Merge pull request #136729 from ahmedtd/podcert-pkcs10

Pod Certificates: Add StubPKCS10Request; migrate in-tree usages Kubernetes-commit: 54489c1a338ba521f36f5b73667f03a8e164d18e
2026-02-21 15:43:05 +00:00 · 2026-02-12 04:43:59 +05:30
parent 0efa7daafd 3721aecc15
commit 9f57ca57bd
4 changed files with 48 additions and 9 deletions
--- a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
+++ b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
@@ -62,8 +62,7 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// `kubernetes.io` signers will never issue certificates with a lifetime
 	// longer than 24 hours.
 	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"`
-	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
-	// certificate to.
+	// The PKIX-serialized public key the signer will issue the certificate to.
 	//
 	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
 	// or ED25519. Note that this list may be expanded in the future.
@@ -74,9 +73,14 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// setting a status.conditions entry with a type of "Denied" and a reason of
 	// "UnsupportedKeyType". It may also suggest a key type that it does support
 	// in the message field.
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty.  Signer
+	// implementations should extract the public key from the StubPKCS10Request
+	// field.
 	PKIXPublicKey []byte `json:"pkixPublicKey,omitempty"`
-	// proofOfPossession proves that the requesting kubelet holds the private
-	// key corresponding to pkixPublicKey.
+	// A proof that the requesting kubelet holds the private key corresponding
+	// to pkixPublicKey.
 	//
 	// It is contructed by signing the ASCII bytes of the pod's UID using
 	// `pkixPublicKey`.
@@ -93,9 +97,31 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// golang library function crypto/ecdsa.SignASN1)
 	//
 	// If the key is an ED25519 key, the the signature is as described by the
-	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
-	// the golang library crypto/ed25519.Sign).
+	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the
+	// golang library crypto/ed25519.Sign).
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty.
 	ProofOfPossession []byte `json:"proofOfPossession,omitempty"`
+	// A PKCS#10 certificate signing request (DER-serialized) generated by
+	// Kubelet using the subject private key.
+	//
+	// Most signer implementations will ignore the contents of the CSR except to
+	// extract the subject public key. The API server automatically verifies the
+	// CSR signature during admission, so the signer does not need to repeat the
+	// verification.  CSRs generated by kubelet are completely empty.
+	//
+	// The subject public key must be one of RSA3072, RSA4096, ECDSAP256,
+	// ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in
+	// the future.
+	//
+	// Signer implementations do not need to support all key types supported by
+	// kube-apiserver and kubelet.  If a signer does not support the key type
+	// used for a given PodCertificateRequest, it must deny the request by
+	// setting a status.conditions entry with a type of "Denied" and a reason of
+	// "UnsupportedKeyType". It may also suggest a key type that it does support
+	// in the message field.
+	StubPKCS10Request []byte `json:"stubPKCS10Request,omitempty"`
 	// unverifiedUserAnnotations allow pod authors to pass additional information to
 	// the signer implementation.  Kubernetes does not restrict or validate this
 	// metadata in any way.
@@ -199,6 +225,16 @@ func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(valu
 	return b
 }

+// WithStubPKCS10Request adds the given value to the StubPKCS10Request field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the StubPKCS10Request field.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithStubPKCS10Request(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
+	for i := range values {
+		b.StubPKCS10Request = append(b.StubPKCS10Request, values[i])
+	}
+	return b
+}
+
 // WithUnverifiedUserAnnotations puts the entries into the UnverifiedUserAnnotations field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, the entries provided by each call will be put on the UnverifiedUserAnnotations field,
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@@ -3983,6 +3983,9 @@ var schemaYAML = typed.YAMLObject(`types:
      type:
        scalar: string
      default: ""
+    - name: stubPKCS10Request
+      type:
+        scalar: string
    - name: unverifiedUserAnnotations
      type:
        map:
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 	golang.org/x/time v0.14.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/evanphx/json-patch.v4 v4.13.0
-	k8s.io/api v0.0.0-20260210234759-a7e57c53516a
+	k8s.io/api v0.0.0-20260212004707-9572909952ab
 	k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4
--- a/go.sum
+++ b/go.sum
@@ -123,8 +123,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20260210234759-a7e57c53516a h1:i6v7tCHuRarRfUqNl/XftxKFqDQBUvwJ8PaipCLPXVM=
-k8s.io/api v0.0.0-20260210234759-a7e57c53516a/go.mod h1:B0NIq8pBNVioUSHt/kOyu7VRGgymqYRM18NNuzch9pA=
+k8s.io/api v0.0.0-20260212004707-9572909952ab h1:kJolCsSZHfzmOA5rXmdyRWl5dsUXyRosRKsJrTFJxBs=
+k8s.io/api v0.0.0-20260212004707-9572909952ab/go.mod h1:B0NIq8pBNVioUSHt/kOyu7VRGgymqYRM18NNuzch9pA=
 k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c h1:IV922sFFodkSQRrni7sw7qoqNjDCY7bbHn/xW0tPc6k=
 k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c/go.mod h1:MOYgM5v441TyeB214ckvgCU9rYGX/Mw6Z9ZXIp/F4sU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=