Matteo Scandolo | a428586 | 2020-12-01 18:10:10 -0800 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2020 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package v1 |
| 18 | |
| 19 | import ( |
| 20 | "fmt" |
| 21 | |
| 22 | v1 "k8s.io/api/core/v1" |
| 23 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 24 | ) |
| 25 | |
| 26 | // +genclient |
| 27 | // +genclient:nonNamespaced |
| 28 | // +genclient:method=UpdateApproval,verb=update,subresource=approval,input=k8s.io/api/certificates/v1.CertificateSigningRequest,result=k8s.io/api/certificates/v1.CertificateSigningRequest |
| 29 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 30 | |
| 31 | // CertificateSigningRequest objects provide a mechanism to obtain x509 certificates |
| 32 | // by submitting a certificate signing request, and having it asynchronously approved and issued. |
| 33 | // |
| 34 | // Kubelets use this API to obtain: |
| 35 | // 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). |
| 36 | // 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). |
| 37 | // |
| 38 | // This API can be used to request client certificates to authenticate to kube-apiserver |
| 39 | // (with the "kubernetes.io/kube-apiserver-client" signerName), |
| 40 | // or to obtain certificates from custom non-Kubernetes signers. |
| 41 | type CertificateSigningRequest struct { |
| 42 | metav1.TypeMeta `json:",inline"` |
| 43 | // +optional |
| 44 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 45 | |
| 46 | // spec contains the certificate request, and is immutable after creation. |
| 47 | // Only the request, signerName, and usages fields can be set on creation. |
| 48 | // Other fields are derived by Kubernetes and cannot be modified by users. |
| 49 | Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` |
| 50 | |
| 51 | // status contains information about whether the request is approved or denied, |
| 52 | // and the certificate issued by the signer, or the failure condition indicating signer failure. |
| 53 | // +optional |
| 54 | Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| 55 | } |
| 56 | |
| 57 | // CertificateSigningRequestSpec contains the certificate request. |
| 58 | type CertificateSigningRequestSpec struct { |
| 59 | // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. |
| 60 | // When serialized as JSON or YAML, the data is additionally base64-encoded. |
| 61 | // +listType=atomic |
| 62 | Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"` |
| 63 | |
| 64 | // signerName indicates the requested signer, and is a qualified name. |
| 65 | // |
| 66 | // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. |
| 67 | // |
| 68 | // Well-known Kubernetes signers are: |
| 69 | // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. |
| 70 | // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. |
| 71 | // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. |
| 72 | // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. |
| 73 | // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. |
| 74 | // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. |
| 75 | // |
| 76 | // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers |
| 77 | // |
| 78 | // Custom signerNames can also be specified. The signer defines: |
| 79 | // 1. Trust distribution: how trust (CA bundles) are distributed. |
| 80 | // 2. Permitted subjects: and behavior when a disallowed subject is requested. |
| 81 | // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. |
| 82 | // 4. Required, permitted, or forbidden key usages / extended key usages. |
| 83 | // 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. |
| 84 | // 6. Whether or not requests for CA certificates are allowed. |
| 85 | SignerName string `json:"signerName" protobuf:"bytes,7,opt,name=signerName"` |
| 86 | |
| 87 | // usages specifies a set of key usages requested in the issued certificate. |
| 88 | // |
| 89 | // Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". |
| 90 | // |
| 91 | // Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". |
| 92 | // |
| 93 | // Valid values are: |
| 94 | // "signing", "digital signature", "content commitment", |
| 95 | // "key encipherment", "key agreement", "data encipherment", |
| 96 | // "cert sign", "crl sign", "encipher only", "decipher only", "any", |
| 97 | // "server auth", "client auth", |
| 98 | // "code signing", "email protection", "s/mime", |
| 99 | // "ipsec end system", "ipsec tunnel", "ipsec user", |
| 100 | // "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" |
| 101 | // +listType=atomic |
| 102 | Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"` |
| 103 | |
| 104 | // username contains the name of the user that created the CertificateSigningRequest. |
| 105 | // Populated by the API server on creation and immutable. |
| 106 | // +optional |
| 107 | Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"` |
| 108 | // uid contains the uid of the user that created the CertificateSigningRequest. |
| 109 | // Populated by the API server on creation and immutable. |
| 110 | // +optional |
| 111 | UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"` |
| 112 | // groups contains group membership of the user that created the CertificateSigningRequest. |
| 113 | // Populated by the API server on creation and immutable. |
| 114 | // +listType=atomic |
| 115 | // +optional |
| 116 | Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"` |
| 117 | // extra contains extra attributes of the user that created the CertificateSigningRequest. |
| 118 | // Populated by the API server on creation and immutable. |
| 119 | // +optional |
| 120 | Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"` |
| 121 | } |
| 122 | |
| 123 | // Built in signerName values that are honored by kube-controller-manager. |
| 124 | const ( |
| 125 | // "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver. |
| 126 | // Never auto-approved by kube-controller-manager. |
| 127 | // Can be issued by the "csrsigning" controller in kube-controller-manager. |
| 128 | KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client" |
| 129 | |
| 130 | // "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver. |
| 131 | // Can be auto-approved by the "csrapproving" controller in kube-controller-manager. |
| 132 | // Can be issued by the "csrsigning" controller in kube-controller-manager. |
| 133 | KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet" |
| 134 | |
| 135 | // "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, |
| 136 | // which kube-apiserver can connect to securely. |
| 137 | // Never auto-approved by kube-controller-manager. |
| 138 | // Can be issued by the "csrsigning" controller in kube-controller-manager. |
| 139 | KubeletServingSignerName = "kubernetes.io/kubelet-serving" |
| 140 | ) |
| 141 | |
| 142 | // ExtraValue masks the value so protobuf can generate |
| 143 | // +protobuf.nullable=true |
| 144 | // +protobuf.options.(gogoproto.goproto_stringer)=false |
| 145 | type ExtraValue []string |
| 146 | |
| 147 | func (t ExtraValue) String() string { |
| 148 | return fmt.Sprintf("%v", []string(t)) |
| 149 | } |
| 150 | |
| 151 | // CertificateSigningRequestStatus contains conditions used to indicate |
| 152 | // approved/denied/failed status of the request, and the issued certificate. |
| 153 | type CertificateSigningRequestStatus struct { |
| 154 | // conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". |
| 155 | // +listType=map |
| 156 | // +listMapKey=type |
| 157 | // +optional |
| 158 | Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"` |
| 159 | |
| 160 | // certificate is populated with an issued certificate by the signer after an Approved condition is present. |
| 161 | // This field is set via the /status subresource. Once populated, this field is immutable. |
| 162 | // |
| 163 | // If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. |
| 164 | // If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. |
| 165 | // |
| 166 | // Validation requirements: |
| 167 | // 1. certificate must contain one or more PEM blocks. |
| 168 | // 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data |
| 169 | // must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. |
| 170 | // 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, |
| 171 | // to allow for explanatory text as described in section 5.2 of RFC7468. |
| 172 | // |
| 173 | // If more than one PEM block is present, and the definition of the requested spec.signerName |
| 174 | // does not indicate otherwise, the first block is the issued certificate, |
| 175 | // and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. |
| 176 | // |
| 177 | // The certificate is encoded in PEM format. |
| 178 | // |
| 179 | // When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: |
| 180 | // |
| 181 | // base64( |
| 182 | // -----BEGIN CERTIFICATE----- |
| 183 | // ... |
| 184 | // -----END CERTIFICATE----- |
| 185 | // ) |
| 186 | // |
| 187 | // +listType=atomic |
| 188 | // +optional |
| 189 | Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"` |
| 190 | } |
| 191 | |
| 192 | // RequestConditionType is the type of a CertificateSigningRequestCondition |
| 193 | type RequestConditionType string |
| 194 | |
| 195 | // Well-known condition types for certificate requests. |
| 196 | const ( |
| 197 | // Approved indicates the request was approved and should be issued by the signer. |
| 198 | CertificateApproved RequestConditionType = "Approved" |
| 199 | // Denied indicates the request was denied and should not be issued by the signer. |
| 200 | CertificateDenied RequestConditionType = "Denied" |
| 201 | // Failed indicates the signer failed to issue the certificate. |
| 202 | CertificateFailed RequestConditionType = "Failed" |
| 203 | ) |
| 204 | |
| 205 | // CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object |
| 206 | type CertificateSigningRequestCondition struct { |
| 207 | // type of the condition. Known conditions are "Approved", "Denied", and "Failed". |
| 208 | // |
| 209 | // An "Approved" condition is added via the /approval subresource, |
| 210 | // indicating the request was approved and should be issued by the signer. |
| 211 | // |
| 212 | // A "Denied" condition is added via the /approval subresource, |
| 213 | // indicating the request was denied and should not be issued by the signer. |
| 214 | // |
| 215 | // A "Failed" condition is added via the /status subresource, |
| 216 | // indicating the signer failed to issue the certificate. |
| 217 | // |
| 218 | // Approved and Denied conditions are mutually exclusive. |
| 219 | // Approved, Denied, and Failed conditions cannot be removed once added. |
| 220 | // |
| 221 | // Only one condition of a given type is allowed. |
| 222 | Type RequestConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=RequestConditionType"` |
| 223 | // status of the condition, one of True, False, Unknown. |
| 224 | // Approved, Denied, and Failed conditions may not be "False" or "Unknown". |
| 225 | Status v1.ConditionStatus `json:"status" protobuf:"bytes,6,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"` |
| 226 | // reason indicates a brief reason for the request state |
| 227 | // +optional |
| 228 | Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"` |
| 229 | // message contains a human readable message with details about the request state |
| 230 | // +optional |
| 231 | Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"` |
| 232 | // lastUpdateTime is the time of the last update to this condition |
| 233 | // +optional |
| 234 | LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,4,opt,name=lastUpdateTime"` |
| 235 | // lastTransitionTime is the time the condition last transitioned from one status to another. |
| 236 | // If unset, when a new condition type is added or an existing condition's status is changed, |
| 237 | // the server defaults this to the current time. |
| 238 | // +optional |
| 239 | LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,5,opt,name=lastTransitionTime"` |
| 240 | } |
| 241 | |
| 242 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 243 | |
| 244 | // CertificateSigningRequestList is a collection of CertificateSigningRequest objects |
| 245 | type CertificateSigningRequestList struct { |
| 246 | metav1.TypeMeta `json:",inline"` |
| 247 | // +optional |
| 248 | metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 249 | |
| 250 | // items is a collection of CertificateSigningRequest objects |
| 251 | Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"` |
| 252 | } |
| 253 | |
| 254 | // KeyUsage specifies valid usage contexts for keys. |
| 255 | // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 |
| 256 | // https://tools.ietf.org/html/rfc5280#section-4.2.1.12 |
| 257 | type KeyUsage string |
| 258 | |
| 259 | // Valid key usages |
| 260 | const ( |
| 261 | UsageSigning KeyUsage = "signing" |
| 262 | UsageDigitalSignature KeyUsage = "digital signature" |
| 263 | UsageContentCommitment KeyUsage = "content commitment" |
| 264 | UsageKeyEncipherment KeyUsage = "key encipherment" |
| 265 | UsageKeyAgreement KeyUsage = "key agreement" |
| 266 | UsageDataEncipherment KeyUsage = "data encipherment" |
| 267 | UsageCertSign KeyUsage = "cert sign" |
| 268 | UsageCRLSign KeyUsage = "crl sign" |
| 269 | UsageEncipherOnly KeyUsage = "encipher only" |
| 270 | UsageDecipherOnly KeyUsage = "decipher only" |
| 271 | UsageAny KeyUsage = "any" |
| 272 | UsageServerAuth KeyUsage = "server auth" |
| 273 | UsageClientAuth KeyUsage = "client auth" |
| 274 | UsageCodeSigning KeyUsage = "code signing" |
| 275 | UsageEmailProtection KeyUsage = "email protection" |
| 276 | UsageSMIME KeyUsage = "s/mime" |
| 277 | UsageIPsecEndSystem KeyUsage = "ipsec end system" |
| 278 | UsageIPsecTunnel KeyUsage = "ipsec tunnel" |
| 279 | UsageIPsecUser KeyUsage = "ipsec user" |
| 280 | UsageTimestamping KeyUsage = "timestamping" |
| 281 | UsageOCSPSigning KeyUsage = "ocsp signing" |
| 282 | UsageMicrosoftSGC KeyUsage = "microsoft sgc" |
| 283 | UsageNetscapeSGC KeyUsage = "netscape sgc" |
| 284 | ) |