/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1beta1

import (
	"fmt"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.12
// +k8s:prerelease-lifecycle-gen:deprecated=1.19
// +k8s:prerelease-lifecycle-gen:replacement=certificates.k8s.io,v1,CertificateSigningRequest

// Describes a certificate signing request.
//
// The requester supplies the PKCS#10 request (and optionally signerName,
// expirationSeconds and usages) in Spec; the identity fields in Spec are
// filled in by the API server and cannot be set by the requester. Approval,
// denial, failure and the issued certificate are recorded in Status.
// This v1beta1 API is deprecated (see the prerelease-lifecycle tags above);
// the replacement is certificates.k8s.io/v1 CertificateSigningRequest.
type CertificateSigningRequest struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec contains the certificate request, and is immutable after creation.
	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
	// Other fields are derived by Kubernetes and cannot be modified by users.
	Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Derived information about the request.
	// +optional
	Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

// CertificateSigningRequestSpec contains the certificate request.
type CertificateSigningRequestSpec struct {
	// Base64-encoded PKCS#10 CSR data
	// +listType=atomic
	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`

	// Requested signer for the request. It is a qualified name in the form:
	// `scope-hostname.io/name`.
	// If empty, it will be defaulted:
	//  1. If it's a kubelet client certificate, it is assigned
	//     "kubernetes.io/kube-apiserver-client-kubelet".
	//  2. If it's a kubelet serving certificate, it is assigned
	//     "kubernetes.io/kubelet-serving".
	//  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
	// Distribution of trust for signers happens out of band.
	// You can select on this field using `spec.signerName`.
	// +optional
	SignerName *string `json:"signerName,omitempty" protobuf:"bytes,7,opt,name=signerName"`

	// expirationSeconds is the requested duration of validity of the issued
	// certificate. The certificate signer may issue a certificate with a different
	// validity duration so a client must check the delta between the notBefore
	// and notAfter fields in the issued certificate to determine the actual duration.
	//
	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
	// honor this field as long as the requested duration is not greater than the
	// maximum duration they will honor per the --cluster-signing-duration CLI
	// flag to the Kubernetes controller manager.
	//
	// Certificate signers may not honor this field for various reasons:
	//
	//  1. Old signer that is unaware of the field (such as the in-tree
	//     implementations prior to v1.22)
	//  2. Signer whose configured maximum is shorter than the requested duration
	//  3. Signer whose configured minimum is longer than the requested duration
	//
	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
	//
	// +optional
	ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`

	// usages specifies a set of usage contexts the key will be
	// valid for.
	// See:
	//
	//	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
	//	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
	//
	// Valid values are:
	//
	//	"signing",
	//	"digital signature",
	//	"content commitment",
	//	"key encipherment",
	//	"key agreement",
	//	"data encipherment",
	//	"cert sign",
	//	"crl sign",
	//	"encipher only",
	//	"decipher only",
	//	"any",
	//	"server auth",
	//	"client auth",
	//	"code signing",
	//	"email protection",
	//	"s/mime",
	//	"ipsec end system",
	//	"ipsec tunnel",
	//	"ipsec user",
	//	"timestamping",
	//	"ocsp signing",
	//	"microsoft sgc",
	//	"netscape sgc"
	//
	// The requested usages are only a request: the signer decides which usages
	// the issued certificate actually carries.
	// +listType=atomic
	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`

	// Information about the requesting user.
	// See user.Info interface for details.
	//
	// Username, UID, Groups and Extra are derived by Kubernetes from the
	// authenticated identity that created the request (see the Spec doc on
	// CertificateSigningRequest) and cannot be set by the requester. The subject
	// inside Request, by contrast, is chosen by the requester, so approval
	// decisions should be keyed on these server-derived fields.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
	// UID information about the requesting user.
	// See user.Info interface for details.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
	// Group information about the requesting user.
	// See user.Info interface for details.
	// +listType=atomic
	// +optional
	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
	// Extra information about the requesting user.
	// See user.Info interface for details.
	// +optional
	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
}

// Built in signerName values that are honoured by kube-controller-manager.
// None of these usages are related to ServiceAccount token secrets
// `.data[ca.crt]` in any way.
const (
	// Signs certificates that will be honored as client-certs by the
	// kube-apiserver. Never auto-approved by kube-controller-manager.
	KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client"

	// Signs client certificates that will be honored as client-certs by the
	// kube-apiserver for a kubelet.
	// May be auto-approved by kube-controller-manager.
	KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet"

	// Signs serving certificates that are honored as a valid kubelet serving
	// certificate by the kube-apiserver, but has no other guarantees.
	KubeletServingSignerName = "kubernetes.io/kubelet-serving"

	// Has no guarantees for trust at all. Some distributions may honor these
	// as client certs, but that behavior is not standard kubernetes behavior.
	// This is also the default signerName when none is given and the request
	// is not recognised as a kubelet client or serving certificate (see
	// CertificateSigningRequestSpec.SignerName).
	LegacyUnknownSignerName = "kubernetes.io/legacy-unknown"
)

// ExtraValue masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type ExtraValue []string

// String formats the extra values like a plain []string, e.g. "[a b]".
// It exists because the protobuf stringer is disabled for this type.
func (t ExtraValue) String() string {
	return fmt.Sprintf("%v", []string(t))
}

// CertificateSigningRequestStatus records the outcome of a request: the
// approval/denial/failure conditions and, once a signer has acted on an
// approved request, the issued certificate.
type CertificateSigningRequestStatus struct {
	// Conditions applied to the request, such as approval or denial.
	// Note that a condition whose Status is unset must be read as "True"
	// (see CertificateSigningRequestCondition.Status).
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`

	// If request was approved, the controller will place the issued certificate here.
	// An Approved condition alone does not imply a certificate is present; this
	// field may remain empty until the signer has acted.
	// +listType=atomic
	// +optional
	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
}

// RequestConditionType is the type of a CertificateSigningRequestCondition.
type RequestConditionType string

// These are the possible conditions for a certificate request.
const (
	CertificateApproved RequestConditionType = "Approved"
	CertificateDenied   RequestConditionType = "Denied"
	CertificateFailed   RequestConditionType = "Failed"
)

// CertificateSigningRequestCondition describes one condition of a request,
// such as its approval, denial or failure, with the reason and timestamps.
type CertificateSigningRequestCondition struct {
	// type of the condition. Known conditions include "Approved", "Denied", and "Failed".
	Type RequestConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=RequestConditionType"`
	// Status of the condition, one of True, False, Unknown.
	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
	// Defaults to "True".
	// If unset, should be treated as "True".
	// +optional
	Status v1.ConditionStatus `json:"status" protobuf:"bytes,6,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
	// brief reason for the request state
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
	// human readable message with details about the request state
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
	// timestamp for the last update to this condition
	// +optional
	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,4,opt,name=lastUpdateTime"`
	// lastTransitionTime is the time the condition last transitioned from one status to another.
	// If unset, when a new condition type is added or an existing condition's status is changed,
	// the server defaults this to the current time.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,5,opt,name=lastTransitionTime"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +k8s:prerelease-lifecycle-gen:introduced=1.12
// +k8s:prerelease-lifecycle-gen:deprecated=1.19
// +k8s:prerelease-lifecycle-gen:replacement=certificates.k8s.io,v1,CertificateSigningRequestList

// CertificateSigningRequestList is a collection of CertificateSigningRequest objects.
type CertificateSigningRequestList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// KeyUsage specifies valid usage contexts for keys.
// See:
//
//	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
//	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type KeyUsage string

// Recognised KeyUsage values. The string forms are the wire values accepted
// in CertificateSigningRequestSpec.Usages.
const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)