diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go
index ca2f0216a94..e1adb60df08 100644
--- a/config/v1alpha1/types_cluster_monitoring.go
+++ b/config/v1alpha1/types_cluster_monitoring.go
@@ -1552,7 +1552,7 @@ type RemoteWriteSpec struct {
 	Name string `json:"name,omitempty"`
 	// authorization defines the authorization method for the remote write endpoint.
 	// When omitted, no authorization is performed.
-	// When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
+	// When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).
 	// +optional
 	AuthorizationConfig RemoteWriteAuthorization `json:"authorization,omitzero"`
 	// headers specifies the custom HTTP headers to be sent along with each remote write request.
@@ -1654,21 +1654,19 @@ type BasicAuth struct { } // RemoteWriteAuthorizationType defines the authorization method for remote write endpoints. -// +kubebuilder:validation:Enum=BearerToken;BasicAuth;OAuth2;SigV4;SafeAuthorization;ServiceAccount +// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount type RemoteWriteAuthorizationType string const ( - // RemoteWriteAuthorizationTypeBearerToken indicates bearer token from a secret. - RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken" + // RemoteWriteAuthorizationTypeAuthorization indicates authorization credentials from a secret. + // The secret key contains the credentials (e.g. a Bearer token). Use the credentials field. + RemoteWriteAuthorizationTypeAuthorization RemoteWriteAuthorizationType = "Authorization" // RemoteWriteAuthorizationTypeBasicAuth indicates HTTP basic authentication. RemoteWriteAuthorizationTypeBasicAuth RemoteWriteAuthorizationType = "BasicAuth" // RemoteWriteAuthorizationTypeOAuth2 indicates OAuth2 client credentials. RemoteWriteAuthorizationTypeOAuth2 RemoteWriteAuthorizationType = "OAuth2" // RemoteWriteAuthorizationTypeSigV4 indicates AWS Signature Version 4. RemoteWriteAuthorizationTypeSigV4 RemoteWriteAuthorizationType = "SigV4" - // RemoteWriteAuthorizationTypeSafeAuthorization indicates authorization from a secret (Prometheus SafeAuthorization pattern). - // The secret key contains the credentials (e.g. a Bearer token). Use the safeAuthorization field. - RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization" // RemoteWriteAuthorizationTypeServiceAccount indicates use of the pod's service account token for machine identity. // No additional field is required; the operator configures the token path. RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount" 
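Review bot: The Enum marker and the constant block drop the `BearerToken` and `SafeAuthorization` values with no migration note; if any ClusterMonitoring object was persisted with one of those `type` values, it would fail the tightened enum on its next write (CRD validation ratcheting may mask this for an unchanged field, so it is worth confirming rather than assuming). Suggest saying so on the replacement constant, e.g. `// Replaces the former BearerToken and SafeAuthorization values; objects using them must be updated to type: Authorization.` The two comment lines on `RemoteWriteAuthorizationTypeAuthorization` also state the Secret key "contains" a Bearer token, while the struct doc later in this change says it "typically" contains one; align the two so the enum comment does not over-promise what the operator accepts.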
@@ -1676,17 +1674,16 @@ const ( // RemoteWriteAuthorization defines the authorization method for a remote write endpoint. // Exactly one of the nested configs must be set according to the type discriminator. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BearerToken' ? has(self.bearerToken) : !has(self.bearerToken)",message="bearerToken is required when type is BearerToken, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? has(self.credentials) : !has(self.credentials)",message="credentials is required when type is Authorization, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SafeAuthorization' ? has(self.safeAuthorization) : !has(self.safeAuthorization)",message="safeAuthorization is required when type is SafeAuthorization, and forbidden otherwise" // +union type RemoteWriteAuthorization struct { // type specifies the authorization method to use. - // Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. // - // When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + // When set to Authorization, credentials are read from a single Secret key. 
The secret key typically contains a Bearer token. Use the credentials field. // // When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. // @@ -1694,22 +1691,16 @@ type RemoteWriteAuthorization struct { // // When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. // - // When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - // // When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. // +unionDiscriminator // +required Type RemoteWriteAuthorizationType `json:"type,omitempty"` - // safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - // Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - // +unionMember - // +optional - SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"` - // bearerToken defines the secret reference containing the bearer token. - // Required when type is "BearerToken", and forbidden otherwise. - // +unionMember + // credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + // Required when type is "Authorization", and forbidden otherwise. + // The secret must exist in the openshift-monitoring namespace. + // +unionMember=Authorization // +optional - BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"` + Credentials SecretKeySelector `json:"credentials,omitempty,omitzero"` // basicAuth defines HTTP basic authentication credentials. // Required when type is "BasicAuth", and forbidden otherwise. // +unionMember 
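Review bot: The new `Authorization` paragraph on the `type` field says the Secret key typically holds a Bearer token but no longer says how the value reaches the wire, i.e. whether the operator emits `Authorization: Bearer <value>` or forwards the Secret content verbatim as the header value; the removed `BearerToken` wording made the scheme explicit, and the rename loses that. Prometheus's own `authorization` block defaults to the Bearer scheme, so if that is what the operator configures, state it: `// The value is sent as the Authorization header using the Bearer scheme; the Secret key must hold only the token.` The rewritten CEL rule is consistent with the enum change. The RemoteWriteAuthorization struct begins in this hunk but its body continues past it.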
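Review bot: The `// +unionMember=Authorization` marker on the new `Credentials` field differs from the bare `// +unionMember` used on `basicAuth` and the other members, and the regenerated openapi in this same change still emits `"credentials": "Credentials"` in `fields-to-discriminateBy` rather than `Authorization`, so the union metadata disagrees with both the `type` enum and the CEL rule; either the generator ignores the `=value` form or it wants different syntax, and that should be confirmed before merge (the pre-existing `"sigv4": "Sigv4"` versus `SigV4` mismatch suggests the same gap). Until the generator agrees, dropping the suffix keeps the markers consistent with the siblings: `// +unionMember`. The `json:"credentials,omitempty,omitzero"` tag carries both options over from the removed `bearerToken` line; that is harmless, but `omitempty` does nothing for a struct value in encoding/json, so `omitzero` is the option actually doing the work.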
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..d533f20ced8 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- @@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- 
@@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? @@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 7313338a3b9..bad14632638 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go 
@@ -1755,12 +1755,7 @@ func (in *RelabelConfig) DeepCopy() *RelabelConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RemoteWriteAuthorization) DeepCopyInto(out *RemoteWriteAuthorization) { *out = *in - if in.SafeAuthorization != nil { - in, out := &in.SafeAuthorization, &out.SafeAuthorization - *out = new(v1.SecretKeySelector) - (*in).DeepCopyInto(*out) - } - out.BearerToken = in.BearerToken + out.Credentials = in.Credentials out.BasicAuth = in.BasicAuth in.OAuth2.DeepCopyInto(&out.OAuth2) out.Sigv4 = in.Sigv4 diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 2b47bb31e70..bc76919181b 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- 
@@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- @@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. 
@@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. @@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? 
@@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 2194d79def9..b372f42cf68 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -619,13 +619,12 @@ func (RelabelConfig) SwaggerDoc() map[string]string { } var map_RemoteWriteAuthorization = map[string]string{ - "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", - "type": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", - "safeAuthorization": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - "bearerToken": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", - "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", - "oauth2": "oauth2 defines OAuth2 client credentials authentication. 
Required when type is \"OAuth2\", and forbidden otherwise.", - "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", + "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "credentials": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", + "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", + "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", } func (RemoteWriteAuthorization) SwaggerDoc() map[string]string { 
@@ -636,7 +635,7 @@ var map_RemoteWriteSpec = map[string]string{ "": "RemoteWriteSpec represents configuration for remote write endpoints.", "url": "url is the URL of the remote write endpoint. Must be a valid URL with http or https scheme and a non-empty hostname. Query parameters, fragments, and user information (e.g. user:password@host) are not allowed. Empty string is invalid. Must be between 1 and 2048 characters in length.", "name": "name is a required identifier for this remote write configuration (name is the list key for the remoteWrite list). This name is used in metrics and logging to differentiate remote write queues. Must contain only alphanumeric characters, hyphens, and underscores. Must be between 1 and 63 characters in length.", - "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "headers": "headers specifies the custom HTTP headers to be sent along with each remote write request. Sending custom headers makes the configuration of a proxy in between optional and helps the receiver recognize the given source better. Clients MAY allow users to send custom HTTP headers; they MUST NOT allow users to configure them in such a way as to send reserved headers. Headers set by Prometheus cannot be overwritten. When omitted, no custom headers are sent. Maximum of 50 headers can be specified. Each header name must be unique. 
Each header name must contain only alphanumeric characters, hyphens, and underscores, and must not be a reserved Prometheus header (Host, Authorization, Content-Encoding, Content-Type, X-Prometheus-Remote-Write-Version, User-Agent, Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, WWW-Authenticate).", "metadataConfig": "metadataConfig configures the sending of series metadata to remote storage. When omitted, no metadata is sent. When set to sendPolicy: Default, metadata is sent using platform-chosen defaults (e.g. send interval 30 seconds). When set to sendPolicy: Custom, metadata is sent using the settings in the custom field (e.g. custom.sendIntervalSeconds).", "proxyUrl": "proxyUrl defines an optional proxy URL. If the cluster-wide proxy is enabled, it replaces the proxyUrl setting. The cluster-wide proxy supports both HTTP and HTTPS proxies, with HTTPS taking precedence. When omitted, no proxy is used. Must be a valid URL with http or https scheme. Must be between 1 and 2048 characters in length.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 1903405ea06..c0875c3a285 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26490,20 +26490,14 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. 
No additional field is required; the operator configures the token path.", Type: []string{"string"}, Format: "", }, }, - "safeAuthorization": { + "credentials": { SchemaProps: spec.SchemaProps{ - Description: "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - Ref: ref(corev1.SecretKeySelector{}.OpenAPIModelName()), - }, - }, - "bearerToken": { - SchemaProps: spec.SchemaProps{ - Description: "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + Description: "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, @@ -26538,11 +26532,10 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "basicAuth": "BasicAuth", - "bearerToken": "BearerToken", - "oauth2": "OAuth2", - "safeAuthorization": "SafeAuthorization", - "sigv4": "Sigv4", + "basicAuth": "BasicAuth", + "credentials": "Credentials", + "oauth2": "OAuth2", + "sigv4": "Sigv4", }, }, }, 
@@ -26550,7 +26543,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re }, }, Dependencies: []string{ - configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName(), corev1.SecretKeySelector{}.OpenAPIModelName()}, + configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName()}, } } @@ -26577,7 +26570,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteSpec(ref common.ReferenceCa }, "authorization": { SchemaProps: spec.SchemaProps{ - Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.RemoteWriteAuthorization{}.OpenAPIModelName()), }, diff --git a/openapi/openapi.json b/openapi/openapi.json index cb93e4c7216..15fe65685a9 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -14578,8 +14578,8 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.BasicAuth" }, - "bearerToken": { - "description": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + "credentials": { + "description": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" }, 
@@ -14588,17 +14588,13 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.OAuth2" }, - "safeAuthorization": { - "description": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector" - }, "sigv4": { "description": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Sigv4" }, "type": { - "description": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "description": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. 
The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", "type": "string" } }, @@ -14607,9 +14603,8 @@ "discriminator": "type", "fields-to-discriminateBy": { "basicAuth": "BasicAuth", - "bearerToken": "BearerToken", + "credentials": "Credentials", "oauth2": "OAuth2", - "safeAuthorization": "SafeAuthorization", "sigv4": "Sigv4" } } @@ -14624,7 +14619,7 @@ ], "properties": { "authorization": { - "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..d533f20ced8 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- @@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- 
@@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? @@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write.