without custom field + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + expectedError: "spec.certificateManagement: Invalid value: \"object\": custom is required when mode is Custom, and forbidden otherwise" + - name: Should not allow mode missing + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: {} + expectedError: "spec.certificateManagement.mode: Required value" + - name: Should not allow RSA algorithm without rsa field + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + expectedError: "spec.certificateManagement.custom.defaults.key: Invalid value: \"object\": rsa is required when algorithm is RSA, and forbidden otherwise" + - name: Should not allow ECDSA algorithm without ecdsa field + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + expectedError: "spec.certificateManagement.custom.defaults.key: Invalid value: \"object\": ecdsa is required when algorithm is ECDSA, and forbidden otherwise" + - name: Should not allow rsa field with ECDSA algorithm + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + rsa: + keySize: 2048 + expectedError: "spec.certificateManagement.custom.defaults.key: Invalid value: \"object\": rsa is required when algorithm is RSA, and forbidden otherwise" + - name: Should not allow ecdsa field with RSA algorithm + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + ecdsa: + curve: P384 + expectedError: "spec.certificateManagement.custom.defaults.key: Invalid value: \"object\": ecdsa is required when algorithm is ECDSA, and forbidden otherwise" + - name: Should not allow RSA keySize below minimum + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 1024 + expectedError: "spec.certificateManagement.custom.defaults.key.rsa.keySize in body should be greater than or equal to 2048" + - name: Should not allow RSA keySize above maximum + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 9216 + expectedError: "spec.certificateManagement.custom.defaults.key.rsa.keySize in body should be less than or equal to 8192" + - name: Should not allow RSA keySize that is not a multiple of 1024 + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 3000 + expectedError: "spec.certificateManagement.custom.defaults.key.rsa.keySize in body should be a multiple of 1024" + - name: Should not allow invalid algorithm value + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: DSA + expectedError: "spec.certificateManagement.custom.defaults.key.algorithm: Unsupported value: \"DSA\": supported values: \"RSA\", \"ECDSA\"" + - name: Should not allow invalid ECDSA curve value + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P224 + expectedError: "spec.certificateManagement.custom.defaults.key.ecdsa.curve: Unsupported value: \"P224\": supported values: \"P256\", \"P384\", \"P521\"" + - name: Should not allow invalid mode value + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Invalid + expectedError: "spec.certificateManagement.mode: Unsupported value: \"Invalid\": supported values: \"Unmanaged\", \"Default\", \"Custom\"" + - name: Should not allow empty signerCertificates override + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + signerCertificates: {} + expectedError: "spec.certificateManagement.custom.signerCertificates in body should have at least 1 properties" + - name: Should not allow empty servingCertificates override + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + servingCertificates: {} + expectedError: "spec.certificateManagement.custom.servingCertificates in body should have at least 1 properties" + - name: Should not allow empty clientCertificates override + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + clientCertificates: {} + expectedError: "spec.certificateManagement.custom.clientCertificates in body should have at least 1 properties" + onUpdate: + - name: Should allow transition from Unmanaged to Default + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Unmanaged + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + - name: Should allow transition from Default to Custom + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Default + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 4096 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 4096 + - name: Should allow updating custom configuration + initial: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: RSA + rsa: + keySize: 2048 + updated: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 + expected: | + apiVersion: config.openshift.io/v1alpha1 + kind: PKI + metadata: + name: cluster + spec: + certificateManagement: + mode: Custom + custom: + defaults: + key: + algorithm: ECDSA + ecdsa: + curve: P384 From 2ee6c8c174b201d2d1cfef6c811b179dbb943dca Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Tue, 17 Feb 2026 11:19:53 -0500 Subject: [PATCH 3/4] pki: generated --- .../0000_10_config-operator_01_pkis.crd.yaml | 441 +++++++++++++++ config/v1alpha1/zz_generated.deepcopy.go | 215 ++++++++ ..._generated.featuregated-crd-manifests.yaml | 23 + .../ConfigurablePKI.yaml | 441 +++++++++++++++ .../zz_generated.swagger_doc_generated.go | 106 ++++ .../generated_openapi/zz_generated.openapi.go | 396 +++++++++++++ openapi/openapi.json | 519 ++++++++++++++---- .../0000_10_config-operator_01_pkis.crd.yaml | 441 +++++++++++++++ 8 files changed, 2480 insertions(+), 102 deletions(-) create mode 100644 config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis.crd.yaml create mode 100644 config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml create mode 100644 payload-manifests/crds/0000_10_config-operator_01_pkis.crd.yaml diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis.crd.yaml new file mode 100644 index 00000000000..6c93b0ece87 --- /dev/null +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis.crd.yaml @@ -0,0 +1,441 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade,DevPreviewNoUpgrade,TechPreviewNoUpgrade + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. + This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults and category override fields + to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + clientCertificates: + description: |- + clientCertificates optionally overrides certificate parameters for + client authentication certificates used to authenticate to servers. + When set, these parameters take precedence over defaults for all client certificates. + When omitted, the defaults are used for client certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + defaults: + description: |- + defaults specifies the default certificate configuration that applies + to all certificates unless overridden by a category override. + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + This field is required in defaults to ensure all certificates have a + well-defined key configuration. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + required: + - key + type: object + servingCertificates: + description: |- + servingCertificates optionally overrides certificate parameters for + TLS server certificates used to serve HTTPS endpoints. + When set, these parameters take precedence over defaults for all serving certificates. + When omitted, the defaults are used for serving certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + signerCertificates: + description: |- + signerCertificates optionally overrides certificate parameters for + certificate authority (CA) certificates that sign other certificates. + When set, these parameters take precedence over defaults for all signer certificates. + When omitted, the defaults are used for signer certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - defaults + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index d648413ab51..e28a94dbeff 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -301,6 +301,23 @@ func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProvider return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CertificateConfig) DeepCopyInto(out *CertificateConfig) { + *out = *in + out.Key = in.Key + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateConfig. +func (in *CertificateConfig) DeepCopy() *CertificateConfig { + if in == nil { + return nil + } + out := new(CertificateConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) { *out = *in @@ -523,6 +540,56 @@ func (in *ContainerResource) DeepCopy() *ContainerResource { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomPKIPolicy) DeepCopyInto(out *CustomPKIPolicy) { + *out = *in + out.PKIProfile = in.PKIProfile + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomPKIPolicy. +func (in *CustomPKIPolicy) DeepCopy() *CustomPKIPolicy { + if in == nil { + return nil + } + out := new(CustomPKIPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DefaultCertificateConfig) DeepCopyInto(out *DefaultCertificateConfig) { + *out = *in + out.Key = in.Key + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultCertificateConfig. +func (in *DefaultCertificateConfig) DeepCopy() *DefaultCertificateConfig { + if in == nil { + return nil + } + out := new(DefaultCertificateConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ECDSAKeyConfig) DeepCopyInto(out *ECDSAKeyConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ECDSAKeyConfig. +func (in *ECDSAKeyConfig) DeepCopy() *ECDSAKeyConfig { + if in == nil { + return nil + } + out := new(ECDSAKeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EtcdBackupSpec) DeepCopyInto(out *EtcdBackupSpec) { *out = *in @@ -864,6 +931,24 @@ func (in *InsightsDataGatherStatus) DeepCopy() *InsightsDataGatherStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KeyConfig) DeepCopyInto(out *KeyConfig) { + *out = *in + out.RSA = in.RSA + out.ECDSA = in.ECDSA + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyConfig. +func (in *KeyConfig) DeepCopy() *KeyConfig { + if in == nil { + return nil + } + out := new(KeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MetricsServerConfig) DeepCopyInto(out *MetricsServerConfig) { *out = *in @@ -909,6 +994,50 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKI) DeepCopyInto(out *PKI) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI. +func (in *PKI) DeepCopy() *PKI { + if in == nil { + return nil + } + out := new(PKI) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKI) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKICertificateManagement) DeepCopyInto(out *PKICertificateManagement) { + *out = *in + out.Custom = in.Custom + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateManagement. +func (in *PKICertificateManagement) DeepCopy() *PKICertificateManagement { + if in == nil { + return nil + } + out := new(PKICertificateManagement) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) { *out = *in @@ -925,6 +1054,76 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKIList) DeepCopyInto(out *PKIList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PKI, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIList. +func (in *PKIList) DeepCopy() *PKIList { + if in == nil { + return nil + } + out := new(PKIList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PKIList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKIProfile) DeepCopyInto(out *PKIProfile) { + *out = *in + out.Defaults = in.Defaults + out.SignerCertificates = in.SignerCertificates + out.ServingCertificates = in.ServingCertificates + out.ClientCertificates = in.ClientCertificates + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKIProfile. +func (in *PKIProfile) DeepCopy() *PKIProfile { + if in == nil { + return nil + } + out := new(PKIProfile) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PKISpec) DeepCopyInto(out *PKISpec) { + *out = *in + out.CertificateManagement = in.CertificateManagement + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKISpec. +func (in *PKISpec) DeepCopy() *PKISpec { + if in == nil { + return nil + } + out := new(PKISpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { *out = *in @@ -1137,6 +1336,22 @@ func (in *PrometheusOperatorConfig) DeepCopy() *PrometheusOperatorConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RSAKeyConfig) DeepCopyInto(out *RSAKeyConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RSAKeyConfig. +func (in *RSAKeyConfig) DeepCopy() *RSAKeyConfig { + if in == nil { + return nil + } + out := new(RSAKeyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RetentionNumberConfig) DeepCopyInto(out *RetentionNumberConfig) { *out = *in diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index 14091b5872b..dc2d249a997 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -139,3 +139,26 @@ insightsdatagathers.config.openshift.io: - InsightsConfig Version: v1alpha1 +pkis.config.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2645 + CRDName: pkis.config.openshift.io + Capability: "" + Category: "" + FeatureGates: + - ConfigurablePKI + FilenameOperatorName: config-operator + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_10" + GroupName: config.openshift.io + HasStatus: false + KindName: PKI + Labels: {} + PluralName: pkis + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - ConfigurablePKI + Version: v1alpha1 + diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml new file mode 100644 index 00000000000..33044cb675f --- /dev/null +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/pkis.config.openshift.io/ConfigurablePKI.yaml @@ -0,0 +1,441 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/filename-cvo-runlevel: "0000_10" + api.openshift.io/filename-operator: config-operator + api.openshift.io/filename-ordering: "01" + feature-gate.release.openshift.io/ConfigurablePKI: "true" + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. + This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults and category override fields + to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + clientCertificates: + description: |- + clientCertificates optionally overrides certificate parameters for + client authentication certificates used to authenticate to servers. + When set, these parameters take precedence over defaults for all client certificates. + When omitted, the defaults are used for client certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + defaults: + description: |- + defaults specifies the default certificate configuration that applies + to all certificates unless overridden by a category override. + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + This field is required in defaults to ensure all certificates have a + well-defined key configuration. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + required: + - key + type: object + servingCertificates: + description: |- + servingCertificates optionally overrides certificate parameters for + TLS server certificates used to serve HTTPS endpoints. + When set, these parameters take precedence over defaults for all serving certificates. + When omitted, the defaults are used for serving certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + signerCertificates: + description: |- + signerCertificates optionally overrides certificate parameters for + certificate authority (CA) certificates that sign other certificates. + When set, these parameters take precedence over defaults for all signer certificates. + When omitted, the defaults are used for signer certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - defaults + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 343947f5912..e43dc7b236f 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go @@ -497,4 +497,110 @@ func (Storage) SwaggerDoc() map[string]string { return map_Storage } +var map_CertificateConfig = map[string]string{ + "": "CertificateConfig specifies configuration parameters for certificates. At least one property must be specified.", + "key": "key specifies the cryptographic parameters for the certificate's key pair. Currently this is the only configurable parameter. When omitted in an overrides entry, the key configuration from defaults is used.", +} + +func (CertificateConfig) SwaggerDoc() map[string]string { + return map_CertificateConfig +} + +var map_CustomPKIPolicy = map[string]string{ + "": "CustomPKIPolicy contains administrator-specified cryptographic configuration. Administrators must specify defaults for all certificates and may optionally override specific categories of certificates.", +} + +func (CustomPKIPolicy) SwaggerDoc() map[string]string { + return map_CustomPKIPolicy +} + +var map_DefaultCertificateConfig = map[string]string{ + "": "DefaultCertificateConfig specifies the default certificate configuration parameters. All fields are required to ensure that defaults are fully specified for all certificates.", + "key": "key specifies the cryptographic parameters for the certificate's key pair. This field is required in defaults to ensure all certificates have a well-defined key configuration.", +} + +func (DefaultCertificateConfig) SwaggerDoc() map[string]string { + return map_DefaultCertificateConfig +} + +var map_ECDSAKeyConfig = map[string]string{ + "": "ECDSAKeyConfig specifies parameters for ECDSA key generation.", + "curve": "curve specifies the NIST elliptic curve for ECDSA keys. Valid values are \"P256\", \"P384\", and \"P521\".\n\nWhen set to P256, the NIST P-256 curve (also known as secp256r1) is used, providing 128-bit security.\n\nWhen set to P384, the NIST P-384 curve (also known as secp384r1) is used, providing 192-bit security.\n\nWhen set to P521, the NIST P-521 curve (also known as secp521r1) is used, providing 256-bit security.", +} + +func (ECDSAKeyConfig) SwaggerDoc() map[string]string { + return map_ECDSAKeyConfig +} + +var map_KeyConfig = map[string]string{ + "": "KeyConfig specifies cryptographic parameters for key generation.", + "algorithm": "algorithm specifies the key generation algorithm. Valid values are \"RSA\" and \"ECDSA\".\n\nWhen set to RSA, the rsa field must be specified and the generated key will be an RSA key with the configured key size.\n\nWhen set to ECDSA, the ecdsa field must be specified and the generated key will be an ECDSA key using the configured elliptic curve.", + "rsa": "rsa specifies RSA key parameters. Required when algorithm is RSA, and forbidden otherwise.", + "ecdsa": "ecdsa specifies ECDSA key parameters. Required when algorithm is ECDSA, and forbidden otherwise.", +} + +func (KeyConfig) SwaggerDoc() map[string]string { + return map_KeyConfig +} + +var map_PKI = map[string]string{ + "": "PKI configures cryptographic parameters for certificates generated internally by OpenShift components.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec holds user settable values for configuration", +} + +func (PKI) SwaggerDoc() map[string]string { + return map_PKI +} + +var map_PKICertificateManagement = map[string]string{ + "": "PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). This provides flexibility for organizations with specific compliance requirements or security policies while maintaining backwards compatibility for existing clusters.", + "mode": "mode determines how PKI configuration is managed. Valid values are \"Unmanaged\", \"Default\", and \"Custom\".\n\nWhen set to Unmanaged, components use their existing hardcoded certificate generation behavior, exactly as if this feature did not exist. Each component generates certificates using whatever parameters it was using before this feature. While most components use RSA 2048, some may use different parameters. Use of this mode might prevent upgrading to the next major OpenShift release.\n\nWhen set to Default, OpenShift-recommended best practices for certificate generation are applied. The specific parameters may evolve across OpenShift releases to adopt improved cryptographic standards. In the initial release, this matches Unmanaged behavior for each component. In future releases, this may adopt ECDSA or larger RSA keys based on industry best practices. Recommended for most customers who want to benefit from security improvements automatically.\n\nWhen set to Custom, the certificate management parameters can be set explicitly. Use the custom field to specify certificate generation parameters.", + "custom": "custom contains administrator-specified cryptographic configuration. Use the defaults and category override fields to specify certificate generation parameters. Required when mode is Custom, and forbidden otherwise.", +} + +func (PKICertificateManagement) SwaggerDoc() map[string]string { + return map_PKICertificateManagement +} + +var map_PKIList = map[string]string{ + "": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "items": "items is a list of PKI resources", +} + +func (PKIList) SwaggerDoc() map[string]string { + return map_PKIList +} + +var map_PKIProfile = map[string]string{ + "": "PKIProfile defines the certificate generation parameters that OpenShift components use to create certificates. Category overrides take precedence over defaults.", + "defaults": "defaults specifies the default certificate configuration that applies to all certificates unless overridden by a category override.", + "signerCertificates": "signerCertificates optionally overrides certificate parameters for certificate authority (CA) certificates that sign other certificates. When set, these parameters take precedence over defaults for all signer certificates. When omitted, the defaults are used for signer certificates.", + "servingCertificates": "servingCertificates optionally overrides certificate parameters for TLS server certificates used to serve HTTPS endpoints. When set, these parameters take precedence over defaults for all serving certificates. When omitted, the defaults are used for serving certificates.", + "clientCertificates": "clientCertificates optionally overrides certificate parameters for client authentication certificates used to authenticate to servers. When set, these parameters take precedence over defaults for all client certificates. When omitted, the defaults are used for client certificates.", +} + +func (PKIProfile) SwaggerDoc() map[string]string { + return map_PKIProfile +} + +var map_PKISpec = map[string]string{ + "": "PKISpec holds the specification for PKI configuration.", + "certificateManagement": "certificateManagement specifies how PKI configuration is managed for internally-generated certificates. This controls the certificate generation approach for all OpenShift components that create certificates internally, including certificate authorities, serving certificates, and client certificates.", +} + +func (PKISpec) SwaggerDoc() map[string]string { + return map_PKISpec +} + +var map_RSAKeyConfig = map[string]string{ + "": "RSAKeyConfig specifies parameters for RSA key generation.", + "keySize": "keySize specifies the size of RSA keys in bits. Valid values are multiples of 1024 from 2048 to 8192.", +} + +func (RSAKeyConfig) SwaggerDoc() map[string]string { + return map_RSAKeyConfig +} + // AUTO-GENERATED FUNCTIONS END HERE diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index c2746f05d0b..ac5cca0658d 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -460,6 +460,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigList": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigList(ref), "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref), "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref), + "github.com/openshift/api/config/v1alpha1.CertificateConfig": schema_openshift_api_config_v1alpha1_CertificateConfig(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicy": schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicyList": schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref), "github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec": schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref), @@ -469,6 +470,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.ClusterMonitoringSpec": schema_openshift_api_config_v1alpha1_ClusterMonitoringSpec(ref), "github.com/openshift/api/config/v1alpha1.ClusterMonitoringStatus": schema_openshift_api_config_v1alpha1_ClusterMonitoringStatus(ref), "github.com/openshift/api/config/v1alpha1.ContainerResource": schema_openshift_api_config_v1alpha1_ContainerResource(ref), + "github.com/openshift/api/config/v1alpha1.CustomPKIPolicy": schema_openshift_api_config_v1alpha1_CustomPKIPolicy(ref), + "github.com/openshift/api/config/v1alpha1.DefaultCertificateConfig": schema_openshift_api_config_v1alpha1_DefaultCertificateConfig(ref), + "github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig": schema_openshift_api_config_v1alpha1_ECDSAKeyConfig(ref), "github.com/openshift/api/config/v1alpha1.EtcdBackupSpec": schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref), "github.com/openshift/api/config/v1alpha1.GatherConfig": schema_openshift_api_config_v1alpha1_GatherConfig(ref), "github.com/openshift/api/config/v1alpha1.ImagePolicy": schema_openshift_api_config_v1alpha1_ImagePolicy(ref), @@ -483,8 +487,14 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.InsightsDataGatherList": schema_openshift_api_config_v1alpha1_InsightsDataGatherList(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherSpec": schema_openshift_api_config_v1alpha1_InsightsDataGatherSpec(ref), "github.com/openshift/api/config/v1alpha1.InsightsDataGatherStatus": schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref), + "github.com/openshift/api/config/v1alpha1.KeyConfig": schema_openshift_api_config_v1alpha1_KeyConfig(ref), "github.com/openshift/api/config/v1alpha1.MetricsServerConfig": schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref), + "github.com/openshift/api/config/v1alpha1.PKI": schema_openshift_api_config_v1alpha1_PKI(ref), + "github.com/openshift/api/config/v1alpha1.PKICertificateManagement": schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref), "github.com/openshift/api/config/v1alpha1.PKICertificateSubject": schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref), + "github.com/openshift/api/config/v1alpha1.PKIList": schema_openshift_api_config_v1alpha1_PKIList(ref), + "github.com/openshift/api/config/v1alpha1.PKIProfile": schema_openshift_api_config_v1alpha1_PKIProfile(ref), + "github.com/openshift/api/config/v1alpha1.PKISpec": schema_openshift_api_config_v1alpha1_PKISpec(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeClaimReference": schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref), "github.com/openshift/api/config/v1alpha1.PersistentVolumeConfig": schema_openshift_api_config_v1alpha1_PersistentVolumeConfig(ref), "github.com/openshift/api/config/v1alpha1.PolicyFulcioSubject": schema_openshift_api_config_v1alpha1_PolicyFulcioSubject(ref), @@ -494,6 +504,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/config/v1alpha1.PolicyRootOfTrust": schema_openshift_api_config_v1alpha1_PolicyRootOfTrust(ref), "github.com/openshift/api/config/v1alpha1.PrometheusOperatorAdmissionWebhookConfig": schema_openshift_api_config_v1alpha1_PrometheusOperatorAdmissionWebhookConfig(ref), "github.com/openshift/api/config/v1alpha1.PrometheusOperatorConfig": schema_openshift_api_config_v1alpha1_PrometheusOperatorConfig(ref), + "github.com/openshift/api/config/v1alpha1.RSAKeyConfig": schema_openshift_api_config_v1alpha1_RSAKeyConfig(ref), "github.com/openshift/api/config/v1alpha1.RetentionNumberConfig": schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref), "github.com/openshift/api/config/v1alpha1.RetentionPolicy": schema_openshift_api_config_v1alpha1_RetentionPolicy(ref), "github.com/openshift/api/config/v1alpha1.RetentionSizeConfig": schema_openshift_api_config_v1alpha1_RetentionSizeConfig(ref), @@ -22817,6 +22828,28 @@ func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref } } +func schema_openshift_api_config_v1alpha1_CertificateConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CertificateConfig specifies configuration parameters for certificates. At least one property must be specified.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "key": { + SchemaProps: spec.SchemaProps{ + Description: "key specifies the cryptographic parameters for the certificate's key pair. Currently this is the only configurable parameter. When omitted in an overrides entry, the key configuration from defaults is used.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.KeyConfig"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.KeyConfig"}, + } +} + func schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -23194,6 +23227,94 @@ func schema_openshift_api_config_v1alpha1_ContainerResource(ref common.Reference } } +func schema_openshift_api_config_v1alpha1_CustomPKIPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "CustomPKIPolicy contains administrator-specified cryptographic configuration. Administrators must specify defaults for all certificates and may optionally override specific categories of certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaults": { + SchemaProps: spec.SchemaProps{ + Description: "defaults specifies the default certificate configuration that applies to all certificates unless overridden by a category override.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.DefaultCertificateConfig"), + }, + }, + "signerCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "signerCertificates optionally overrides certificate parameters for certificate authority (CA) certificates that sign other certificates. When set, these parameters take precedence over defaults for all signer certificates. When omitted, the defaults are used for signer certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "servingCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "servingCertificates optionally overrides certificate parameters for TLS server certificates used to serve HTTPS endpoints. When set, these parameters take precedence over defaults for all serving certificates. When omitted, the defaults are used for serving certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "clientCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "clientCertificates optionally overrides certificate parameters for client authentication certificates used to authenticate to servers. When set, these parameters take precedence over defaults for all client certificates. When omitted, the defaults are used for client certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + }, + Required: []string{"defaults"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CertificateConfig", "github.com/openshift/api/config/v1alpha1.DefaultCertificateConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_DefaultCertificateConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "DefaultCertificateConfig specifies the default certificate configuration parameters. All fields are required to ensure that defaults are fully specified for all certificates.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "key": { + SchemaProps: spec.SchemaProps{ + Description: "key specifies the cryptographic parameters for the certificate's key pair. This field is required in defaults to ensure all certificates have a well-defined key configuration.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.KeyConfig"), + }, + }, + }, + Required: []string{"key"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.KeyConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_ECDSAKeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ECDSAKeyConfig specifies parameters for ECDSA key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "curve": { + SchemaProps: spec.SchemaProps{ + Description: "curve specifies the NIST elliptic curve for ECDSA keys. Valid values are \"P256\", \"P384\", and \"P521\".\n\nWhen set to P256, the NIST P-256 curve (also known as secp256r1) is used, providing 128-bit security.\n\nWhen set to P384, the NIST P-384 curve (also known as secp384r1) is used, providing 192-bit security.\n\nWhen set to P521, the NIST P-521 curve (also known as secp521r1) is used, providing 256-bit security.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"curve"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_EtcdBackupSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -23732,6 +23853,56 @@ func schema_openshift_api_config_v1alpha1_InsightsDataGatherStatus(ref common.Re } } +func schema_openshift_api_config_v1alpha1_KeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "KeyConfig specifies cryptographic parameters for key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "algorithm": { + SchemaProps: spec.SchemaProps{ + Description: "algorithm specifies the key generation algorithm. Valid values are \"RSA\" and \"ECDSA\".\n\nWhen set to RSA, the rsa field must be specified and the generated key will be an RSA key with the configured key size.\n\nWhen set to ECDSA, the ecdsa field must be specified and the generated key will be an ECDSA key using the configured elliptic curve.", + Type: []string{"string"}, + Format: "", + }, + }, + "rsa": { + SchemaProps: spec.SchemaProps{ + Description: "rsa specifies RSA key parameters. Required when algorithm is RSA, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.RSAKeyConfig"), + }, + }, + "ecdsa": { + SchemaProps: spec.SchemaProps{ + Description: "ecdsa specifies ECDSA key parameters. Required when algorithm is ECDSA, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig"), + }, + }, + }, + Required: []string{"algorithm"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "algorithm", + "fields-to-discriminateBy": map[string]interface{}{ + "ecdsa": "ECDSA", + "rsa": "RSA", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.ECDSAKeyConfig", "github.com/openshift/api/config/v1alpha1.RSAKeyConfig"}, + } +} + func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -23841,6 +24012,92 @@ func schema_openshift_api_config_v1alpha1_MetricsServerConfig(ref common.Referen } } +func schema_openshift_api_config_v1alpha1_PKI(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKI configures cryptographic parameters for certificates generated internally by OpenShift components.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref(metav1.ObjectMeta{}.OpenAPIModelName()), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "spec holds user settable values for configuration", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKISpec"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKISpec", metav1.ObjectMeta{}.OpenAPIModelName()}, + } +} + +func schema_openshift_api_config_v1alpha1_PKICertificateManagement(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). This provides flexibility for organizations with specific compliance requirements or security policies while maintaining backwards compatibility for existing clusters.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "mode": { + SchemaProps: spec.SchemaProps{ + Description: "mode determines how PKI configuration is managed. Valid values are \"Unmanaged\", \"Default\", and \"Custom\".\n\nWhen set to Unmanaged, components use their existing hardcoded certificate generation behavior, exactly as if this feature did not exist. Each component generates certificates using whatever parameters it was using before this feature. While most components use RSA 2048, some may use different parameters. Use of this mode might prevent upgrading to the next major OpenShift release.\n\nWhen set to Default, OpenShift-recommended best practices for certificate generation are applied. The specific parameters may evolve across OpenShift releases to adopt improved cryptographic standards. In the initial release, this matches Unmanaged behavior for each component. In future releases, this may adopt ECDSA or larger RSA keys based on industry best practices. Recommended for most customers who want to benefit from security improvements automatically.\n\nWhen set to Custom, the certificate management parameters can be set explicitly. Use the custom field to specify certificate generation parameters.", + Type: []string{"string"}, + Format: "", + }, + }, + "custom": { + SchemaProps: spec.SchemaProps{ + Description: "custom contains administrator-specified cryptographic configuration. Use the defaults and category override fields to specify certificate generation parameters. Required when mode is Custom, and forbidden otherwise.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CustomPKIPolicy"), + }, + }, + }, + Required: []string{"mode"}, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "mode", + "fields-to-discriminateBy": map[string]interface{}{ + "custom": "Custom", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CustomPKIPolicy"}, + } +} + func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -23868,6 +24125,124 @@ func schema_openshift_api_config_v1alpha1_PKICertificateSubject(ref common.Refer } } +func schema_openshift_api_config_v1alpha1_PKIList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref(metav1.ListMeta{}.OpenAPIModelName()), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Description: "items is a list of PKI resources", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKI"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKI", metav1.ListMeta{}.OpenAPIModelName()}, + } +} + +func schema_openshift_api_config_v1alpha1_PKIProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKIProfile defines the certificate generation parameters that OpenShift components use to create certificates. Category overrides take precedence over defaults.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "defaults": { + SchemaProps: spec.SchemaProps{ + Description: "defaults specifies the default certificate configuration that applies to all certificates unless overridden by a category override.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.DefaultCertificateConfig"), + }, + }, + "signerCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "signerCertificates optionally overrides certificate parameters for certificate authority (CA) certificates that sign other certificates. When set, these parameters take precedence over defaults for all signer certificates. When omitted, the defaults are used for signer certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "servingCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "servingCertificates optionally overrides certificate parameters for TLS server certificates used to serve HTTPS endpoints. When set, these parameters take precedence over defaults for all serving certificates. When omitted, the defaults are used for serving certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + "clientCertificates": { + SchemaProps: spec.SchemaProps{ + Description: "clientCertificates optionally overrides certificate parameters for client authentication certificates used to authenticate to servers. When set, these parameters take precedence over defaults for all client certificates. When omitted, the defaults are used for client certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.CertificateConfig"), + }, + }, + }, + Required: []string{"defaults"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.CertificateConfig", "github.com/openshift/api/config/v1alpha1.DefaultCertificateConfig"}, + } +} + +func schema_openshift_api_config_v1alpha1_PKISpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "PKISpec holds the specification for PKI configuration.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateManagement": { + SchemaProps: spec.SchemaProps{ + Description: "certificateManagement specifies how PKI configuration is managed for internally-generated certificates. This controls the certificate generation approach for all OpenShift components that create certificates internally, including certificate authorities, serving certificates, and client certificates.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/config/v1alpha1.PKICertificateManagement"), + }, + }, + }, + Required: []string{"certificateManagement"}, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/config/v1alpha1.PKICertificateManagement"}, + } +} + func schema_openshift_api_config_v1alpha1_PersistentVolumeClaimReference(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -24267,6 +24642,27 @@ func schema_openshift_api_config_v1alpha1_PrometheusOperatorConfig(ref common.Re } } +func schema_openshift_api_config_v1alpha1_RSAKeyConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RSAKeyConfig specifies parameters for RSA key generation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "keySize": { + SchemaProps: spec.SchemaProps{ + Description: "keySize specifies the size of RSA keys in bits. Valid values are multiples of 1024 from 2048 to 8192.", + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + Required: []string{"keySize"}, + }, + }, + } +} + func schema_openshift_api_config_v1alpha1_RetentionNumberConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index fff430807d8..3d696cdc6a9 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -193,7 +193,7 @@ "$ref": "#/definitions/com.github.openshift.api.apiextensions.v1alpha1.CRDData" }, "excludedFields": { - "description": "excludedFields is a set of fields in the schema which will not be validated by crdSchemaValidation or objectSchemaValidation. The list may contain at most 64 fields. When not specified, all fields in the schema will be validated.", + "description": "excludedFields is a set of fields in the schema which will not be validated by crdSchemaValidation or objectSchemaValidation. The list may contain at most 64 fields. Each path in the list must be unique. When not specified, all fields in the schema will be validated.", "type": "array", "items": { "default": {}, @@ -6339,7 +6339,7 @@ ], "properties": { "ciphers": { - "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", "type": "array", "items": { "type": "string", @@ -11311,7 +11311,7 @@ ], "properties": { "ciphers": { - "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", "type": "array", "items": { "type": "string", @@ -11335,7 +11335,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.CustomTLSProfile" }, "intermediate": { - "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384", + "description": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", "$ref": "#/definitions/com.github.openshift.api.config.v1.IntermediateTLSProfile" }, "modern": { @@ -11343,11 +11343,11 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1.ModernTLSProfile" }, "old": { - "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "description": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", "$ref": "#/definitions/com.github.openshift.api.config.v1.OldTLSProfile" }, "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", "type": "string", "default": "" } @@ -12429,6 +12429,62 @@ } } }, + "com.github.openshift.api.config.v1alpha1.CategoryOverride": { + "description": "CategoryOverride specifies certificate configuration for a category of certificates.", + "type": "object", + "required": [ + "name", + "certificate" + ], + "properties": { + "certificate": { + "description": "certificate specifies the certificate configuration for this category override. At least one property must be set within the certificate configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CertificateConfig" + }, + "name": { + "description": "name identifies the certificate category. Valid values are \"Signer\", \"Serving\", and \"Client\".\n\nWhen set to Signer, the configuration applies to certificate authority (CA) certificates that sign other certificates.\n\nWhen set to Serving, the configuration applies to TLS server certificates used to serve HTTPS endpoints.\n\nWhen set to Client, the configuration applies to client authentication certificates used to authenticate to servers.", + "type": "string" + } + } + }, + "com.github.openshift.api.config.v1alpha1.CertificateConfig": { + "description": "CertificateConfig specifies configuration parameters for certificates. At least one property must be specified.", + "type": "object", + "properties": { + "key": { + "description": "key specifies the cryptographic parameters for the certificate's key pair. Currently this is the only configurable parameter. When omitted in an overrides entry, the key configuration from defaults is used.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.KeyConfig" + } + } + }, + "com.github.openshift.api.config.v1alpha1.CertificateOverride": { + "description": "CertificateOverride specifies a certificate configuration override. The type field determines what kind of override this is.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "category": { + "description": "category specifies an override for a category of certificates. Required when type is Category, and forbidden otherwise.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CategoryOverride" + }, + "type": { + "description": "type determines what this override targets. Valid values are \"Category\".\n\nWhen set to Category, the override applies to all certificates of the specified category. The category field must be set.", + "type": "string" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "category": "Category" + } + } + ] + }, "com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": { "description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -12642,6 +12698,56 @@ } } }, + "com.github.openshift.api.config.v1alpha1.CustomPKIPolicy": { + "description": "CustomPKIPolicy contains administrator-specified cryptographic configuration. Administrators must specify defaults for all certificates and may optionally override specific categories of certificates.", + "type": "object", + "required": [ + "defaults" + ], + "properties": { + "defaults": { + "description": "defaults specifies the default certificate configuration that applies to all certificates unless overridden by an overrides entry.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.DefaultCertificateConfig" + }, + "overrides": { + "description": "overrides allows overriding certificate parameters for specific categories of certificates. Overrides take precedence over defaults. Each override of type Category must target a unique category name. When provided, the list must contain between 1 and 3 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CertificateOverride" + }, + "x-kubernetes-list-type": "atomic" + } + } + }, + "com.github.openshift.api.config.v1alpha1.DefaultCertificateConfig": { + "description": "DefaultCertificateConfig specifies the default certificate configuration parameters. All fields are required to ensure that defaults are fully specified for all certificates.", + "type": "object", + "required": [ + "key" + ], + "properties": { + "key": { + "description": "key specifies the cryptographic parameters for the certificate's key pair. This field is required in defaults to ensure all certificates have a well-defined key configuration.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.KeyConfig" + } + } + }, + "com.github.openshift.api.config.v1alpha1.ECDSAKeyConfig": { + "description": "ECDSAKeyConfig specifies parameters for ECDSA key generation.", + "type": "object", + "required": [ + "curve" + ], + "properties": { + "curve": { + "description": "curve specifies the elliptic curve for ECDSA keys. Valid values are \"P256\", \"P384\", and \"P521\".", + "type": "string" + } + } + }, "com.github.openshift.api.config.v1alpha1.EtcdBackupSpec": { "description": "EtcdBackupSpec provides configuration for automated etcd backups to the cluster-etcd-operator", "type": "object", @@ -12682,7 +12788,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "atomic" }, "storage": { "description": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", @@ -12957,6 +13064,38 @@ "com.github.openshift.api.config.v1alpha1.InsightsDataGatherStatus": { "type": "object" }, + "com.github.openshift.api.config.v1alpha1.KeyConfig": { + "description": "KeyConfig specifies cryptographic parameters for key generation.", + "type": "object", + "required": [ + "algorithm" + ], + "properties": { + "algorithm": { + "description": "algorithm specifies the key generation algorithm. Valid values are \"RSA\" and \"ECDSA\".\n\nWhen set to RSA, the rsa field must be specified and the generated key will be an RSA key with the configured key size.\n\nWhen set to ECDSA, the ecdsa field must be specified and the generated key will be an ECDSA key using the configured elliptic curve.", + "type": "string" + }, + "ecdsa": { + "description": "ecdsa specifies ECDSA key parameters. Required when algorithm is ECDSA, and forbidden otherwise.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.ECDSAKeyConfig" + }, + "rsa": { + "description": "rsa specifies RSA key parameters. Required when algorithm is RSA, and forbidden otherwise.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RSAKeyConfig" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "algorithm", + "fields-to-discriminateBy": { + "ecdsa": "ECDSA", + "rsa": "RSA" + } + } + ] + }, "com.github.openshift.api.config.v1alpha1.MetricsServerConfig": { "description": "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.", "type": "object", @@ -13014,6 +13153,59 @@ } } }, + "com.github.openshift.api.config.v1alpha1.PKI": { + "description": "PKI configures cryptographic parameters for certificates generated internally by OpenShift components.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "spec" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + }, + "spec": { + "description": "spec holds user settable values for configuration", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKISpec" + } + } + }, + "com.github.openshift.api.config.v1alpha1.PKICertificateManagement": { + "description": "PKICertificateManagement determines whether components use hardcoded defaults (Unmanaged), follow OpenShift best practices (Default), or use administrator-specified cryptographic parameters (Custom). This provides flexibility for organizations with specific compliance requirements or security policies while maintaining backwards compatibility for existing clusters.", + "type": "object", + "required": [ + "mode" + ], + "properties": { + "custom": { + "description": "custom contains administrator-specified cryptographic configuration. Use the defaults and overrides fields to specify certificate generation parameters. Required when mode is Custom, and forbidden otherwise.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CustomPKIPolicy" + }, + "mode": { + "description": "mode determines how PKI configuration is managed. Valid values are \"Unmanaged\", \"Default\", and \"Custom\".\n\nWhen set to Unmanaged, components use their existing hardcoded certificate generation behavior, exactly as if this feature did not exist. Each component generates certificates using whatever parameters it was using before this feature. While most components use RSA 2048, some may use different parameters. Use of this mode might prevent upgrading to the next major OpenShift release.\n\nWhen set to Default, OpenShift-recommended best practices for certificate generation are applied. The specific parameters may evolve across OpenShift releases to adopt improved cryptographic standards. In the initial release, this matches Unmanaged behavior for each component. In future releases, this may adopt ECDSA or larger RSA keys based on industry best practices. Recommended for most customers who want to benefit from security improvements automatically.\n\nWhen set to Custom, the certificate management parameters can be set explicitly. Use the custom field to specify certificate generation parameters.", + "type": "string" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "mode", + "fields-to-discriminateBy": { + "custom": "Custom" + } + } + ] + }, "com.github.openshift.api.config.v1alpha1.PKICertificateSubject": { "description": "PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.", "type": "object", @@ -13028,6 +13220,73 @@ } } }, + "com.github.openshift.api.config.v1alpha1.PKIList": { + "description": "PKIList is a collection of PKI resources.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "items is a list of PKI resources", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKI" + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "default": {}, + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + } + }, + "com.github.openshift.api.config.v1alpha1.PKIProfile": { + "description": "PKIProfile defines the certificate generation parameters that OpenShift components use to create certificates. Overrides take precedence over defaults.", + "type": "object", + "required": [ + "defaults" + ], + "properties": { + "defaults": { + "description": "defaults specifies the default certificate configuration that applies to all certificates unless overridden by an overrides entry.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.DefaultCertificateConfig" + }, + "overrides": { + "description": "overrides allows overriding certificate parameters for specific categories of certificates. Overrides take precedence over defaults. Each override of type Category must target a unique category name. When provided, the list must contain between 1 and 3 entries.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CertificateOverride" + }, + "x-kubernetes-list-type": "atomic" + } + } + }, + "com.github.openshift.api.config.v1alpha1.PKISpec": { + "description": "PKISpec holds the specification for PKI configuration.", + "type": "object", + "required": [ + "certificateManagement" + ], + "properties": { + "certificateManagement": { + "description": "certificateManagement specifies how PKI configuration is managed for internally-generated certificates. This controls the certificate generation approach for all OpenShift components that create certificates internally, including certificate authorities, serving certificates, and client certificates.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.PKICertificateManagement" + } + } + }, "com.github.openshift.api.config.v1alpha1.PersistentVolumeClaimReference": { "description": "persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", "type": "object", @@ -13231,6 +13490,20 @@ } } }, + "com.github.openshift.api.config.v1alpha1.RSAKeyConfig": { + "description": "RSAKeyConfig specifies parameters for RSA key generation.", + "type": "object", + "required": [ + "keySize" + ], + "properties": { + "keySize": { + "description": "keySize specifies the size of RSA keys in bits. Valid values are multiples of 1024 from 2048 to 8192.", + "type": "integer", + "format": "int32" + } + } + }, "com.github.openshift.api.config.v1alpha1.RetentionNumberConfig": { "description": "RetentionNumberConfig specifies the configuration of the retention policy on the number of backups", "type": "object", @@ -17310,7 +17583,11 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha1.GathererConfig" - } + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map" }, "storage": { "description": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", @@ -17369,7 +17646,12 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.insights.v1alpha1.ObjectReference" - } + }, + "x-kubernetes-list-map-keys": [ + "name", + "namespace" + ], + "x-kubernetes-list-type": "map" }, "startTime": { "description": "startTime is the time when Insights data gathering started.", @@ -17490,7 +17772,8 @@ "required": [ "group", "resource", - "name" + "name", + "namespace" ], "properties": { "group": { @@ -17505,7 +17788,8 @@ }, "namespace": { "description": "namespace of the referent that follows the DNS1123 subdomain format. It must be at most 253 characters in length.", - "type": "string" + "type": "string", + "default": "" }, "resource": { "description": "resource is required field of the type that is being referenced. It is normally the plural form of the resource kind in lowercase. This value should consist of only lowercase alphanumeric characters and hyphens. Example: \"deployments\", \"deploymentconfigs\", \"pods\", etc.", @@ -26310,7 +26594,13 @@ }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamSpec": { "description": "OSImageStreamSpec defines the desired state of a OSImageStream.", - "type": "object" + "type": "object", + "properties": { + "defaultStream": { + "description": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "type": "string" + } + } }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamStatus": { "description": "OSImageStreamStatus describes the current state of a OSImageStream", @@ -35897,7 +36187,6 @@ }, "spec": { "description": "spec is the specification of the desired behavior of the capi-operator.", - "default": {}, "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPISpec" }, "status": { @@ -35907,6 +36196,96 @@ } } }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponent": { + "description": "ClusterAPIInstallerComponent defines a component which will be installed by this revision.", + "type": "object", + "required": [ + "type" + ], + "properties": { + "image": { + "description": "image defines an image source for a component. The image must contain a /capi-operator-installer directory containing the component manifests.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponentImage" + }, + "type": { + "description": "type is the source type of the component. The only valid value is Image. When set to Image, the image field must be set and will define an image source for the component.\n\nPossible enum values:\n - `\"Image\"` is an image source for a component.", + "type": "string", + "enum": [ + "Image" + ] + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "image": "Image" + } + } + ] + }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponentImage": { + "description": "ClusterAPIInstallerComponentImage defines an image source for a component.", + "type": "object", + "required": [ + "ref", + "profile" + ], + "properties": { + "profile": { + "description": "profile is the name of a profile to use from the image.\n\nA profile name may be up to 255 characters long. It must consist of alphanumeric characters, '-', or '_'.", + "type": "string" + }, + "ref": { + "description": "ref is an image reference to the image containing the component manifests. The reference must be a valid image digest reference in the format host[:port][/namespace]/name@sha256:. The digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the field must be between 1 to 447 characters.", + "type": "string" + } + } + }, + "com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerRevision": { + "type": "object", + "required": [ + "name", + "revision", + "contentID", + "components" + ], + "properties": { + "components": { + "description": "components is list of components which will be installed by this revision. Components will be installed in the order they are listed.\n\nThe maximum number of components is 32.", + "type": "array", + "items": { + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerComponent" + }, + "x-kubernetes-list-type": "atomic" + }, + "contentID": { + "description": "contentID uniquely identifies the content of this revision. The contentID must be between 1 and 255 characters long.", + "type": "string" + }, + "name": { + "description": "name is the name of a revision.", + "type": "string" + }, + "revision": { + "description": "revision is a monotonically increasing number that is assigned to a revision.", + "type": "integer", + "format": "int64" + }, + "unmanagedCustomResourceDefinitions": { + "description": "unmanagedCustomResourceDefinitions is a list of the names of ClusterResourceDefinition (CRD) objects which are included in this revision, but which should not be installed or updated. If not set, all CRDs in the revision will be managed by the CAPI operator.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + } + }, + "x-kubernetes-map-type": "atomic" + }, "com.github.openshift.api.operator.v1alpha1.ClusterAPIList": { "description": "ClusterAPIList contains a list of ClusterAPI configurations\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", @@ -35939,11 +36318,11 @@ } }, "com.github.openshift.api.operator.v1alpha1.ClusterAPISpec": { - "description": "ClusterAPISpec defines the desired configuration of the capi-operator.", + "description": "ClusterAPISpec defines the desired configuration of the capi-operator. The spec is required but we deliberately allow it to be empty.", "type": "object", "properties": { "unmanagedCustomResourceDefinitions": { - "description": "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", + "description": "unmanagedCustomResourceDefinitions is a list of ClusterResourceDefinition (CRD) names that should not be managed by the capi-operator installer controller. This allows external actors to own specific CRDs while capi-operator manages others.\n\nEach CRD name must be a valid DNS-1123 subdomain consisting of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character, with a maximum length of 253 characters. CRD names must contain at least two '.' characters. Example: \"clusters.cluster.x-k8s.io\"\n\nItems cannot be removed from this list once added.\n\nThe maximum number of unmanagedCustomResourceDefinitions is 128.", "type": "array", "items": { "type": "string", @@ -35956,22 +36335,25 @@ "com.github.openshift.api.operator.v1alpha1.ClusterAPIStatus": { "description": "ClusterAPIStatus describes the current state of the capi-operator.", "type": "object", + "required": [ + "desiredRevision", + "revisions" + ], "properties": { - "activeConfigMaps": { - "description": "activeConfigMaps is a list of ConfigMap names that the installer controller has successfully reconciled. This represents the currently deployed CAPI provider components.\n\nEach ConfigMap name must be a valid DNS-1123 label consisting of lowercase alphanumeric characters or hyphens, starting and ending with an alphanumeric character, with a maximum length of 63 characters.\n\nThis field is owned by the installer controller and is updated atomically after a successful reconciliation.\n\nThe maximum number of activeConfigMaps is 128.", - "type": "array", - "items": { - "type": "string", - "default": "" - }, - "x-kubernetes-list-type": "atomic" + "currentRevision": { + "description": "currentRevision is the name of the most recently fully applied revision. It is written by the installer controller. If it is absent, it indicates that no revision has been fully applied yet. If set, currentRevision must correspond to an entry in the revisions list.", + "type": "string" + }, + "desiredRevision": { + "description": "desiredRevision is the name of the desired revision. It is written by the revision controller. It must be set to the name of the entry in the revisions list with the highest revision number.", + "type": "string" }, - "targetConfigMaps": { - "description": "targetConfigMaps is a list of ConfigMap names that the staging controller has validated and approved for reconciliation. The installer controller will reconcile these ConfigMaps.\n\nEach ConfigMap name must be a valid DNS-1123 label consisting of lowercase alphanumeric characters or hyphens, starting and ending with an alphanumeric character, with a maximum length of 63 characters.\n\nThis field is owned by the staging controller and is updated atomically to a consistent set of transport ConfigMaps that have passed validation checks.\n\nThe maximum number of targetConfigMaps is 128.", + "revisions": { + "description": "revisions is a list of all currently active revisions. A revision is active until the installer controller updates currentRevision to a later revision. It is written by the revision controller.\n\nThe maximum number of revisions is 16. All revisions must have a unique name. All revisions must have a unique revision number. When adding a revision, the revision number must be greater than the highest revision number in the list. Revisions are immutable, although they can be deleted.", "type": "array", "items": { - "type": "string", - "default": "" + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.operator.v1alpha1.ClusterAPIInstallerRevision" }, "x-kubernetes-list-type": "atomic" } @@ -37023,7 +37405,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSRecord" - } + }, + "x-kubernetes-list-type": "atomic" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", @@ -37074,7 +37457,8 @@ "items": { "type": "string", "default": "" - } + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -37093,7 +37477,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSZoneStatus" - } + }, + "x-kubernetes-list-type": "atomic" } } }, @@ -37137,7 +37522,8 @@ "items": { "default": {}, "$ref": "#/definitions/com.github.openshift.api.operatoringress.v1.DNSZoneCondition" - } + }, + "x-kubernetes-list-type": "atomic" }, "dnsZone": { "description": "dnsZone is the zone where the record is published.", @@ -52174,77 +52560,6 @@ "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.", "type": "string", "format": "int-or-string" - }, - "io.k8s.apimachinery.pkg.version.Info": { - "description": "Info contains versioning information. how we'll want to distribute that information.", - "type": "object", - "required": [ - "major", - "minor", - "gitVersion", - "gitCommit", - "gitTreeState", - "buildDate", - "goVersion", - "compiler", - "platform" - ], - "properties": { - "buildDate": { - "type": "string", - "default": "" - }, - "compiler": { - "type": "string", - "default": "" - }, - "emulationMajor": { - "description": "EmulationMajor is the major version of the emulation version", - "type": "string" - }, - "emulationMinor": { - "description": "EmulationMinor is the minor version of the emulation version", - "type": "string" - }, - "gitCommit": { - "type": "string", - "default": "" - }, - "gitTreeState": { - "type": "string", - "default": "" - }, - "gitVersion": { - "type": "string", - "default": "" - }, - "goVersion": { - "type": "string", - "default": "" - }, - "major": { - "description": "Major is the major version of the binary version", - "type": "string", - "default": "" - }, - "minCompatibilityMajor": { - "description": "MinCompatibilityMajor is the major version of the minimum compatibility version", - "type": "string" - }, - "minCompatibilityMinor": { - "description": "MinCompatibilityMinor is the minor version of the minimum compatibility version", - "type": "string" - }, - "minor": { - "description": "Minor is the minor version of the binary version", - "type": "string", - "default": "" - }, - "platform": { - "type": "string", - "default": "" - } - } } } } diff --git a/payload-manifests/crds/0000_10_config-operator_01_pkis.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_pkis.crd.yaml new file mode 100644 index 00000000000..6c93b0ece87 --- /dev/null +++ b/payload-manifests/crds/0000_10_config-operator_01_pkis.crd.yaml @@ -0,0 +1,441 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.openshift.io: https://github.com/openshift/api/pull/2645 + api.openshift.io/merged-by-featuregates: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + release.openshift.io/feature-set: CustomNoUpgrade,DevPreviewNoUpgrade,TechPreviewNoUpgrade + name: pkis.config.openshift.io +spec: + group: config.openshift.io + names: + kind: PKI + listKind: PKIList + plural: pkis + singular: pki + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + PKI configures cryptographic parameters for certificates generated + internally by OpenShift components. + + Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: spec holds user settable values for configuration + properties: + certificateManagement: + description: |- + certificateManagement specifies how PKI configuration is managed for internally-generated certificates. + This controls the certificate generation approach for all OpenShift components that create + certificates internally, including certificate authorities, serving certificates, and client certificates. + properties: + custom: + description: |- + custom contains administrator-specified cryptographic configuration. + Use the defaults and category override fields + to specify certificate generation parameters. + Required when mode is Custom, and forbidden otherwise. + minProperties: 1 + properties: + clientCertificates: + description: |- + clientCertificates optionally overrides certificate parameters for + client authentication certificates used to authenticate to servers. + When set, these parameters take precedence over defaults for all client certificates. + When omitted, the defaults are used for client certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + defaults: + description: |- + defaults specifies the default certificate configuration that applies + to all certificates unless overridden by a category override. + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + This field is required in defaults to ensure all certificates have a + well-defined key configuration. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + required: + - key + type: object + servingCertificates: + description: |- + servingCertificates optionally overrides certificate parameters for + TLS server certificates used to serve HTTPS endpoints. + When set, these parameters take precedence over defaults for all serving certificates. + When omitted, the defaults are used for serving certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + signerCertificates: + description: |- + signerCertificates optionally overrides certificate parameters for + certificate authority (CA) certificates that sign other certificates. + When set, these parameters take precedence over defaults for all signer certificates. + When omitted, the defaults are used for signer certificates. + minProperties: 1 + properties: + key: + description: |- + key specifies the cryptographic parameters for the certificate's key pair. + Currently this is the only configurable parameter. When omitted in an + overrides entry, the key configuration from defaults is used. + properties: + algorithm: + description: |- + algorithm specifies the key generation algorithm. + Valid values are "RSA" and "ECDSA". + + When set to RSA, the rsa field must be specified and the generated key + will be an RSA key with the configured key size. + + When set to ECDSA, the ecdsa field must be specified and the generated key + will be an ECDSA key using the configured elliptic curve. + enum: + - RSA + - ECDSA + type: string + ecdsa: + description: |- + ecdsa specifies ECDSA key parameters. + Required when algorithm is ECDSA, and forbidden otherwise. + properties: + curve: + description: |- + curve specifies the NIST elliptic curve for ECDSA keys. + Valid values are "P256", "P384", and "P521". + + When set to P256, the NIST P-256 curve (also known as secp256r1) is used, + providing 128-bit security. + + When set to P384, the NIST P-384 curve (also known as secp384r1) is used, + providing 192-bit security. + + When set to P521, the NIST P-521 curve (also known as secp521r1) is used, + providing 256-bit security. + enum: + - P256 + - P384 + - P521 + type: string + required: + - curve + type: object + rsa: + description: |- + rsa specifies RSA key parameters. + Required when algorithm is RSA, and forbidden otherwise. + properties: + keySize: + description: |- + keySize specifies the size of RSA keys in bits. + Valid values are multiples of 1024 from 2048 to 8192. + format: int32 + maximum: 8192 + minimum: 2048 + multipleOf: 1024 + type: integer + required: + - keySize + type: object + required: + - algorithm + type: object + x-kubernetes-validations: + - message: rsa is required when algorithm is RSA, and + forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''RSA'' + ? has(self.rsa) : !has(self.rsa)' + - message: ecdsa is required when algorithm is ECDSA, + and forbidden otherwise + rule: 'has(self.algorithm) && self.algorithm == ''ECDSA'' + ? has(self.ecdsa) : !has(self.ecdsa)' + type: object + required: + - defaults + type: object + mode: + description: |- + mode determines how PKI configuration is managed. + Valid values are "Unmanaged", "Default", and "Custom". + + When set to Unmanaged, components use their existing hardcoded certificate + generation behavior, exactly as if this feature did not exist. Each component + generates certificates using whatever parameters it was using before this + feature. While most components use RSA 2048, some may use different + parameters. Use of this mode might prevent upgrading to the next major + OpenShift release. + + When set to Default, OpenShift-recommended best practices for certificate + generation are applied. The specific parameters may evolve across OpenShift + releases to adopt improved cryptographic standards. In the initial release, + this matches Unmanaged behavior for each component. In future releases, this + may adopt ECDSA or larger RSA keys based on industry best practices. + Recommended for most customers who want to benefit from security improvements + automatically. + + When set to Custom, the certificate management parameters can be set + explicitly. Use the custom field to specify certificate generation parameters. + enum: + - Unmanaged + - Default + - Custom + type: string + required: + - mode + type: object + x-kubernetes-validations: + - message: custom is required when mode is Custom, and forbidden otherwise + rule: 'self.mode == ''Custom'' ? has(self.custom) : !has(self.custom)' + required: + - certificateManagement + type: object + required: + - spec + type: object + served: true + storage: true From 77dcbe1db6fa114c7e3f20eddc7028832de9a28f Mon Sep 17 00:00:00 2001 From: Luis Sanchez Date: Thu, 26 Feb 2026 23:29:30 -0500 Subject: [PATCH 4/4] pki: update-payload-crds: add PKI manifest --- hack/update-payload-crds.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh index e1a2c2bb338..93a78779ce4 100755 --- a/hack/update-payload-crds.sh +++ b/hack/update-payload-crds.sh @@ -28,6 +28,7 @@ crd_globs="\ operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations*.crd.yaml config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring*.crd.yaml config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs*.crd.yaml + config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_pkis*.crd.yaml operator/v1/zz_generated.crd-manifests/*_storage_01_storages*.crd.yaml operator/v1/zz_generated.crd-manifests/*_csi-driver_01_clustercsidrivers*.crd.yaml insights/v1/zz_generated.crd-manifests/0000_10_insights_01_datagathers*.crd.yaml