diff --git a/config/v1/0000_03_config-operator_01_proxy.crd.yaml b/config/v1/0000_03_config-operator_01_proxy.crd.yaml index afd0767479e..cf04b249b98 100644 --- a/config/v1/0000_03_config-operator_01_proxy.crd.yaml +++ b/config/v1/0000_03_config-operator_01_proxy.crd.yaml 
@@ -62,17 +62,19 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing a CA - certificate bundle used for client egress HTTPS connections. The certificate - bundle must be from the CA that signed the proxy's certificate and - be signed for everything. The trustedCA field should only be consumed - by a proxy validator. The validator is responsible for reading the - certificate bundle from required key \"ca-bundle.crt\" and copying - it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in yaml): \n - apiVersion: v1 kind: ConfigMap metadata: name: user-ca-bundle namespace: - openshift-config data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- - \ Custom CA certificate bundle. -----END CERTIFICATE-----" + certificate bundle. The trustedCA field should only be consumed by + a proxy validator. The validator is responsible for reading the certificate + bundle from the required key \"ca-bundle.crt\", merging it with the + system default trust bundle, and writing the merged trust bundle to + a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" + namespace. Clients that expect to make proxy connections must use + the trusted-ca-bundle for all HTTPS requests to the proxy, and may + use the trusted-ca-bundle for non-proxy HTTPS requests as well. \n + The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: user-ca-bundle namespace: openshift-config data: + \ ca-bundle.crt: | -----BEGIN CERTIFICATE----- Custom + CA certificate bundle. -----END CERTIFICATE-----" type: object required: - name diff --git a/config/v1/0000_10_config-operator_01_build.crd.yaml b/config/v1/0000_10_config-operator_01_build.crd.yaml index 8f758397123..f3957ce34a4 100644 
--- a/config/v1/0000_10_config-operator_01_build.crd.yaml +++ b/config/v1/0000_10_config-operator_01_build.crd.yaml @@ -89,19 +89,21 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing - a CA certificate bundle used for client egress HTTPS connections. - The certificate bundle must be from the CA that signed the - proxy's certificate and be signed for everything. The trustedCA - field should only be consumed by a proxy validator. The validator - is responsible for reading the certificate bundle from required - key \"ca-bundle.crt\" and copying it to a ConfigMap named - \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in - yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - user-ca-bundle namespace: openshift-config data: ca-bundle.crt: - | -----BEGIN CERTIFICATE----- Custom CA certificate - bundle. -----END CERTIFICATE-----" + a CA certificate bundle. The trustedCA field should only be + consumed by a proxy validator. The validator is responsible + for reading the certificate bundle from the required key \"ca-bundle.crt\", + merging it with the system default trust bundle, and writing + the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" + in the \"openshift-config-managed\" namespace. Clients that + expect to make proxy connections must use the trusted-ca-bundle + for all HTTPS requests to the proxy, and may use the trusted-ca-bundle + for non-proxy HTTPS requests as well. \n The namespace for + the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 + kind: ConfigMap metadata: name: user-ca-bundle namespace: + openshift-config data: ca-bundle.crt: | -----BEGIN + CERTIFICATE----- Custom CA certificate bundle. -----END + CERTIFICATE-----" type: object required: - name 
@@ -242,19 +244,21 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing - a CA certificate bundle used for client egress HTTPS connections. - The certificate bundle must be from the CA that signed the - proxy's certificate and be signed for everything. The trustedCA - field should only be consumed by a proxy validator. The validator - is responsible for reading the certificate bundle from required - key \"ca-bundle.crt\" and copying it to a ConfigMap named - \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in - yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - user-ca-bundle namespace: openshift-config data: ca-bundle.crt: - | -----BEGIN CERTIFICATE----- Custom CA certificate - bundle. -----END CERTIFICATE-----" + a CA certificate bundle. The trustedCA field should only be + consumed by a proxy validator. The validator is responsible + for reading the certificate bundle from the required key \"ca-bundle.crt\", + merging it with the system default trust bundle, and writing + the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" + in the \"openshift-config-managed\" namespace. Clients that + expect to make proxy connections must use the trusted-ca-bundle + for all HTTPS requests to the proxy, and may use the trusted-ca-bundle + for non-proxy HTTPS requests as well. \n The namespace for + the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 + kind: ConfigMap metadata: name: user-ca-bundle namespace: + openshift-config data: ca-bundle.crt: | -----BEGIN + CERTIFICATE----- Custom CA certificate bundle. -----END + CERTIFICATE-----" type: object required: - name diff --git a/config/v1/types_proxy.go b/config/v1/types_proxy.go index 93f4c487e49..211e501e08c 100644 --- a/config/v1/types_proxy.go 
+++ b/config/v1/types_proxy.go @@ -41,13 +41,17 @@ type ProxySpec struct { // +optional ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"` - // trustedCA is a reference to a ConfigMap containing a CA certificate bundle used - // for client egress HTTPS connections. The certificate bundle must be from the CA - // that signed the proxy's certificate and be signed for everything. The trustedCA - // field should only be consumed by a proxy validator. The validator is responsible - // for reading the certificate bundle from required key "ca-bundle.crt" and copying - // it to a ConfigMap named "trusted-ca-bundle" in the "openshift-config-managed" - // namespace. The namespace for the ConfigMap referenced by trustedCA is + // trustedCA is a reference to a ConfigMap containing a CA certificate bundle. + // The trustedCA field should only be consumed by a proxy validator. The + // validator is responsible for reading the certificate bundle from the required + // key "ca-bundle.crt", merging it with the system default trust bundle, + // and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" + // in the "openshift-config-managed" namespace. Clients that expect to make + // proxy connections must use the trusted-ca-bundle for all HTTPS requests to + // the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as + // well. + // + // The namespace for the ConfigMap referenced by trustedCA is // "openshift-config". Here is an example ConfigMap (in yaml): // // apiVersion: v1 diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 81b5c10fb7a..982f11c0bc7 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
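Review bot: The rewritten trustedCA comment drops the old requirement that the bundle contain the CA that issued the proxy's certificate, while at the same time stating that clients "may use the trusted-ca-bundle for non-proxy HTTPS requests as well" without spelling out what that implies: every CA in `ca-bundle.crt` becomes a trust anchor for arbitrary egress from any client that adopts the merged bundle, so write access to the referenced ConfigMap in `openshift-config` is effectively the ability to issue certificates those clients will accept. I would add, after the `// well.` line, `// Because the merged bundle may be used for non-proxy HTTPS requests, every CA in` and `// ca-bundle.crt is trusted by every client that adopts it; restrict write access to the referenced ConfigMap accordingly.`, and restore a sentence such as `// The bundle must include the CA that issued the proxy's serving certificate.` so operators know what belongs in it. It would also help to document what the validator does when the required key is missing or the PEM does not parse (presumably the proxy is reported as invalid rather than the merge silently producing a partial bundle, but the validator is not in this diff, so that should be confirmed). The ProxySpec struct this field belongs to starts and ends outside the hunk, and the CRD and swagger hunks appear to be generated from this comment, so the fix belongs here.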
@@ -1220,7 +1220,7 @@ var map_ProxySpec = map[string]string{ "httpsProxy": "httpsProxy is the URL of the proxy for HTTPS requests. Empty means unset and will not result in an env var.", "noProxy": "noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used. Empty means unset and will not result in an env var.", "readinessEndpoints": "readinessEndpoints is a list of endpoints used to verify readiness of the proxy.", - "trustedCA": "trustedCA is a reference to a ConfigMap containing a CA certificate bundle used for client egress HTTPS connections. The certificate bundle must be from the CA that signed the proxy's certificate and be signed for everything. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from required key \"ca-bundle.crt\" and copying it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: user-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", + "trustedCA": "trustedCA is a reference to a ConfigMap containing a CA certificate bundle. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from the required key \"ca-bundle.crt\", merging it with the system default trust bundle, and writing the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. Clients that expect to make proxy connections must use the trusted-ca-bundle for all HTTPS requests to the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as well.\n\nThe namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". 
Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: user-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", } func (ProxySpec) SwaggerDoc() map[string]string {