Skip to content

Instantly share code, notes, and snippets.

@Miciah

Miciah/00-custom-resource-definition.yaml

Created June 24, 2019 19:30
Show Gist options
  • Save Miciah/242fb05c909b394171c638cbb1b03dd9 to your computer and use it in GitHub Desktop.
Save Miciah/242fb05c909b394171c638cbb1b03dd9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
00-custom-resource-definition.yaml
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: ingresscontrollers.operator.openshift.io
spec:
group: operator.openshift.io
names:
kind: IngressController
plural: ingresscontrollers
scope: ""
subresources:
scale:
labelSelectorPath: .status.labelSelector
specReplicasPath: .spec.replicas
statusReplicasPath: .status.availableReplicas
status: {}
validation:
openAPIV3Schema:
description: "IngressController describes a managed ingress controller for the
cluster. The controller can service OpenShift Route and Kubernetes Ingress
resources. \n When an IngressController is created, a new ingress controller
deployment is created to allow external traffic to reach the services that
expose Ingress or Route resources. Updating this resource may lead to disruption
for public facing network connections as a new ingress controller revision
may be rolled out. \n https://kubernetes.io/docs/concepts/services-networking/ingress-controllers
\n Whenever possible, sensible defaults for the platform are used. See each
field for more details."
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map stored with
a resource that may be set by external tools to store and retrieve
arbitrary metadata. They are not queryable and should be preserved
when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations'
type: object
clusterName:
description: The name of the cluster which the object belongs to. This
is used to distinguish resources with same name and namespace in different
clusters. This field is not set anywhere right now and apiserver is
going to ignore it if set in create or update request.
type: string
creationTimestamp:
description: "CreationTimestamp is a timestamp representing the server
time when this object was created. It is not guaranteed to be set
in happens-before order across separate operations. Clients may not
set this value. It is represented in RFC3339 form and is in UTC. \n
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
format: date-time
type: string
deletionGracePeriodSeconds:
description: Number of seconds allowed for this object to gracefully
terminate before it will be removed from the system. Only set when
deletionTimestamp is also set. May only be shortened. Read-only.
format: int64
type: integer
deletionTimestamp:
description: "DeletionTimestamp is RFC 3339 date and time at which this
resource will be deleted. This field is set by the server when a graceful
deletion is requested by the user, and is not directly settable by
a client. The resource is expected to be deleted (no longer visible
from resource lists, and not reachable by name) after the time in
this field, once the finalizers list is empty. As long as the finalizers
list contains items, deletion is blocked. Once the deletionTimestamp
is set, this value may not be unset or be set further into the future,
although it may be shortened or the resource may be deleted prior
to this time. For example, a user may request that a pod is deleted
in 30 seconds. The Kubelet will react by sending a graceful termination
signal to the containers in the pod. After that 30 seconds, the Kubelet
will send a hard termination signal (SIGKILL) to the container and
after cleanup, remove the pod from the API. In the presence of network
partitions, this object may still exist after this timestamp, until
an administrator or automated process can determine the resource is
fully terminated. If not set, graceful deletion of the object has
not been requested. \n Populated by the system when a graceful deletion
is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
format: date-time
type: string
finalizers:
description: Must be empty before the object is deleted from the registry.
Each entry is an identifier for the responsible component that will
remove the entry from the list. If the deletionTimestamp of the object
is non-nil, entries in this list can only be removed.
items:
type: string
type: array
generateName:
description: "GenerateName is an optional prefix, used by the server,
to generate a unique name ONLY IF the Name field has not been provided.
If this field is used, the name returned to the client will be different
than the name passed. This value will also be combined with a unique
suffix. The provided value has the same validation rules as the Name
field, and may be truncated by the length of the suffix required to
make the value unique on the server. \n If this field is specified
and the generated name exists, the server will NOT return a 409 -
instead, it will either return 201 Created or 500 with Reason ServerTimeout
indicating a unique name could not be found in the time allotted,
and the client should retry (optionally after the time indicated in
the Retry-After header). \n Applied only if Name is not specified.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency"
type: string
generation:
description: A sequence number representing a specific generation of
the desired state. Populated by the system. Read-only.
format: int64
type: integer
initializers:
description: "An initializer is a controller which enforces some system
invariant at object creation time. This field is a list of initializers
that have not yet acted on this object. If nil or empty, this object
has been completely initialized. Otherwise, the object is considered
uninitialized and is hidden (in list/watch and get calls) from clients
that haven't explicitly asked to observe uninitialized objects. \n
When an object is created, the system will populate this list with
the current set of initializers. Only privileged users may set or
modify this list. Once it is empty, it may not be modified further
by any user. \n DEPRECATED - initializers are an alpha field and will
be removed in v1.15."
properties:
pending:
description: Pending is a list of initializers that must execute
in order before this object is visible. When the last pending
initializer is removed, and no failing result is set, the initializers
struct will be set to nil and the object is considered as initialized
and visible to all clients.
items:
properties:
name:
description: name of the process that is responsible for initializing
this object.
type: string
required:
- name
type: object
type: array
result:
description: If result is set with the Failure field, the object
will be persisted to storage and then deleted, ensuring that other
clients can observe the deletion.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
code:
description: Suggested HTTP return code for this status, 0 if
not set.
format: int32
type: integer
details:
description: Extended data associated with the reason. Each
reason may define its own extended details. This field is
optional and the data returned is not guaranteed to conform
to any schema except that defined by the reason type.
properties:
causes:
description: The Causes array includes more details associated
with the StatusReason failure. Not all StatusReasons may
provide detailed causes.
items:
properties:
field:
description: "The field of the resource that has caused
this error, as named by its JSON serialization.
May include dot and postfix notation for nested
attributes. Arrays are zero-indexed. Fields may
appear more than once in an array of causes due
to fields having multiple errors. Optional. \n Examples:
\ \"name\" - the field \"name\" on the current
resource \"items[0].name\" - the field \"name\"
on the first array entry in \"items\""
type: string
message:
description: A human-readable description of the cause
of the error. This field may be presented as-is
to a reader.
type: string
reason:
description: A machine-readable description of the
cause of the error. If this value is empty there
is no information available.
type: string
type: object
type: array
group:
description: The group attribute of the resource associated
with the status StatusReason.
type: string
kind:
description: 'The kind attribute of the resource associated
with the status StatusReason. On some operations may differ
from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
name:
description: The name attribute of the resource associated
with the status StatusReason (when there is a single name
which can be described).
type: string
retryAfterSeconds:
description: If specified, the time in seconds before the
operation should be retried. Some errors may indicate
the client must take an alternate action - for those errors
this field may indicate how long to wait before taking
the alternate action.
format: int32
type: integer
uid:
description: 'UID of the resource. (when there is a single
resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
type: string
type: object
kind:
description: 'Kind is a string value representing the REST resource
this object represents. Servers may infer this from the endpoint
the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
message:
description: A human-readable description of the status of this
operation.
type: string
metadata:
description: 'Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
properties:
continue:
description: continue may be set if the user set a limit
on the number of items returned, and indicates that the
server has more data available. The value is opaque and
may be used to issue another request to the endpoint that
served this list to retrieve the next set of available
objects. Continuing a consistent list may not be possible
if the server configuration has changed or more than a
few minutes have passed. The resourceVersion field returned
when using this continue value will be identical to the
value in the first response, unless you have received
this token from an error message.
type: string
resourceVersion:
description: 'String that identifies the server''s internal
version of this object that can be used by clients to
determine when objects have changed. Value must be treated
as opaque by clients and passed unmodified back to the
server. Populated by the system. Read-only. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency'
type: string
selfLink:
description: selfLink is a URL representing this object.
Populated by the system. Read-only.
type: string
type: object
reason:
description: A machine-readable description of why this operation
is in the "Failure" status. If this value is empty there is
no information available. A Reason clarifies an HTTP status
code but does not override it.
type: string
status:
description: 'Status of the operation. One of: "Success" or
"Failure". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status'
type: string
type: object
required:
- pending
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be used to organize
and categorize (scope and select) objects. May match selectors of
replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels'
type: object
managedFields:
description: "ManagedFields maps workflow-id and version to the set
of fields that are managed by that workflow. This is mostly for internal
housekeeping, and users typically shouldn't need to set or understand
this field. A workflow can be the user's name, a controller's name,
or the name of a specific apply path like \"ci-cd\". The set of fields
is always in the version that the workflow used when modifying the
object. \n This field is alpha and can be changed or removed without
notice."
items:
properties:
apiVersion:
description: APIVersion defines the version of this resource that
this field set applies to. The format is "group/version" just
like the top-level APIVersion field. It is necessary to track
the version of a field set because it cannot be automatically
converted.
type: string
fields:
additionalProperties: true
description: Fields identifies a set of fields.
type: object
manager:
description: Manager is an identifier of the workflow managing
these fields.
type: string
operation:
description: Operation is the type of operation which lead to
this ManagedFieldsEntry being created. The only valid values
for this field are 'Apply' and 'Update'.
type: string
time:
description: Time is timestamp of when these fields were set.
It should always be empty if Operation is 'Apply'
format: date-time
type: string
type: object
type: array
name:
description: 'Name must be unique within a namespace. Is required when
creating resources, although some resources may allow a client to
request the generation of an appropriate name automatically. Name
is primarily intended for creation idempotence and configuration definition.
Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
namespace:
description: "Namespace defines the space within each name must be unique.
An empty namespace is equivalent to the \"default\" namespace, but
\"default\" is the canonical representation. Not all objects are required
to be scoped to a namespace - the value of this field for those objects
will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info:
http://kubernetes.io/docs/user-guide/namespaces"
type: string
ownerReferences:
description: List of objects depended by this object. If ALL objects
in the list have been deleted, this object will be garbage collected.
If this object is managed by a controller, then an entry in this list
will point to this controller, with the controller field set to true.
There cannot be more than one managing controller.
items:
properties:
apiVersion:
description: API version of the referent.
type: string
blockOwnerDeletion:
description: If true, AND if the owner has the "foregroundDeletion"
finalizer, then the owner cannot be deleted from the key-value
store until this reference is removed. Defaults to false. To
set this field, a user needs "delete" permission of the owner,
otherwise 422 (Unprocessable Entity) will be returned.
type: boolean
controller:
description: If true, this reference points to the managing controller.
type: boolean
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
uid:
description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids'
type: string
required:
- apiVersion
- kind
- name
- uid
type: object
type: array
resourceVersion:
description: "An opaque value that represents the internal version of
this object that can be used by clients to determine when objects
have changed. May be used for optimistic concurrency, change detection,
and the watch operation on a resource or set of resources. Clients
must treat these values as opaque and passed unmodified back to the
server. They may only be valid for a particular resource or set of
resources. \n Populated by the system. Read-only. Value must be treated
as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency"
type: string
selfLink:
description: SelfLink is a URL representing this object. Populated by
the system. Read-only.
type: string
uid:
description: "UID is the unique in time and space value for this object.
It is typically generated by the server on successful creation of
a resource and is not allowed to change on PUT operations. \n Populated
by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"
type: string
type: object
spec:
description: spec is the specification of the desired behavior of the IngressController.
properties:
defaultCertificate:
description: "defaultCertificate is a reference to a secret containing
the default certificate served by the ingress controller. When Routes
don't specify their own certificate, defaultCertificate is used. \n
The secret must contain the following keys and data: \n tls.crt:
certificate file contents tls.key: key file contents \n If unset,
a wildcard certificate is automatically generated and used. The certificate
is valid for the ingress controller domain (and subdomains) and the
generated certificate's CA will be automatically integrated with the
cluster's trust store. \n The in-use certificate (whether generated
or user-specified) will be automatically integrated with OpenShift's
built-in OAuth server."
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
domain:
description: "domain is a DNS name serviced by the ingress controller
and is used to configure multiple features: \n * For the LoadBalancerService
endpoint publishing strategy, domain is used to configure DNS records.
See endpointPublishingStrategy. \n * When using a generated default
certificate, the certificate will be valid for domain and its subdomains.
See defaultCertificate. \n * The value is published to individual
Route statuses so that end-users know where to target external DNS
records. \n domain must be unique among all IngressControllers, and
cannot be updated. \n If empty, defaults to ingress.config.openshift.io/cluster
.spec.domain."
type: string
endpointPublishingStrategy:
description: "endpointPublishingStrategy is used to publish the ingress
controller endpoints to other networks, enable load balancer integrations,
etc. \n If unset, the default is based on infrastructure.config.openshift.io/cluster
.status.platform: \n AWS: LoadBalancerService Azure: LoadBalancerService
\ GCP: LoadBalancerService Libvirt: HostNetwork \n Any other
platform types (including None) default to HostNetwork. \n endpointPublishingStrategy
cannot be updated."
properties:
hostNetwork:
description: hostNetwork holds parameters for the HostNetwork endpoint
publishing strategy. Present only if type is HostNetwork.
type: object
loadBalancer:
description: loadBalancer holds parameters for the load balancer.
Present only if type is LoadBalancerService.
properties:
scope:
description: scope indicates the scope at which the load balancer
is exposed. Possible values are "External" and "Internal". The
default is "External".
type: string
required:
- scope
type: object
private:
description: private holds parameters for the Private endpoint publishing
strategy. Present only if type is Private.
type: object
type:
description: "type is the publishing strategy to use. Valid values
are: \n * LoadBalancerService \n Publishes the ingress controller
using a Kubernetes LoadBalancer Service. \n In this configuration,
the ingress controller deployment uses container networking. A
LoadBalancer Service is created to publish the deployment. \n
See: https://kubernetes.io/docs/concepts/services-networking/#loadbalancer
\n If domain is set, a wildcard DNS record will be managed to
point at the LoadBalancer Service's external name. DNS records
are managed only in DNS zones defined by dns.config.openshift.io/cluster
.spec.publicZone and .spec.privateZone. \n Wildcard DNS management
is currently supported only on the AWS platform. \n * HostNetwork
\n Publishes the ingress controller on node ports where the ingress
controller is deployed. \n In this configuration, the ingress
controller deployment uses host networking, bound to node ports
80 and 443. The user is responsible for configuring an external
load balancer to publish the ingress controller via the node ports.
\n * Private \n Does not publish the ingress controller. \n In
this configuration, the ingress controller deployment uses container
networking, and is not explicitly published. The user must manually
publish the ingress controller."
type: string
required:
- type
type: object
namespaceSelector:
description: "namespaceSelector is used to filter the set of namespaces
serviced by the ingress controller. This is useful for implementing
shards. \n If unset, the default is no filtering."
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a
set of values. Valid operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator is
"In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
nodePlacement:
description: "nodePlacement enables explicit control over the scheduling
of the ingress controller. \n If unset, defaults are used. See NodePlacement
for more details."
properties:
nodeSelector:
description: "nodeSelector is the node selector applied to ingress
controller deployments. \n If unset, the default is: \n beta.kubernetes.io/os:
linux node-role.kubernetes.io/worker: '' \n If set, the specified
selector is used and replaces the default."
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
tolerations:
description: "tolerations is a list of tolerations applied to ingress
controller deployments. \n The default is an empty list. \n See
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/"
items:
properties:
effect:
description: Effect indicates the taint effect to match. Empty
means match all taint effects. When specified, allowed values
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the toleration applies
to. Empty means match all taint keys. If the key is empty,
operator must be Exists; this combination means to match
all values and all keys.
type: string
operator:
description: Operator represents a key's relationship to the
value. Valid operators are Exists and Equal. Defaults to
Equal. Exists is equivalent to wildcard for value, so that
a pod can tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents the period of time
the toleration (which must be of effect NoExecute, otherwise
this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do
not evict). Zero and negative values will be treated as
0 (evict immediately) by the system.
format: int64
type: integer
value:
description: Value is the taint value the toleration matches
to. If the operator is Exists, the value should be empty,
otherwise just a regular string.
type: string
type: object
type: array
type: object
replicas:
description: replicas is the desired number of ingress controller replicas.
If unset, defaults to 2.
format: int32
type: integer
routeSelector:
description: "routeSelector is used to filter the set of Routes serviced
by the ingress controller. This is useful for implementing shards.
\n If unset, the default is no filtering."
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a
set of values. Valid operators are In, NotIn, Exists and
DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator is
"In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
securitySpec:
description: securitySpec specifies settings for securing an IngressController.
properties:
profile:
description: profile defines the schema for a security profile.
properties:
custom:
description: "custom is a user-defined security profile. An
example custom profile looks like this: \n cipers: >-
\n ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
\n ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
\n securityProtocol: \n minimumVersion: TLSv1.1
\n maximumVersion: TLSv1.2 \n dhParamSize: 1024"
properties:
securityProfile:
description: "securityProfile defines the schema for a custom
security profile. \n Any unspecified fields will default
to the \"Intermediate\" compatibility configuration as
defined by: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
properties:
ciphers:
description: "ciphers is used to specify the cipher
algorithms that are negotiated during the SSL/TLS
handshake with an IngressController. Each cipher must
be an explicit, colon-delimited list of ciphers. \n
If unset, the \"Intermediate\" Ciphersuites [1] are
used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
dhParamSize:
description: "dhParamSize sets the maximum size of the
Diffie-Hellman parameters used for generating the
ephemeral/temporary Diffie-Hellman key in case of
DHE key exchange. The final size will try to match
the size of the server's RSA (or DSA) key (e.g, a
2048 bits temporary DH key for a 2048 bits RSA key),
but will not exceed this maximum value. Only 1024
or 2048 values are allowed. \n If unset, the \"Intermediate\"
DH Parameter size [1] is used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
securityProtocol:
description: "securityProtocol is used to specify one
or more encryption protocols that are negotiated during
the SSL/TLS handshake with the IngressController.
\n If unset, the \"Intermediate\" Versions [1] are
used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
properties:
maximumVersion:
description: "maximumVersion enforces use of SecurityProtocolVersion
or older on SSL connections initiated by an IngressController.
maximumVersion must be higher than minimumVersion.
\n If unset and minimumVersion is set, maximumVersion
will be set to minimumVersion. If minimumVersion
and maximumVersion are unset, the maximum version
in \"Intermediate\" Versions [1] is used: \n [1]
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
minimumVersion:
description: "minimumVersion enforces use of SecurityProtocolVersion
or newer on SSL connections initiated by an IngressController.
minimumVersion must be lower than maximumVersion.
\n If unset and maximumVersion is set, minimumVersion
will be set to maximumVersion. If minimumVersion
and maximumVersion are unset, the minimum version
in \"Intermediate\" Versions [1] is used: \n [1]
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
type: object
type: object
required:
- securityProfile
type: object
intermediate:
description: "intermediate is a security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
and looks like this: \n cipers: >- ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:
\ ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:
\ DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:
\ ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:
\ ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:
\ DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:
\ ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:
\ AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
\ securityProtocol: minimumVersion: TLSv1.0 maximumVersion:
TLSv1.2 dhParamSize: 2048"
type: object
modern:
description: "modern is a security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
and looks like this: \n cipers: >- ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
\ ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
\ ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
\ securityProtocol: minimumVersion: TLSv1.2 maximumVersion:
TLSv1.2 dhParamSize: 2048"
type: object
old:
description: "old is a security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
and looks like this: \n cipers: >- ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:
\ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
\ DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:
\ ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:
\ ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:
\ ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:
\ DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:
\ ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:
\ AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:
\ !eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:
\ !KRB5-DES-CBC3-SHA:!SRP securityProtocol: minimumVersion:
TLSv1.0 maximumVersion: TLSv1.2 dhParamSize: 1024"
type: object
type:
description: "type is one of Old, Intermediate, Modern or Custom.
Custom provides the ability to specify individual security
profile parameters. Old, Intermediate and Modern are security
profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
\n If unset, Intermediate is used."
type: string
required:
- type
type: object
required:
- profile
type: object
type: object
status:
description: status is the most recently observed status of the IngressController.
properties:
availableReplicas:
description: availableReplicas is number of observed available replicas
according to the ingress controller deployment.
format: int32
type: integer
conditions:
description: "conditions is a list of conditions and their status. \n
Available means the ingress controller deployment is available and
servicing route and ingress resources (i.e, .status.availableReplicas
equals .spec.replicas) \n There are additional conditions which indicate
the status of other ingress controller features and capabilities.
\n * LoadBalancerManaged - True if the following conditions are
met: * The endpoint publishing strategy requires a service load
balancer. - False if any of those conditions are unsatisfied. \n
\ * LoadBalancerReady - True if the following conditions are met:
\ * A load balancer is managed. * The load balancer is ready.
\ - False if any of those conditions are unsatisfied. \n * DNSManaged
\ - True if the following conditions are met: * The endpoint
publishing strategy and platform support DNS. * The ingress controller
domain is set. * dns.config.openshift.io/cluster configures DNS
zones. - False if any of those conditions are unsatisfied. \n *
DNSReady - True if the following conditions are met: * DNS is
managed. * DNS records have been successfully created. - False
if any of those conditions are unsatisfied."
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- type
- status
type: object
type: array
domain:
description: domain is the actual domain in use.
type: string
endpointPublishingStrategy:
description: endpointPublishingStrategy is the actual strategy in use.
properties:
hostNetwork:
description: hostNetwork holds parameters for the HostNetwork endpoint
publishing strategy. Present only if type is HostNetwork.
type: object
loadBalancer:
description: loadBalancer holds parameters for the load balancer.
Present only if type is LoadBalancerService.
properties:
scope:
description: scope indicates the scope at which the load balancer
is exposed. Possible values are "External" and "Internal". The
default is "External".
type: string
required:
- scope
type: object
private:
description: private holds parameters for the Private endpoint publishing
strategy. Present only if type is Private.
type: object
type:
description: "type is the publishing strategy to use. Valid values
are: \n * LoadBalancerService \n Publishes the ingress controller
using a Kubernetes LoadBalancer Service. \n In this configuration,
the ingress controller deployment uses container networking. A
LoadBalancer Service is created to publish the deployment. \n
See: https://kubernetes.io/docs/concepts/services-networking/#loadbalancer
\n If domain is set, a wildcard DNS record will be managed to
point at the LoadBalancer Service's external name. DNS records
are managed only in DNS zones defined by dns.config.openshift.io/cluster
.spec.publicZone and .spec.privateZone. \n Wildcard DNS management
is currently supported only on the AWS platform. \n * HostNetwork
\n Publishes the ingress controller on node ports where the ingress
controller is deployed. \n In this configuration, the ingress
controller deployment uses host networking, bound to node ports
80 and 443. The user is responsible for configuring an external
load balancer to publish the ingress controller via the node ports.
\n * Private \n Does not publish the ingress controller. \n In
this configuration, the ingress controller deployment uses container
networking, and is not explicitly published. The user must manually
publish the ingress controller."
type: string
required:
- type
type: object
securityProfile:
description: securityProfileType is the actual security profile in use.
properties:
ciphers:
description: "ciphers is used to specify the cipher algorithms that
are negotiated during the SSL/TLS handshake with an IngressController.
Each cipher must be an explicit, colon-delimited list of ciphers.
\n If unset, the \"Intermediate\" Ciphersuites [1] are used: \n
[1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
dhParamSize:
description: "dhParamSize sets the maximum size of the Diffie-Hellman
parameters used for generating the ephemeral/temporary Diffie-Hellman
key in case of DHE key exchange. The final size will try to match
the size of the server's RSA (or DSA) key (e.g, a 2048 bits temporary
DH key for a 2048 bits RSA key), but will not exceed this maximum
value. Only 1024 or 2048 values are allowed. \n If unset, the
\"Intermediate\" DH Parameter size [1] is used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
securityProtocol:
description: "securityProtocol is used to specify one or more encryption
protocols that are negotiated during the SSL/TLS handshake with
the IngressController. \n If unset, the \"Intermediate\" Versions
[1] are used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
properties:
maximumVersion:
description: "maximumVersion enforces use of SecurityProtocolVersion
or older on SSL connections initiated by an IngressController.
maximumVersion must be higher than minimumVersion. \n If unset
and minimumVersion is set, maximumVersion will be set to minimumVersion.
If minimumVersion and maximumVersion are unset, the maximum
version in \"Intermediate\" Versions [1] is used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
minimumVersion:
description: "minimumVersion enforces use of SecurityProtocolVersion
or newer on SSL connections initiated by an IngressController.
minimumVersion must be lower than maximumVersion. \n If unset
and maximumVersion is set, minimumVersion will be set to maximumVersion.
If minimumVersion and maximumVersion are unset, the minimum
version in \"Intermediate\" Versions [1] is used: \n [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29"
type: string
type: object
type: object
selector:
description: selector is a label selector, in string format, for ingress
controller pods corresponding to the IngressController. The number
of matching pods should equal the value of availableReplicas.
type: string
required:
- availableReplicas
- selector
- domain
type: object
type: object
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment