1/*
2Copyright The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
20syntax = "proto2";
21
22package k8s.io.api.certificates.v1beta1;
23
24import "k8s.io/api/core/v1/generated.proto";
25import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
26import "k8s.io/apimachinery/pkg/runtime/generated.proto";
27import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
28
29// Package-wide variables from generator "generated".
30option go_package = "k8s.io/api/certificates/v1beta1";
31
32// Describes a certificate signing request
33message CertificateSigningRequest {
34 // +optional
35 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
36
37 // spec contains the certificate request, and is immutable after creation.
38 // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
39 // Other fields are derived by Kubernetes and cannot be modified by users.
40 optional CertificateSigningRequestSpec spec = 2;
41
42 // Derived information about the request.
43 // +optional
44 optional CertificateSigningRequestStatus status = 3;
45}
46
47message CertificateSigningRequestCondition {
48 // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
49 optional string type = 1;
50
51 // Status of the condition, one of True, False, Unknown.
52 // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
53 // Defaults to "True".
54 // If unset, should be treated as "True".
55 // +optional
56 optional string status = 6;
57
58 // brief reason for the request state
59 // +optional
60 optional string reason = 2;
61
62 // human readable message with details about the request state
63 // +optional
64 optional string message = 3;
65
66 // timestamp for the last update to this condition
67 // +optional
68 optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;
69
70 // lastTransitionTime is the time the condition last transitioned from one status to another.
71 // If unset, when a new condition type is added or an existing condition's status is changed,
72 // the server defaults this to the current time.
73 // +optional
74 optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 5;
75}
76
77message CertificateSigningRequestList {
78 // +optional
79 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
80
81 repeated CertificateSigningRequest items = 2;
82}
83
84// CertificateSigningRequestSpec contains the certificate request.
85message CertificateSigningRequestSpec {
86 // Base64-encoded PKCS#10 CSR data
87 // +listType=atomic
88 optional bytes request = 1;
89
90 // Requested signer for the request. It is a qualified name in the form:
91 // `scope-hostname.io/name`.
92 // If empty, it will be defaulted:
93 // 1. If it's a kubelet client certificate, it is assigned
94 // "kubernetes.io/kube-apiserver-client-kubelet".
95 // 2. If it's a kubelet serving certificate, it is assigned
96 // "kubernetes.io/kubelet-serving".
97 // 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
98 // Distribution of trust for signers happens out of band.
99 // You can select on this field using `spec.signerName`.
100 // +optional
101 optional string signerName = 7;
102
103 // expirationSeconds is the requested duration of validity of the issued
104 // certificate. The certificate signer may issue a certificate with a different
105 // validity duration so a client must check the delta between the notBefore and
106 // and notAfter fields in the issued certificate to determine the actual duration.
107 //
108 // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
109 // honor this field as long as the requested duration is not greater than the
110 // maximum duration they will honor per the --cluster-signing-duration CLI
111 // flag to the Kubernetes controller manager.
112 //
113 // Certificate signers may not honor this field for various reasons:
114 //
115 // 1. Old signer that is unaware of the field (such as the in-tree
116 // implementations prior to v1.22)
117 // 2. Signer whose configured maximum is shorter than the requested duration
118 // 3. Signer whose configured minimum is longer than the requested duration
119 //
120 // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
121 //
122 // +optional
123 optional int32 expirationSeconds = 8;
124
125 // allowedUsages specifies a set of usage contexts the key will be
126 // valid for.
127 // See:
128 // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
129 // https://tools.ietf.org/html/rfc5280#section-4.2.1.12
130 //
131 // Valid values are:
132 // "signing",
133 // "digital signature",
134 // "content commitment",
135 // "key encipherment",
136 // "key agreement",
137 // "data encipherment",
138 // "cert sign",
139 // "crl sign",
140 // "encipher only",
141 // "decipher only",
142 // "any",
143 // "server auth",
144 // "client auth",
145 // "code signing",
146 // "email protection",
147 // "s/mime",
148 // "ipsec end system",
149 // "ipsec tunnel",
150 // "ipsec user",
151 // "timestamping",
152 // "ocsp signing",
153 // "microsoft sgc",
154 // "netscape sgc"
155 // +listType=atomic
156 repeated string usages = 5;
157
158 // Information about the requesting user.
159 // See user.Info interface for details.
160 // +optional
161 optional string username = 2;
162
163 // UID information about the requesting user.
164 // See user.Info interface for details.
165 // +optional
166 optional string uid = 3;
167
168 // Group information about the requesting user.
169 // See user.Info interface for details.
170 // +listType=atomic
171 // +optional
172 repeated string groups = 4;
173
174 // Extra information about the requesting user.
175 // See user.Info interface for details.
176 // +optional
177 map<string, ExtraValue> extra = 6;
178}
179
180message CertificateSigningRequestStatus {
181 // Conditions applied to the request, such as approval or denial.
182 // +listType=map
183 // +listMapKey=type
184 // +optional
185 repeated CertificateSigningRequestCondition conditions = 1;
186
187 // If request was approved, the controller will place the issued certificate here.
188 // +listType=atomic
189 // +optional
190 optional bytes certificate = 2;
191}
192
193// ExtraValue masks the value so protobuf can generate
194// +protobuf.nullable=true
195// +protobuf.options.(gogoproto.goproto_stringer)=false
196message ExtraValue {
197 // items, if empty, will result in an empty slice
198
199 repeated string items = 1;
200}
201
View as plain text