Sub-task
Resolution: Unresolved
Define the PKI, PKISpec, PKIStatus, and related Go types in the openshift/api repository, with CEL validation rules that enforce the discriminated union pattern.
Repository
openshift/api/config/v1alpha1/types_pki.go
Required Types
- PKI: Top-level resource with TypeMeta, ObjectMeta, Spec, Status
- PKIList: List type for PKI resources
- PKISpec: Specification with Defaults, Categories, Overrides fields
- PKIStatus: Status subresource (initially simple)
- CertificateConfig: Wrapper type for certificate configuration (extensibility layer)
- KeyConfig: Discriminated union type with CEL validation (algorithm as discriminator)
- RSAKeyConfig: RSA-specific parameters (keySize)
- ECDSAKeyConfig: ECDSA-specific parameters (curve)
- KeyAlgorithm: Enum type (RSA, ECDSA)
- ECDSACurve: Enum type (P256, P384, P521)
- CertificateCategory: Enum type (SignerCertificate, ServingCertificate, ClientCertificate)
- CategoryCertificateConfig: Category-level configuration
- CertificateOverride: Certificate-specific override with CEL validation
Required Annotations
- +genclient - Generate client
- +genclient:nonNamespaced - Cluster-scoped resource
- +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - Generate DeepCopy
- +kubebuilder:object:root=true - Root object
- +kubebuilder:subresource:status - Status subresource
- +kubebuilder:resource:path=pkis,scope=Cluster - Resource metadata
- +openshift:compatibility-gen:level=4 - Compatibility level
Discriminated Union Markers
KeyConfig type:
- +union - Marks type as discriminated union
- +unionDiscriminator - Marks algorithm field as discriminator
- +unionMember - Marks rsa and ecdsa fields as union members
CEL Validation Rules
KeyConfig type CEL validation:
- Union enforcement: the algorithm discriminator must match exactly one member field
- +kubebuilder:validation:XValidation:rule="(self.algorithm == 'RSA' && has(self.rsa) && !has(self.ecdsa)) || (self.algorithm == 'ECDSA' && has(self.ecdsa) && !has(self.rsa))"
- Ensures RSA requires the rsa field and forbids ecdsa; ECDSA requires the ecdsa field and forbids rsa
- Caveat: rsa and ecdsa must be optional members (pointer fields with omitempty) so that has() reflects whether the field was set; pair the rule with a message= so a rejected object gets an actionable error instead of the raw expression
CertificateOverride type CEL validation:
- Certificate name must be in well-known list
- +kubebuilder:validation:XValidation:rule="self.certificateName in [list of well-known names]"
OpenAPI Validation (Standard Markers)
- Required fields marked with +kubebuilder:validation:Required
- Enums defined with +kubebuilder:validation:Enum
- String length validation with +kubebuilder:validation:MinLength
Type Structure
PKISpec contains:
- Defaults *CertificateConfig
- Categories []CategoryCertificateConfig
- Overrides []CertificateOverride
CertificateConfig contains:
- Key KeyConfig (required)
- Future: Lifetime, Rotation, Extensions
CategoryCertificateConfig contains:
- Category CertificateCategory
- Certificate CertificateConfig
CertificateOverride contains:
- CertificateName string
- Certificate CertificateConfig
Example YAML Structure
{{
spec:
  defaults:
    key:
      algorithm: RSA
      rsa:
        keySize: 2048
  categories:
    - category: ServingCertificate
      certificate:
        key:
          algorithm: ECDSA
          ecdsa:
            curve: P384
  overrides:
    - certificateName: etcd-signer
      certificate:
        key:
          algorithm: RSA
          rsa:
            keySize: 4096
}}
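The KeyConfig union from the marker and CEL sections above, as an added Go example (not code from openshift/api): the type with its +union markers and the XValidation rule as they would sit in types_pki.go, plus a Go-side check, ValidateKeyConfig, that mirrors the CEL rule so the union invariant can be exercised against constructed JSON inputs (JSON is what the YAML above serializes to) without an API server. ValidateKeyConfigJSON, the message= text, and the sample inputs are assumptions for illustration; in the real API the invariant is enforced by the generated CRD schema, not by Go code, and the top-level PKI type additionally embeds the metav1 types, which are omitted here so the file builds with the standard library alone.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeyAlgorithm selects the key type and is the union discriminator.
// +kubebuilder:validation:Enum=RSA;ECDSA
type KeyAlgorithm string

const (
	KeyAlgorithmRSA   KeyAlgorithm = "RSA"
	KeyAlgorithmECDSA KeyAlgorithm = "ECDSA"
)

// ECDSACurve names the curve for an ECDSA key.
// +kubebuilder:validation:Enum=P256;P384;P521
type ECDSACurve string

// RSAKeyConfig carries RSA-specific parameters.
type RSAKeyConfig struct {
	// keySize is the modulus size in bits.
	// +kubebuilder:validation:Required
	KeySize int32 `json:"keySize"`
}

// ECDSAKeyConfig carries ECDSA-specific parameters.
type ECDSAKeyConfig struct {
	// curve is the named curve to use.
	// +kubebuilder:validation:Required
	Curve ECDSACurve `json:"curve"`
}

// KeyConfig is a discriminated union: exactly one member, chosen by algorithm.
// Members are pointers with omitempty so that an absent field is nil here and
// fails has() in CEL. (message= text is an assumption for this example.)
// +union
// +kubebuilder:validation:XValidation:rule="(self.algorithm == 'RSA' && has(self.rsa) && !has(self.ecdsa)) || (self.algorithm == 'ECDSA' && has(self.ecdsa) && !has(self.rsa))",message="rsa must be set if and only if algorithm is RSA; ecdsa if and only if algorithm is ECDSA"
type KeyConfig struct {
	// +unionDiscriminator
	// +kubebuilder:validation:Required
	Algorithm KeyAlgorithm `json:"algorithm"`
	// +unionMember
	// +optional
	RSA *RSAKeyConfig `json:"rsa,omitempty"`
	// +unionMember
	// +optional
	ECDSA *ECDSAKeyConfig `json:"ecdsa,omitempty"`
}

// ValidateKeyConfig is the Go-side equivalent of the CEL rule above: the
// discriminator must name exactly the one member that is present.
func ValidateKeyConfig(k KeyConfig) error {
	switch k.Algorithm {
	case KeyAlgorithmRSA:
		if k.RSA == nil || k.ECDSA != nil {
			return errors.New("algorithm RSA requires rsa and forbids ecdsa")
		}
	case KeyAlgorithmECDSA:
		if k.ECDSA == nil || k.RSA != nil {
			return errors.New("algorithm ECDSA requires ecdsa and forbids rsa")
		}
	default:
		return fmt.Errorf("algorithm %q is not one of RSA, ECDSA", k.Algorithm)
	}
	return nil
}

// ValidateKeyConfigJSON decodes a serialized key block and validates it.
// Unknown fields are rejected, as strict field validation on the server would.
func ValidateKeyConfigJSON(doc string) error {
	var k KeyConfig
	dec := json.NewDecoder(strings.NewReader(doc))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&k); err != nil {
		return err
	}
	return ValidateKeyConfig(k)
}

func main() {
	// Constructed inputs: the first two are valid, the rest must be rejected.
	cases := []string{
		`{"algorithm":"RSA","rsa":{"keySize":2048}}`,
		`{"algorithm":"ECDSA","ecdsa":{"curve":"P384"}}`,
		`{"algorithm":"RSA","rsa":{"keySize":2048},"ecdsa":{"curve":"P256"}}`,
		`{"algorithm":"ECDSA","rsa":{"keySize":4096}}`,
		`{"algorithm":"RSA"}`,
		`{"algorithm":"Ed25519"}`,
	}
	for _, c := range cases {
		fmt.Printf("%-72s -> %v\n", c, ValidateKeyConfigJSON(c))
	}
}
```

The four rejected cases in main are the ones the CEL rule must also reject once the CRD is generated: both members set, a member that contradicts the discriminator, a discriminator with no member, and a value outside the enum. Keeping the Go check and the CEL expression side by side in the same file makes it obvious when one is changed without the other.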
Acceptance Criteria
- All types compile without errors
- Discriminated union markers correctly applied
- CEL validation rules generate correct CRD validation
- OpenAPI validation markers generate correct CRD schema
- CertificateConfig wrapper properly wraps KeyConfig
- Godoc comments follow Kubernetes conventions
- Types pass make verify in openshift/api
- No linter errors or warnings
- CEL validation tested (invalid configs properly rejected)
- Union pattern validated (cannot set both rsa and ecdsa)
Issue Links
- duplicates CNTRLPLANE-1746 duplicate: Define PKI API types with OpenAPI validation (Closed)