/*
|
|
Copyright The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
syntax = "proto2";
|
|
|
|
package k8s.io.api.certificates.v1beta1;
|
|
|
|
import "k8s.io/api/core/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
// Package-wide variables from generator "generated".
|
|
option go_package = "k8s.io/api/certificates/v1beta1";
|
|
|
|
// CertificateSigningRequest describes a certificate signing request.
//
// Approval state lives in status.conditions and the issued certificate in
// status.certificate; both are written through subresources (/approval and
// /status), which is what lets RBAC keep "may approve" separate from
// "may sign" for a given signer.
// +k8s:supportsSubresource=/status
// +k8s:supportsSubresource=/approval
message CertificateSigningRequest {
  // metadata is the standard object metadata.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the certificate request, and is immutable after creation.
  // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
  // Other fields (username, uid, groups, extra) are derived by Kubernetes from
  // the authenticated creator and cannot be modified by users; they are the
  // trustworthy statement of who submitted the request.
  optional CertificateSigningRequestSpec spec = 2;

  // status holds derived information about the request: approval/denial
  // conditions and, once signed, the issued certificate.
  // +optional
  optional CertificateSigningRequestStatus status = 3;
}
|
|
|
|
// CertificateSigningRequestCondition describes one condition of a
// CertificateSigningRequest, such as its approval or denial.
message CertificateSigningRequestCondition {
  // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
  // "Approved" and "Denied" are mutually exclusive (see the zeroOrOneOfMember
  // markers on CertificateSigningRequestStatus.conditions).
  optional string type = 1;

  // status of the condition, one of True, False, Unknown.
  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
  // Defaults to "True".
  // If unset, should be treated as "True".
  // +optional
  optional string status = 6;

  // reason is a brief, machine-oriented reason for the request state.
  // +optional
  optional string reason = 2;

  // message is a human readable message with details about the request state.
  // +optional
  optional string message = 3;

  // lastUpdateTime is the timestamp for the last update to this condition.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;

  // lastTransitionTime is the time the condition last transitioned from one status to another.
  // If unset, when a new condition type is added or an existing condition's status is changed,
  // the server defaults this to the current time.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 5;
}
|
|
|
|
// CertificateSigningRequestList is a collection of CertificateSigningRequest objects.
message CertificateSigningRequestList {
  // metadata contains the list metadata.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is the list of CertificateSigningRequest objects.
  repeated CertificateSigningRequest items = 2;
}
|
|
|
|
// CertificateSigningRequestSpec contains the certificate request.
//
// Only request, signerName, expirationSeconds and usages are supplied by the
// requester; username, uid, groups and extra are filled in by the API server
// from the authenticated identity that created the object and cannot be set
// by users. Approvers and signers should base authorization decisions on
// those server-populated identity fields, not on the subject or SANs inside
// the PKCS#10 request, which the requester chooses freely.
message CertificateSigningRequestSpec {
  // request holds the PKCS#10 CSR data. "Base64-encoded" describes the JSON
  // representation of this bytes field; the decoded payload is presumably the
  // PEM-wrapped CSR — confirm against the API server's validation of this field.
  optional bytes request = 1;

  // signerName is the requested signer for the request. It is a qualified name in the form:
  // `scope-hostname.io/name`.
  // If empty, it will be defaulted:
  // 1. If it's a kubelet client certificate, it is assigned
  // "kubernetes.io/kube-apiserver-client-kubelet".
  // 2. If it's a kubelet serving certificate, it is assigned
  // "kubernetes.io/kubelet-serving".
  // 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
  // Distribution of trust for signers happens out of band.
  // You can select on this field using `spec.signerName`.
  //
  // NOTE(review): whether any in-cluster signer acts on
  // "kubernetes.io/legacy-unknown" is not stated here; requesters should set
  // signerName explicitly rather than rely on defaulting.
  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore
  // and notAfter fields in the issued certificate to determine the actual duration.
  //
  // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
  // honor this field as long as the requested duration is not greater than the
  // maximum duration they will honor per the --cluster-signing-duration CLI
  // flag to the Kubernetes controller manager.
  //
  // Certificate signers may not honor this field for various reasons:
  //
  // 1. Old signer that is unaware of the field (such as the in-tree
  // implementations prior to v1.22)
  // 2. Signer whose configured maximum is shorter than the requested duration
  // 3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // usages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  //
  // Valid values are:
  // "signing",
  // "digital signature",
  // "content commitment",
  // "key encipherment",
  // "key agreement",
  // "data encipherment",
  // "cert sign",
  // "crl sign",
  // "encipher only",
  // "decipher only",
  // "any",
  // "server auth",
  // "client auth",
  // "code signing",
  // "email protection",
  // "s/mime",
  // "ipsec end system",
  // "ipsec tunnel",
  // "ipsec user",
  // "timestamping",
  // "ocsp signing",
  // "microsoft sgc",
  // "netscape sgc"
  //
  // NOTE(review): "cert sign", "crl sign" and "any" confer CA-level or
  // unrestricted capability. Which usages each signer accepts is not defined
  // here, so approvers should scrutinize requests that carry them.
  // +listType=atomic
  repeated string usages = 5;

  // username is the name of the user who created the request, as authenticated
  // by the API server. It is populated by Kubernetes and cannot be set by the
  // requester. See user.Info interface for details.
  // +optional
  optional string username = 2;

  // uid is the UID of the user who created the request, as authenticated by
  // the API server. It is populated by Kubernetes and cannot be set by the
  // requester. See user.Info interface for details.
  // +optional
  optional string uid = 3;

  // groups are the groups of the user who created the request, as
  // authenticated by the API server. Populated by Kubernetes; cannot be set
  // by the requester. See user.Info interface for details.
  // +listType=atomic
  // +optional
  repeated string groups = 4;

  // extra holds additional authenticator-provided attributes of the user who
  // created the request. Populated by Kubernetes; cannot be set by the
  // requester. See user.Info interface for details.
  // +optional
  map<string, ExtraValue> extra = 6;
}
|
|
|
|
// CertificateSigningRequestStatus holds the approval state of a request and,
// once signed, the issued certificate.
message CertificateSigningRequestStatus {
  // conditions applied to the request, such as approval or denial.
  // The markers below require condition types to be unique and allow at most
  // one of "Approved" / "Denied" to be present.
  // +listType=map
  // +listMapKey=type
  // +optional
  // +k8s:listType=map
  // +k8s:listMapKey=type
  // +k8s:customUnique
  // +k8s:optional
  // +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
  // +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
  repeated CertificateSigningRequestCondition conditions = 1;

  // certificate is populated by the signing controller with the issued
  // certificate once the request was approved (presumably through the /status
  // subresource the parent object supports).
  // Because a signer may issue a different validity period than requested
  // (see spec.expirationSeconds), clients should read notBefore/notAfter from
  // this certificate rather than assume the requested duration.
  // +optional
  optional bytes certificate = 2;
}
|
|
|
|
// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster, because they can be mounted by pods using the
// `clusterTrustBundle` projection. All service accounts have read access to
// ClusterTrustBundles by default. Users who only have namespace-level access
// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to. Treat the contents as public within the cluster:
// a bundle carries only CA certificates, never private key material.
//
// It can be optionally associated with a particular signer, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
  // metadata contains the object metadata.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the signer (if any) and trust anchors.
  optional ClusterTrustBundleSpec spec = 2;
}
|
|
|
|
// ClusterTrustBundleList is a collection of ClusterTrustBundle objects.
message ClusterTrustBundleList {
  // metadata contains the list metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of ClusterTrustBundle objects.
  repeated ClusterTrustBundle items = 2;
}
|
|
|
|
// ClusterTrustBundleSpec contains the signer and trust anchors.
message ClusterTrustBundleSpec {
  // signerName indicates the associated signer, if any.
  //
  // In order to create or update a ClusterTrustBundle that sets signerName,
  // you must have the following cluster-scoped permission:
  // group=certificates.k8s.io resource=signers resourceName=<the signer name>
  // verb=attest.
  //
  // If signerName is not empty, then the ClusterTrustBundle object must be
  // named with the signer name as a prefix (translating slashes to colons).
  // For example, for the signer name `example.com/foo`, valid
  // ClusterTrustBundle object names include `example.com:foo:abc` and
  // `example.com:foo:v1`.
  //
  // If signerName is empty, then the ClusterTrustBundle object's name must
  // not have such a prefix. Together these naming rules mean that a bundle
  // whose name looks like it belongs to a signer can only have been created
  // by someone holding the attest permission for that signer.
  //
  // List/watch requests for ClusterTrustBundles can filter on this field
  // using a `spec.signerName=NAME` field selector.
  //
  // +optional
  optional string signerName = 1;

  // trustBundle contains the individual X.509 trust anchors for this
  // bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
  //
  // The data must consist only of PEM certificate blocks that parse as valid
  // X.509 certificates. Each certificate must include a basic constraints
  // extension with the CA bit set. The API server will reject objects that
  // contain duplicate certificates, or that use PEM block headers.
  //
  // These checks are structural only: the API server does not judge whether
  // a given anchor is appropriate for any purpose. Consumers decide which
  // bundles to trust by signerName/name, gated by the attest permission above.
  //
  // Users of ClusterTrustBundles, including Kubelet, are free to reorder and
  // deduplicate certificate blocks in this file according to their own logic,
  // as well as to drop PEM block headers and inter-block data.
  optional string trustBundle = 2;
}
|
|
|
|
// ExtraValue masks the value so protobuf can generate a map of string to
// repeated string for CertificateSigningRequestSpec.extra.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message ExtraValue {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}
|
|
|
|
// PodCertificateRequest encodes a pod requesting a certificate from a given
// signer.
//
// Kubelets use this API to implement podCertificate projected volumes. The
// spec is stated by the requesting kubelet; the signer writes the result into
// status.
message PodCertificateRequest {
  // metadata contains the object metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the details about the certificate being requested.
  // All spec fields are immutable after creation.
  optional PodCertificateRequestSpec spec = 2;

  // status contains the issued certificate, and a standard set of conditions.
  // +optional
  optional PodCertificateRequestStatus status = 3;
}
|
|
|
|
// PodCertificateRequestList is a collection of PodCertificateRequest objects.
message PodCertificateRequestList {
  // metadata contains the list metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of PodCertificateRequest objects.
  repeated PodCertificateRequest items = 2;
}
|
|
|
|
// PodCertificateRequestSpec describes the certificate request. All fields are
// immutable after creation.
//
// The pod/service-account/node identity fields are stated by the creating
// kubelet. Whether kube-apiserver cross-checks them against the live Pod and
// Node objects is not described here; signers that encode these values into
// a certificate should confirm that before relying on them.
message PodCertificateRequestSpec {
  // signerName indicates the requested signer.
  //
  // All signer names beginning with `kubernetes.io` are reserved for use by
  // the Kubernetes project. There is currently one well-known signer
  // documented by the Kubernetes project,
  // `kubernetes.io/kube-apiserver-client-pod`, which will issue client
  // certificates understood by kube-apiserver. It is currently
  // unimplemented.
  //
  // +required
  optional string signerName = 1;

  // podName is the name of the pod into which the certificate will be mounted.
  //
  // +required
  optional string podName = 2;

  // podUID is the UID of the pod into which the certificate will be mounted.
  // It is also the message signed in proofOfPossession.
  //
  // +required
  optional string podUID = 3;

  // serviceAccountName is the name of the service account the pod is running as.
  //
  // +required
  optional string serviceAccountName = 4;

  // serviceAccountUID is the UID of the service account the pod is running as.
  //
  // +required
  optional string serviceAccountUID = 5;

  // nodeName is the name of the node the pod is assigned to.
  //
  // +required
  optional string nodeName = 6;

  // nodeUID is the UID of the node the pod is assigned to.
  //
  // +required
  optional string nodeUID = 7;

  // maxExpirationSeconds is the maximum lifetime permitted for the
  // certificate.
  //
  // If omitted, kube-apiserver will set it to 86400 (24 hours). kube-apiserver
  // will reject values shorter than 3600 (1 hour). The maximum allowable
  // value is 7862400 (91 days).
  //
  // The signer implementation is then free to issue a certificate with any
  // lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
  // seconds (1 hour). This constraint is enforced by kube-apiserver.
  // `kubernetes.io` signers will never issue certificates with a lifetime
  // longer than 24 hours.
  //
  // +optional
  // +default=86400
  optional int32 maxExpirationSeconds = 8;

  // pkixPublicKey is the PKIX-serialized public key the signer will issue the
  // certificate to.
  //
  // The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
  // or ED25519 (so smaller RSA moduli such as RSA2048 are not accepted).
  // Note that this list may be expanded in the future.
  //
  // Signer implementations do not need to support all key types supported by
  // kube-apiserver and kubelet. If a signer does not support the key type
  // used for a given PodCertificateRequest, it must deny the request by
  // setting a status.conditions entry with a type of "Denied" and a reason of
  // "UnsupportedKeyType". It may also suggest a key type that it does support
  // in the message field.
  //
  // +required
  optional bytes pkixPublicKey = 9;

  // proofOfPossession proves that the requesting kubelet holds the private
  // key corresponding to pkixPublicKey.
  //
  // It is constructed by signing the ASCII bytes of the pod's UID with the
  // private key that corresponds to `pkixPublicKey`.
  //
  // kube-apiserver validates the proof of possession during creation of the
  // PodCertificateRequest.
  //
  // NOTE(review): the signed message is only the pod UID, with no per-request
  // nonce, so a valid proof can be re-submitted on further requests for the
  // same pod; whether that matters depends on admission controls over who may
  // create PodCertificateRequests for a pod, which are not described here.
  // The digest algorithm for the RSA and ECDSA signatures is also not stated
  // here — confirm against kube-apiserver's verifier before implementing a
  // client.
  //
  // If the key is an RSA key, then the signature is over the ASCII bytes of
  // the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
  // function crypto/rsa.SignPSS with nil options).
  //
  // If the key is an ECDSA key, then the signature is as described by [SEC 1,
  // Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
  // golang library function crypto/ecdsa.SignASN1)
  //
  // If the key is an ED25519 key, the signature is as described by the
  // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
  // the golang library crypto/ed25519.Sign).
  //
  // +required
  optional bytes proofOfPossession = 10;

  // unverifiedUserAnnotations allow pod authors to pass additional information to
  // the signer implementation. Kubernetes does not verify the meaning of this
  // metadata in any way; signers must treat it as untrusted, requester-controlled
  // input.
  //
  // Entries are subject to the same syntactic validation as object metadata annotations,
  // with the addition that all keys must be domain-prefixed. No restrictions
  // are placed on values, except an overall size limitation on the entire field.
  //
  // Signers should document the keys and values they support. Signers should
  // deny requests that contain keys they do not recognize.
  map<string, string> unverifiedUserAnnotations = 11;
}
|
|
|
|
// PodCertificateRequestStatus describes the status of the request, and holds
// the certificate data if the request is issued.
//
// Every field here is written through the /status subresource, so RBAC on
// that subresource is presumably what restricts issuance to the intended
// signer — confirm how a cluster scopes that permission per signer.
message PodCertificateRequestStatus {
  // conditions applied to the request.
  //
  // The types "Issued", "Denied", and "Failed" have special handling. At
  // most one of these conditions may be present, and they must have status
  // "True".
  //
  // If the request is denied with `Reason=UnsupportedKeyType`, the signer may
  // suggest a key type that will work in the message field.
  //
  // +patchMergeKey=type
  // +patchStrategy=merge
  // +listType=map
  // +listMapKey=type
  // +optional
  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;

  // certificateChain is populated with an issued certificate by the signer.
  // This field is set via the /status subresource. Once populated, this field
  // is immutable.
  //
  // If the certificate signing request is denied, a condition of type
  // "Denied" is added and this field remains empty. If the signer cannot
  // issue the certificate, a condition of type "Failed" is added and this
  // field remains empty.
  //
  // Validation requirements:
  // 1. certificateChain must consist of one or more PEM-formatted certificates.
  // 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
  // described in section 4 of RFC5280.
  //
  // These are structural checks only; nothing here verifies that the chain
  // terminates at an anchor the relying party trusts, so peers still need
  // their own trust anchors (for example a ClusterTrustBundle for the signer).
  //
  // If more than one block is present, and the definition of the requested
  // spec.signerName does not indicate otherwise, the first block is the
  // issued certificate, and subsequent blocks should be treated as
  // intermediate certificates and presented in TLS handshakes. When
  // projecting the chain into a pod volume, kubelet will drop any data
  // in-between the PEM blocks, as well as any PEM block headers.
  //
  // +optional
  optional string certificateChain = 2;

  // notBefore is the time at which the certificate becomes valid. The value
  // must be the same as the notBefore value in the leaf certificate in
  // certificateChain. This field is set via the /status subresource. Once
  // populated, it is immutable. The signer must set this field at the same
  // time it sets certificateChain. Whether the API server enforces the
  // equality with the leaf certificate is not stated here; consumers should
  // treat the leaf certificate itself as authoritative.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notBefore = 4;

  // beginRefreshAt is the time at which the kubelet should begin trying to
  // refresh the certificate. This field is set via the /status subresource,
  // and must be set at the same time as certificateChain. Once populated,
  // this field is immutable.
  //
  // This field is only a hint. Kubelet may start refreshing before or after
  // this time if necessary.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time beginRefreshAt = 5;

  // notAfter is the time at which the certificate expires. The value must be
  // the same as the notAfter value in the leaf certificate in
  // certificateChain. This field is set via the /status subresource. Once
  // populated, it is immutable. The signer must set this field at the same
  // time it sets certificateChain. As with notBefore, consumers should treat
  // the leaf certificate itself as authoritative.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notAfter = 6;
}
|
|
|