1package v1
2
3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
4
5// CertificateSigningRequest objects provide a mechanism to obtain
6// x509 certificates by submitting a certificate signing request,
7// and having it asynchronously approved and issued.
8//
9// Kubelets use this API to obtain:
10// 1. client certificates to authenticate to kube-apiserver (with
11// the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
12// 2. serving certificates for TLS endpoints kube-apiserver can
13// connect to securely (with the "kubernetes.io/kubelet-serving"
14// signerName).
15//
16// This API can be used to request client certificates to
17// authenticate to kube-apiserver (with the
18// "kubernetes.io/kube-apiserver-client" signerName), or to
19// obtain certificates from custom non-Kubernetes signers.
#CertificateSigningRequest: {
	// apiVersion pins the versioned schema of this representation of
	// the object. Servers should convert recognized schemas to the
	// latest internal value and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1"

	// kind names the REST resource this object represents, in
	// CamelCase. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "CertificateSigningRequest"

	// metadata is the standard Kubernetes object metadata.
	metadata?: v1.#ObjectMeta

	// spec holds the certificate request and is immutable after
	// creation. Only request, signerName, expirationSeconds and
	// usages may be set on creation; every other spec field is
	// derived by Kubernetes from the creating user and cannot be
	// modified by users.
	spec!: #CertificateSigningRequestSpec

	// status records whether the request was approved or denied, the
	// certificate issued by the signer, or the failure condition
	// reported by the signer.
	status?: #CertificateSigningRequestStatus
}
47
48// CertificateSigningRequestCondition describes a condition of a
49// CertificateSigningRequest object
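#CertificateSigningRequestCondition: {
	// lastTransitionTime is the time the condition last transitioned
	// from one status to another. If unset when a new condition type
	// is added or an existing condition's status is changed, the
	// server defaults it to the current time.
	lastTransitionTime?: v1.#Time

	// lastUpdateTime is the time of the last update to this condition.
	lastUpdateTime?: v1.#Time

	// message contains a human readable message with details about
	// the request state.
	message?: string

	// reason indicates a brief reason for the request state.
	reason?: string

	// status of the condition. The API only permits the three
	// values below; an unconstrained string would let a schema
	// consumer accept a condition the API server itself rejects.
	status!: "True" | "False" | "Unknown"

	// type of the condition. Known conditions are "Approved",
	// "Denied", and "Failed".
	//
	// An "Approved" condition is added via the /approval subresource,
	// indicating the request was approved and should be issued by
	// the signer.
	//
	// A "Denied" condition is added via the /approval subresource,
	// indicating the request was denied and should not be issued by
	// the signer.
	//
	// A "Failed" condition is added via the /status subresource,
	// indicating the signer failed to issue the certificate.
	//
	// Approved and Denied conditions are mutually exclusive.
	// Approved, Denied, and Failed conditions cannot be removed once
	// added.
	//
	// Only one condition of a given type is allowed. The type is kept
	// an open string because the API documents the known values
	// rather than an exhaustive set.
	type!: string

	// Approved, Denied and Failed conditions may not be "False" or
	// "Unknown": for those types the only acceptable status is
	// "True", so pin it here rather than leaving it to the reader.
	if type == "Approved" || type == "Denied" || type == "Failed" {
		status: "True"
	}
}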
92
93// CertificateSigningRequestList is a collection of
94// CertificateSigningRequest objects
#CertificateSigningRequestList: {
	// apiVersion pins the versioned schema of this representation of
	// the object. Servers should convert recognized schemas to the
	// latest internal value and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1"

	// kind names the REST resource this object represents, in
	// CamelCase. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "CertificateSigningRequestList"

	// metadata is the standard Kubernetes list metadata.
	metadata?: v1.#ListMeta

	// items is the collection of CertificateSigningRequest objects in
	// this list.
	items!: [...#CertificateSigningRequest]
}
114
115// CertificateSigningRequestSpec contains the certificate request.
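#CertificateSigningRequestSpec: {
	// expirationSeconds is the requested duration of validity of the
	// issued certificate. The certificate signer may issue a
	// certificate with a different validity duration, so a client
	// must check the delta between the notBefore and notAfter fields
	// in the issued certificate to determine the actual duration.
	//
	// The v1.22+ in-tree implementations of the well-known Kubernetes
	// signers will honor this field as long as the requested
	// duration is not greater than the maximum duration they will
	// honor per the --cluster-signing-duration CLI flag to the
	// Kubernetes controller manager.
	//
	// Certificate signers may not honor this field for various
	// reasons:
	//
	// 1. Old signer that is unaware of the field (such as the in-tree
	// implementations prior to v1.22)
	// 2. Signer whose configured maximum is shorter than the
	// requested duration
	// 3. Signer whose configured minimum is longer than the requested
	// duration
	//
	// The minimum valid value for expirationSeconds is 600, i.e. 10
	// minutes; the lower bound is enforced here so that a request
	// the API server would reject is also rejected by this schema.
	expirationSeconds?: int32 & >=600

	// extra contains extra attributes of the user that created the
	// CertificateSigningRequest. Populated by the API server on
	// creation and immutable; users cannot set it.
	extra?: {
		[string]: [...string]
	}

	// groups contains group membership of the user that created the
	// CertificateSigningRequest. Populated by the API server on
	// creation and immutable; users cannot set it.
	groups?: [...string]

	// request contains an x509 certificate signing request encoded in
	// a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or
	// YAML, the data is additionally base64-encoded. Unlike
	// username/uid/groups/extra, this field is supplied by the
	// requester, so the subject and extensions it carries are
	// client-chosen until the signer validates them.
	request!: string

	// signerName indicates the requested signer, and is a qualified
	// name.
	//
	// List/watch requests for CertificateSigningRequests can filter
	// on this field using a "spec.signerName=NAME" fieldSelector.
	//
	// Well-known Kubernetes signers are:
	// 1. "kubernetes.io/kube-apiserver-client": issues client
	// certificates that can be used to authenticate to
	// kube-apiserver.
	// Requests for this signer are never auto-approved by
	// kube-controller-manager, can be issued by the "csrsigning"
	// controller in kube-controller-manager.
	// 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client
	// certificates that kubelets use to authenticate to
	// kube-apiserver.
	// Requests for this signer can be auto-approved by the
	// "csrapproving" controller in kube-controller-manager, and can
	// be issued by the "csrsigning" controller in
	// kube-controller-manager.
	// 3. "kubernetes.io/kubelet-serving" issues serving certificates
	// that kubelets use to serve TLS endpoints, which kube-apiserver
	// can connect to securely.
	// Requests for this signer are never auto-approved by
	// kube-controller-manager, and can be issued by the "csrsigning"
	// controller in kube-controller-manager.
	//
	// More details are available at
	// https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
	//
	// Custom signerNames can also be specified. The signer defines:
	// 1. Trust distribution: how trust (CA bundles) are distributed.
	// 2. Permitted subjects: and behavior when a disallowed subject
	// is requested.
	// 3. Required, permitted, or forbidden x509 extensions in the
	// request (including whether subjectAltNames are allowed, which
	// types, restrictions on allowed values) and behavior when a
	// disallowed extension is requested.
	// 4. Required, permitted, or forbidden key usages / extended key
	// usages.
	// 5. Expiration/certificate lifetime: whether it is fixed by the
	// signer, configurable by the admin.
	// 6. Whether or not requests for CA certificates are allowed.
	signerName!: string

	// uid contains the uid of the user that created the
	// CertificateSigningRequest. Populated by the API server on
	// creation and immutable; users cannot set it.
	uid?: string

	// usages specifies a set of key usages requested in the issued
	// certificate.
	//
	// Requests for TLS client certificates typically request:
	// "digital signature", "key encipherment", "client auth".
	//
	// Requests for TLS serving certificates typically request: "key
	// encipherment", "digital signature", "server auth".
	//
	// Valid values are:
	// "signing", "digital signature", "content commitment",
	// "key encipherment", "key agreement", "data encipherment",
	// "cert sign", "crl sign", "encipher only", "decipher only",
	// "any",
	// "server auth", "client auth",
	// "code signing", "email protection", "s/mime",
	// "ipsec end system", "ipsec tunnel", "ipsec user",
	// "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
	//
	// The element type is left as string so that objects carrying
	// values outside this list, if any exist, still validate; the
	// signer decides which usages it will actually honor.
	usages?: [...string]

	// username contains the name of the user that created the
	// CertificateSigningRequest. Populated by the API server on
	// creation and immutable; users cannot set it.
	username?: string
}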
236
237// CertificateSigningRequestStatus contains conditions used to
238// indicate approved/denied/failed status of the request, and the
239// issued certificate.
#CertificateSigningRequestStatus: {
	// certificate holds the certificate issued by the signer once an
	// Approved condition is present. It is set via the /status
	// subresource and, once populated, is immutable.
	//
	// If the request is denied, a condition of type "Denied" is added
	// and this field stays empty. If the signer cannot issue the
	// certificate, a condition of type "Failed" is added and this
	// field stays empty.
	//
	// Validation requirements:
	// 1. certificate must contain one or more PEM blocks.
	// 2. Every PEM block must carry the "CERTIFICATE" label, contain
	// no headers, and its encoded data must be a BER-encoded ASN.1
	// Certificate structure as described in section 4 of RFC5280.
	// 3. Non-PEM content may appear before or after the "CERTIFICATE"
	// PEM blocks and is unvalidated, to allow for explanatory text
	// as described in section 5.2 of RFC7468.
	//
	// When more than one PEM block is present and the definition of
	// the requested spec.signerName does not say otherwise, the first
	// block is the issued certificate and the following blocks are
	// intermediate certificates to be presented in TLS handshakes.
	//
	// The certificate is PEM encoded. When serialized as JSON or
	// YAML the data is additionally base64-encoded, so it consists
	// of:
	//
	// base64(
	// -----BEGIN CERTIFICATE-----
	// ...
	// -----END CERTIFICATE-----
	// )
	certificate?: string

	// conditions applied to the request. Known conditions are
	// "Approved", "Denied", and "Failed".
	conditions?: [...#CertificateSigningRequestCondition]
}