/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
| 16 | |
| 17 | package v1beta1 |
| 18 | |
| 19 | import ( |
| 20 | "fmt" |
| 21 | |
| 22 | v1 "k8s.io/api/core/v1" |
| 23 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 24 | ) |
| 25 | |
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.12
// +k8s:prerelease-lifecycle-gen:deprecated=1.19
// +k8s:prerelease-lifecycle-gen:replacement=certificates.k8s.io,v1,CertificateSigningRequest

// CertificateSigningRequest describes a certificate signing request: the
// requester-supplied CSR and key usages in Spec, and the conditions and the
// issued certificate that the cluster records in Status.
// The prerelease-lifecycle markers above record that this v1beta1 API was
// introduced in 1.12 and deprecated in 1.19 in favour of the
// certificates.k8s.io/v1 CertificateSigningRequest.
type CertificateSigningRequest struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata. The resource is cluster-scoped
	// (+genclient:nonNamespaced above).
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// The certificate request itself and any additional information.
	// +optional
	Spec CertificateSigningRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`

	// Derived information about the request: conditions (approval, denial,
	// failure) and, once signed, the issued certificate.
	// +optional
	Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
| 47 | |
// CertificateSigningRequestSpec holds the certificate request itself and the
// identity of the requester.
// This information is immutable after the request is created. Only the Request
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
type CertificateSigningRequestSpec struct {
	// Base64-encoded PKCS#10 CSR data
	// NOTE(review): this is the one blob the requester controls; any subject,
	// SAN or extension it carries is a claim made by the caller, not an
	// identity verified by Kubernetes.
	// +listType=atomic
	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`

	// Requested signer for the request. It is a qualified name in the form:
	// `scope-hostname.io/name`.
	// If empty, it will be defaulted:
	//  1. If it's a kubelet client certificate, it is assigned
	//     "kubernetes.io/kube-apiserver-client-kubelet".
	//  2. If it's a kubelet serving certificate, it is assigned
	//     "kubernetes.io/kubelet-serving".
	//  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
	// Distribution of trust for signers happens out of band.
	// You can select on this field using `spec.signerName`.
	// +optional
	SignerName *string `json:"signerName,omitempty" protobuf:"bytes,7,opt,name=signerName"`

	// usages specifies a set of usage contexts the key will be
	// valid for.
	// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
	// NOTE(review): usages are set by the requester on creation (see the type
	// comment); whether a given usage is honoured for a given signer is a
	// decision of the approver/signer, not something this type enforces.
	// Valid values are:
	//  "signing",
	//  "digital signature",
	//  "content commitment",
	//  "key encipherment",
	//  "key agreement",
	//  "data encipherment",
	//  "cert sign",
	//  "crl sign",
	//  "encipher only",
	//  "decipher only",
	//  "any",
	//  "server auth",
	//  "client auth",
	//  "code signing",
	//  "email protection",
	//  "s/mime",
	//  "ipsec end system",
	//  "ipsec tunnel",
	//  "ipsec user",
	//  "timestamping",
	//  "ocsp signing",
	//  "microsoft sgc",
	//  "netscape sgc"
	// +listType=atomic
	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`

	// Information about the requesting user.
	// See user.Info interface for details.
	// NOTE(review): Username, UID, Groups and Extra are derived by Kubernetes
	// from the requesting user and cannot be set by the caller (see the type
	// comment), so approval and signing logic should base identity decisions
	// on these fields rather than on the subject embedded in Request.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
	// UID information about the requesting user.
	// See user.Info interface for details.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
	// Group information about the requesting user.
	// See user.Info interface for details.
	// +listType=atomic
	// +optional
	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
	// Extra information about the requesting user.
	// See user.Info interface for details.
	// +optional
	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
}
| 118 | |
// Built in signerName values that are honoured by kube-controller-manager.
// A CertificateSigningRequestSpec.SignerName is compared against these values;
// distribution of trust for any signer happens out of band.
// None of these usages are related to ServiceAccount token secrets
// `.data[ca.crt]` in any way.
const (
	// Signs certificates that will be honored as client-certs by the
	// kube-apiserver. Never auto-approved by kube-controller-manager.
	KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client"

	// Signs client certificates that will be honored as client-certs by the
	// kube-apiserver for a kubelet.
	// May be auto-approved by kube-controller-manager.
	KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet"

	// Signs serving certificates that are honored as a valid kubelet serving
	// certificate by the kube-apiserver, but has no other guarantees.
	KubeletServingSignerName = "kubernetes.io/kubelet-serving"

	// Has no guarantees for trust at all. Some distributions may honor these
	// as client certs, but that behavior is not standard kubernetes behavior.
	// This is also the value SignerName defaults to when it is left empty and
	// the request is not recognised as a kubelet client or serving request.
	LegacyUnknownSignerName = "kubernetes.io/legacy-unknown"
)
| 140 | |
// ExtraValue wraps []string so that protobuf code can be generated for the
// values of the Extra map on a CertificateSigningRequestSpec.
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type ExtraValue []string

// String renders the value the way fmt's default %v verb renders a []string,
// e.g. ExtraValue{"a", "b"} prints as "[a b]".
func (t ExtraValue) String() string {
	values := []string(t)
	return fmt.Sprint(values)
}
| 149 | |
// CertificateSigningRequestStatus holds the conditions recorded for a request
// and, once the request has been approved and signed, the issued certificate.
type CertificateSigningRequestStatus struct {
	// Conditions applied to the request, such as approval or denial.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`

	// If request was approved, the controller will place the issued certificate here.
	// +listType=atomic
	// +optional
	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
}
| 162 | |
// RequestConditionType names a condition that can be recorded on a
// CertificateSigningRequest.
type RequestConditionType string

// These are the possible conditions for a certificate request.
const (
	// CertificateApproved means the request has been approved; the controller
	// then places the issued certificate in Status.Certificate.
	CertificateApproved RequestConditionType = "Approved"
	// CertificateDenied means the request has been denied.
	CertificateDenied RequestConditionType = "Denied"
	// CertificateFailed means the request could not be fulfilled.
	CertificateFailed RequestConditionType = "Failed"
)
| 171 | |
// CertificateSigningRequestCondition records one condition (Approved, Denied
// or Failed) on a request, together with a reason, a human-readable message
// and the timestamps of its last update and last status transition.
type CertificateSigningRequestCondition struct {
	// type of the condition. Known conditions include "Approved", "Denied", and "Failed".
	Type RequestConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=RequestConditionType"`
	// Status of the condition, one of True, False, Unknown.
	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
	// Defaults to "True".
	// If unset, should be treated as "True".
	// +optional
	Status v1.ConditionStatus `json:"status" protobuf:"bytes,6,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
	// brief reason for the request state
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
	// human readable message with details about the request state
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
	// timestamp for the last update to this condition
	// +optional
	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,4,opt,name=lastUpdateTime"`
	// lastTransitionTime is the time the condition last transitioned from one status to another.
	// If unset, when a new condition type is added or an existing condition's status is changed,
	// the server defaults this to the current time.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,5,opt,name=lastTransitionTime"`
}
| 196 | |
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.12
// +k8s:prerelease-lifecycle-gen:deprecated=1.19
// +k8s:prerelease-lifecycle-gen:replacement=certificates.k8s.io,v1,CertificateSigningRequestList

// CertificateSigningRequestList is a collection of CertificateSigningRequest
// objects, as returned by a list call.
type CertificateSigningRequestList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of CertificateSigningRequest objects.
	Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
}
| 209 | |
// KeyUsage specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type KeyUsage string

// The values below are the ones accepted in CertificateSigningRequestSpec.Usages.
// Broadly, the first group corresponds to RFC 5280 key usage bits and the
// remainder to extended key usage purposes.
const (
	UsageSigning KeyUsage = "signing"
	UsageDigitalSignature KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment KeyUsage = "key encipherment"
	UsageKeyAgreement KeyUsage = "key agreement"
	UsageDataEncipherment KeyUsage = "data encipherment"
	UsageCertSign KeyUsage = "cert sign"
	UsageCRLSign KeyUsage = "crl sign"
	UsageEncipherOnly KeyUsage = "encipher only"
	UsageDecipherOnly KeyUsage = "decipher only"
	UsageAny KeyUsage = "any"
	UsageServerAuth KeyUsage = "server auth"
	UsageClientAuth KeyUsage = "client auth"
	UsageCodeSigning KeyUsage = "code signing"
	UsageEmailProtection KeyUsage = "email protection"
	UsageSMIME KeyUsage = "s/mime"
	UsageIPsecEndSystem KeyUsage = "ipsec end system"
	UsageIPsecTunnel KeyUsage = "ipsec tunnel"
	UsageIPsecUser KeyUsage = "ipsec user"
	UsageTimestamping KeyUsage = "timestamping"
	UsageOCSPSigning KeyUsage = "ocsp signing"
	UsageMicrosoftSGC KeyUsage = "microsoft sgc"
	UsageNetscapeSGC KeyUsage = "netscape sgc"
)