From 3721aecc1556c2143b0c667dbae382f71b7a54c9 Mon Sep 17 00:00:00 2001 From: Taahir Ahmed Date: Tue, 3 Feb 2026 20:26:42 -0800 Subject: [PATCH] Pod Certificates: make update Kubernetes-commit: c76efb3a145830f40ee042b8823e83a973e24372 --- .../v1beta1/podcertificaterequestspec.go | 48 ++++++++++++++++--- applyconfigurations/internal/internal.go | 3 ++ 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go index 234420c40..6e195e383 100644 --- a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go +++ b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go @@ -62,8 +62,7 @@ type PodCertificateRequestSpecApplyConfiguration struct { // `kubernetes.io` signers will never issue certificates with a lifetime // longer than 24 hours. MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"` - // pkixPublicKey is the PKIX-serialized public key the signer will issue the - // certificate to. + // The PKIX-serialized public key the signer will issue the certificate to. // // The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, // or ED25519. Note that this list may be expanded in the future. @@ -74,9 +73,14 @@ type PodCertificateRequestSpecApplyConfiguration struct { // setting a status.conditions entry with a type of "Denied" and a reason of // "UnsupportedKeyType". It may also suggest a key type that it does support // in the message field. + // + // Deprecated: This field is replaced by StubPKCS10Request. If + // StubPKCS10Request is set, this field must be empty. Signer + // implementations should extract the public key from the StubPKCS10Request + // field. PKIXPublicKey []byte `json:"pkixPublicKey,omitempty"` - // proofOfPossession proves that the requesting kubelet holds the private - // key corresponding to pkixPublicKey. + // A proof that the requesting kubelet holds the private key corresponding + // to pkixPublicKey. // // It is contructed by signing the ASCII bytes of the pod's UID using // `pkixPublicKey`. @@ -93,9 +97,31 @@ type PodCertificateRequestSpecApplyConfiguration struct { // golang library function crypto/ecdsa.SignASN1) // // If the key is an ED25519 key, the the signature is as described by the - // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by - // the golang library crypto/ed25519.Sign). + // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the + // golang library crypto/ed25519.Sign). + // + // Deprecated: This field is replaced by StubPKCS10Request. If + // StubPKCS10Request is set, this field must be empty. ProofOfPossession []byte `json:"proofOfPossession,omitempty"` + // A PKCS#10 certificate signing request (DER-serialized) generated by + // Kubelet using the subject private key. + // + // Most signer implementations will ignore the contents of the CSR except to + // extract the subject public key. The API server automatically verifies the + // CSR signature during admission, so the signer does not need to repeat the + // verification. CSRs generated by kubelet are completely empty. + // + // The subject public key must be one of RSA3072, RSA4096, ECDSAP256, + // ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in + // the future. + // + // Signer implementations do not need to support all key types supported by + // kube-apiserver and kubelet. If a signer does not support the key type + // used for a given PodCertificateRequest, it must deny the request by + // setting a status.conditions entry with a type of "Denied" and a reason of + // "UnsupportedKeyType". It may also suggest a key type that it does support + // in the message field. + StubPKCS10Request []byte `json:"stubPKCS10Request,omitempty"` // unverifiedUserAnnotations allow pod authors to pass additional information to // the signer implementation. Kubernetes does not restrict or validate this // metadata in any way. @@ -199,6 +225,16 @@ func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(valu return b } +// WithStubPKCS10Request adds the given value to the StubPKCS10Request field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the StubPKCS10Request field. +func (b *PodCertificateRequestSpecApplyConfiguration) WithStubPKCS10Request(values ...byte) *PodCertificateRequestSpecApplyConfiguration { + for i := range values { + b.StubPKCS10Request = append(b.StubPKCS10Request, values[i]) + } + return b +} + // WithUnverifiedUserAnnotations puts the entries into the UnverifiedUserAnnotations field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, the entries provided by each call will be put on the UnverifiedUserAnnotations field, diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go index 368e4df3a..c32f94c46 100644 --- a/applyconfigurations/internal/internal.go +++ b/applyconfigurations/internal/internal.go @@ -3983,6 +3983,9 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" + - name: stubPKCS10Request + type: + scalar: string - name: unverifiedUserAnnotations type: map: