OCM-7376: Add registry allowlists and cluster registry config

Add a new root endpoint:
- Registry allowlist
And a new cluster type part
- Registry config

to both v1 and v2alpha1 model

model/clusters_mgmt/v1/cluster_registry_config_type.model

@@ -0,0 +1,88 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// ClusterRegistryConfig describes the configuration of registries for the cluster.
+// Its format reflects the OpenShift Image Configuration, for which docs are available on
+// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
+// ```json
+// {
+//    "registry_config": {
+//      "registry_sources": {
+//        "blocked_registries": [
+//          "badregistry.io",
+//          "badregistry8.io"
+//        ]
+//      }
+//    }
+// }
+// ```
+//
+struct ClusterRegistryConfig {
+	// Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries
+	// which needs to be whitelisted for the platform to work. It can be omitted at creation and 
+	// updating and its lifecycle can be managed separately if needed.
+	Allowlist RegistryAllowlist
+	// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+	// for each additional registry CA to trust.
+	AdditionalTrustedCa [String]String
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from. Users with
+	// permission to create Images or ImageStreamMappings via the API are not affected by
+	// this policy - typically only administrators or system integrations will have those
+	// permissions.
+	AllowedRegistriesForImport []RegistryLocation
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images for builds+pods. (e.g.
+	// whether or not to allow insecure access). It does not contain configuration for the
+	// internal cluster registry.
+	RegistrySources RegistrySources
+}
+
+// RegistrySources contains configuration that determines how the container runtime should treat individual
+// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
+// It does not contain configuration for the internal cluster registry.
+struct RegistrySources {
+	// AllowedRegistries: registries for which image pull and push actions are allowed.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+	// Mutually exclusive with `BlockedRegistries`
+	AllowedRegistries []String
+	// BlockedRegistries: registries for which image pull and push actions are denied.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+	// Mutually exclusive with `AllowedRegistries`
+	BlockedRegistries []String
+	// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest.
+	InsecureRegistries []String
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+struct RegistryLocation {
+	// domainName specifies a domain name for the registry
+	// In case the registry use non-standard (80 or 443) port, the port should be included
+	// in the domain name as well.
+	DomainName String
+	// insecure indicates whether the registry is secure (https) or insecure (http)
+	// By default (if not specified) the registry is assumed as secure.
+	Insecure Boolean
+}

model/clusters_mgmt/v1/cluster_type.model

@@ -242,4 +242,7 @@ class Cluster {
 
 	// Indicate whether the cluster is enabled for multi arch workers
 	MultiArchEnabled Boolean
+
+	// Registry configuration for the cluster
+	RegistryConfig ClusterRegistryConfig
 }

model/clusters_mgmt/v1/registry_allowlist_resource.model

@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific registry allowlist.
+resource RegistryAllowlist {
+	// Retrieves the details of the allowlist.
+	method Get {
+		out Body RegistryAllowlist
+	}
+
+	// Deletes the allowlist.
+	method Delete {
+	}
+}

model/clusters_mgmt/v1/registry_allowlist_type.model

@@ -0,0 +1,25 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// RegistryAllowlist represents a single registry allowlist.
+class RegistryAllowlist {
+	// CreationTimestamp is the date and time when the allow list has been created.
+	CreationTimestamp Date
+	// Registries is the list of registries contained in this Allowlist.
+	Registries        []String
+	// CloudProvider is the cloud provider for which this allowlist is valid.
+	CloudProvider     CloudProvider
+}

model/clusters_mgmt/v1/registry_allowlists_resource.model

@@ -0,0 +1,75 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages the registry allowlists.
+resource RegistryAllowlists {
+	// Retrieves the list of registry allowlists.
+	method List {
+		// Index of the requested page, where one corresponds to the first page.
+		in out Page Integer = 1
+
+		// Number of items contained in the returned page.
+		in out Size Integer = 100
+
+		// Search criteria.
+		//
+		// The syntax of this parameter is similar to the syntax of the _where_ clause of a
+		// SQL statement, but using the names of the attributes of the registry allowlists
+		// instead of the names of the columns of a table. For example, in order to retrieve all
+		// the allowlists with a specific cloud provider and creation time the following is required:
+		//
+		// ```sql
+		// cloud_provider.id='aws' and creation_timestamp > '2023-03-01T00:00:00Z'
+		// ```
+		//
+		// If the parameter isn't provided, or if the value is empty, then all the
+		// registry allowlists that the user has permission to see will be returned.
+		in Search String
+
+		// Order criteria.
+		//
+		// The syntax of this parameter is similar to the syntax of the _order by_ clause of
+		// a SQL statement, but using the names of the attributes of the registry allowlists
+		// instead of the the names of the columns of a table. For example, in order to sort the
+		// allowlists descending by identifier the value should be:
+		//
+		// ```sql
+		// creation_timestamp desc
+		// ```
+		//
+		// If the parameter isn't provided, or if the value is empty, then the order of the
+		// results is undefined.
+		in Order String
+
+		// Total number of items of the collection.
+		out Total Integer
+
+		// Retrieved list of registry allowlists.
+		out Items []RegistryAllowlist
+	}
+
+	// Adds a new break registry allowlist.
+	method Add {
+		// Data of the new registry allowlist.
+		in out Body RegistryAllowlist
+	}
+
+	// Reference to the service that manages a specific registry allowlist.
+	locator RegistryAllowlist {
+		target RegistryAllowlist
+		variable ID
+	}
+}

model/clusters_mgmt/v1/root_resource.model

@@ -131,4 +131,9 @@ resource Root {
 	locator GCP {
 		target GCP
 	}
+
+	// Reference to the resource that manages the collection of registry allowlists.
+	locator RegistryAllowlists {
+		target RegistryAllowlists
+	}
 }

model/clusters_mgmt/v2alpha1/cluster_registry_config_type.model

@@ -0,0 +1,88 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// ClusterRegistryConfig describes the configuration of registries for the cluster.
+// Its format reflects the OpenShift Image Configuration, for which docs are available on
+// [docs.openshift.com](https://docs.openshift.com/container-platform/4.16/openshift_images/image-configuration.html)
+// ```json
+// {
+//    "registry_config": {
+//      "registry_sources": {
+//        "blocked_registries": [
+//          "badregistry.io",
+//          "badregistry8.io"
+//        ]
+//      }
+//    }
+// }
+// ```
+//
+struct ClusterRegistryConfig {
+	// Allowlist contains a reference to a RegistryAllowlist which is a list of internal registries
+	// which needs to be whitelisted for the platform to work. It can be omitted at creation and 
+	// updating and its lifecycle can be managed separately if needed.
+	Allowlist RegistryAllowlist
+	// A map containing the registry hostname as the key, and the PEM-encoded certificate as the value,
+	// for each additional registry CA to trust.
+	AdditionalTrustedCa [String]String
+	// AllowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from. Users with
+	// permission to create Images or ImageStreamMappings via the API are not affected by
+	// this policy - typically only administrators or system integrations will have those
+	// permissions.
+	AllowedRegistriesForImport []RegistryLocation
+	// RegistrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images for builds+pods. (e.g.
+	// whether or not to allow insecure access). It does not contain configuration for the
+	// internal cluster registry.
+	RegistrySources RegistrySources
+}
+
+// RegistrySources contains configuration that determines how the container runtime should treat individual
+// registries when accessing images for builds and pods. For instance, whether or not to allow insecure access.
+// It does not contain configuration for the internal cluster registry.
+struct RegistrySources {
+	// AllowedRegistries: registries for which image pull and push actions are allowed.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are blocked.
+	// Mutually exclusive with `BlockedRegistries`
+	AllowedRegistries []String
+	// BlockedRegistries: registries for which image pull and push actions are denied.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest. All other registries are allowed.
+	// Mutually exclusive with `AllowedRegistries`
+	BlockedRegistries []String
+	// InsecureRegistries are registries which do not have a valid TLS certificate or only support HTTP connections.
+	// To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name.
+	// For example, *.example.com. You can specify an individual repository within a registry.
+	// For example: reg1.io/myrepo/myapp:latest.
+	InsecureRegistries []String
+}
+
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
+struct RegistryLocation {
+	// domainName specifies a domain name for the registry
+	// In case the registry use non-standard (80 or 443) port, the port should be included
+	// in the domain name as well.
+	DomainName String
+	// insecure indicates whether the registry is secure (https) or insecure (http)
+	// By default (if not specified) the registry is assumed as secure.
+	Insecure Boolean
+}

model/clusters_mgmt/v2alpha1/cluster_type.model

@@ -242,4 +242,7 @@ class Cluster {
 
 	// Indicate whether the cluster is enabled for multi arch workers
 	MultiArchEnabled Boolean
+
+	// Registry configuration for the cluster
+	RegistryConfig ClusterRegistryConfig
 }

model/clusters_mgmt/v2alpha1/registry_allowlist_resource.model

@@ -0,0 +1,27 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Manages a specific registry allowlist.
+resource RegistryAllowlist {
+	// Retrieves the details of the allowlist.
+	method Get {
+		out Body RegistryAllowlist
+	}
+
+	// Deletes the allowlist.
+	method Delete {
+	}
+}

model/clusters_mgmt/v2alpha1/registry_allowlist_type.model

@@ -0,0 +1,25 @@
+/*
+Copyright (c) 2024 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// RegistryAllowlist represents a single registry allowlist.
+class RegistryAllowlist {
+	// CreationTimestamp is the date and time when the allow list has been created.
+	CreationTimestamp Date
+	// Registries is the list of registries contained in this Allowlist.
+	Registries        []String
+	// CloudProvider is the cloud provider for which this allowlist is valid.
+	CloudProvider     CloudProvider
+}