Add baseURL override

Add Issuer override
Add CABundle for Kubeconfig & External kubeconfig

Signed-off-by: Mangirdas Judeikis <[email protected]>
On-behalf-of: SAP <[email protected]>

Author: mjudeikis

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -188,6 +188,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -208,6 +211,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the resource being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the resource being referred to.
+                              type: string
+                            name:
+                              description: Name of the resource being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used

config/crd/bases/operator.kcp.io_kubeconfigs.yaml

@@ -39,6 +39,25 @@ spec:
           spec:
             description: KubeconfigSpec defines the desired state of Kubeconfig.
             properties:
+              caBundleSecretRef:
+                description: |-
+                  CABundle references a v1.Secret object that contains the CA bundle
+                  that should be used to validate the API server's TLS certificate.
+                  The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
+                  It will be merged into the kubeconfig under the `certificate-authority-data` field.
+                  If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               certificateTemplate:
                 description: |-
                   CertificateTemplate allows to customize the properties on the generated
@@ -65,6 +84,9 @@ spec:
                         description: |-
                           Requested DNS subject alternative names. The values given here will be merged into the
                           DNS names determined automatically by the kcp-operator.
+                          If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                          If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                          trying to guess what DNSNames configued issuer might support.
                         items:
                           type: string
                         type: array
@@ -85,6 +107,22 @@ spec:
                         items:
                           type: string
                         type: array
+                      issuerRef:
+                        description: IssuerRef is a reference to the issuer for this
+                          certificate.
+                        properties:
+                          group:
+                            description: Group of the resource being referred to.
+                            type: string
+                          kind:
+                            description: Kind of the resource being referred to.
+                            type: string
+                          name:
+                            description: Name of the resource being referred to.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       privateKey:
                         description: |-
                           Private key options. These include the key algorithm and size, the used

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -234,6 +234,26 @@ spec:
                         type: string
                     type: object
                 type: object
+              caBundleSecretRef:
+                description: |-
+                  CABundle references a v1.Secret object that contains the CA bundle
+                  that should be used to validate the API server's TLS certificate.
+                  The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
+                  It will be merged into the "external-logical-cluster-admin-kubeconfig" kubeconfig under the `certificate-authority-data` field.
+                  If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
+                  It will NOT be used to configure the API server's own TLS certificate or any other component.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               cache:
                 description: Cache configures the cache server (with a Kubernetes-like
                   API) used by a sharded kcp instance.
@@ -274,6 +294,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -294,6 +317,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the resource being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the resource being referred to.
+                              type: string
+                            name:
+                              description: Name of the resource being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used
@@ -472,19 +511,21 @@ spec:
                       to acquire new certificates. This field is mutually exclusive with caSecretRef.
                     properties:
                       group:
-                        description: Group of the object being referred to.
+                        description: Group of the resource being referred to.
                         type: string
                       kind:
-                        description: Kind of the object being referred to.
+                        description: Kind of the resource being referred to.
                         type: string
                       name:
-                        description: Name of the object being referred to.
+                        description: Name of the resource being referred to.
                         type: string
                     required:
                     - name
                     type: object
                 type: object
               clusterDomain:
+                description: ClusterDomain is the DNS domain for services in the cluster.
+                  Defaults to "cluster.local" if not set.
                 type: string
               deploymentTemplate:
                 description: 'Optional: DeploymentTemplate configures the Kubernetes
@@ -1689,6 +1730,9 @@ spec:
                               description: |-
                                 Requested DNS subject alternative names. The values given here will be merged into the
                                 DNS names determined automatically by the kcp-operator.
+                                If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                                If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                                trying to guess what DNSNames configued issuer might support.
                               items:
                                 type: string
                               type: array
@@ -1709,6 +1753,25 @@ spec:
                               items:
                                 type: string
                               type: array
+                            issuerRef:
+                              description: IssuerRef is a reference to the issuer
+                                for this certificate.
+                              properties:
+                                group:
+                                  description: Group of the resource being referred
+                                    to.
+                                  type: string
+                                kind:
+                                  description: Kind of the resource being referred
+                                    to.
+                                  type: string
+                                name:
+                                  description: Name of the resource being referred
+                                    to.
+                                  type: string
+                              required:
+                              - name
+                              type: object
                             privateKey:
                               description: |-
                                 Private key options. These include the key algorithm and size, the used
@@ -3198,6 +3261,11 @@ spec:
                         type: string
                     type: object
                 type: object
+              shardBaseURL:
+                description: |-
+                  ShardBaseURL is the base URL under which this shard should be reachable. This is used to configure
+                  the external URL. If not provided, the operator will use kubernetes service address to generate it.
+                type: string
             required:
             - cache
             - certificates

config/crd/bases/operator.kcp.io_shards.yaml

@@ -234,6 +234,26 @@ spec:
                         type: string
                     type: object
                 type: object
+              caBundleSecretRef:
+                description: |-
+                  CABundle references a v1.Secret object that contains the CA bundle
+                  that should be used to validate the API server's TLS certificate.
+                  The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
+                  It will be merged into the "external-logical-cluster-admin-kubeconfig" kubeconfig under the `certificate-authority-data` field.
+                  If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
+                  It will NOT be used to configure the API server's own TLS certificate or any other component.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               certificateTemplates:
                 additionalProperties:
                   properties:
@@ -258,6 +278,9 @@ spec:
                           description: |-
                             Requested DNS subject alternative names. The values given here will be merged into the
                             DNS names determined automatically by the kcp-operator.
+                            If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
+                            If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
+                            trying to guess what DNSNames configued issuer might support.
                           items:
                             type: string
                           type: array
@@ -278,6 +301,22 @@ spec:
                           items:
                             type: string
                           type: array
+                        issuerRef:
+                          description: IssuerRef is a reference to the issuer for
+                            this certificate.
+                          properties:
+                            group:
+                              description: Group of the resource being referred to.
+                              type: string
+                            kind:
+                              description: Kind of the resource being referred to.
+                              type: string
+                            name:
+                              description: Name of the resource being referred to.
+                              type: string
+                          required:
+                          - name
+                          type: object
                         privateKey:
                           description: |-
                             Private key options. These include the key algorithm and size, the used
@@ -428,6 +467,8 @@ spec:
                   certificates for this shard.
                 type: object
               clusterDomain:
+                description: ClusterDomain is the DNS domain for services in the cluster.
+                  Defaults to "cluster.local" if not set.
                 type: string
               deploymentTemplate:
                 description: 'Optional: DeploymentTemplate configures the Kubernetes
@@ -1702,6 +1743,11 @@ spec:
                         type: string
                     type: object
                 type: object
+              shardBaseURL:
+                description: |-
+                  ShardBaseURL is the base URL under which this shard should be reachable. This is used to configure
+                  the external URL. If not provided, the operator will use kubernetes service address to generate it.
+                type: string
             required:
             - etcd
             - rootShard