From 3a09f7e5e4c645b7862f0d4f224130ca3c482e0a Mon Sep 17 00:00:00 2001
From: "mengjiao.liu" <mengjiao.liu@daocloud.io>
Date: Thu, 25 Feb 2021 16:34:37 +0800
Subject: [PATCH] Clarify external CSR signerName description

---
 pkg/apis/certificates/types.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/apis/certificates/types.go b/pkg/apis/certificates/types.go
index b616c000113..78b3e9b9db9 100644
--- a/pkg/apis/certificates/types.go
+++ b/pkg/apis/certificates/types.go
@@ -49,6 +49,12 @@ type CertificateSigningRequestSpec struct {
 	// `scope-hostname.io/name`.
 	// Distribution of trust for signers happens out of band.
 	// You can select on this field using `spec.signerName`.
+	// Kubernetes provides built-in signers that each have a well-known signerName:
+	// 1. kubernetes.io/kube-apiserver-client
+	// 2. kubernetes.io/kube-apiserver-client-kubelet
+	// 3. kubernetes.io/kubelet-serving
+	// 4. kubernetes.io/legacy-unknown
+	// Custom signerNames can also be specified and that those are external signers and as such the control plane signer will not issue certificates.
 	SignerName string
 
 	// usages specifies a set of usage contexts the key will be