Pod Certificates: make update

Kubernetes-commit: c76efb3a145830f40ee042b8823e83a973e24372
2026-02-21 15:43:05 +00:00 · 2026-02-03 20:26:42 -08:00
parent 0efa7daafd
commit 3721aecc15
2 changed files with 45 additions and 6 deletions
--- a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
+++ b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
@@ -62,8 +62,7 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// `kubernetes.io` signers will never issue certificates with a lifetime
 	// longer than 24 hours.
 	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"`
-	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
-	// certificate to.
+	// The PKIX-serialized public key the signer will issue the certificate to.
 	//
 	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
 	// or ED25519. Note that this list may be expanded in the future.
@@ -74,9 +73,14 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// setting a status.conditions entry with a type of "Denied" and a reason of
 	// "UnsupportedKeyType". It may also suggest a key type that it does support
 	// in the message field.
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty.  Signer
+	// implementations should extract the public key from the StubPKCS10Request
+	// field.
 	PKIXPublicKey []byte `json:"pkixPublicKey,omitempty"`
-	// proofOfPossession proves that the requesting kubelet holds the private
-	// key corresponding to pkixPublicKey.
+	// A proof that the requesting kubelet holds the private key corresponding
+	// to pkixPublicKey.
 	//
 	// It is contructed by signing the ASCII bytes of the pod's UID using
 	// `pkixPublicKey`.
@@ -93,9 +97,31 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// golang library function crypto/ecdsa.SignASN1)
 	//
 	// If the key is an ED25519 key, the the signature is as described by the
-	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
-	// the golang library crypto/ed25519.Sign).
+	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the
+	// golang library crypto/ed25519.Sign).
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty.
 	ProofOfPossession []byte `json:"proofOfPossession,omitempty"`
+	// A PKCS#10 certificate signing request (DER-serialized) generated by
+	// Kubelet using the subject private key.
+	//
+	// Most signer implementations will ignore the contents of the CSR except to
+	// extract the subject public key. The API server automatically verifies the
+	// CSR signature during admission, so the signer does not need to repeat the
+	// verification.  CSRs generated by kubelet are completely empty.
+	//
+	// The subject public key must be one of RSA3072, RSA4096, ECDSAP256,
+	// ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in
+	// the future.
+	//
+	// Signer implementations do not need to support all key types supported by
+	// kube-apiserver and kubelet.  If a signer does not support the key type
+	// used for a given PodCertificateRequest, it must deny the request by
+	// setting a status.conditions entry with a type of "Denied" and a reason of
+	// "UnsupportedKeyType". It may also suggest a key type that it does support
+	// in the message field.
+	StubPKCS10Request []byte `json:"stubPKCS10Request,omitempty"`
 	// unverifiedUserAnnotations allow pod authors to pass additional information to
 	// the signer implementation.  Kubernetes does not restrict or validate this
 	// metadata in any way.
@@ -199,6 +225,16 @@ func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(valu
 	return b
 }

+// WithStubPKCS10Request adds the given value to the StubPKCS10Request field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the StubPKCS10Request field.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithStubPKCS10Request(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
+	for i := range values {
+		b.StubPKCS10Request = append(b.StubPKCS10Request, values[i])
+	}
+	return b
+}
+
 // WithUnverifiedUserAnnotations puts the entries into the UnverifiedUserAnnotations field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, the entries provided by each call will be put on the UnverifiedUserAnnotations field,
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@@ -3983,6 +3983,9 @@ var schemaYAML = typed.YAMLObject(`types:
      type:
        scalar: string
      default: ""
+    - name: stubPKCS10Request
+      type:
+        scalar: string
    - name: unverifiedUserAnnotations
      type:
        map: