|
7 | 7 | apiserverendpointsopenapi "k8s.io/apiserver/pkg/endpoints/openapi" |
8 | 8 | aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme" |
9 | 9 | openapicommon "k8s.io/kube-openapi/pkg/common" |
| 10 | + "k8s.io/kube-openapi/pkg/spec3" |
10 | 11 | "k8s.io/kube-openapi/pkg/validation/spec" |
11 | 12 | "k8s.io/kubernetes/pkg/api/legacyscheme" |
12 | 13 |
|
@@ -115,3 +116,101 @@ func DefaultOpenAPIConfig() *openapicommon.Config { |
115 | 116 | SecurityDefinitions: &securityDefinitions, |
116 | 117 | } |
117 | 118 | } |
| 119 | + |
| 120 | +func DefaultOpenAPIV3Config() *openapicommon.OpenAPIV3Config { |
| 121 | + defNamer := apiserverendpointsopenapi.NewDefinitionNamer(legacyscheme.Scheme, extensionsapiserver.Scheme, aggregatorscheme.Scheme) |
| 122 | + return &openapicommon.OpenAPIV3Config{ |
| 123 | + Info: &spec.Info{ |
| 124 | + InfoProps: spec.InfoProps{ |
| 125 | + Title: "OpenShift OAuth-related APIs", |
| 126 | + Version: version.Get().String(), |
| 127 | + License: &spec.License{ |
| 128 | + Name: "Apache 2.0 (ASL2.0)", |
| 129 | + URL: "http://www.apache.org/licenses/LICENSE-2.0", |
| 130 | + }, |
| 131 | + Description: heredoc.Doc(` |
| 132 | + OpenShift OAuth APIs provide access and authorization tokens, |
| 133 | + users, groups and similar objects required for OpenShift integrated |
| 134 | + OAuth authentication to work on top of Kubernetes. The API allows |
| 135 | + consistent management of those objects. |
| 136 | +
|
| 137 | + All API operations are authenticated via an Authorization bearer token that |
| 138 | + is provided for service accounts as a generated secret (in JWT form) or via |
| 139 | + the native OAuth access tokens. Core infrastructure components may use client |
| 140 | + certificates that require no authentication. |
| 141 | +
|
| 142 | + All API operations return a 'resourceVersion' string that represents the |
| 143 | + version of the object in the underlying storage. The standard LIST operation |
| 144 | + performs a snapshot read of the underlying objects, returning a resourceVersion |
| 145 | + representing a consistent version of the listed objects. The WATCH operation |
| 146 | + allows all updates to a set of objects after the provided resourceVersion to |
| 147 | + be observed by a client. By listing and beginning a watch from the returned |
| 148 | + resourceVersion, clients may observe a consistent view of the state of one |
| 149 | + or more objects. Note that WATCH always returns the update after the provided |
| 150 | + resourceVersion. Watch may be extended a limited time in the past - using |
| 151 | + etcd 2 the watch window is 1000 events (which on a large cluster may only |
| 152 | + be a few tens of seconds) so clients must explicitly handle the "watch |
| 153 | + to old error" by re-listing. |
| 154 | +
|
| 155 | + Objects are divided into two rough categories - those that have a lifecycle |
| 156 | + and must reflect the state of the cluster, and those that have no state. |
| 157 | + Objects with lifecycle typically have three main sections: |
| 158 | +
|
| 159 | + * 'metadata' common to all objects |
| 160 | + * a 'spec' that represents the desired state |
| 161 | + * a 'status' that represents how much of the desired state is reflected on |
| 162 | + the cluster at the current time |
| 163 | +
|
| 164 | + Objects that have no state have 'metadata' but may lack a 'spec' or 'status' |
| 165 | + section. |
| 166 | +
|
| 167 | + Objects are divided into those that are namespace scoped (only exist inside |
| 168 | + of a namespace) and those that are cluster scoped (exist outside of |
| 169 | + a namespace). A namespace scoped resource will be deleted when the namespace |
| 170 | + is deleted and cannot be created if the namespace has not yet been created |
| 171 | + or is in the process of deletion. Cluster scoped resources are typically |
| 172 | + only accessible to admins - resources like nodes, persistent volumes, and |
| 173 | + cluster policy. |
| 174 | +
|
| 175 | + All objects have a schema that is a combination of the 'kind' and |
| 176 | + 'apiVersion' fields. This schema is additive only for any given version - |
| 177 | + no backwards incompatible changes are allowed without incrementing the |
| 178 | + apiVersion. The server will return and accept a number of standard |
| 179 | + responses that share a common schema - for instance, the common |
| 180 | + error type is 'metav1.Status' (described below) and will be returned |
| 181 | + on any error from the API server. |
| 182 | +
|
| 183 | + The API is available in multiple serialization formats - the default is |
| 184 | + JSON (Accept: application/json and Content-Type: application/json) but |
| 185 | + clients may also use YAML (application/yaml) or the native Protobuf |
| 186 | + schema (application/vnd.kubernetes.protobuf). Note that the format |
| 187 | + of the WATCH API call is slightly different - for JSON it returns newline |
| 188 | + delimited objects while for Protobuf it returns length-delimited frames |
| 189 | + (4 bytes in network-order) that contain a 'versioned.Watch' Protobuf |
| 190 | + object. |
| 191 | +
|
| 192 | + See the OpenShift documentation at https://docs.openshift.org for more |
| 193 | + information. |
| 194 | + `), |
| 195 | + }, |
| 196 | + }, |
| 197 | + DefaultResponse: &spec3.Response{ |
| 198 | + ResponseProps: spec3.ResponseProps{ |
| 199 | + Description: "Default Response.", |
| 200 | + }, |
| 201 | + }, |
| 202 | + IgnorePrefixes: []string{"/swaggerapi", "/healthz", "/controllers", "/metrics", "/version/openshift", "/brokers"}, |
| 203 | + GetDefinitions: openapigenerated.GetOpenAPIDefinitions, |
| 204 | + GetDefinitionName: defNamer.GetDefinitionName, |
| 205 | + SecuritySchemes: map[string]*spec3.SecurityScheme{ |
| 206 | + "BearerToken": { |
| 207 | + SecuritySchemeProps: spec3.SecuritySchemeProps{ |
| 208 | + Type: "apiKey", |
| 209 | + Name: "authorization", |
| 210 | + In: "header", |
| 211 | + Description: "Bearer Token authentication", |
| 212 | + }, |
| 213 | + }, |
| 214 | + }, |
| 215 | + } |
| 216 | +} |
0 commit comments