diff --git a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
index 234420c40..6e195e383 100644
--- a/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
+++ b/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
@@ -62,8 +62,7 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// `kubernetes.io` signers will never issue certificates with a lifetime
 	// longer than 24 hours.
 	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"`
-	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
-	// certificate to.
+	// The PKIX-serialized public key the signer will issue the certificate to.
 	//
 	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
 	// or ED25519. Note that this list may be expanded in the future.
@@ -74,9 +73,14 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// setting a status.conditions entry with a type of "Denied" and a reason of
 	// "UnsupportedKeyType". It may also suggest a key type that it does support
 	// in the message field.
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty. Signer
+	// implementations should extract the public key from the StubPKCS10Request
+	// field.
 	PKIXPublicKey []byte `json:"pkixPublicKey,omitempty"`
-	// proofOfPossession proves that the requesting kubelet holds the private
-	// key corresponding to pkixPublicKey.
+	// A proof that the requesting kubelet holds the private key corresponding
+	// to pkixPublicKey.
 	//
 	// It is contructed by signing the ASCII bytes of the pod's UID using
 	// `pkixPublicKey`.
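Review bot: The rewritten doc comments on `PKIXPublicKey` and `ProofOfPossession` drop the identifier-first opening (`pkixPublicKey is …`, `proofOfPossession proves …`) that the rest of this struct still uses — the next hunk's context line `unverifiedUserAnnotations allow …` keeps it — so the struct now mixes two comment styles. If the text is copied verbatim from the k8s.io/api type this is acceptable but worth a sentence in the commit message; otherwise I would keep the old form, e.g. `// pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.`, and likewise for the proof and for the new `StubPKCS10Request` comment in the following hunk. The struct definition starts before and ends after this hunk.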
@@ -93,9 +97,31 @@ type PodCertificateRequestSpecApplyConfiguration struct {
 	// golang library function crypto/ecdsa.SignASN1)
 	//
 	// If the key is an ED25519 key, the the signature is as described by the
-	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
-	// the golang library crypto/ed25519.Sign).
+	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the
+	// golang library crypto/ed25519.Sign).
+	//
+	// Deprecated: This field is replaced by StubPKCS10Request. If
+	// StubPKCS10Request is set, this field must be empty.
 	ProofOfPossession []byte `json:"proofOfPossession,omitempty"`
+	// A PKCS#10 certificate signing request (DER-serialized) generated by
+	// Kubelet using the subject private key.
+	//
+	// Most signer implementations will ignore the contents of the CSR except to
+	// extract the subject public key. The API server automatically verifies the
+	// CSR signature during admission, so the signer does not need to repeat the
+	// verification. CSRs generated by kubelet are completely empty.
+	//
+	// The subject public key must be one of RSA3072, RSA4096, ECDSAP256,
+	// ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in
+	// the future.
+	//
+	// Signer implementations do not need to support all key types supported by
+	// kube-apiserver and kubelet. If a signer does not support the key type
+	// used for a given PodCertificateRequest, it must deny the request by
+	// setting a status.conditions entry with a type of "Denied" and a reason of
+	// "UnsupportedKeyType". It may also suggest a key type that it does support
+	// in the message field.
+	StubPKCS10Request []byte `json:"stubPKCS10Request,omitempty"`
 	// unverifiedUserAnnotations allow pod authors to pass additional information to
 	// the signer implementation. Kubernetes does not restrict or validate this
 	// metadata in any way.
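Review bot: The new `StubPKCS10Request` comment tells signers that the CSR is "completely empty" and that admission verifies its signature, but it does not say whether the API server rejects a CSR that does carry a subject, SANs or extensions, so a signer author cannot tell from this text whether such contents may be trusted. I would state the expectation explicitly, e.g. `// Signers must not derive any identity from the CSR's subject, attributes or extensions; only the subject public key is meaningful.` (presumably the identity comes from other spec fields — confirm against the API server validation). "Completely empty" is also imprecise for a DER CSR, which necessarily carries a public key and a signature; `contain no subject name, attributes or extensions` says what is meant. The `ProofOfPossession` deprecation note, unlike the one on `pkixPublicKey` in the previous hunk, does not say what replaces it; `Signer implementations should rely on the CSR signature, which the API server verifies during admission.` would close that gap. The struct definition starts before and ends after this hunk.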
@@ -199,6 +225,16 @@ func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(valu
 	return b
 }
 
+// WithStubPKCS10Request adds the given value to the StubPKCS10Request field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the StubPKCS10Request field.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithStubPKCS10Request(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
+	for i := range values {
+		b.StubPKCS10Request = append(b.StubPKCS10Request, values[i])
+	}
+	return b
+}
+
 // WithUnverifiedUserAnnotations puts the entries into the UnverifiedUserAnnotations field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, the entries provided by each call will be put on the UnverifiedUserAnnotations field,
diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go
index 368e4df3a..c32f94c46 100644
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@@ -3983,6 +3983,9 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+    - name: stubPKCS10Request
+      type:
+        scalar: string
     - name: unverifiedUserAnnotations
       type:
         map:
diff --git a/go.mod b/go.mod
index ea86ceaa7..87c733d4f 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 	golang.org/x/time v0.14.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/evanphx/json-patch.v4 v4.13.0
-	k8s.io/api v0.0.0-20260210234759-a7e57c53516a
+	k8s.io/api v0.0.0-20260212004707-9572909952ab
 	k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4
diff --git a/go.sum b/go.sum
index 21098278d..e3e9c91cb 100644
--- a/go.sum
+++ b/go.sum
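Review bot: `WithStubPKCS10Request` appends the variadic bytes one element at a time; the loop is equivalent to the single line `b.StubPKCS10Request = append(b.StubPKCS10Request, values...)`. This file looks generated by applyconfiguration-gen (inferred from the applyconfigurations path and the identical wording of the neighbouring `With…` doc comments, including the copied typo "can be build"), so the simplification and the typo belong in the generator rather than in a hand edit here. The `WithProofOfPossession` builder above is cut off at the hunk start, so I cannot tell whether the field-level `Deprecated:` on `pkixPublicKey`/`proofOfPossession` is mirrored on their builders; if it is not, apply-configuration users get no deprecation signal from tooling, which is worth checking in the generator.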
@@ -123,8 +123,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.0.0-20260210234759-a7e57c53516a h1:i6v7tCHuRarRfUqNl/XftxKFqDQBUvwJ8PaipCLPXVM=
-k8s.io/api v0.0.0-20260210234759-a7e57c53516a/go.mod h1:B0NIq8pBNVioUSHt/kOyu7VRGgymqYRM18NNuzch9pA=
+k8s.io/api v0.0.0-20260212004707-9572909952ab h1:kJolCsSZHfzmOA5rXmdyRWl5dsUXyRosRKsJrTFJxBs=
+k8s.io/api v0.0.0-20260212004707-9572909952ab/go.mod h1:B0NIq8pBNVioUSHt/kOyu7VRGgymqYRM18NNuzch9pA=
 k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c h1:IV922sFFodkSQRrni7sw7qoqNjDCY7bbHn/xW0tPc6k=
 k8s.io/apimachinery v0.0.0-20260210195147-ac0aa3101e5c/go.mod h1:MOYgM5v441TyeB214ckvgCU9rYGX/Mw6Z9ZXIp/F4sU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=