diff --git a/pkg/apis/authentication/register.go b/pkg/apis/authentication/register.go index b0ac3c28bfb..1174d5cce50 100644 --- a/pkg/apis/authentication/register.go +++ b/pkg/apis/authentication/register.go @@ -45,6 +45,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &TokenReview{}, + &TokenRequest{}, ) return nil } diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go index 52cfe6bf8ca..deb33cfc198 100644 --- a/pkg/apis/authentication/types.go +++ b/pkg/apis/authentication/types.go @@ -18,6 +18,7 @@ package authentication import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ) const ( @@ -88,3 +89,57 @@ type UserInfo struct { // ExtraValue masks the value so protobuf can generate type ExtraValue []string + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// TokenRequest requests a token for a given service account. +type TokenRequest struct { + metav1.TypeMeta + // ObjectMeta fulfills the metav1.ObjectMetaAccessor interface so that the stock + // REST handler paths work + metav1.ObjectMeta + + Spec TokenRequestSpec + Status TokenRequestStatus +} + +// TokenRequestSpec contains client provided parameters of a token request. +type TokenRequestSpec struct { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identitfy themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. + Audiences []string + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + ExpirationSeconds int64 + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound objet exists. + BoundObjectRef *BoundObjectReference +} + +// TokenRequestStatus is the result of a token request. +type TokenRequestStatus struct { + // Token is the opaque bearer token. + Token string + // ExpirationTimestamp is the time of expiration of the returned token. + ExpirationTimestamp metav1.Time +} + +// BoundObjectReference is a reference to an object that a token is bound to. +type BoundObjectReference struct { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + Kind string + // API version of the referent. + APIVersion string + + // Name of the referent. + Name string + // UID of the referent. + UID types.UID +} diff --git a/staging/src/k8s.io/api/authentication/v1/register.go b/staging/src/k8s.io/api/authentication/v1/register.go index 2ca79a620a5..c522e4a46d7 100644 --- a/staging/src/k8s.io/api/authentication/v1/register.go +++ b/staging/src/k8s.io/api/authentication/v1/register.go @@ -45,6 +45,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &TokenReview{}, + &TokenRequest{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/staging/src/k8s.io/api/authentication/v1/types.go b/staging/src/k8s.io/api/authentication/v1/types.go index b6d30bbe613..723457a3dd2 100644 --- a/staging/src/k8s.io/api/authentication/v1/types.go +++ b/staging/src/k8s.io/api/authentication/v1/types.go @@ -20,6 +20,7 @@ import ( "fmt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ) const ( @@ -105,3 +106,63 @@ type ExtraValue []string func (t ExtraValue) String() string { return fmt.Sprintf("%v", []string(t)) } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// TokenRequest requests a token for a given service account. +type TokenRequest struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + Spec TokenRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + // +optional + Status TokenRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// TokenRequestSpec contains client provided parameters of a token request. +type TokenRequestSpec struct { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identitfy themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. + Audiences []string `json:"audiences" protobuf:"bytes,1,rep,name=audiences"` + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + ExpirationSeconds *int64 `json:"expirationSeconds" protobuf:"varint,4,opt,name=expirationSeconds"` + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound objet exists. + // +optional + BoundObjectRef *BoundObjectReference `json:"boundObjectRef" protobuf:"bytes,3,opt,name=boundObjectRef"` +} + +// TokenRequestStatus is the result of a token request. +type TokenRequestStatus struct { + // Token is the opaque bearer token. + Token string `json:"token" protobuf:"bytes,1,opt,name=token"` + // ExpirationTimestamp is the time of expiration of the returned token. + ExpirationTimestamp metav1.Time `json:"expirationTimestamp" protobuf:"bytes,2,opt,name=expirationTimestamp"` +} + +// BoundObjectReference is a reference to an object that a token is bound to. +type BoundObjectReference struct { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"` + // API version of the referent. + // +optional + APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=aPIVersion"` + + // Name of the referent. + // +optional + Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"` + // UID of the referent. + // +optional + UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID"` +} diff --git a/staging/src/k8s.io/api/authentication/v1beta1/register.go b/staging/src/k8s.io/api/authentication/v1beta1/register.go index ed23e50f7e9..da772f92906 100644 --- a/staging/src/k8s.io/api/authentication/v1beta1/register.go +++ b/staging/src/k8s.io/api/authentication/v1beta1/register.go @@ -45,6 +45,7 @@ var ( func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &TokenReview{}, + &TokenRequest{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/staging/src/k8s.io/api/authentication/v1beta1/types.go b/staging/src/k8s.io/api/authentication/v1beta1/types.go index a90949dc37d..4608966a354 100644 --- a/staging/src/k8s.io/api/authentication/v1beta1/types.go +++ b/staging/src/k8s.io/api/authentication/v1beta1/types.go @@ -20,6 +20,7 @@ import ( "fmt" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ) // +genclient @@ -90,3 +91,63 @@ type ExtraValue []string func (t ExtraValue) String() string { return fmt.Sprintf("%v", []string(t)) } + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// TokenRequest requests a token for a given service account. +type TokenRequest struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + Spec TokenRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"` + // +optional + Status TokenRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` +} + +// TokenRequestSpec contains client provided parameters of a token request. +type TokenRequestSpec struct { + // Audiences are the intendend audiences of the token. A recipient of a + // token must identitfy themself with an identifier in the list of + // audiences of the token, and otherwise should reject the token. A + // token issued for multiple audiences may be used to authenticate + // against any of the audiences listed but implies a high degree of + // trust between the target audiences. + Audiences []string `json:"audiences" protobuf:"bytes,1,rep,name=audiences"` + + // ExpirationSeconds is the requested duration of validity of the request. The + // token issuer may return a token with a different validity duration so a + // client needs to check the 'expiration' field in a response. + // +optional + ExpirationSeconds *int64 `json:"expirationSeconds" protobuf:"varint,4,opt,name=expirationSeconds"` + + // BoundObjectRef is a reference to an object that the token will be bound to. + // The token will only be valid for as long as the bound objet exists. + // +optional + BoundObjectRef *BoundObjectReference `json:"boundObjectRef" protobuf:"bytes,3,opt,name=boundObjectRef"` +} + +// TokenRequestStatus is the result of a token request. +type TokenRequestStatus struct { + // Token is the opaque bearer token. + Token string `json:"token" protobuf:"bytes,1,opt,name=token"` + // ExpirationTimestmap is the time of expiration of the returned token. + ExpirationTimestamp metav1.Time `json:"expirationTimestamp" protobuf:"bytes,2,opt,name=expirationTimestamp"` +} + +// BoundObjectReference is a reference to an object that a token is bound to. +type BoundObjectReference struct { + // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. + // +optional + Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"` + // API version of the referent. + // +optional + APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=aPIVersion"` + + // Name of the referent. + // +optional + Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"` + // UID of the referent. + // +optional + UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID"` +} diff --git a/test/integration/etcd/etcd_storage_path_test.go b/test/integration/etcd/etcd_storage_path_test.go index 39190c871d2..db54540b89a 100644 --- a/test/integration/etcd/etcd_storage_path_test.go +++ b/test/integration/etcd/etcd_storage_path_test.go @@ -437,11 +437,13 @@ var ephemeralWhiteList = createEphemeralWhiteList( // -- // k8s.io/kubernetes/pkg/apis/authentication/v1beta1 - gvr("authentication.k8s.io", "v1beta1", "tokenreviews"), // not stored in etcd + gvr("authentication.k8s.io", "v1beta1", "tokenreviews"), // not stored in etcd + gvr("authentication.k8s.io", "v1beta1", "tokenrequests"), // not stored in etcd // -- // k8s.io/kubernetes/pkg/apis/authentication/v1 - gvr("authentication.k8s.io", "v1", "tokenreviews"), // not stored in etcd + gvr("authentication.k8s.io", "v1", "tokenreviews"), // not stored in etcd + gvr("authentication.k8s.io", "v1", "tokenrequests"), // not stored in etcd // -- // k8s.io/kubernetes/pkg/apis/authorization/v1beta1