OCM-7377: Add registry allowlists and cluster registry config #977

Merged (1 commit), Aug 28, 2024
88 changes: 88 additions & 0 deletions model/clusters_mgmt/v1/cluster_registry_config_type.model
@@ -0,0 +1,88 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// ClusterRegistryConfig describes the configuration of registries for the cluster.
// Its format reflects the OpenShift Image Configuration, for which docs are available on
// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
// ```json
// {
// "registry_config": {
// "registry_sources": {
// "blocked_registries": [
// "badregistry.io",
// "badregistry8.io"
// ]
// }
// }
// }
// ```
//
struct ClusterRegistryConfig {
// PlatformAllowlist contains a reference to a RegistryAllowlist which is a list of internal registries
// which needs to be whitelisted for the platform to work. It can be omitted at creation and
// updating and its lifecycle can be managed separately if needed.
PlatformAllowlist RegistryAllowlist
// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
// for each additional registry CA to trust.
AdditionalTrustedCa [String]String
// AllowedRegistriesForImport limits the container image registries that normal users may import
// images from. Set this list to the registries that you trust to contain valid Docker
// images and that you want applications to be able to import from. Users with
// permission to create Images or ImageStreamMappings via the API are not affected by
// this policy - typically only administrators or system integrations will have those
// permissions.
AllowedRegistriesForImport []RegistryLocation
// RegistrySources contains configuration that determines how the container runtime
// should treat individual registries when accessing images for builds+pods. (e.g.
// whether or not to allow insecure access). It does not contain configuration for the
// internal cluster registry.
RegistrySources RegistrySources
}

// RegistrySources contains configuration that determines how the container runtime should treat individual
// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
// It does not contain configuration for the internal cluster registry.
struct RegistrySources {
// AllowedRegistries: registries for which image pull and push actions are allowed.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
// Mutually exclusive with `BlockedRegistries`
AllowedRegistries []String
// BlockedRegistries: registries for which image pull and push actions are denied.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
// Mutually exclusive with `AllowedRegistries`
BlockedRegistries []String
// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest.
InsecureRegistries []String
}

// RegistryLocation contains a location of the registry specified by the registry domain
// name. The domain name might include wildcards, like '*' or '??'.
struct RegistryLocation {
// domainName specifies a domain name for the registry
// In case the registry use non-standard (80 or 443) port, the port should be included
// in the domain name as well.
DomainName String
// insecure indicates whether the registry is secure (https) or insecure (http)
// By default (if not specified) the registry is assumed as secure.
Insecure Boolean
}
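Review bot: the "Mutually exclusive with `BlockedRegistries`" / "Mutually exclusive with `AllowedRegistries`" constraint inside `struct RegistrySources` exists only in comments; the model cannot express it, so the service must reject a request that sets both lists, and the comment should say which error the caller gets, because silently applying one of the two would change the cluster's pull policy. Two wording fixes in the same file: the `DomainName` comment reads "In case the registry use non-standard (80 or 443) port", which should be "uses a non-standard port (one other than 80 or 443)"; and `PlatformAllowlist` is described as "a reference to a RegistryAllowlist" while being typed as the full `RegistryAllowlist` object, with "whitelisted" better written as "allowlisted" to match the type name. Since `InsecureRegistries` accepts registries without a valid TLS certificate, its comment should also spell out that a `*.example.com` entry covers every subdomain, not only the ones that exist when the config is written.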
3 changes: 3 additions & 0 deletions model/clusters_mgmt/v1/cluster_type.model
Expand Up @@ -242,4 +242,7 @@ class Cluster {

// Indicate whether the cluster is enabled for multi arch workers
MultiArchEnabled Boolean

// Registry configuration for the cluster
RegistryConfig ClusterRegistryConfig
}
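Review bot: the `// Registry configuration for the cluster` comment should state whether `RegistryConfig` can be set only at creation or also updated on an existing cluster, and what an unset value means; `cluster_registry_config_type.model` says `PlatformAllowlist` may be omitted and managed separately, but nothing says the same for the top-level field. Suggest something like `// Registry configuration for the cluster. Optional; when omitted the cluster keeps its default image configuration.` if that is the intended behaviour, plus a trailing period to match the other field comments.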
27 changes: 27 additions & 0 deletions model/clusters_mgmt/v1/registry_allowlist_resource.model
@@ -0,0 +1,27 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Manages a specific registry allowlist.
resource RegistryAllowlist {
// Retrieves the details of the allowlist.
method Get {
out Body RegistryAllowlist
}

// Deletes the allowlist.
method Delete {
}
}
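Review bot: `method Delete` has no documented behaviour for an allowlist that is still referenced by a cluster's `PlatformAllowlist`; the resource has no `Update` method, so delete-and-recreate is the only way to change a list, and the `// Deletes the allowlist.` comment should state whether the delete is refused while referenced or whether the referencing clusters lose their platform allowlist.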
25 changes: 25 additions & 0 deletions model/clusters_mgmt/v1/registry_allowlist_type.model
@@ -0,0 +1,25 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// RegistryAllowlist represents a single registry allowlist.
class RegistryAllowlist {
// CreationTimestamp is the date and time when the allow list has been created.
CreationTimestamp Date
// Registries is the list of registries contained in this Allowlist.
Registries []String
// CloudProvider is the cloud provider for which this allowlist is valid.
CloudProvider CloudProvider
}
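Review bot: the `Registries []String` comment does not say what an entry looks like; `RegistrySources` in `cluster_registry_config_type.model` accepts `*.example.com` wildcards and `reg1.io/myrepo/myapp:latest` repository paths, so this comment should say whether the same syntax, wildcards in particular, is accepted here, because a wildcard in a platform allowlist widens what platform components may pull from. Minor: "allow list" in the `CreationTimestamp` comment vs "Allowlist" elsewhere in the file.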
75 changes: 75 additions & 0 deletions model/clusters_mgmt/v1/registry_allowlists_resource.model
@@ -0,0 +1,75 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Manages the registry allowlists.
resource RegistryAllowlists {
// Retrieves the list of registry allowlists.
method List {
// Index of the requested page, where one corresponds to the first page.
in out Page Integer = 1

// Number of items contained in the returned page.
in out Size Integer = 100

// Search criteria.
//
// The syntax of this parameter is similar to the syntax of the _where_ clause of a
// SQL statement, but using the names of the attributes of the registry allowlists
// instead of the names of the columns of a table. For example, in order to retrieve all
// the allowlists with a specific cloud provider and creation time the following is required:
//
// ```sql
// cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z'
// ```
//
// If the parameter isn't provided, or if the value is empty, then all the
// registry allowlists that the user has permission to see will be returned.
in Search String

// Order criteria.
//
// The syntax of this parameter is similar to the syntax of the _order by_ clause of
// a SQL statement, but using the names of the attributes of the registry allowlists
// instead of the the names of the columns of a table. For example, in order to sort the
// allowlists descending by identifier the value should be:
//
// ```sql
// creation_timestamp desc
// ```
//
// If the parameter isn't provided, or if the value is empty, then the order of the
// results is undefined.
in Order String

// Total number of items of the collection.
out Total Integer

// Retrieved list of registry allowlists.
out Items []RegistryAllowlist
}

// Adds a new break registry allowlist.
method Add {
// Data of the new registry allowlist.
in out Body RegistryAllowlist
}

// Reference to the service that manages a specific registry allowlist.
locator RegistryAllowlist {
target RegistryAllowlist
variable ID
}
}
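Review bot: the `Add` method comment reads "Adds a new break registry allowlist."; "break" looks like a leftover word and should be dropped. In the `Order` parameter comment the prose says "sort the allowlists descending by identifier" while the example is `creation_timestamp desc`; either change the prose to "by creation timestamp" or the example to `id desc`. Also "the the names of the columns" has a doubled word. The `Search` example `cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z'` does match the `CloudProvider` and `CreationTimestamp` attributes of the type, so that one is fine.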
5 changes: 5 additions & 0 deletions model/clusters_mgmt/v1/root_resource.model
Expand Up @@ -131,4 +131,9 @@ resource Root {
locator GCP {
target GCP
}

// Reference to the resource that manages the collection of registry allowlists.
locator RegistryAllowlists {
target RegistryAllowlists
}
}
88 changes: 88 additions & 0 deletions model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model
@@ -0,0 +1,88 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// ClusterRegistryConfig describes the configuration of registries for the cluster.
// Its format reflects the OpenShift Image Configuration, for which docs are available on
// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
// ```json
// {
// "registry_config": {
// "registry_sources": {
// "blocked_registries": [
// "badregistry.io",
// "badregistry8.io"
// ]
// }
// }
// }
// ```
//
struct ClusterRegistryConfig {
// PlatformAllowlist contains a reference to a RegistryAllowlist which is a list of internal registries
// which needs to be whitelisted for the platform to work. It can be omitted at creation and
// updating and its lifecycle can be managed separately if needed.
PlatformAllowlist RegistryAllowlist
// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
// for each additional registry CA to trust.
AdditionalTrustedCa [String]String
// AllowedRegistriesForImport limits the container image registries that normal users may import
// images from. Set this list to the registries that you trust to contain valid Docker
// images and that you want applications to be able to import from. Users with
// permission to create Images or ImageStreamMappings via the API are not affected by
// this policy - typically only administrators or system integrations will have those
// permissions.
AllowedRegistriesForImport []RegistryLocation
// RegistrySources contains configuration that determines how the container runtime
// should treat individual registries when accessing images for builds+pods. (e.g.
// whether or not to allow insecure access). It does not contain configuration for the
// internal cluster registry.
RegistrySources RegistrySources
}

// RegistrySources contains configuration that determines how the container runtime should treat individual
// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
// It does not contain configuration for the internal cluster registry.
struct RegistrySources {
// AllowedRegistries: registries for which image pull and push actions are allowed.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
// Mutually exclusive with `BlockedRegistries`
AllowedRegistries []String
// BlockedRegistries: registries for which image pull and push actions are denied.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
// Mutually exclusive with `AllowedRegistries`
BlockedRegistries []String
// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
// For example, *.example.com. You can specify an individual repository within a registry.
// For example: reg1.io/myrepo/myapp:latest.
InsecureRegistries []String
}

// RegistryLocation contains a location of the registry specified by the registry domain
// name. The domain name might include wildcards, like '*' or '??'.
struct RegistryLocation {
// domainName specifies a domain name for the registry
// In case the registry use non-standard (80 or 443) port, the port should be included
// in the domain name as well.
DomainName String
// insecure indicates whether the registry is secure (https) or insecure (http)
// By default (if not specified) the registry is assumed as secure.
Insecure Boolean
}
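Review bot: this file is a verbatim copy of `model/clusters_mgmt/v1/cluster_registry_config_type.model` and carries the same comment issues (the `DomainName` port sentence, the `PlatformAllowlist` "reference" wording, and the comment-only mutual exclusion of `AllowedRegistries` and `BlockedRegistries`); whatever is fixed in v1 should be mirrored here so the two API versions do not drift.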
3 changes: 3 additions & 0 deletions model/clusters_mgmt/v2alpha1/cluster_type.model
Expand Up @@ -242,4 +242,7 @@ class Cluster {

// Indicate whether the cluster is enabled for multi arch workers
MultiArchEnabled Boolean

// Registry configuration for the cluster
RegistryConfig ClusterRegistryConfig
}
27 changes: 27 additions & 0 deletions model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model
@@ -0,0 +1,27 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Manages a specific registry allowlist.
resource RegistryAllowlist {
// Retrieves the details of the allowlist.
method Get {
out Body RegistryAllowlist
}

// Deletes the allowlist.
method Delete {
}
}
25 changes: 25 additions & 0 deletions model/clusters_mgmt/v2alpha1/registry_allowlist_type.model
@@ -0,0 +1,25 @@
/*
Copyright (c) 2024 Red Hat, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// RegistryAllowlist represents a single registry allowlist.
class RegistryAllowlist {
// CreationTimestamp is the date and time when the allow list has been created.
CreationTimestamp Date
// Registries is the list of registries contained in this Allowlist.
Registries []String
// CloudProvider is the cloud provider for which this allowlist is valid.
CloudProvider CloudProvider
}