diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index ca2f0216a94..01cec5066c9 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -1552,7 +1552,7 @@ type RemoteWriteSpec struct { Name string `json:"name,omitempty"` // authorization defines the authorization method for the remote write endpoint. // When omitted, no authorization is performed. - // When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + // When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). // +optional AuthorizationConfig RemoteWriteAuthorization `json:"authorization,omitzero"` // headers specifies the custom HTTP headers to be sent along with each remote write request. 
@@ -1654,39 +1654,52 @@ type BasicAuth struct { } // RemoteWriteAuthorizationType defines the authorization method for remote write endpoints. -// +kubebuilder:validation:Enum=BearerToken;BasicAuth;OAuth2;SigV4;SafeAuthorization;ServiceAccount +// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount;BearerToken;SafeAuthorization type RemoteWriteAuthorizationType string const ( - // RemoteWriteAuthorizationTypeBearerToken indicates bearer token from a secret. - RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken" + // RemoteWriteAuthorizationTypeAuthorization indicates authorization credentials from a secret. + // The secret key contains the credentials (e.g. a Bearer token). Use the authorization field. + RemoteWriteAuthorizationTypeAuthorization RemoteWriteAuthorizationType = "Authorization" // RemoteWriteAuthorizationTypeBasicAuth indicates HTTP basic authentication. RemoteWriteAuthorizationTypeBasicAuth RemoteWriteAuthorizationType = "BasicAuth" // RemoteWriteAuthorizationTypeOAuth2 indicates OAuth2 client credentials. RemoteWriteAuthorizationTypeOAuth2 RemoteWriteAuthorizationType = "OAuth2" // RemoteWriteAuthorizationTypeSigV4 indicates AWS Signature Version 4. RemoteWriteAuthorizationTypeSigV4 RemoteWriteAuthorizationType = "SigV4" - // RemoteWriteAuthorizationTypeSafeAuthorization indicates authorization from a secret (Prometheus SafeAuthorization pattern). - // The secret key contains the credentials (e.g. a Bearer token). Use the safeAuthorization field. - RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization" // RemoteWriteAuthorizationTypeServiceAccount indicates use of the pod's service account token for machine identity. // No additional field is required; the operator configures the token path. 
RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount" + + // --- TOMBSTONE --- + // RemoteWriteAuthorizationTypeBearerToken is deprecated. Use RemoteWriteAuthorizationTypeAuthorization instead. + // The value remains in the API schema but is rejected by validation. + RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken" + + // --- TOMBSTONE --- + // RemoteWriteAuthorizationTypeSafeAuthorization is deprecated. Use RemoteWriteAuthorizationTypeAuthorization instead. + // The value remains in the API schema but is rejected by validation. + RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization" ) // RemoteWriteAuthorization defines the authorization method for a remote write endpoint. -// Exactly one of the nested configs must be set according to the type discriminator. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BearerToken' ? has(self.bearerToken) : !has(self.bearerToken)",message="bearerToken is required when type is BearerToken, and forbidden otherwise" +// Nested config requirements depend on the type discriminator: Authorization requires authorization, +// BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs. +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? has(self.authorization) : !has(self.authorization)",message="authorization is required when type is Authorization, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? 
has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SafeAuthorization' ? has(self.safeAuthorization) : !has(self.safeAuthorization)",message="safeAuthorization is required when type is SafeAuthorization, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type != 'BearerToken'",message="type BearerToken is deprecated, use Authorization instead" +// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type != 'SafeAuthorization'",message="type SafeAuthorization is deprecated, use Authorization instead" +// +kubebuilder:validation:XValidation:rule="!has(self.bearerToken)",message="bearerToken is deprecated, use authorization with type Authorization instead" +// +kubebuilder:validation:XValidation:rule="!has(self.safeAuthorization)",message="safeAuthorization is deprecated, use authorization with type Authorization instead" // +union type RemoteWriteAuthorization struct { // type specifies the authorization method to use. - // Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + // BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. // - // When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + // When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. 
// // When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. // 
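Review bot: The tombstoned constants RemoteWriteAuthorizationTypeBearerToken and RemoteWriteAuthorizationTypeSafeAuthorization say "deprecated" in prose but do not carry Go's `// Deprecated:` paragraph, so staticcheck and gopls will not flag code that still references them; add `// Deprecated: use RemoteWriteAuthorizationTypeAuthorization instead.` on its own line under each, and the same marker on the BearerToken and SafeAuthorization fields in the @@ -1694 hunk. The `--- TOMBSTONE ---` banner is a fine human cue but has no tooling meaning. Separately, the kubebuilder Enum marker now advertises BearerToken and SafeAuthorization as accepted values while four new XValidation rules reject them, so the struct comment should state in one sentence that those enum entries exist only so previously persisted objects still decode (presumably the intent) and that such an object cannot be updated until it moves to Authorization. The RemoteWriteAuthorization struct continues past the end of this hunk.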
@@ -1694,22 +1707,26 @@ type RemoteWriteAuthorization struct { // // When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. // - // When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - // // When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. // +unionDiscriminator // +required Type RemoteWriteAuthorizationType `json:"type,omitempty"` - // safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - // Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - // +unionMember + // authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + // Required when type is "Authorization", and forbidden otherwise. + // The secret must exist in the openshift-monitoring namespace. + // +unionMember=Authorization // +optional - SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"` - // bearerToken defines the secret reference containing the bearer token. - // Required when type is "BearerToken", and forbidden otherwise. + Authorization SecretKeySelector `json:"authorization,omitempty,omitzero"` + // bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + // This field remains in the API schema but is rejected by validation. // +unionMember // +optional BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"` + // safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. 
+ // This field remains in the API schema but is rejected by validation. + // +unionMember + // +optional + SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"` // basicAuth defines HTTP basic authentication credentials. // Required when type is "BasicAuth", and forbidden otherwise. // +unionMember diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..a2543058b9a 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml 
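Review bot: The tombstoned `bearerToken` and `safeAuthorization` fields remain in the schema, so an object persisted before this change with one of them set will be rejected by the new `!has(self.bearerToken)` / `!has(self.safeAuthorization)` rules the next time it is written, unless CRD validation ratcheting happens to skip the unchanged subtree; the field comments should say what the owner of such an object is expected to do (rewrite it to `authorization` with type Authorization) rather than only that the field "is rejected by validation". A smaller point on the new field: in `json:"authorization,omitempty,omitzero"` the `omitempty` has no effect on a struct value in encoding/json, only `omitzero` does, so it is dead weight that mirrors the existing BearerToken tag — keep it for consistency or drop it from both. The RemoteWriteAuthorization struct begins before this hunk and continues after it.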
@@ -3381,8 +3381,44 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: + authorization: + description: |- + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic basicAuth: description: |- basicAuth defines HTTP basic authentication credentials. 
@@ -3464,8 +3500,8 @@ spec: type: object bearerToken: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: |- @@ -3640,8 +3676,8 @@ spec: type: object safeAuthorization: description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. + safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: The key of the secret to select from. Must @@ -3775,9 +3811,10 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3822,24 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: authorization is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? 
@@ -3816,10 +3852,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 7313338a3b9..9ef38c08c2f 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -1755,12 +1755,13 @@ func (in *RelabelConfig) DeepCopy() *RelabelConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RemoteWriteAuthorization) DeepCopyInto(out *RemoteWriteAuthorization) { *out = *in + out.Authorization = in.Authorization + out.BearerToken = in.BearerToken if in.SafeAuthorization != nil { in, out := &in.SafeAuthorization, &out.SafeAuthorization *out = new(v1.SecretKeySelector) (*in).DeepCopyInto(*out) } - out.BearerToken = in.BearerToken out.BasicAuth = in.BasicAuth in.OAuth2.DeepCopyInto(&out.OAuth2) out.Sigv4 = in.Sigv4 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 2b47bb31e70..dd12712e16b 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -3381,8 +3381,44 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: + authorization: + description: |- + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic basicAuth: description: |- basicAuth defines HTTP basic authentication credentials. 
@@ -3464,8 +3500,8 @@ spec: type: object bearerToken: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: |- @@ -3640,8 +3676,8 @@ spec: type: object safeAuthorization: description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. + safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: The key of the secret to select from. Must @@ -3775,9 +3811,10 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3822,24 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: authorization is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? 
@@ -3816,10 +3852,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 2194d79def9..8ac88be268d 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -619,10 +619,11 @@ func (RelabelConfig) SwaggerDoc() map[string]string { } var map_RemoteWriteAuthorization = map[string]string{ - "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", - "type": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", - "safeAuthorization": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - "bearerToken": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. 
Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", + "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "authorization": "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "bearerToken": "bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", + "safeAuthorization": "safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", "basicAuth": "basicAuth defines HTTP basic authentication credentials. 
Required when type is \"BasicAuth\", and forbidden otherwise.", "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", 
@@ -636,7 +637,7 @@ var map_RemoteWriteSpec = map[string]string{ "": "RemoteWriteSpec represents configuration for remote write endpoints.", "url": "url is the URL of the remote write endpoint. Must be a valid URL with http or https scheme and a non-empty hostname. Query parameters, fragments, and user information (e.g. user:password@host) are not allowed. Empty string is invalid. Must be between 1 and 2048 characters in length.", "name": "name is a required identifier for this remote write configuration (name is the list key for the remoteWrite list). This name is used in metrics and logging to differentiate remote write queues. Must contain only alphanumeric characters, hyphens, and underscores. Must be between 1 and 63 characters in length.", - "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "headers": "headers specifies the custom HTTP headers to be sent along with each remote write request. Sending custom headers makes the configuration of a proxy in between optional and helps the receiver recognize the given source better. Clients MAY allow users to send custom HTTP headers; they MUST NOT allow users to configure them in such a way as to send reserved headers. Headers set by Prometheus cannot be overwritten. When omitted, no custom headers are sent. Maximum of 50 headers can be specified. Each header name must be unique. 
Each header name must contain only alphanumeric characters, hyphens, and underscores, and must not be a reserved Prometheus header (Host, Authorization, Content-Encoding, Content-Type, X-Prometheus-Remote-Write-Version, User-Agent, Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, WWW-Authenticate).", "metadataConfig": "metadataConfig configures the sending of series metadata to remote storage. When omitted, no metadata is sent. When set to sendPolicy: Default, metadata is sent using platform-chosen defaults (e.g. send interval 30 seconds). When set to sendPolicy: Custom, metadata is sent using the settings in the custom field (e.g. custom.sendIntervalSeconds).", "proxyUrl": "proxyUrl defines an optional proxy URL. If the cluster-wide proxy is enabled, it replaces the proxyUrl setting. The cluster-wide proxy supports both HTTP and HTTPS proxies, with HTTPS taking precedence. When omitted, no proxy is used. Must be a valid URL with http or https scheme. Must be between 1 and 2048 characters in length.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 1903405ea06..cc5c3d04950 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26485,29 +26485,36 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + Description: "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. 
BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", Type: []string{"string"}, Format: "", }, }, - "safeAuthorization": { + "authorization": { SchemaProps: spec.SchemaProps{ - Description: "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - Ref: ref(corev1.SecretKeySelector{}.OpenAPIModelName()), + Description: "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + Default: map[string]interface{}{}, + Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, }, "bearerToken": { SchemaProps: spec.SchemaProps{ - Description: "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + Description: "bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. 
This field remains in the API schema but is rejected by validation.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, }, + "safeAuthorization": { + SchemaProps: spec.SchemaProps{ + Description: "safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", + Ref: ref(corev1.SecretKeySelector{}.OpenAPIModelName()), + }, + }, "basicAuth": { SchemaProps: spec.SchemaProps{ Description: "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", @@ -26538,6 +26545,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ + "authorization": "Authorization", "basicAuth": "BasicAuth", "bearerToken": "BearerToken", "oauth2": "OAuth2", @@ -26577,7 +26585,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteSpec(ref common.ReferenceCa }, "authorization": { SchemaProps: spec.SchemaProps{ - Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.RemoteWriteAuthorization{}.OpenAPIModelName()), }, diff --git a/openapi/openapi.json b/openapi/openapi.json index cb93e4c7216..05eb773d9ff 100644 
--- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -14567,19 +14567,24 @@ } }, "com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization": { - "description": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + "description": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", "type": "object", "required": [ "type" ], "properties": { + "authorization": { + "description": "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" + }, "basicAuth": { "description": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.BasicAuth" }, "bearerToken": { - "description": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + "description": "bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" }, 
@@ -14589,7 +14594,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.OAuth2" }, "safeAuthorization": { - "description": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", + "description": "safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector" }, "sigv4": { 
@@ -14598,7 +14603,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Sigv4" }, "type": { - "description": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "description": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. 
No additional field is required; the operator configures the token path.", "type": "string" } }, @@ -14606,6 +14611,7 @@ { "discriminator": "type", "fields-to-discriminateBy": { + "authorization": "Authorization", "basicAuth": "BasicAuth", "bearerToken": "BearerToken", "oauth2": "OAuth2", @@ -14624,7 +14630,7 @@ ], "properties": { "authorization": { - "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..a2543058b9a 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -3381,8 +3381,44 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: + authorization: + description: |- + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic basicAuth: description: |- basicAuth defines HTTP basic authentication credentials. 
@@ -3464,8 +3500,8 @@ spec: type: object bearerToken: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: |- @@ -3640,8 +3676,8 @@ spec: type: object safeAuthorization: description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. + safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead. + This field remains in the API schema but is rejected by validation. properties: key: description: The key of the secret to select from. Must @@ -3775,9 +3811,10 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3822,24 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: authorization is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? 
@@ -3816,10 +3852,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write.