From 1bb239b7b07f9b9a10915c2fb37927884421ad3a Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Tue, 23 Jun 2026 13:25:14 +0200 Subject: [PATCH 1/4] config/v1alpha1: rename remote write SafeAuthorization to Authorization Align remote write auth with CMO by replacing SafeAuthorization and BearerToken with type Authorization and a credentials secret reference. Co-authored-by: Cursor --- config/v1alpha1/types_cluster_monitoring.go | 35 +++++------- ...ig-operator_01_clustermonitorings.crd.yaml | 54 ++++--------------- config/v1alpha1/zz_generated.deepcopy.go | 7 +-- .../ClusterMonitoringConfig.yaml | 54 ++++--------------- .../zz_generated.swagger_doc_generated.go | 15 +++--- .../generated_openapi/zz_generated.openapi.go | 25 ++++----- openapi/openapi.json | 15 ++---- ...ig-operator_01_clustermonitorings.crd.yaml | 54 ++++--------------- 8 files changed, 68 insertions(+), 191 deletions(-) diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index ca2f0216a94..e1adb60df08 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -1552,7 +1552,7 @@ type RemoteWriteSpec struct { Name string `json:"name,omitempty"` // authorization defines the authorization method for the remote write endpoint. // When omitted, no authorization is performed. - // When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + // When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). // +optional AuthorizationConfig RemoteWriteAuthorization `json:"authorization,omitzero"` // headers specifies the custom HTTP headers to be sent along with each remote write request. 
@@ -1654,21 +1654,19 @@ type BasicAuth struct { } // RemoteWriteAuthorizationType defines the authorization method for remote write endpoints. -// +kubebuilder:validation:Enum=BearerToken;BasicAuth;OAuth2;SigV4;SafeAuthorization;ServiceAccount +// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount type RemoteWriteAuthorizationType string const ( - // RemoteWriteAuthorizationTypeBearerToken indicates bearer token from a secret. - RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken" + // RemoteWriteAuthorizationTypeAuthorization indicates authorization credentials from a secret. + // The secret key contains the credentials (e.g. a Bearer token). Use the credentials field. + RemoteWriteAuthorizationTypeAuthorization RemoteWriteAuthorizationType = "Authorization" // RemoteWriteAuthorizationTypeBasicAuth indicates HTTP basic authentication. RemoteWriteAuthorizationTypeBasicAuth RemoteWriteAuthorizationType = "BasicAuth" // RemoteWriteAuthorizationTypeOAuth2 indicates OAuth2 client credentials. RemoteWriteAuthorizationTypeOAuth2 RemoteWriteAuthorizationType = "OAuth2" // RemoteWriteAuthorizationTypeSigV4 indicates AWS Signature Version 4. RemoteWriteAuthorizationTypeSigV4 RemoteWriteAuthorizationType = "SigV4" - // RemoteWriteAuthorizationTypeSafeAuthorization indicates authorization from a secret (Prometheus SafeAuthorization pattern). - // The secret key contains the credentials (e.g. a Bearer token). Use the safeAuthorization field. - RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization" // RemoteWriteAuthorizationTypeServiceAccount indicates use of the pod's service account token for machine identity. // No additional field is required; the operator configures the token path. RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount" 
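Review bot: The doc on the new `RemoteWriteAuthorizationTypeAuthorization` constant says the secret key "contains the credentials (e.g. a Bearer token)" but nothing in this type says which HTTP `Authorization` scheme the operator will prepend to that value; the Prometheus `authorization` block this is modelled on has a `type` that defaults to `Bearer`, and the API exposes no equivalent, so an operator-side default is presumably being relied on. Because the credential is sent verbatim in a request header to a remote endpoint, that choice belongs in the API doc, e.g. `// The operator sends the value in the HTTP Authorization header; the scheme (presumably Bearer) is fixed by the operator and cannot be set here.` — adjust the scheme to whatever CMO actually applies. Note also that replacing the `BearerToken` enum value rather than deprecating it means any existing v1alpha1 objects with `type: BearerToken` fail enum validation once this CRD is applied; if any such objects can exist it is worth calling out in the description.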
@@ -1676,17 +1674,16 @@ const ( // RemoteWriteAuthorization defines the authorization method for a remote write endpoint. // Exactly one of the nested configs must be set according to the type discriminator. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BearerToken' ? has(self.bearerToken) : !has(self.bearerToken)",message="bearerToken is required when type is BearerToken, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? has(self.credentials) : !has(self.credentials)",message="credentials is required when type is Authorization, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise" -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SafeAuthorization' ? has(self.safeAuthorization) : !has(self.safeAuthorization)",message="safeAuthorization is required when type is SafeAuthorization, and forbidden otherwise" // +union type RemoteWriteAuthorization struct { // type specifies the authorization method to use. - // Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. // - // When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + // When set to Authorization, credentials are read from a single Secret key. 
The secret key typically contains a Bearer token. Use the credentials field. // // When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. // @@ -1694,22 +1691,16 @@ type RemoteWriteAuthorization struct { // // When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. // - // When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - // // When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. // +unionDiscriminator // +required Type RemoteWriteAuthorizationType `json:"type,omitempty"` - // safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - // Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - // +unionMember - // +optional - SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"` - // bearerToken defines the secret reference containing the bearer token. - // Required when type is "BearerToken", and forbidden otherwise. - // +unionMember + // credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + // Required when type is "Authorization", and forbidden otherwise. + // The secret must exist in the openshift-monitoring namespace. + // +unionMember=Authorization // +optional - BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"` + Credentials SecretKeySelector `json:"credentials,omitempty,omitzero"` // basicAuth defines HTTP basic authentication credentials. // Required when type is "BasicAuth", and forbidden otherwise. // +unionMember 
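Review bot: The `+unionMember=Authorization` marker on the new `Credentials` field does not appear to be honored by the OpenAPI generator: the regenerated `fields-to-discriminateBy` map elsewhere in this patch lists `"credentials": "Credentials"` (the same field-name capitalisation that already yields `"sigv4": "Sigv4"` against enum value `SigV4`), while the CEL rule and the enum use the discriminator value `Authorization`. Any consumer that drives off the union metadata rather than the CEL rules will therefore pair the field with a discriminator value that admission never accepts; today only the `x-kubernetes-validations` rule enforces the `credentials`/`Authorization` coupling. Either drop the `=Authorization` suffix if the generator only supports bare `+unionMember`, or pick a field name whose generated member name matches the enum value, so the two sources of truth agree. The `RemoteWriteAuthorization` struct body continues past the end of this hunk (the `basicAuth`, `oauth2` and `sigv4` members).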
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..d533f20ced8 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- @@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- 
@@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? @@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 7313338a3b9..bad14632638 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go 
@@ -1755,12 +1755,7 @@ func (in *RelabelConfig) DeepCopy() *RelabelConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RemoteWriteAuthorization) DeepCopyInto(out *RemoteWriteAuthorization) { *out = *in - if in.SafeAuthorization != nil { - in, out := &in.SafeAuthorization, &out.SafeAuthorization - *out = new(v1.SecretKeySelector) - (*in).DeepCopyInto(*out) - } - out.BearerToken = in.BearerToken + out.Credentials = in.Credentials out.BasicAuth = in.BasicAuth in.OAuth2.DeepCopyInto(&out.OAuth2) out.Sigv4 = in.Sigv4 diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index 2b47bb31e70..bc76919181b 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- 
@@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- @@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. 
@@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. @@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? 
@@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index 2194d79def9..b372f42cf68 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -619,13 +619,12 @@ func (RelabelConfig) SwaggerDoc() map[string]string { } var map_RemoteWriteAuthorization = map[string]string{ - "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", - "type": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", - "safeAuthorization": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - "bearerToken": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", - "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", - "oauth2": "oauth2 defines OAuth2 client credentials authentication. 
Required when type is \"OAuth2\", and forbidden otherwise.", - "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", + "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "credentials": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", + "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", + "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", } func (RemoteWriteAuthorization) SwaggerDoc() map[string]string { 
@@ -636,7 +635,7 @@ var map_RemoteWriteSpec = map[string]string{ "": "RemoteWriteSpec represents configuration for remote write endpoints.", "url": "url is the URL of the remote write endpoint. Must be a valid URL with http or https scheme and a non-empty hostname. Query parameters, fragments, and user information (e.g. user:password@host) are not allowed. Empty string is invalid. Must be between 1 and 2048 characters in length.", "name": "name is a required identifier for this remote write configuration (name is the list key for the remoteWrite list). This name is used in metrics and logging to differentiate remote write queues. Must contain only alphanumeric characters, hyphens, and underscores. Must be between 1 and 63 characters in length.", - "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "authorization": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "headers": "headers specifies the custom HTTP headers to be sent along with each remote write request. Sending custom headers makes the configuration of a proxy in between optional and helps the receiver recognize the given source better. Clients MAY allow users to send custom HTTP headers; they MUST NOT allow users to configure them in such a way as to send reserved headers. Headers set by Prometheus cannot be overwritten. When omitted, no custom headers are sent. Maximum of 50 headers can be specified. Each header name must be unique. 
Each header name must contain only alphanumeric characters, hyphens, and underscores, and must not be a reserved Prometheus header (Host, Authorization, Content-Encoding, Content-Type, X-Prometheus-Remote-Write-Version, User-Agent, Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, WWW-Authenticate).", "metadataConfig": "metadataConfig configures the sending of series metadata to remote storage. When omitted, no metadata is sent. When set to sendPolicy: Default, metadata is sent using platform-chosen defaults (e.g. send interval 30 seconds). When set to sendPolicy: Custom, metadata is sent using the settings in the custom field (e.g. custom.sendIntervalSeconds).", "proxyUrl": "proxyUrl defines an optional proxy URL. If the cluster-wide proxy is enabled, it replaces the proxyUrl setting. The cluster-wide proxy supports both HTTP and HTTPS proxies, with HTTPS taking precedence. When omitted, no proxy is used. Must be a valid URL with http or https scheme. Must be between 1 and 2048 characters in length.", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 1903405ea06..c0875c3a285 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26490,20 +26490,14 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. 
No additional field is required; the operator configures the token path.", Type: []string{"string"}, Format: "", }, }, - "safeAuthorization": { + "credentials": { SchemaProps: spec.SchemaProps{ - Description: "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - Ref: ref(corev1.SecretKeySelector{}.OpenAPIModelName()), - }, - }, - "bearerToken": { - SchemaProps: spec.SchemaProps{ - Description: "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + Description: "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, @@ -26538,11 +26532,10 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "basicAuth": "BasicAuth", - "bearerToken": "BearerToken", - "oauth2": "OAuth2", - "safeAuthorization": "SafeAuthorization", - "sigv4": "Sigv4", + "basicAuth": "BasicAuth", + "credentials": "Credentials", + "oauth2": "OAuth2", + "sigv4": "Sigv4", }, }, }, 
@@ -26550,7 +26543,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re }, }, Dependencies: []string{ - configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName(), corev1.SecretKeySelector{}.OpenAPIModelName()}, + configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName()}, } } @@ -26577,7 +26570,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteSpec(ref common.ReferenceCa }, "authorization": { SchemaProps: spec.SchemaProps{ - Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + Description: "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.RemoteWriteAuthorization{}.OpenAPIModelName()), }, diff --git a/openapi/openapi.json b/openapi/openapi.json index cb93e4c7216..15fe65685a9 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -14578,8 +14578,8 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.BasicAuth" }, - "bearerToken": { - "description": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + "credentials": { + "description": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" }, 
@@ -14588,17 +14588,13 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.OAuth2" }, - "safeAuthorization": { - "description": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", - "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector" - }, "sigv4": { "description": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Sigv4" }, "type": { - "description": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "description": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. 
The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", "type": "string" } }, @@ -14607,9 +14603,8 @@ "discriminator": "type", "fields-to-discriminateBy": { "basicAuth": "BasicAuth", - "bearerToken": "BearerToken", + "credentials": "Credentials", "oauth2": "OAuth2", - "safeAuthorization": "SafeAuthorization", "sigv4": "Sigv4" } } @@ -14624,7 +14619,7 @@ ], "properties": { "authorization": { - "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index 1d541afc757..d533f20ced8 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -3381,7 +3381,7 @@ spec: description: |- authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. - When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). + When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: basicAuth: description: |- @@ -3462,10 +3462,11 @@ spec: - password - username type: object - bearerToken: + credentials: description: |- - bearerToken defines the secret reference containing the bearer token. - Required when type is "BearerToken", and forbidden otherwise. + credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. properties: key: description: |- 
@@ -3638,32 +3639,6 @@ spec: - clientSecret - tokenUrl type: object - safeAuthorization: - description: |- - safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). - Required when type is "SafeAuthorization", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3775,9 +3750,9 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. 
@@ -3785,25 +3760,22 @@ spec: When set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set. - When set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field. - When set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path. enum: - - BearerToken + - Authorization - BasicAuth - OAuth2 - SigV4 - - SafeAuthorization - ServiceAccount type: string required: - type type: object x-kubernetes-validations: - - message: bearerToken is required when type is BearerToken, + - message: credentials is required when type is Authorization, and forbidden otherwise - rule: 'has(self.type) && self.type == ''BearerToken'' - ? has(self.bearerToken) : !has(self.bearerToken)' + rule: 'has(self.type) && self.type == ''Authorization'' + ? has(self.credentials) : !has(self.credentials)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? @@ -3816,10 +3788,6 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' - - message: safeAuthorization is required when type is SafeAuthorization, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''SafeAuthorization'' - ? has(self.safeAuthorization) : !has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. From 0fa312d8bd6a813fa42031411af13b61b18400aa Mon Sep 17 00:00:00 2001 
From: Mario Fernandez Date: Wed, 24 Jun 2026 16:16:45 +0200 Subject: [PATCH 2/4] config/v1alpha1: align remote write auth union with review feedback Rename the Authorization union member to authorization, tombstone removed BearerToken/SafeAuthorization values and fields, and clarify ServiceAccount validation so the API follows discriminated union conventions. Co-authored-by: Cursor --- config/v1alpha1/types_cluster_monitoring.go | 39 +++++++-- ...ig-operator_01_clustermonitorings.crd.yaml | 83 +++++++++---------- config/v1alpha1/zz_generated.deepcopy.go | 2 +- .../ClusterMonitoringConfig.yaml | 83 +++++++++---------- .../zz_generated.swagger_doc_generated.go | 11 ++- .../generated_openapi/zz_generated.openapi.go | 18 ++-- openapi/openapi.json | 15 ++-- ...ig-operator_01_clustermonitorings.crd.yaml | 83 +++++++++---------- 8 files changed, 181 insertions(+), 153 deletions(-) diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index e1adb60df08..1966451fd87 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go @@ -1659,7 +1659,7 @@ type RemoteWriteAuthorizationType string const ( // RemoteWriteAuthorizationTypeAuthorization indicates authorization credentials from a secret. - // The secret key contains the credentials (e.g. a Bearer token). Use the credentials field. + // The secret key contains the credentials (e.g. a Bearer token). Use the authorization field. RemoteWriteAuthorizationTypeAuthorization RemoteWriteAuthorizationType = "Authorization" // RemoteWriteAuthorizationTypeBasicAuth indicates HTTP basic authentication. RemoteWriteAuthorizationTypeBasicAuth RemoteWriteAuthorizationType = "BasicAuth" 
@@ -1670,11 +1670,24 @@ const ( // RemoteWriteAuthorizationTypeServiceAccount indicates use of the pod's service account token for machine identity. // No additional field is required; the operator configures the token path. RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount" + + // --- TOMBSTONE --- + // RemoteWriteAuthorizationTypeBearerToken was a constant for bearer token authentication from a secret. + // It has been removed in favor of RemoteWriteAuthorizationTypeAuthorization. The constant name is reserved to prevent reuse. + // + // RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken" + + // --- TOMBSTONE --- + // RemoteWriteAuthorizationTypeSafeAuthorization was a constant for authorization credentials from a secret (Prometheus SafeAuthorization pattern). + // It has been removed in favor of RemoteWriteAuthorizationTypeAuthorization. The constant name is reserved to prevent reuse. + // + // RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization" ) // RemoteWriteAuthorization defines the authorization method for a remote write endpoint. -// Exactly one of the nested configs must be set according to the type discriminator. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? has(self.credentials) : !has(self.credentials)",message="credentials is required when type is Authorization, and forbidden otherwise" +// Nested config requirements depend on the type discriminator: Authorization requires authorization, +// BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs. +// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'Authorization' ? 
has(self.authorization) : !has(self.authorization)",message="authorization is required when type is Authorization, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise" // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise" @@ -1683,7 +1696,7 @@ type RemoteWriteAuthorization struct { // type specifies the authorization method to use. // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. // - // When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. + // When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. // // When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. // 
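Review bot: The `type` field doc for the Authorization value says the Secret key "typically contains a Bearer token" but never states whether the stored value is the bare credential or the full `Bearer <token>` header value, nor what scheme the operator sends when the content is not a Bearer token; an administrator populating the Secret cannot tell which form to store, and the wrong choice only surfaces as an authentication failure at the remote endpoint. Pin whichever the operator actually implements in the doc comment, for example `// The Secret key holds only the credential itself (no scheme prefix); the operator supplies the HTTP authorization scheme.` — or the opposite, if the value is sent verbatim. The same sentence is repeated in the `RemoteWriteAuthorizationTypeAuthorization` constant doc in the hunk above and in the `authorization` field doc below, so all three should carry the same wording. The enclosing `RemoteWriteAuthorization` struct starts outside the hunk.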
@@ -1695,12 +1708,26 @@ type RemoteWriteAuthorization struct { // +unionDiscriminator // +required Type RemoteWriteAuthorizationType `json:"type,omitempty"` - // credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). + // authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). // Required when type is "Authorization", and forbidden otherwise. // The secret must exist in the openshift-monitoring namespace. // +unionMember=Authorization // +optional - Credentials SecretKeySelector `json:"credentials,omitempty,omitzero"` + Authorization SecretKeySelector `json:"authorization,omitempty,omitzero"` + // --- TOMBSTONE --- + // bearerToken was a field for bearer token authentication from a secret. + // It has been removed in favor of authorization. The field name is reserved to prevent reuse. + // + // +unionMember + // +optional + // BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"` + // --- TOMBSTONE --- + // safeAuthorization was a field for authorization credentials from a secret (Prometheus SafeAuthorization pattern). + // It has been removed in favor of authorization. The field name is reserved to prevent reuse. + // + // +unionMember + // +optional + // SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"` // basicAuth defines HTTP basic authentication credentials. // Required when type is "BasicAuth", and forbidden otherwise. // +unionMember diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml index d533f20ced8..ade249f5d81 100644 --- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml 
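Review bot: The two `--- TOMBSTONE ---` comment blocks inserted between the `Authorization` field and `basicAuth` are part of the same comment group as the `basicAuth` doc comment, so the generators in this same patch treat them as basicAuth's documentation: the regenerated openapi.go description for `basicAuth` now begins with the tombstone text and the commented-out field declarations, the swagger doc map has lost its `basicAuth` entry, and the CRD manifests shown replace the field description with what appears to be the `BasicAuth` type doc (the `+unionMember`/`+optional` lines inside the tombstones are absent from that output, so they are presumably being consumed as live tags too). Separate each tombstone from the following field with a blank line, as the constant tombstones in the `const` block already are, or move both after the last union member, then regenerate. The enclosing `RemoteWriteAuthorization` struct starts outside the hunk. Separately, the openapi/openapi.json hunk in this patch (index 15fe65685a9..cb93e4c7216, the exact reverse of patch 1's) reintroduces `bearerToken` and `safeAuthorization`, so the checked-in schema no longer matches the Go types and needs regenerating as well.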
@@ -3383,10 +3383,45 @@ spec: When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: - basicAuth: + authorization: description: |- - basicAuth defines HTTP basic authentication credentials. - Required when type is "BasicAuth", and forbidden otherwise. + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + basicAuth: + description: BasicAuth defines basic authentication + settings for the remote write endpoint URL. properties: password: description: |- 
@@ -3462,42 +3497,6 @@ spec: - password - username type: object - credentials: - description: |- - credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). - Required when type is "Authorization", and forbidden otherwise. - The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: |- - key is the key of the secret to select from. - Must consist of alphanumeric characters, '-', '_', or '.'. - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must contain only alphanumeric characters, - '-', '_', or '.' - rule: self.matches('^[a-zA-Z0-9._-]+$') - name: - description: |- - name is the name of the secret in the `openshift-monitoring` namespace to select from. - Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid secret name (lowercase - alphanumeric characters, '-' or '.', start and - end with alphanumeric) - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - key - - name - type: object - x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3752,7 +3751,7 @@ spec: type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. @@ -3772,10 +3771,10 @@ spec: - type type: object x-kubernetes-validations: - - message: credentials is required when type is Authorization, + - message: authorization is required when type is Authorization, and forbidden otherwise rule: 'has(self.type) && self.type == ''Authorization'' - ? has(self.credentials) : !has(self.credentials)' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index bad14632638..12dd0cd3127 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -1755,7 +1755,7 @@ func (in *RelabelConfig) DeepCopy() *RelabelConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RemoteWriteAuthorization) DeepCopyInto(out *RemoteWriteAuthorization) { *out = *in - out.Credentials = in.Credentials + out.Authorization = in.Authorization out.BasicAuth = in.BasicAuth in.OAuth2.DeepCopyInto(&out.OAuth2) out.Sigv4 = in.Sigv4 
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index bc76919181b..d0df46c2aa8 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml +++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
@@ -3383,10 +3383,45 @@ spec: When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: - basicAuth: + authorization: description: |- - basicAuth defines HTTP basic authentication credentials. - Required when type is "BasicAuth", and forbidden otherwise. + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + basicAuth: + description: BasicAuth defines basic authentication + settings for the remote write endpoint URL. properties: password: description: |- 
@@ -3462,42 +3497,6 @@ spec: - password - username type: object - credentials: - description: |- - credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). - Required when type is "Authorization", and forbidden otherwise. - The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: |- - key is the key of the secret to select from. - Must consist of alphanumeric characters, '-', '_', or '.'. - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must contain only alphanumeric characters, - '-', '_', or '.' - rule: self.matches('^[a-zA-Z0-9._-]+$') - name: - description: |- - name is the name of the secret in the `openshift-monitoring` namespace to select from. - Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid secret name (lowercase - alphanumeric characters, '-' or '.', start and - end with alphanumeric) - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - key - - name - type: object - x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3752,7 +3751,7 @@ spec: type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. @@ -3772,10 +3771,10 @@ spec: - type type: object x-kubernetes-validations: - - message: credentials is required when type is Authorization, + - message: authorization is required when type is Authorization, and forbidden otherwise rule: 'has(self.type) && self.type == ''Authorization'' - ? has(self.credentials) : !has(self.credentials)' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index b372f42cf68..ee86d77abb8 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -619,12 +619,11 @@ func (RelabelConfig) SwaggerDoc() map[string]string { } var map_RemoteWriteAuthorization = map[string]string{ - "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", - "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", - "credentials": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", - "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", - "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", - "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", + "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. 
Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", + "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "authorization": "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", + "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", } func (RemoteWriteAuthorization) SwaggerDoc() map[string]string { diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index c0875c3a285..c8f959324d0 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26485,26 +26485,26 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + Description: "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. 
Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", Type: []string{"string"}, Format: "", }, }, - "credentials": { + "authorization": { SchemaProps: spec.SchemaProps{ - Description: "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + Description: "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, }, "basicAuth": { SchemaProps: spec.SchemaProps{ - Description: "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", + Description: "--- TOMBSTONE --- bearerToken was a field for bearer token authentication from a secret. It has been removed in favor of authorization. The field name is reserved to prevent reuse.\n\nBearerToken SecretKeySelector `json:\"bearerToken,omitempty,omitzero\"` --- TOMBSTONE --- safeAuthorization was a field for authorization credentials from a secret (Prometheus SafeAuthorization pattern). It has been removed in favor of authorization. 
The field name is reserved to prevent reuse.\n\nSafeAuthorization *v1.SecretKeySelector `json:\"safeAuthorization,omitempty\"` basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.BasicAuth{}.OpenAPIModelName()), }, @@ -26532,10 +26532,10 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "basicAuth": "BasicAuth", - "credentials": "Credentials", - "oauth2": "OAuth2", - "sigv4": "Sigv4", + "authorization": "Authorization", + "basicAuth": "BasicAuth", + "oauth2": "OAuth2", + "sigv4": "Sigv4", }, }, }, diff --git a/openapi/openapi.json b/openapi/openapi.json index 15fe65685a9..cb93e4c7216 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -14578,8 +14578,8 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.BasicAuth" }, - "credentials": { - "description": "credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "bearerToken": { + "description": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" }, 
@@ -14588,13 +14588,17 @@ "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.OAuth2" }, + "safeAuthorization": { + "description": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", + "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector" + }, "sigv4": { "description": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Sigv4" }, "type": { - "description": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "description": "type specifies the authorization method to use. 
Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", "type": "string" } }, @@ -14603,8 +14607,9 @@ "discriminator": "type", "fields-to-discriminateBy": { "basicAuth": "BasicAuth", - "credentials": "Credentials", + "bearerToken": "BearerToken", "oauth2": "OAuth2", + "safeAuthorization": "SafeAuthorization", "sigv4": "Sigv4" } } 
@@ -14619,7 +14624,7 @@ ], "properties": { "authorization": { - "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index d533f20ced8..ade249f5d81 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml 
@@ -3383,10 +3383,45 @@ spec: When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config). properties: - basicAuth: + authorization: description: |- - basicAuth defines HTTP basic authentication credentials. - Required when type is "BasicAuth", and forbidden otherwise. + authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). + Required when type is "Authorization", and forbidden otherwise. + The secret must exist in the openshift-monitoring namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic + basicAuth: + description: BasicAuth defines basic authentication + settings for the remote write endpoint URL. properties: password: description: |- 
@@ -3462,42 +3497,6 @@ spec: - password - username type: object - credentials: - description: |- - credentials defines the secret reference containing the authorization credentials (e.g. Bearer token). - Required when type is "Authorization", and forbidden otherwise. - The secret must exist in the openshift-monitoring namespace. - properties: - key: - description: |- - key is the key of the secret to select from. - Must consist of alphanumeric characters, '-', '_', or '.'. - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must contain only alphanumeric characters, - '-', '_', or '.' - rule: self.matches('^[a-zA-Z0-9._-]+$') - name: - description: |- - name is the name of the secret in the `openshift-monitoring` namespace to select from. - Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). - Must be between 1 and 253 characters in length. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: must be a valid secret name (lowercase - alphanumeric characters, '-' or '.', start and - end with alphanumeric) - rule: '!format.dns1123Subdomain().validate(self).hasValue()' - required: - - key - - name - type: object - x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3752,7 +3751,7 @@ spec: type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. - When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the credentials field. + When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. When set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set. @@ -3772,10 +3771,10 @@ spec: - type type: object x-kubernetes-validations: - - message: credentials is required when type is Authorization, + - message: authorization is required when type is Authorization, and forbidden otherwise rule: 'has(self.type) && self.type == ''Authorization'' - ? has(self.credentials) : !has(self.credentials)' + ? has(self.authorization) : !has(self.authorization)' - message: basicAuth is required when type is BasicAuth, and forbidden otherwise rule: 'has(self.type) && self.type == ''BasicAuth'' ? From 62a162bf24ea9985ec44185f48fd07c3769a647f Mon Sep 17 00:00:00 2001 
From: Mario Fernandez
Date: Thu, 25 Jun 2026 11:10:52 +0200
Subject: [PATCH 3/4] config/v1alpha1: keep deprecated remote write auth fields for crdify

Retain BearerToken and SafeAuthorization in the CRD schema while rejecting them via validation, so verify-crdify passes and callers migrate to the Authorization union member.

Co-authored-by: Cursor
---
 config/v1alpha1/types_cluster_monitoring.go | 37 ++++-----
 ...ig-operator_01_clustermonitorings.crd.yaml | 80 ++++++++++++++++++-
 config/v1alpha1/zz_generated.deepcopy.go | 6 ++
 .../ClusterMonitoringConfig.yaml | 80 ++++++++++++++++++-
 .../zz_generated.swagger_doc_generated.go | 3 +-
 .../generated_openapi/zz_generated.openapi.go | 29 +++++--
 openapi/openapi.json | 16 ++--
 ...ig-operator_01_clustermonitorings.crd.yaml | 80 ++++++++++++++++++-
 8 files changed, 291 insertions(+), 40 deletions(-)

diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go
index 1966451fd87..b87616e7958 100644
--- a/config/v1alpha1/types_cluster_monitoring.go
+++ b/config/v1alpha1/types_cluster_monitoring.go
@@ -1654,7 +1654,7 @@ type BasicAuth struct {
 }
 // RemoteWriteAuthorizationType defines the authorization method for remote write endpoints.
-// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount
+// +kubebuilder:validation:Enum=Authorization;BasicAuth;OAuth2;SigV4;ServiceAccount;BearerToken;SafeAuthorization
 type RemoteWriteAuthorizationType string
 const (
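Review bot: Re-adding BearerToken and SafeAuthorization to the Enum marker means the generated `enum:` list (see the crd.yaml hunks later in this patch) advertises them as valid values, while only the CEL rules added in the @@ -1691 hunk reject them, so schema-only validators (client-side OpenAPI validation, IDE schema checks) can accept a spec that the API server then refuses. The doc comment on RemoteWriteAuthorizationType says nothing about this split. Suggest adding below its first line `// BearerToken and SafeAuthorization remain in the enum only so the stored schema stays compatible; they are rejected by validation rules on RemoteWriteAuthorization.`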
@@ -1672,16 +1672,14 @@ const (
 RemoteWriteAuthorizationTypeServiceAccount RemoteWriteAuthorizationType = "ServiceAccount"
 // --- TOMBSTONE ---
- // RemoteWriteAuthorizationTypeBearerToken was a constant for bearer token authentication from a secret.
- // It has been removed in favor of RemoteWriteAuthorizationTypeAuthorization. The constant name is reserved to prevent reuse.
- //
- // RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken"
+ // RemoteWriteAuthorizationTypeBearerToken is deprecated. Use RemoteWriteAuthorizationTypeAuthorization instead.
+ // The value remains in the API schema but is rejected by validation.
+ RemoteWriteAuthorizationTypeBearerToken RemoteWriteAuthorizationType = "BearerToken"
 // --- TOMBSTONE ---
- // RemoteWriteAuthorizationTypeSafeAuthorization was a constant for authorization credentials from a secret (Prometheus SafeAuthorization pattern).
- // It has been removed in favor of RemoteWriteAuthorizationTypeAuthorization. The constant name is reserved to prevent reuse.
- //
- // RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization"
+ // RemoteWriteAuthorizationTypeSafeAuthorization is deprecated. Use RemoteWriteAuthorizationTypeAuthorization instead.
+ // The value remains in the API schema but is rejected by validation.
+ RemoteWriteAuthorizationTypeSafeAuthorization RemoteWriteAuthorizationType = "SafeAuthorization"
 )
 // RemoteWriteAuthorization defines the authorization method for a remote write endpoint.
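Review bot: The two constants are live declarations again but keep the `// --- TOMBSTONE ---` marker above them and state the deprecation in prose rather than in the Go `Deprecated:` paragraph form, so staticcheck and gopls will not flag new callers that keep using RemoteWriteAuthorizationTypeBearerToken or RemoteWriteAuthorizationTypeSafeAuthorization. Suggest dropping the two tombstone lines and starting each doc comment with `// Deprecated: use RemoteWriteAuthorizationTypeAuthorization instead; the value stays in the schema for compatibility but is rejected by validation.`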
@@ -1691,10 +1689,15 @@ const (
 // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'BasicAuth' ? has(self.basicAuth) : !has(self.basicAuth)",message="basicAuth is required when type is BasicAuth, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'OAuth2' ? has(self.oauth2) : !has(self.oauth2)",message="oauth2 is required when type is OAuth2, and forbidden otherwise"
 // +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'SigV4' ? has(self.sigv4) : !has(self.sigv4)",message="sigv4 is required when type is SigV4, and forbidden otherwise"
+// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type != 'BearerToken'",message="type BearerToken is deprecated, use Authorization instead"
+// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type != 'SafeAuthorization'",message="type SafeAuthorization is deprecated, use Authorization instead"
+// +kubebuilder:validation:XValidation:rule="!has(self.bearerToken)",message="bearerToken is deprecated, use authorization with type Authorization instead"
+// +kubebuilder:validation:XValidation:rule="!has(self.safeAuthorization)",message="safeAuthorization is deprecated, use authorization with type Authorization instead"
 // +union
 type RemoteWriteAuthorization struct {
 // type specifies the authorization method to use.
- // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.
+ // Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount.
+ // BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.
 //
 // When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.
 //
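Review bot: The `!has(self.bearerToken)` and `!has(self.safeAuthorization)` rules are unconditional, so a pre-existing object that still carries one of these fields is rejected on its next write to the authorization block rather than only when a caller opts into the new member; the compatibility goal in the commit message therefore holds only to the extent the API server's CRD validation ratcheting skips rules on unchanged values, which is version-dependent and not stated anywhere in the type. The two type-level rules are redundant with the field-level ones for any object that satisfied the old union, but they do give a clearer message when only `type` was set. Suggest one comment above the four new rules, e.g. `// Deprecated members stay in the schema for crdify compatibility; these rules reject them on any write that changes the authorization block.`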
@@ -1715,19 +1718,17 @@ type RemoteWriteAuthorization struct {
 // +optional
 Authorization SecretKeySelector `json:"authorization,omitempty,omitzero"`
 // --- TOMBSTONE ---
- // bearerToken was a field for bearer token authentication from a secret.
- // It has been removed in favor of authorization. The field name is reserved to prevent reuse.
- //
+ // bearerToken is deprecated. Use authorization with type Authorization instead.
+ // This field remains in the API schema but is rejected by validation.
 // +unionMember
 // +optional
- // BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"`
+ BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"`
 // --- TOMBSTONE ---
- // safeAuthorization was a field for authorization credentials from a secret (Prometheus SafeAuthorization pattern).
- // It has been removed in favor of authorization. The field name is reserved to prevent reuse.
- //
+ // safeAuthorization is deprecated. Use authorization with type Authorization instead.
+ // This field remains in the API schema but is rejected by validation.
 // +unionMember
 // +optional
- // SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"`
+ SafeAuthorization *v1.SecretKeySelector `json:"safeAuthorization,omitempty"`
 // basicAuth defines HTTP basic authentication credentials.
 // Required when type is "BasicAuth", and forbidden otherwise.
 // +unionMember
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
index ade249f5d81..b5eb7ef3016 100644
--- a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml
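Review bot: In the crd.yaml hunks of this same patch the bearerToken and safeAuthorization properties carry the generic `SecretKeySelector selects a key of a Secret` type description instead of the deprecation text written here, which suggests the CRD generator treats the leading `// --- TOMBSTONE ---` line as a doc separator and drops the field doc, while the openapi.go hunk emits `--- TOMBSTONE ---` verbatim into the user-facing description. Either way, someone running `oc explain` on these fields is not told that they are rejected. Suggest removing the two tombstone marker lines and starting each field comment with `// Deprecated: use authorization with type Authorization instead.`, which both generators carry through unchanged. It would also help to say why safeAuthorization stays a `*v1.SecretKeySelector` (whose generated schema allows `optional` and an empty defaulted `name`, unlike the project's own selector) — presumably so crdify sees an unchanged schema — since a later cleanup could otherwise "fix" it to SecretKeySelector and reintroduce the compatibility failure.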
@@ -3420,8 +3420,9 @@ spec: type: object x-kubernetes-map-type: atomic basicAuth: - description: BasicAuth defines basic authentication - settings for the remote write endpoint URL. + description: |- + basicAuth defines HTTP basic authentication credentials. + Required when type is "BasicAuth", and forbidden otherwise. properties: password: description: |- @@ -3497,6 +3498,40 @@ spec: - password - username type: object + bearerToken: + description: SecretKeySelector selects a key of a Secret + in the `openshift-monitoring` namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3638,6 +3673,30 @@ spec: - clientSecret - tokenUrl type: object + safeAuthorization: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3749,7 +3808,8 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. @@ -3766,6 +3826,8 @@ spec: - OAuth2 - SigV4 - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type 
@@ -3787,6 +3849,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go index 12dd0cd3127..9ef38c08c2f 100644 --- a/config/v1alpha1/zz_generated.deepcopy.go +++ b/config/v1alpha1/zz_generated.deepcopy.go @@ -1756,6 +1756,12 @@ func (in *RelabelConfig) DeepCopy() *RelabelConfig { func (in *RemoteWriteAuthorization) DeepCopyInto(out *RemoteWriteAuthorization) { *out = *in out.Authorization = in.Authorization + out.BearerToken = in.BearerToken + if in.SafeAuthorization != nil { + in, out := &in.SafeAuthorization, &out.SafeAuthorization + *out = new(v1.SecretKeySelector) + (*in).DeepCopyInto(*out) + } out.BasicAuth = in.BasicAuth in.OAuth2.DeepCopyInto(&out.OAuth2) out.Sigv4 = in.Sigv4 diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml index d0df46c2aa8..246d8eb725a 100644 --- a/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml 
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml @@ -3420,8 +3420,9 @@ spec: type: object x-kubernetes-map-type: atomic basicAuth: - description: BasicAuth defines basic authentication - settings for the remote write endpoint URL. + description: |- + basicAuth defines HTTP basic authentication credentials. + Required when type is "BasicAuth", and forbidden otherwise. properties: password: description: |- @@ -3497,6 +3498,40 @@ spec: - password - username type: object + bearerToken: + description: SecretKeySelector selects a key of a Secret + in the `openshift-monitoring` namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3638,6 +3673,30 @@ spec: - clientSecret - tokenUrl type: object + safeAuthorization: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3749,7 +3808,8 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. @@ -3766,6 +3826,8 @@ spec: - OAuth2 - SigV4 - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type 
@@ -3787,6 +3849,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go index ee86d77abb8..c215ae54e6a 100644 --- a/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -620,8 +620,9 @@ func (RelabelConfig) SwaggerDoc() map[string]string { var map_RemoteWriteAuthorization = map[string]string{ "": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", - "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "type": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. 
Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", "authorization": "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "basicAuth": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", "oauth2": "oauth2 defines OAuth2 client credentials authentication. Required when type is \"OAuth2\", and forbidden otherwise.", "sigv4": "sigv4 defines AWS Signature Version 4 authentication. Required when type is \"SigV4\", and forbidden otherwise.", } diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index c8f959324d0..fc24d29d331 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -26490,7 +26490,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ - Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + Description: "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", Type: []string{"string"}, Format: "", }, 
@@ -26502,9 +26502,22 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), }, }, + "bearerToken": { + SchemaProps: spec.SchemaProps{ + Description: "--- TOMBSTONE --- bearerToken is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", + Default: map[string]interface{}{}, + Ref: ref(configv1alpha1.SecretKeySelector{}.OpenAPIModelName()), + }, + }, + "safeAuthorization": { + SchemaProps: spec.SchemaProps{ + Description: "--- TOMBSTONE --- safeAuthorization is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", + Ref: ref(corev1.SecretKeySelector{}.OpenAPIModelName()), + }, + }, "basicAuth": { SchemaProps: spec.SchemaProps{ - Description: "--- TOMBSTONE --- bearerToken was a field for bearer token authentication from a secret. It has been removed in favor of authorization. The field name is reserved to prevent reuse.\n\nBearerToken SecretKeySelector `json:\"bearerToken,omitempty,omitzero\"` --- TOMBSTONE --- safeAuthorization was a field for authorization credentials from a secret (Prometheus SafeAuthorization pattern). It has been removed in favor of authorization. The field name is reserved to prevent reuse.\n\nSafeAuthorization *v1.SecretKeySelector `json:\"safeAuthorization,omitempty\"` basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", + Description: "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", Default: map[string]interface{}{}, Ref: ref(configv1alpha1.BasicAuth{}.OpenAPIModelName()), }, 
@@ -26532,10 +26545,12 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re map[string]interface{}{ "discriminator": "type", "fields-to-discriminateBy": map[string]interface{}{ - "authorization": "Authorization", - "basicAuth": "BasicAuth", - "oauth2": "OAuth2", - "sigv4": "Sigv4", + "authorization": "Authorization", + "basicAuth": "BasicAuth", + "bearerToken": "BearerToken", + "oauth2": "OAuth2", + "safeAuthorization": "SafeAuthorization", + "sigv4": "Sigv4", }, }, }, @@ -26543,7 +26558,7 @@ func schema_openshift_api_config_v1alpha1_RemoteWriteAuthorization(ref common.Re }, }, Dependencies: []string{ - configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName()}, + configv1alpha1.BasicAuth{}.OpenAPIModelName(), configv1alpha1.OAuth2{}.OpenAPIModelName(), configv1alpha1.SecretKeySelector{}.OpenAPIModelName(), configv1alpha1.Sigv4{}.OpenAPIModelName(), corev1.SecretKeySelector{}.OpenAPIModelName()}, } } diff --git a/openapi/openapi.json b/openapi/openapi.json index cb93e4c7216..f4bb02fa120 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -14567,19 +14567,24 @@ } }, "com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization": { - "description": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Exactly one of the nested configs must be set according to the type discriminator.", + "description": "RemoteWriteAuthorization defines the authorization method for a remote write endpoint. Nested config requirements depend on the type discriminator: Authorization requires authorization, BasicAuth requires basicAuth, OAuth2 requires oauth2, SigV4 requires sigv4, and ServiceAccount forbids all nested configs.", "type": "object", "required": [ "type" ], "properties": { + "authorization": { + "description": "authorization defines the secret reference containing the authorization credentials (e.g. Bearer token). Required when type is \"Authorization\", and forbidden otherwise. The secret must exist in the openshift-monitoring namespace.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" + }, "basicAuth": { "description": "basicAuth defines HTTP basic authentication credentials. Required when type is \"BasicAuth\", and forbidden otherwise.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.BasicAuth" }, "bearerToken": { - "description": "bearerToken defines the secret reference containing the bearer token. Required when type is \"BearerToken\", and forbidden otherwise.", + "description": "--- TOMBSTONE --- bearerToken is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.SecretKeySelector" }, 
@@ -14589,7 +14594,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.OAuth2" }, "safeAuthorization": { - "description": "safeAuthorization defines the secret reference containing the credentials for authentication (e.g. Bearer token). Required when type is \"SafeAuthorization\", and forbidden otherwise. Maps to Prometheus SafeAuthorization. The secret must exist in the openshift-monitoring namespace.", + "description": "--- TOMBSTONE --- safeAuthorization is deprecated. Use authorization with type Authorization instead. This field remains in the API schema but is rejected by validation.", "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector" }, "sigv4": { 
@@ -14598,7 +14603,7 @@ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.Sigv4" }, "type": { - "description": "type specifies the authorization method to use. Allowed values are BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, ServiceAccount.\n\nWhen set to BearerToken, the bearer token is read from a Secret referenced by the bearerToken field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to SafeAuthorization, credentials are read from a single Secret key (Prometheus SafeAuthorization pattern). The secret key typically contains a Bearer token. Use the safeAuthorization field.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. No additional field is required; the operator configures the token path.", + "description": "type specifies the authorization method to use. Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead.\n\nWhen set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field.\n\nWhen set to BasicAuth, HTTP basic authentication is used; the basicAuth field (username and password from Secrets) must be set.\n\nWhen set to OAuth2, OAuth2 client credentials flow is used; the oauth2 field (clientId, clientSecret, tokenUrl) must be set.\n\nWhen set to SigV4, AWS Signature Version 4 is used for authentication; the sigv4 field must be set.\n\nWhen set to ServiceAccount, the pod's service account token is used for machine identity. 
No additional field is required; the operator configures the token path.", "type": "string" } }, @@ -14606,6 +14611,7 @@ { "discriminator": "type", "fields-to-discriminateBy": { + "authorization": "Authorization", "basicAuth": "BasicAuth", "bearerToken": "BearerToken", "oauth2": "OAuth2", @@ -14624,7 +14630,7 @@ ], "properties": { "authorization": { - "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of BearerToken, BasicAuth, OAuth2, SigV4, SafeAuthorization, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", + "description": "authorization defines the authorization method for the remote write endpoint. When omitted, no authorization is performed. When set, type must be one of Authorization, BasicAuth, OAuth2, SigV4, or ServiceAccount; the corresponding nested config must be set (ServiceAccount has no config).", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.RemoteWriteAuthorization" }, diff --git a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml index ade249f5d81..b5eb7ef3016 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml @@ -3420,8 +3420,9 @@ spec: type: object x-kubernetes-map-type: atomic basicAuth: - description: BasicAuth defines basic authentication - settings for the remote write endpoint URL. + description: |- + basicAuth defines HTTP basic authentication credentials. + Required when type is "BasicAuth", and forbidden otherwise. properties: password: description: |- 
@@ -3497,6 +3498,40 @@ spec: - password - username type: object + bearerToken: + description: SecretKeySelector selects a key of a Secret + in the `openshift-monitoring` namespace. + properties: + key: + description: |- + key is the key of the secret to select from. + Must consist of alphanumeric characters, '-', '_', or '.'. + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must contain only alphanumeric characters, + '-', '_', or '.' + rule: self.matches('^[a-zA-Z0-9._-]+$') + name: + description: |- + name is the name of the secret in the `openshift-monitoring` namespace to select from. + Must be a valid Kubernetes secret name (lowercase alphanumeric, '-' or '.', start/end with alphanumeric). + Must be between 1 and 253 characters in length. + maxLength: 253 + minLength: 1 + type: string + x-kubernetes-validations: + - message: must be a valid secret name (lowercase + alphanumeric characters, '-' or '.', start and + end with alphanumeric) + rule: '!format.dns1123Subdomain().validate(self).hasValue()' + required: + - key + - name + type: object + x-kubernetes-map-type: atomic oauth2: description: |- oauth2 defines OAuth2 client credentials authentication. 
@@ -3638,6 +3673,30 @@ spec: - clientSecret - tokenUrl type: object + safeAuthorization: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic sigv4: description: |- sigv4 defines AWS Signature Version 4 authentication. @@ -3749,7 +3808,8 @@ spec: type: description: |- type specifies the authorization method to use. - Allowed values are Authorization, BasicAuth, OAuth2, SigV4, ServiceAccount. + Allowed values are Authorization, BasicAuth, OAuth2, SigV4, and ServiceAccount. + BearerToken and SafeAuthorization are deprecated and rejected by validation; use Authorization instead. When set to Authorization, credentials are read from a single Secret key. The secret key typically contains a Bearer token. Use the authorization field. @@ -3766,6 +3826,8 @@ spec: - OAuth2 - SigV4 - ServiceAccount + - BearerToken + - SafeAuthorization type: string required: - type 
@@ -3787,6 +3849,18 @@ spec: otherwise rule: 'has(self.type) && self.type == ''SigV4'' ? has(self.sigv4) : !has(self.sigv4)' + - message: type BearerToken is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''BearerToken''' + - message: type SafeAuthorization is deprecated, use Authorization + instead + rule: '!has(self.type) || self.type != ''SafeAuthorization''' + - message: bearerToken is deprecated, use authorization + with type Authorization instead + rule: '!has(self.bearerToken)' + - message: safeAuthorization is deprecated, use authorization + with type Authorization instead + rule: '!has(self.safeAuthorization)' exemplarsMode: description: |- exemplarsMode controls whether exemplars are sent via remote write. From 0ef6b40c8e062a8ce5a61c74b7f359cf915eeb26 Mon Sep 17 00:00:00 2001 From: Mario Fernandez Date: Thu, 25 Jun 2026 12:01:51 +0200 Subject: [PATCH 4/4] config/v1alpha1: fix tombstoned remote write auth field godoc Start bearerToken and safeAuthorization comments with the field name so kubeapilinter commentstart checks pass. Co-authored-by: Cursor --- config/v1alpha1/types_cluster_monitoring.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/config/v1alpha1/types_cluster_monitoring.go b/config/v1alpha1/types_cluster_monitoring.go index b87616e7958..01cec5066c9 100644 --- a/config/v1alpha1/types_cluster_monitoring.go +++ b/config/v1alpha1/types_cluster_monitoring.go 
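Review bot: The four `x-kubernetes-validations` rules added at the end of this hunk are now the only thing rejecting `BearerToken`/`SafeAuthorization`, since the CRD enum in the previous hunk re-admits both values. Any ClusterMonitoring object already persisted with one of those types or stanzas will therefore fail on its next update unless the apiserver's CRD validation ratcheting lets the unchanged field through; if such objects can exist for this v1alpha1 type, the commit message should spell out the migration rather than rely on the rejection message, because a blocked update can strand a remote-write credential rotation. The `!has(self.type) ||` prefix in the two type rules is dead code because `type` is listed under `required`; `rule: 'self.type != ''BearerToken'''` (and the same for SafeAuthorization) says the same thing. The visible context shows only the `SigV4`/`sigv4` pairing rule; the matching `Authorization`/`authorization` rule is presumably just above the hunk, but it is worth confirming it exists, since a bare `type: Authorization` with no secret reference would otherwise pass schema validation and only surface as a failure in the operator.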
@@ -1717,14 +1717,12 @@ type RemoteWriteAuthorization struct {
 	// +unionMember=Authorization
 	// +optional
 	Authorization SecretKeySelector `json:"authorization,omitempty,omitzero"`
-	// --- TOMBSTONE ---
-	// bearerToken is deprecated. Use authorization with type Authorization instead.
+	// bearerToken is a tombstoned field that is deprecated. Use authorization with type Authorization instead.
 	// This field remains in the API schema but is rejected by validation.
 	// +unionMember
 	// +optional
 	BearerToken SecretKeySelector `json:"bearerToken,omitempty,omitzero"`
-	// --- TOMBSTONE ---
-	// safeAuthorization is deprecated. Use authorization with type Authorization instead.
+	// safeAuthorization is a tombstoned field that is deprecated. Use authorization with type Authorization instead.
 	// This field remains in the API schema but is rejected by validation.
 	// +unionMember
 	// +optional
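Review bot: The rewritten comments on `BearerToken` and `SafeAuthorization` describe the deprecation in prose only; Go tooling (gopls, staticcheck, godoc) surfaces deprecation only from a paragraph that begins with `Deprecated:`, so each field should keep its name-first sentence and add `//` followed by `// Deprecated: use authorization with type Authorization instead.` beneath it. Both fields also keep `// +unionMember`, which is why the generated discriminator map in the openapi hunk earlier in this patch still lists `bearerToken: BearerToken` and `safeAuthorization: SafeAuthorization` as valid union arms even though the CEL rules reject them; dropping the marker on tombstoned fields keeps the advertised schema consistent with what validation accepts. The `safeAuthorization` field appears to remain a core/v1 `SecretKeySelector` (its generated schema carries `optional` and an empty-name default and has no namespace scoping, unlike the project selector used for `bearerToken`), so a comment-only reservation of the JSON name would avoid shipping a permissive selector schema that a future relaxation of the rule could silently revive. The `RemoteWriteAuthorization` struct starts before and continues after this hunk.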