Merge pull request #91688 from liggitt/csr-generate-method

v1beta1 CSR cleanups

api/api-rules/violation_exceptions.list

@@ -68,11 +68,6 @@ API rule violation: list_type_missing,k8s.io/api/autoscaling/v2beta2,HorizontalP
 API rule violation: list_type_missing,k8s.io/api/batch/v1,JobStatus,Conditions
 API rule violation: list_type_missing,k8s.io/api/batch/v1beta1,CronJobStatus,Active
 API rule violation: list_type_missing,k8s.io/api/batch/v2alpha1,CronJobStatus,Active
-API rule violation: list_type_missing,k8s.io/api/certificates/v1beta1,CertificateSigningRequestSpec,Groups
-API rule violation: list_type_missing,k8s.io/api/certificates/v1beta1,CertificateSigningRequestSpec,Request
-API rule violation: list_type_missing,k8s.io/api/certificates/v1beta1,CertificateSigningRequestSpec,Usages
-API rule violation: list_type_missing,k8s.io/api/certificates/v1beta1,CertificateSigningRequestStatus,Certificate
-API rule violation: list_type_missing,k8s.io/api/certificates/v1beta1,CertificateSigningRequestStatus,Conditions
 API rule violation: list_type_missing,k8s.io/api/core/v1,AvoidPods,PreferAvoidPods
 API rule violation: list_type_missing,k8s.io/api/core/v1,Capabilities,Add
 API rule violation: list_type_missing,k8s.io/api/core/v1,Capabilities,Drop

api/openapi-spec/swagger.json

@@ -4427,12 +4427,14 @@
           "items": {
             "type": "string"
           },
-          "type": "array"
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         },
         "request": {
           "description": "Base64-encoded PKCS#10 CSR data",
           "format": "byte",
-          "type": "string"
+          "type": "string",
+          "x-kubernetes-list-type": "atomic"
         },
         "signerName": {
           "description": "Requested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted:\n 1. If it's a kubelet client certificate, it is assigned\n    \"kubernetes.io/kube-apiserver-client-kubelet\".\n 2. If it's a kubelet serving certificate, it is assigned\n    \"kubernetes.io/kubelet-serving\".\n 3. Otherwise, it is assigned \"kubernetes.io/legacy-unknown\".\nDistribution of trust for signers happens out of band. You can select on this field using `spec.signerName`.",
@@ -4447,7 +4449,8 @@
           "items": {
             "type": "string"
           },
-          "type": "array"
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         },
         "username": {
           "description": "Information about the requesting user. See user.Info interface for details.",
@@ -4464,14 +4467,19 @@
         "certificate": {
           "description": "If request was approved, the controller will place the issued certificate here.",
           "format": "byte",
-          "type": "string"
+          "type": "string",
+          "x-kubernetes-list-type": "atomic"
         },
         "conditions": {
           "description": "Conditions applied to the request, such as approval or denial.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestCondition"
           },
-          "type": "array"
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "type"
+          ],
+          "x-kubernetes-list-type": "map"
         }
       },
       "type": "object"

staging/src/k8s.io/api/certificates/v1beta1/generated.proto

@@ -85,6 +85,7 @@ message CertificateSigningRequestList {
 // Kubernetes and cannot be modified by users.
 message CertificateSigningRequestSpec {
   // Base64-encoded PKCS#10 CSR data
+  // +listType=atomic
   optional bytes request = 1;
 
   // Requested signer for the request. It is a qualified name in the form:
@@ -104,6 +105,7 @@ message CertificateSigningRequestSpec {
   // valid for.
   // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
   //      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+  // +listType=atomic
   repeated string usages = 5;
 
   // Information about the requesting user.
@@ -118,6 +120,7 @@ message CertificateSigningRequestSpec {
 
   // Group information about the requesting user.
   // See user.Info interface for details.
+  // +listType=atomic
   // +optional
   repeated string groups = 4;
 
@@ -129,10 +132,13 @@ message CertificateSigningRequestSpec {
 
 message CertificateSigningRequestStatus {
   // Conditions applied to the request, such as approval or denial.
+  // +listType=map
+  // +listMapKey=type
   // +optional
   repeated CertificateSigningRequestCondition conditions = 1;
 
   // If request was approved, the controller will place the issued certificate here.
+  // +listType=atomic
   // +optional
   optional bytes certificate = 2;
 }

staging/src/k8s.io/api/certificates/v1beta1/types.go

@@ -49,6 +49,7 @@ type CertificateSigningRequest struct {
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
+	// +listType=atomic
 	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`
 
 	// Requested signer for the request. It is a qualified name in the form:
@@ -68,6 +69,7 @@ type CertificateSigningRequestSpec struct {
 	// valid for.
 	// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+	// +listType=atomic
 	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`
 
 	// Information about the requesting user.
@@ -80,6 +82,7 @@ type CertificateSigningRequestSpec struct {
 	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
 	// Group information about the requesting user.
 	// See user.Info interface for details.
+	// +listType=atomic
 	// +optional
 	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
 	// Extra information about the requesting user.
@@ -121,10 +124,13 @@ func (t ExtraValue) String() string {
 
 type CertificateSigningRequestStatus struct {
 	// Conditions applied to the request, such as approval or denial.
+	// +listType=map
+	// +listMapKey=type
 	// +optional
 	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`
 
 	// If request was approved, the controller will place the issued certificate here.
+	// +listType=atomic
 	// +optional
 	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
 }