1/*
2Copyright The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
20syntax = "proto2";
21
22package k8s.io.api.certificates.v1alpha1;
23
24import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
25import "k8s.io/apimachinery/pkg/runtime/generated.proto";
26import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
27
28// Package-wide variables from generator "generated".
29option go_package = "k8s.io/api/certificates/v1alpha1";
30
31// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
32// (root certificates).
33//
34// ClusterTrustBundle objects are considered to be readable by any authenticated
35// user in the cluster, because they can be mounted by pods using the
36// `clusterTrustBundle` projection. All service accounts have read access to
37// ClusterTrustBundles by default. Users who only have namespace-level access
38// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
39// that they have access to.
40//
41// It can be optionally associated with a particular assigner, in which case it
42// contains one valid set of trust anchors for that signer. Signers may have
43// multiple associated ClusterTrustBundles; each is an independent set of trust
44// anchors for that signer. Admission control is used to enforce that only users
45// with permissions on the signer can create or modify the corresponding bundle.
46message ClusterTrustBundle {
47 // metadata contains the object metadata.
48 // +optional
49 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
50
51 // spec contains the signer (if any) and trust anchors.
52 optional ClusterTrustBundleSpec spec = 2;
53}
54
55// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
56message ClusterTrustBundleList {
57 // metadata contains the list metadata.
58 //
59 // +optional
60 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
61
62 // items is a collection of ClusterTrustBundle objects
63 repeated ClusterTrustBundle items = 2;
64}
65
66// ClusterTrustBundleSpec contains the signer and trust anchors.
67message ClusterTrustBundleSpec {
68 // signerName indicates the associated signer, if any.
69 //
70 // In order to create or update a ClusterTrustBundle that sets signerName,
71 // you must have the following cluster-scoped permission:
72 // group=certificates.k8s.io resource=signers resourceName=<the signer name>
73 // verb=attest.
74 //
75 // If signerName is not empty, then the ClusterTrustBundle object must be
76 // named with the signer name as a prefix (translating slashes to colons).
77 // For example, for the signer name `example.com/foo`, valid
78 // ClusterTrustBundle object names include `example.com:foo:abc` and
79 // `example.com:foo:v1`.
80 //
81 // If signerName is empty, then the ClusterTrustBundle object's name must
82 // not have such a prefix.
83 //
84 // List/watch requests for ClusterTrustBundles can filter on this field
85 // using a `spec.signerName=NAME` field selector.
86 //
87 // +optional
88 optional string signerName = 1;
89
90 // trustBundle contains the individual X.509 trust anchors for this
91 // bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
92 //
93 // The data must consist only of PEM certificate blocks that parse as valid
94 // X.509 certificates. Each certificate must include a basic constraints
95 // extension with the CA bit set. The API server will reject objects that
96 // contain duplicate certificates, or that use PEM block headers.
97 //
98 // Users of ClusterTrustBundles, including Kubelet, are free to reorder and
99 // deduplicate certificate blocks in this file according to their own logic,
100 // as well as to drop PEM block headers and inter-block data.
101 optional string trustBundle = 2;
102}
103
View as plain text