1package v1alpha1
2
3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
4
5// ClusterTrustBundle is a cluster-scoped container for X.509
6// trust anchors (root certificates).
7//
8// ClusterTrustBundle objects are considered to be readable by any
9// authenticated user in the cluster, because they can be mounted
10// by pods using the `clusterTrustBundle` projection. All service
11// accounts have read access to ClusterTrustBundles by default.
12// Users who only have namespace-level access to a cluster can
13// read ClusterTrustBundles by impersonating a serviceaccount
14// that they have access to.
15//
// It can be optionally associated with a particular signer, in
// which case it contains one valid set of trust anchors for that
18// signer. Signers may have multiple associated
19// ClusterTrustBundles; each is an independent set of trust
20// anchors for that signer. Admission control is used to enforce
21// that only users with permissions on the signer can create or
22// modify the corresponding bundle.
#ClusterTrustBundle: {
	// apiVersion pins the schema version of this object. Servers
	// convert recognized schemas to their latest internal value and
	// may reject unrecognized ones. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1alpha1"

	// kind names the REST resource this object represents, in
	// CamelCase. Servers may infer it from the request endpoint and
	// it cannot be updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterTrustBundle"

	// metadata is the standard object metadata.
	metadata?: v1.#ObjectMeta

	// spec holds the optional signer association and the trust
	// anchors themselves; it is required. ClusterTrustBundle objects
	// are readable by any authenticated user in the cluster (pods can
	// mount them through the `clusterTrustBundle` projection), so the
	// content of spec is public data.
	spec!: #ClusterTrustBundleSpec
}
44
// ClusterTrustBundleList is a collection of ClusterTrustBundle
// objects.
#ClusterTrustBundleList: {
	// apiVersion pins the schema version of this list. Servers
	// convert recognized schemas to their latest internal value and
	// may reject unrecognized ones. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1alpha1"

	// items holds the ClusterTrustBundle objects in this list; it is
	// required (an empty list is allowed).
	items!: [...#ClusterTrustBundle]

	// kind names the REST resource this object represents, in
	// CamelCase. Servers may infer it from the request endpoint and
	// it cannot be updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterTrustBundleList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
68
69// ClusterTrustBundleSpec contains the signer and trust anchors.
#ClusterTrustBundleSpec: {
	// signerName optionally associates this bundle with a signer.
	//
	// Setting signerName on create or update requires the
	// cluster-scoped permission group=certificates.k8s.io
	// resource=signers resourceName=<the signer name> verb=attest, so
	// only identities allowed to attest for that signer can publish
	// anchors under its name. A bundle with an empty signerName is
	// not gated this way; consumers that rely on the gate should
	// select bundles by signerName rather than by object name.
	//
	// When signerName is non-empty the object name must start with
	// the signer name, slashes translated to colons: for the signer
	// `example.com/foo`, `example.com:foo:abc` and `example.com:foo:v1`
	// are valid names. When signerName is empty the object name must
	// not carry such a prefix.
	//
	// List and watch requests can filter on this field with the
	// `spec.signerName=NAME` field selector.
	signerName?: string

	// trustBundle is the PEM bundle of PEM-wrapped, DER-encoded X.509
	// trust anchors for this bundle; it is required.
	//
	// Only PEM certificate blocks that parse as valid X.509
	// certificates are accepted, and each must carry a basic
	// constraints extension with the CA bit set. The API server
	// rejects duplicate certificates and PEM block headers. Because
	// ClusterTrustBundle objects are readable by any authenticated
	// user, treat this content as public.
	//
	// Consumers, Kubelet included, may reorder and deduplicate the
	// certificate blocks and may drop PEM block headers and
	// inter-block data.
	trustBundle!: string
}