github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 14:37:00 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #99494 from enj/enj/i/not_after_ttl_hint

Browse Source 
csr: add expirationSeconds field to control cert lifetime
This commit is contained in:
Kubernetes Prow Robot 2021-07-01 23:02:12 -07:00 committed by GitHub
commit 659c7e709f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
46 changed files with 1769 additions and 251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
api/openapi-spec/swagger.json generated
View File

@ -3864,7 +3864,7 @@
},
"spec": {
"$ref": "#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestSpec",
"description": "spec contains the certificate request, and is immutable after creation. Only the request, signerName, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users."
"description": "spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users."
},
"status": {
"$ref": "#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus",
@ -3954,6 +3954,11 @@
"io.k8s.api.certificates.v1.CertificateSigningRequestSpec": {
"description": "CertificateSigningRequestSpec contains the certificate request.",
"properties": {
"expirationSeconds": {
"description": "expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n 1. Old signer that is unaware of the field (such as the in-tree\n implementations prior to v1.22)\n 2. Signer whose configured maximum is shorter than the requested duration\n 3. Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.\n\nAs of v1.22, this field is beta and is controlled via the CSRDuration feature gate.",
"format": "int32",
"type": "integer"
},
"extra": {
"additionalProperties": {
"items": {

4
cmd/kube-controller-manager/app/options/csrsigningcontroller.go
View File

@ -45,8 +45,8 @@ func (o *CSRSigningControllerOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.KubeAPIServerClientSignerConfiguration.KeyFile, "cluster-signing-kube-apiserver-client-key-file", o.KubeAPIServerClientSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/kube-apiserver-client signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.StringVar(&o.LegacyUnknownSignerConfiguration.CertFile, "cluster-signing-legacy-unknown-cert-file", o.LegacyUnknownSignerConfiguration.CertFile, "Filename containing a PEM-encoded X509 CA certificate used to issue certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.StringVar(&o.LegacyUnknownSignerConfiguration.KeyFile, "cluster-signing-legacy-unknown-key-file", o.LegacyUnknownSignerConfiguration.KeyFile, "Filename containing a PEM-encoded RSA or ECDSA private key used to sign certificates for the kubernetes.io/legacy-unknown signer. If specified, --cluster-signing-{cert,key}-file must not be set.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", o.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.")
fs.DurationVar(&o.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", o.ClusterSigningDuration.Duration, "The max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.")
fs.MarkDeprecated("experimental-cluster-signing-duration", "use --cluster-signing-duration")
}

4
pkg/apis/certificates/fuzzer/fuzzer.go
View File

@ -17,9 +17,12 @@ limitations under the License.
package fuzzer
import (
"time"
fuzz "github.com/google/gofuzz"
runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/certificates"
api "k8s.io/kubernetes/pkg/apis/core"
)
@ -31,6 +34,7 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
c.FuzzNoCustom(obj) // fuzz self without calling this function again
obj.Usages = []certificates.KeyUsage{certificates.UsageKeyEncipherment}
obj.SignerName = "example.com/custom-sample-signer"
obj.ExpirationSeconds = csr.DurationToExpirationSeconds(time.Hour + time.Minute + time.Second)
},
func(obj *certificates.CertificateSigningRequestCondition, c fuzz.Continue) {
c.FuzzNoCustom(obj) // fuzz self without calling this function again

24
pkg/apis/certificates/types.go
View File

@ -68,6 +68,30 @@ type CertificateSigningRequestSpec struct {
// 6. Whether or not requests for CA certificates are allowed.
SignerName string
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32
// usages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

2
pkg/apis/certificates/v1/zz_generated.conversion.go generated
View File

@ -178,6 +178,7 @@ func Convert_certificates_CertificateSigningRequestList_To_v1_CertificateSigning
func autoConvert_v1_CertificateSigningRequestSpec_To_certificates_CertificateSigningRequestSpec(in *v1.CertificateSigningRequestSpec, out *certificates.CertificateSigningRequestSpec, s conversion.Scope) error {
out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
out.SignerName = in.SignerName
out.ExpirationSeconds = (*int32)(unsafe.Pointer(in.ExpirationSeconds))
out.Usages = *(*[]certificates.KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username
out.UID = in.UID
@ -194,6 +195,7 @@ func Convert_v1_CertificateSigningRequestSpec_To_certificates_CertificateSigning
func autoConvert_certificates_CertificateSigningRequestSpec_To_v1_CertificateSigningRequestSpec(in *certificates.CertificateSigningRequestSpec, out *v1.CertificateSigningRequestSpec, s conversion.Scope) error {
out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
out.SignerName = in.SignerName
out.ExpirationSeconds = (*int32)(unsafe.Pointer(in.ExpirationSeconds))
out.Usages = *(*[]v1.KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username
out.UID = in.UID

2
pkg/apis/certificates/v1beta1/zz_generated.conversion.go generated
View File

@ -201,6 +201,7 @@ func autoConvert_v1beta1_CertificateSigningRequestSpec_To_certificates_Certifica
if err := metav1.Convert_Pointer_string_To_string(&in.SignerName, &out.SignerName, s); err != nil {
return err
}
out.ExpirationSeconds = (*int32)(unsafe.Pointer(in.ExpirationSeconds))
out.Usages = *(*[]certificates.KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username
out.UID = in.UID
@ -219,6 +220,7 @@ func autoConvert_certificates_CertificateSigningRequestSpec_To_v1beta1_Certifica
if err := metav1.Convert_string_To_Pointer_string(&in.SignerName, &out.SignerName, s); err != nil {
return err
}
out.ExpirationSeconds = (*int32)(unsafe.Pointer(in.ExpirationSeconds))
out.Usages = *(*[]v1beta1.KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username
out.UID = in.UID

3
pkg/apis/certificates/validation/validation.go
View File

@ -205,6 +205,9 @@ func validateCertificateSigningRequest(csr *certificates.CertificateSigningReque
} else {
allErrs = append(allErrs, ValidateCertificateSigningRequestSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...)
}
if csr.Spec.ExpirationSeconds != nil && *csr.Spec.ExpirationSeconds < 600 {
allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), *csr.Spec.ExpirationSeconds, "may not specify a duration less than 600 seconds (10 minutes)"))
}
allErrs = append(allErrs, validateConditions(field.NewPath("status", "conditions"), csr, opts)...)
if !opts.allowArbitraryCertificate {

71
pkg/apis/certificates/validation/validation_test.go
View File

@ -26,14 +26,17 @@ import (
"reflect"
"strings"
"testing"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/client-go/util/certificate/csr"
capi "k8s.io/kubernetes/pkg/apis/certificates"
capiv1beta1 "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
"k8s.io/kubernetes/pkg/apis/core"
"k8s.io/utils/pointer"
)
var (
@ -262,6 +265,74 @@ func TestValidateCertificateSigningRequestCreate(t *testing.T) {
},
errs: field.ErrorList{},
},
"negative duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(-1),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(-1), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"zero duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(0),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(0), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"one duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: pointer.Int32(1),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), int32(1), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"too short duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Minute),
},
},
errs: field.ErrorList{
field.Invalid(specPath.Child("expirationSeconds"), *csr.DurationToExpirationSeconds(time.Minute), "may not specify a duration less than 600 seconds (10 minutes)"),
},
},
"valid duration": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,
Spec: capi.CertificateSigningRequestSpec{
Usages: validUsages,
Request: newCSRPEM(t),
SignerName: validSignerName,
ExpirationSeconds: csr.DurationToExpirationSeconds(10 * time.Minute),
},
},
errs: field.ErrorList{},
},
"missing usages": {
csr: capi.CertificateSigningRequest{
ObjectMeta: validObjectMeta,

5
pkg/apis/certificates/zz_generated.deepcopy.go generated
View File

@ -111,6 +111,11 @@ func (in *CertificateSigningRequestSpec) DeepCopyInto(out *CertificateSigningReq
*out = make([]byte, len(*in))
copy(*out, *in)
}
if in.ExpirationSeconds != nil {
in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
*out = new(int32)
**out = **in
}
if in.Usages != nil {
in, out := &in.Usages, &out.Usages
*out = make([]KeyUsage, len(*in))

4
pkg/controller/certificates/signer/config/types.go
View File

@ -38,8 +38,8 @@ type CSRSigningControllerConfiguration struct {
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
// clusterSigningDuration is the max length of duration signed certificates will be given.
// Individual CSRs may request shorter certs by setting spec.expirationSeconds.
ClusterSigningDuration metav1.Duration
}

37
pkg/controller/certificates/signer/signer.go
View File

@ -30,11 +30,14 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
utilfeature "k8s.io/apiserver/pkg/util/feature"
certificatesinformers "k8s.io/client-go/informers/certificates/v1"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/util/certificate/csr"
capihelper "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/controller/certificates"
"k8s.io/kubernetes/pkg/controller/certificates/authority"
"k8s.io/kubernetes/pkg/features"
)
type CSRSigningController struct {
@ -115,7 +118,7 @@ type signer struct {
caProvider *caProvider
client clientset.Interface
certTTL time.Duration
certTTL time.Duration // max TTL; individual requests may request shorter certs by setting spec.expirationSeconds
signerName string
isRequestForSignerFn isRequestForSignerFunc
@ -173,7 +176,7 @@ func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
// Ignore requests for kubernetes.io signerNames we don't recognize
return nil
}
cert, err := s.sign(x509cr, csr.Spec.Usages, nil)
cert, err := s.sign(x509cr, csr.Spec.Usages, csr.Spec.ExpirationSeconds, nil)
if err != nil {
return fmt.Errorf("error auto signing csr: %v", err)
}
@ -185,15 +188,15 @@ func (s *signer) handle(csr *capi.CertificateSigningRequest) error {
return nil
}
func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, now func() time.Time) ([]byte, error) {
func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, expirationSeconds *int32, now func() time.Time) ([]byte, error) {
currCA, err := s.caProvider.currentCA()
if err != nil {
return nil, err
}
der, err := currCA.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{
TTL: s.certTTL,
TTL: s.duration(expirationSeconds),
Usages: usages,
Backdate: 5 * time.Minute, // this must always be less than the minimum TTL requested by a user
Backdate: 5 * time.Minute, // this must always be less than the minimum TTL requested by a user (see sanity check requestedDuration below)
Short: 8 * time.Hour, // 5 minutes of backdating is roughly 1% of 8 hours
Now: now,
})
@ -203,6 +206,30 @@ func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, n
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
func (s *signer) duration(expirationSeconds *int32) time.Duration {
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
return s.certTTL
}
if expirationSeconds == nil {
return s.certTTL
}
// honor requested duration is if it is less than the default TTL
// use 10 min (2x hard coded backdate above) as a sanity check lower bound
const min = 10 * time.Minute
switch requestedDuration := csr.ExpirationSecondsToDuration(*expirationSeconds); {
case requestedDuration > s.certTTL:
return s.certTTL
case requestedDuration < min:
return min
default:
return requestedDuration
}
}
// getCSRVerificationFuncForSignerName is a function that provides reliable mapping of signer names to verification so that
// we don't have accidents with wiring at some later date.
func getCSRVerificationFuncForSignerName(signerName string) (isRequestForSignerFunc, error) {

98
pkg/controller/certificates/signer/signer_test.go
View File

@ -32,11 +32,15 @@ import (
capi "k8s.io/api/certificates/v1"
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apimachinery/pkg/util/diff"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/kubernetes/fake"
testclient "k8s.io/client-go/testing"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
featuregatetesting "k8s.io/component-base/featuregate/testing"
capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1"
"k8s.io/kubernetes/pkg/controller/certificates"
"k8s.io/kubernetes/pkg/features"
)
func TestSigner(t *testing.T) {
@ -61,7 +65,11 @@ func TestSigner(t *testing.T) {
capi.UsageKeyEncipherment,
capi.UsageServerAuth,
capi.UsageClientAuth,
}, fakeClock.Now)
},
// requesting a duration that is greater than TTL is ignored
csr.DurationToExpirationSeconds(3*time.Hour),
fakeClock.Now,
)
if err != nil {
t.Fatalf("failed to sign CSR: %v", err)
}
@ -344,3 +352,91 @@ func makeTestCSR(b csrBuilder) *capi.CertificateSigningRequest {
}
return csr
}
func Test_signer_duration(t *testing.T) {
t.Parallel()
tests := []struct {
name string
certTTL time.Duration
expirationSeconds *int32
wantGateEnabled time.Duration
wantGateDisabled time.Duration
}{
{
name: "can request shorter duration than TTL",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(30 * time.Minute),
wantGateEnabled: 30 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "cannot request longer duration than TTL",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(3 * time.Hour),
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
{
name: "cannot request negative duration",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(-time.Minute),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "cannot request duration less than 10 mins",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(10*time.Minute - time.Second),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "can request duration of exactly 10 mins",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(10 * time.Minute),
wantGateEnabled: 10 * time.Minute,
wantGateDisabled: time.Hour,
},
{
name: "can request duration equal to the default",
certTTL: time.Hour,
expirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
{
name: "can choose not to request a duration to get the default",
certTTL: time.Hour,
expirationSeconds: nil,
wantGateEnabled: time.Hour,
wantGateDisabled: time.Hour,
},
}
for _, tt := range tests {
tt := tt
f := func(t *testing.T, want time.Duration) {
s := &signer{
certTTL: tt.certTTL,
}
if got := s.duration(tt.expirationSeconds); got != want {
t.Errorf("duration() = %v, want %v", got, want)
}
}
// regular tests
t.Run(tt.name, func(t *testing.T) {
t.Parallel() // these are safe to run in parallel but not the feature gate disabled tests
f(t, tt.wantGateEnabled)
})
// same tests with the feature gate disabled
t.Run("feature gate disabled - "+tt.name, func(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
f(t, tt.wantGateDisabled)
})
}
}

7
pkg/features/kube_features.go
View File

@ -740,6 +740,12 @@ const (
//
// Enables usage of the ReadWriteOncePod PersistentVolume access mode.
ReadWriteOncePod featuregate.Feature = "ReadWriteOncePod"
// owner: @enj
// beta: v1.22
//
// Allows clients to request a duration for certificates issued via the Kubernetes CSR API.
CSRDuration featuregate.Feature = "CSRDuration"
)
func init() {
@ -851,6 +857,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
PodSecurity: {Default: false, PreRelease: featuregate.Alpha},
ReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
CSRDuration: {Default: true, PreRelease: featuregate.Beta},
// inherited features from generic apiserver, relisted here to get a conflict if it is changed
// unintentionally on either side:

2
pkg/kubelet/certificate/bootstrap/bootstrap.go
View File

@ -344,7 +344,7 @@ func requestNodeCertificate(ctx context.Context, client clientset.Interface, pri
return nil, err
}
reqName, reqUID, err := csr.RequestCertificate(client, csrData, name, certificatesv1.KubeAPIServerClientKubeletSignerName, usages, privateKey)
reqName, reqUID, err := csr.RequestCertificate(client, csrData, name, certificatesv1.KubeAPIServerClientKubeletSignerName, nil, usages, privateKey)
if err != nil {
return nil, err
}

8
pkg/printers/internalversion/printers.go
View File

@ -48,6 +48,7 @@ import (
"k8s.io/apimachinery/pkg/util/duration"
"k8s.io/apimachinery/pkg/util/sets"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/admissionregistration"
"k8s.io/kubernetes/pkg/apis/apiserverinternal"
"k8s.io/kubernetes/pkg/apis/apps"
@ -413,6 +414,7 @@ func AddHandlers(h printers.PrintHandler) {
{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
{Name: "SignerName", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["signerName"]},
{Name: "Requestor", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["request"]},
{Name: "RequestedDuration", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestSpec{}.SwaggerDoc()["expirationSeconds"]},
{Name: "Condition", Type: "string", Description: certificatesv1beta1.CertificateSigningRequestStatus{}.SwaggerDoc()["conditions"]},
}
h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequest)
@ -1902,7 +1904,11 @@ func printCertificateSigningRequest(obj *certificates.CertificateSigningRequest,
if obj.Spec.SignerName != "" {
signerName = obj.Spec.SignerName
}
row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp), signerName, obj.Spec.Username, status)
requestedDuration := "<none>"
if obj.Spec.ExpirationSeconds != nil {
requestedDuration = duration.HumanDuration(csr.ExpirationSecondsToDuration(*obj.Spec.ExpirationSeconds))
}
row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp), signerName, obj.Spec.Username, requestedDuration, status)
return []metav1.TableRow{row}, nil
}

44
pkg/printers/internalversion/printers_test.go
View File

@ -27,6 +27,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/pkg/apis/apiserverinternal"
"k8s.io/kubernetes/pkg/apis/apps"
"k8s.io/kubernetes/pkg/apis/autoscaling"
@ -3990,8 +3991,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
Spec: certificates.CertificateSigningRequestSpec{},
Status: certificates.CertificateSigningRequestStatus{},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr1", "0s", "<none>", "", "Pending"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr1", "0s", "<none>", "", "<none>", "Pending"}}},
},
// Basic CSR with Spec and Status=Approved.
{
@ -4011,8 +4012,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "Approved"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "<none>", "Approved"}}},
},
// Basic CSR with Spec and SignerName set
{
@ -4033,8 +4034,31 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "Approved"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "<none>", "Approved"}}},
},
// Basic CSR with Spec, SignerName and ExpirationSeconds set
{
csr: certificates.CertificateSigningRequest{
ObjectMeta: metav1.ObjectMeta{
Name: "csr2",
CreationTimestamp: metav1.Time{Time: time.Now().Add(1.9e9)},
},
Spec: certificates.CertificateSigningRequestSpec{
Username: "CSR Requestor",
SignerName: "example.com/test-signer",
ExpirationSeconds: csr.DurationToExpirationSeconds(7*24*time.Hour + time.Hour), // a little bit more than a week
},
Status: certificates.CertificateSigningRequestStatus{
Conditions: []certificates.CertificateSigningRequestCondition{
{
Type: certificates.CertificateApproved,
},
},
},
},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "example.com/test-signer", "CSR Requestor", "7d1h", "Approved"}}},
},
// Basic CSR with Spec and Status=Approved; certificate issued.
{
@ -4055,8 +4079,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
Certificate: []byte("cert data"),
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "Approved,Issued"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr2", "0s", "<none>", "CSR Requestor", "<none>", "Approved,Issued"}}},
},
// Basic CSR with Spec and Status=Denied.
{
@ -4076,8 +4100,8 @@ func TestPrintCertificateSigningRequest(t *testing.T) {
},
},
},
// Columns: Name, Age, Requestor, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr3", "0s", "<none>", "CSR Requestor", "Denied"}}},
// Columns: Name, Age, SignerName, Requestor, RequestedDuration, Condition
expected: []metav1.TableRow{{Cells: []interface{}{"csr3", "0s", "<none>", "CSR Requestor", "<none>", "Denied"}}},
},
}

169
pkg/registry/certificates/certificates/storage/metrics.go Normal file
View File

@ -0,0 +1,169 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"context"
"fmt"
"strings"
"sync"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/apiserver/pkg/util/dryrun"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/component-base/metrics"
"k8s.io/component-base/metrics/legacyregistry"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
)
const (
namespace = "apiserver"
subsystem = "certificates_registry"
)
var (
// csrDurationRequested counts and categorizes how many certificates were issued when the client requested a duration.
csrDurationRequested = metrics.NewCounterVec(
&metrics.CounterOpts{
Namespace: namespace,
Subsystem: subsystem,
Name: "csr_requested_duration_total",
Help: "Total number of issued CSRs with a requested duration, sliced by signer (only kubernetes.io signer names are specifically identified)",
StabilityLevel: metrics.ALPHA,
},
[]string{"signerName"},
)
// csrDurationHonored counts and categorizes how many certificates were issued when the client requested a duration and the signer honored it.
csrDurationHonored = metrics.NewCounterVec(
&metrics.CounterOpts{
Namespace: namespace,
Subsystem: subsystem,
Name: "csr_honored_duration_total",
Help: "Total number of issued CSRs with a requested duration that was honored, sliced by signer (only kubernetes.io signer names are specifically identified)",
StabilityLevel: metrics.ALPHA,
},
[]string{"signerName"},
)
)
func init() {
registerMetricsOnce.Do(func() {
legacyregistry.MustRegister(csrDurationRequested)
legacyregistry.MustRegister(csrDurationHonored)
})
}
var registerMetricsOnce sync.Once
type counterVecMetric interface {
WithLabelValues(...string) metrics.CounterMetric
}
func countCSRDurationMetric(requested, honored counterVecMetric) genericregistry.BeginUpdateFunc {
return func(ctx context.Context, obj, old runtime.Object, options *metav1.UpdateOptions) (genericregistry.FinishFunc, error) {
return func(ctx context.Context, success bool) {
if !success {
return // ignore failures
}
if dryrun.IsDryRun(options.DryRun) {
return // ignore things that would not get persisted
}
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
return
}
oldCSR, ok := old.(*certificates.CertificateSigningRequest)
if !ok {
return
}
// if the old CSR already has a certificate, do not double count it
if len(oldCSR.Status.Certificate) > 0 {
return
}
if oldCSR.Spec.ExpirationSeconds == nil {
return // ignore CSRs that are not using the CSR duration feature
}
newCSR, ok := obj.(*certificates.CertificateSigningRequest)
if !ok {
return
}
issuedCert := newCSR.Status.Certificate
// new CSR has no issued certificate yet so do not count it.
// note that this means that we will ignore CSRs that set a duration
// but never get approved/signed. this is fine because the point
// of these metrics is to understand if the duration is honored
// by the signer. we are not checking the behavior of the approver.
if len(issuedCert) == 0 {
return
}
signer := compressSignerName(oldCSR.Spec.SignerName)
// at this point we know that this CSR is going to be persisted and
// the cert was just issued and the client requested a duration
requested.WithLabelValues(signer).Inc()
certs, err := cert.ParseCertsPEM(issuedCert)
if err != nil {
utilruntime.HandleError(fmt.Errorf("metrics recording failed to parse certificate for CSR %s: %w", oldCSR.Name, err))
return
}
// now we check to see if the signer honored the requested duration
certificate := certs[0]
wantDuration := csr.ExpirationSecondsToDuration(*oldCSR.Spec.ExpirationSeconds)
actualDuration := certificate.NotAfter.Sub(certificate.NotBefore)
if isDurationHonored(wantDuration, actualDuration) {
honored.WithLabelValues(signer).Inc()
}
}, nil
}
}
func isDurationHonored(want, got time.Duration) bool {
delta := want - got
if delta < 0 {
delta = -delta
}
// short-lived cert backdating + 5% of want
maxDelta := 5*time.Minute + (want / 20)
return delta < maxDelta
}
func compressSignerName(name string) string {
if strings.HasPrefix(name, "kubernetes.io/") {
return name
}
return "other"
}

496
pkg/registry/certificates/certificates/storage/metrics_test.go Normal file
View File

@ -0,0 +1,496 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"testing"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilfeature "k8s.io/apiserver/pkg/util/feature"
certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
featuregatetesting "k8s.io/component-base/featuregate/testing"
"k8s.io/component-base/metrics"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
"k8s.io/utils/pointer"
)
func Test_countCSRDurationMetric(t *testing.T) {
caPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
caCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "test-ca"}, caPrivateKey)
if err != nil {
t.Fatal(err)
}
tests := []struct {
name string
disableFeatureGate bool
success bool
obj, old runtime.Object
options *metav1.UpdateOptions
wantSigner string
wantRequested, wantHonored bool
}{
{
name: "cert parse failure",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: []byte("junk"),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "fancy",
ExpirationSeconds: pointer.Int32(77),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: false,
},
{
name: "kube signer honors duration exactly",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration exactly",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration but just a little bit less",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour-6*time.Minute, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "signer honors duration but just a little bit more",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour+6*time.Minute, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "other",
wantRequested: true,
wantHonored: true,
},
{
name: "honors duration lower bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 651*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "does not honor duration just outside of lower bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 650*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: false,
},
{
name: "honors duration upper bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 1349*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: true,
},
{
name: "does not honor duration just outside of upper bound",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, 1350*time.Second, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "kubernetes.io/educate-dolphins",
ExpirationSeconds: csr.DurationToExpirationSeconds(1_000 * time.Second),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "kubernetes.io/educate-dolphins",
wantRequested: true,
wantHonored: false,
},
{
name: "failed update is ignored",
success: false,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "dry run is ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{DryRun: []string{"stuff"}},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "no metrics when feature gate is turned off",
disableFeatureGate: true,
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "old CSR already has a cert so it is ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
Status: certificates.CertificateSigningRequestStatus{
Certificate: []byte("junk"),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "CSRs with no duration are ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: nil,
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "unissued CSRs are ignored",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: nil,
},
},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - nil old object",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: nil,
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - nil new object",
success: true,
obj: nil,
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - junk old object",
success: true,
obj: &certificates.CertificateSigningRequest{
Status: certificates.CertificateSigningRequestStatus{
Certificate: createCert(t, time.Hour, caPrivateKey, caCert),
},
},
old: &corev1.Pod{},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
{
name: "invalid data - junk new object",
success: true,
obj: &corev1.Pod{},
old: &certificates.CertificateSigningRequest{
Spec: certificates.CertificateSigningRequestSpec{
SignerName: "pandas",
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
},
options: &metav1.UpdateOptions{},
wantSigner: "",
wantRequested: false,
wantHonored: false,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
if tt.disableFeatureGate {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
} else {
t.Parallel()
}
testReq := &testCounterVecMetric{}
testHon := &testCounterVecMetric{}
finishFunc, err := countCSRDurationMetric(testReq, testHon)(nil, tt.obj, tt.old, tt.options)
if err != nil {
t.Fatal(err)
}
finishFunc(nil, tt.success)
if got := testReq.signer; tt.wantRequested && tt.wantSigner != got {
t.Errorf("requested signer: want %v, got %v", tt.wantSigner, got)
}
if got := testHon.signer; tt.wantHonored && tt.wantSigner != got {
t.Errorf("honored signer: want %v, got %v", tt.wantSigner, got)
}
if got := testReq.called; tt.wantRequested != got {
t.Errorf("requested inc: want %v, got %v", tt.wantRequested, got)
}
if got := testHon.called; tt.wantHonored != got {
t.Errorf("honored inc: want %v, got %v", tt.wantHonored, got)
}
})
}
}
func createCert(t *testing.T, duration time.Duration, caPrivateKey *ecdsa.PrivateKey, caCert *x509.Certificate) []byte {
t.Helper()
crPublicKey := &caPrivateKey.PublicKey // this is supposed to be public key of the signee but it does not matter for this test
now := time.Now()
tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "panda"}, SerialNumber: big.NewInt(1234), NotBefore: now, NotAfter: now.Add(duration)}
der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, crPublicKey, caPrivateKey)
if err != nil {
t.Fatal(err)
}
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
type testCounterVecMetric struct {
metrics.CounterMetric
signer string
called bool
}
func (m *testCounterVecMetric) WithLabelValues(lv ...string) metrics.CounterMetric {
if len(lv) != 1 {
panic(lv)
}
if len(m.signer) != 0 {
panic("unexpected multiple WithLabelValues() calls")
}
signer := lv[0]
if len(signer) == 0 {
panic("invalid empty signer")
}
m.signer = signer
return m
}
func (m *testCounterVecMetric) Inc() {
if m.called {
panic("unexpected multiple Inc() calls")
}
m.called = true
}

1
pkg/registry/certificates/certificates/storage/storage.go
View File

@ -62,6 +62,7 @@ func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, *StatusREST, *Approva
statusStore := *store
statusStore.UpdateStrategy = csrregistry.StatusStrategy
statusStore.ResetFieldsStrategy = csrregistry.StatusStrategy
statusStore.BeginUpdate = countCSRDurationMetric(csrDurationRequested, csrDurationHonored)
approvalStore := *store
approvalStore.UpdateStrategy = csrregistry.ApprovalStrategy

8
pkg/registry/certificates/certificates/strategy.go
View File

@ -30,9 +30,11 @@ import (
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/generic"
"k8s.io/apiserver/pkg/storage/names"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/apis/certificates/validation"
"k8s.io/kubernetes/pkg/features"
"sigs.k8s.io/structured-merge-diff/v4/fieldpath"
)
@ -91,10 +93,14 @@ func (csrStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
if extra := user.GetExtra(); len(extra) > 0 {
csr.Spec.Extra = map[string]certificates.ExtraValue{}
for k, v := range extra {
csr.Spec.Extra[k] = certificates.ExtraValue(v)
csr.Spec.Extra[k] = v
}
}
}
// clear expirationSeconds if the CSRDuration feature is disabled
if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
csr.Spec.ExpirationSeconds = nil
}
// Be explicit that users cannot create pre-approved certificate requests.
csr.Status = certificates.CertificateSigningRequestStatus{}

59
pkg/registry/certificates/certificates/strategy_test.go
View File

@ -27,14 +27,19 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apiserver/pkg/authentication/user"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
utilfeature "k8s.io/apiserver/pkg/util/feature"
featuregatetesting "k8s.io/component-base/featuregate/testing"
certapi "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
"k8s.io/utils/pointer"
)
func TestStrategyCreate(t *testing.T) {
tests := map[string]struct {
ctx context.Context
obj runtime.Object
expectedObj runtime.Object
ctx context.Context
disableFeatureGate bool
obj runtime.Object
expectedObj runtime.Object
}{
"no user in context, no user in obj": {
ctx: genericapirequest.NewContext(),
@ -112,15 +117,51 @@ func TestStrategyCreate(t *testing.T) {
},
expectedObj: &certapi.CertificateSigningRequest{
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
}},
},
},
"expirationSeconds set with gate enabled": {
ctx: genericapirequest.NewContext(),
obj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(1234),
},
},
expectedObj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(1234),
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},
},
"expirationSeconds set with gate disabled": {
ctx: genericapirequest.NewContext(),
disableFeatureGate: true,
obj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: pointer.Int32(5678),
},
},
expectedObj: &certapi.CertificateSigningRequest{
Spec: certapi.CertificateSigningRequestSpec{
ExpirationSeconds: nil,
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},
},
}
for k, tc := range tests {
obj := tc.obj
Strategy.PrepareForCreate(tc.ctx, obj)
if !reflect.DeepEqual(obj, tc.expectedObj) {
t.Errorf("%s: object diff: %s", k, diff.ObjectDiff(obj, tc.expectedObj))
}
tc := tc
t.Run(k, func(t *testing.T) {
if tc.disableFeatureGate {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
}
obj := tc.obj
Strategy.PrepareForCreate(tc.ctx, obj)
if !reflect.DeepEqual(obj, tc.expectedObj) {
t.Errorf("object diff: %s", diff.ObjectDiff(obj, tc.expectedObj))
}
})
}
}

143
staging/src/k8s.io/api/certificates/v1/generated.pb.go generated
View File

@ -229,62 +229,64 @@ func init() {
}
var fileDescriptor_17e045d0de66f3c7 = []byte{
// 873 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0xcf, 0x6f, 0x1b, 0x45,
0x14, 0xf6, 0xfa, 0x57, 0xec, 0x71, 0x49, 0xab, 0x11, 0xaa, 0x16, 0x4b, 0xdd, 0x8d, 0x56, 0x50,
0x05, 0x04, 0xbb, 0x38, 0x2a, 0x10, 0x0a, 0xe2, 0xb0, 0x69, 0x85, 0x2a, 0x52, 0x90, 0x26, 0x09,
0x87, 0xc2, 0xa1, 0x93, 0xf5, 0xeb, 0x66, 0xea, 0xee, 0x0f, 0x66, 0x66, 0x2d, 0x7c, 0xeb, 0x9f,
0xc0, 0x91, 0x23, 0xff, 0x09, 0xd7, 0x1c, 0x7b, 0x2c, 0x12, 0xb2, 0x88, 0x7b, 0xe1, 0x6f, 0xc8,
0x09, 0xcd, 0xec, 0x78, 0xed, 0xfc, 0x70, 0x5b, 0x72, 0xdb, 0xf9, 0xde, 0xf7, 0xbe, 0xef, 0xbd,
0xb7, 0x6f, 0x06, 0xed, 0x8c, 0xb6, 0x85, 0xcf, 0xb2, 0x60, 0x54, 0x1c, 0x02, 0x4f, 0x41, 0x82,
0x08, 0xc6, 0x90, 0x0e, 0x33, 0x1e, 0x98, 0x00, 0xcd, 0x59, 0x10, 0x01, 0x97, 0xec, 0x09, 0x8b,
0xa8, 0x0e, 0x0f, 0x82, 0x18, 0x52, 0xe0, 0x54, 0xc2, 0xd0, 0xcf, 0x79, 0x26, 0x33, 0xdc, 0x2f,
0xb9, 0x3e, 0xcd, 0x99, 0xbf, 0xcc, 0xf5, 0xc7, 0x83, 0xfe, 0x27, 0x31, 0x93, 0x47, 0xc5, 0xa1,
0x1f, 0x65, 0x49, 0x10, 0x67, 0x71, 0x16, 0xe8, 0x94, 0xc3, 0xe2, 0x89, 0x3e, 0xe9, 0x83, 0xfe,
0x2a, 0xa5, 0xfa, 0xde, 0xb2, 0x6d, 0xc6, 0xe1, 0x12, 0xbb, 0xfe, 0x9d, 0x05, 0x27, 0xa1, 0xd1,
0x11, 0x4b, 0x81, 0x4f, 0x82, 0x7c, 0x14, 0x2b, 0x40, 0x04, 0x09, 0x48, 0x7a, 0x59, 0x56, 0xb0,
0x2a, 0x8b, 0x17, 0xa9, 0x64, 0x09, 0x5c, 0x48, 0xf8, 0xfc, 0x4d, 0x09, 0x22, 0x3a, 0x82, 0x84,
0x9e, 0xcf, 0xf3, 0xfe, 0xac, 0xa3, 0xf7, 0x76, 0x16, 0x53, 0xd8, 0x63, 0x71, 0xca, 0xd2, 0x98,
0xc0, 0x2f, 0x05, 0x08, 0x89, 0x1f, 0xa3, 0x8e, 0xaa, 0x70, 0x48, 0x25, 0xb5, 0xad, 0x0d, 0x6b,
0xb3, 0xb7, 0xf5, 0xa9, 0xbf, 0x18, 0x5f, 0x65, 0xe4, 0xe7, 0xa3, 0x58, 0x01, 0xc2, 0x57, 0x6c,
0x7f, 0x3c, 0xf0, 0x7f, 0x38, 0x7c, 0x0a, 0x91, 0x7c, 0x08, 0x92, 0x86, 0xf8, 0x78, 0xea, 0xd6,
0x66, 0x53, 0x17, 0x2d, 0x30, 0x52, 0xa9, 0xe2, 0x9f, 0x50, 0x53, 0xe4, 0x10, 0xd9, 0x75, 0xad,
0xfe, 0xa5, 0xbf, 0xfa, 0xe7, 0xf8, 0x2b, 0xcb, 0xdc, 0xcb, 0x21, 0x0a, 0xaf, 0x19, 0x9b, 0xa6,
0x3a, 0x11, 0x2d, 0x8a, 0x23, 0xd4, 0x16, 0x92, 0xca, 0x42, 0xd8, 0x0d, 0x2d, 0xff, 0xd5, 0xd5,
0xe4, 0xb5, 0x44, 0xb8, 0x6e, 0x0c, 0xda, 0xe5, 0x99, 0x18, 0x69, 0xef, 0x55, 0x03, 0x79, 0x2b,
0x73, 0x77, 0xb2, 0x74, 0xc8, 0x24, 0xcb, 0x52, 0xbc, 0x8d, 0x9a, 0x72, 0x92, 0x83, 0x1e, 0x63,
0x37, 0x7c, 0x7f, 0x5e, 0xed, 0xfe, 0x24, 0x87, 0xd3, 0xa9, 0xfb, 0xee, 0x79, 0xbe, 0xc2, 0x89,
0xce, 0xc0, 0xbb, 0x55, 0x17, 0x6d, 0x9d, 0x7b, 0xe7, 0x6c, 0x21, 0xa7, 0x53, 0xf7, 0x92, 0x3d,
0xf4, 0x2b, 0xa5, 0xb3, 0xe5, 0xe2, 0xdb, 0xa8, 0xcd, 0x81, 0x8a, 0x2c, 0xd5, 0x23, 0xef, 0x2e,
0xda, 0x22, 0x1a, 0x25, 0x26, 0x8a, 0x3f, 0x44, 0x6b, 0x09, 0x08, 0x41, 0x63, 0xd0, 0xc3, 0xeb,
0x86, 0xd7, 0x0d, 0x71, 0xed, 0x61, 0x09, 0x93, 0x79, 0x1c, 0x3f, 0x45, 0xeb, 0xcf, 0xa8, 0x90,
0x07, 0xf9, 0x90, 0x4a, 0xd8, 0x67, 0x09, 0xd8, 0x4d, 0x3d, 0xee, 0x8f, 0xde, 0x6e, 0x57, 0x54,
0x46, 0x78, 0xd3, 0xa8, 0xaf, 0xef, 0x9e, 0x51, 0x22, 0xe7, 0x94, 0xf1, 0x18, 0x61, 0x85, 0xec,
0x73, 0x9a, 0x8a, 0x72, 0x50, 0xca, 0xaf, 0xf5, 0xbf, 0xfd, 0xfa, 0xc6, 0x0f, 0xef, 0x5e, 0x50,
0x23, 0x97, 0x38, 0x78, 0x7f, 0x59, 0xe8, 0xd6, 0xca, 0xbf, 0xbc, 0xcb, 0x84, 0xc4, 0x3f, 0x5f,
0xb8, 0x2b, 0xfe, 0xdb, 0xd5, 0xa3, 0xb2, 0xf5, 0x4d, 0xb9, 0x61, 0x6a, 0xea, 0xcc, 0x91, 0xa5,
0x7b, 0xf2, 0x08, 0xb5, 0x98, 0x84, 0x44, 0xd8, 0xf5, 0x8d, 0xc6, 0x66, 0x6f, 0xeb, 0xb3, 0x2b,
0x6d, 0x72, 0xf8, 0x8e, 0x71, 0x68, 0x3d, 0x50, 0x5a, 0xa4, 0x94, 0xf4, 0xfe, 0x6d, 0xbc, 0xa6,
0x37, 0x75, 0x9d, 0xf0, 0x07, 0x68, 0x8d, 0x97, 0x47, 0xdd, 0xda, 0xb5, 0xb0, 0xa7, 0x16, 0xc1,
0x30, 0xc8, 0x3c, 0x86, 0xb7, 0x10, 0x12, 0x2c, 0x4e, 0x81, 0x7f, 0x4f, 0x13, 0xb0, 0xd7, 0xf4,
0xda, 0x54, 0xd7, 0x7f, 0xaf, 0x8a, 0x90, 0x25, 0x16, 0xf6, 0x51, 0xbb, 0x50, 0x5b, 0x24, 0xec,
0xd6, 0x46, 0x63, 0xb3, 0x1b, 0xde, 0x54, 0xbb, 0x78, 0xa0, 0x91, 0xd3, 0xa9, 0xdb, 0xf9, 0x0e,
0x26, 0xfa, 0x40, 0x0c, 0x0b, 0x7f, 0x8c, 0x3a, 0x85, 0x00, 0x9e, 0x2a, 0x87, 0x72, 0x83, 0xab,
0xb1, 0x1d, 0x18, 0x9c, 0x54, 0x0c, 0x7c, 0x0b, 0x35, 0x0a, 0x36, 0x34, 0x1b, 0xdc, 0x33, 0xc4,
0xc6, 0xc1, 0x83, 0x7b, 0x44, 0xe1, 0xd8, 0x43, 0xed, 0x98, 0x67, 0x45, 0x2e, 0xec, 0xa6, 0x36,
0x47, 0xca, 0xfc, 0x5b, 0x8d, 0x10, 0x13, 0xc1, 0x0c, 0xb5, 0xe0, 0x57, 0xc9, 0xa9, 0xdd, 0xd6,
0x93, 0xbf, 0x77, 0xe5, 0x27, 0xca, 0xbf, 0xaf, 0x64, 0xee, 0xa7, 0x92, 0x4f, 0x16, 0x3f, 0x42,
0x63, 0xa4, 0x74, 0xe8, 0x3f, 0x46, 0x68, 0xc1, 0xc1, 0x37, 0x50, 0x63, 0x04, 0x93, 0xf2, 0xc1,
0x20, 0xea, 0x13, 0x7f, 0x8d, 0x5a, 0x63, 0xfa, 0xac, 0x00, 0xf3, 0x5a, 0xde, 0x7e, 0x5d, 0x29,
0x5a, 0xe8, 0x47, 0xc5, 0x26, 0x65, 0xd2, 0xdd, 0xfa, 0xb6, 0xe5, 0x1d, 0x5b, 0xc8, 0x7d, 0xc3,
0x43, 0x87, 0x39, 0x42, 0xd1, 0xfc, 0xf1, 0x10, 0xb6, 0xa5, 0xbb, 0xfe, 0xe6, 0x4a, 0x5d, 0x57,
0x6f, 0xd0, 0x62, 0x0b, 0x2a, 0x48, 0x90, 0x25, 0x17, 0x3c, 0x40, 0xbd, 0x25, 0x55, 0xdd, 0xdf,
0xb5, 0xf0, 0xfa, 0x6c, 0xea, 0xf6, 0x96, 0xc4, 0xc9, 0x32, 0xc7, 0xfb, 0xc2, 0x0c, 0x4b, 0xf7,
0x88, 0xdd, 0xf9, 0xfd, 0xb0, 0xf4, 0x8f, 0xec, 0x9e, 0x5f, 0xf2, 0xbb, 0x9d, 0xdf, 0xff, 0x70,
0x6b, 0xcf, 0xff, 0xde, 0xa8, 0x85, 0x9b, 0xc7, 0x27, 0x4e, 0xed, 0xc5, 0x89, 0x53, 0x7b, 0x79,
0xe2, 0xd4, 0x9e, 0xcf, 0x1c, 0xeb, 0x78, 0xe6, 0x58, 0x2f, 0x66, 0x8e, 0xf5, 0x72, 0xe6, 0x58,
0xff, 0xcc, 0x1c, 0xeb, 0xb7, 0x57, 0x4e, 0xed, 0x51, 0x7d, 0x3c, 0xf8, 0x2f, 0x00, 0x00, 0xff,
0xff, 0x9d, 0x8f, 0x4c, 0xfa, 0x70, 0x08, 0x00, 0x00,
// 906 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0x4f, 0x6f, 0x1b, 0x45,
0x14, 0xf7, 0xc6, 0x7f, 0x62, 0x8f, 0x43, 0xda, 0x8e, 0xa0, 0x5a, 0x2c, 0xd5, 0x6b, 0x59, 0x50,
0x19, 0x04, 0xbb, 0x38, 0x2a, 0x10, 0x0a, 0xe2, 0xb0, 0x69, 0x84, 0x2a, 0x52, 0x90, 0x26, 0x09,
0x87, 0xc2, 0xa1, 0x93, 0xf5, 0xeb, 0x66, 0xea, 0xee, 0x1f, 0x66, 0x66, 0xad, 0xfa, 0xd6, 0x8f,
0xc0, 0x91, 0x23, 0x5f, 0x80, 0xcf, 0xc0, 0x35, 0xc7, 0x1e, 0x8b, 0x84, 0x2c, 0xe2, 0x7e, 0x8b,
0x9c, 0xd0, 0xcc, 0x8e, 0xd7, 0x8e, 0x13, 0xb7, 0x25, 0xb7, 0x99, 0xf7, 0x7e, 0xef, 0xf7, 0x7b,
0xef, 0xcd, 0x7b, 0x83, 0x76, 0x86, 0xdb, 0xc2, 0x65, 0x89, 0x37, 0xcc, 0x8e, 0x80, 0xc7, 0x20,
0x41, 0x78, 0x23, 0x88, 0x07, 0x09, 0xf7, 0x8c, 0x83, 0xa6, 0xcc, 0x0b, 0x80, 0x4b, 0xf6, 0x98,
0x05, 0x54, 0xbb, 0xfb, 0x5e, 0x08, 0x31, 0x70, 0x2a, 0x61, 0xe0, 0xa6, 0x3c, 0x91, 0x09, 0x6e,
0xe5, 0x58, 0x97, 0xa6, 0xcc, 0x5d, 0xc4, 0xba, 0xa3, 0x7e, 0xeb, 0xd3, 0x90, 0xc9, 0xe3, 0xec,
0xc8, 0x0d, 0x92, 0xc8, 0x0b, 0x93, 0x30, 0xf1, 0x74, 0xc8, 0x51, 0xf6, 0x58, 0xdf, 0xf4, 0x45,
0x9f, 0x72, 0xaa, 0x56, 0x77, 0x51, 0x36, 0xe1, 0x70, 0x89, 0x5c, 0xeb, 0xce, 0x1c, 0x13, 0xd1,
0xe0, 0x98, 0xc5, 0xc0, 0xc7, 0x5e, 0x3a, 0x0c, 0x95, 0x41, 0x78, 0x11, 0x48, 0x7a, 0x59, 0x94,
0xb7, 0x2a, 0x8a, 0x67, 0xb1, 0x64, 0x11, 0x5c, 0x08, 0xf8, 0xe2, 0x4d, 0x01, 0x22, 0x38, 0x86,
0x88, 0x2e, 0xc7, 0x75, 0xff, 0x5a, 0x43, 0xef, 0xef, 0xcc, 0xbb, 0xb0, 0xcf, 0xc2, 0x98, 0xc5,
0x21, 0x81, 0x5f, 0x33, 0x10, 0x12, 0x3f, 0x42, 0x75, 0x95, 0xe1, 0x80, 0x4a, 0x6a, 0x5b, 0x1d,
0xab, 0xd7, 0xdc, 0xfa, 0xcc, 0x9d, 0xb7, 0xaf, 0x10, 0x72, 0xd3, 0x61, 0xa8, 0x0c, 0xc2, 0x55,
0x68, 0x77, 0xd4, 0x77, 0x7f, 0x3c, 0x7a, 0x02, 0x81, 0x7c, 0x00, 0x92, 0xfa, 0xf8, 0x64, 0xe2,
0x94, 0xa6, 0x13, 0x07, 0xcd, 0x6d, 0xa4, 0x60, 0xc5, 0x3f, 0xa3, 0x8a, 0x48, 0x21, 0xb0, 0xd7,
0x34, 0xfb, 0x57, 0xee, 0xea, 0xc7, 0x71, 0x57, 0xa6, 0xb9, 0x9f, 0x42, 0xe0, 0x6f, 0x18, 0x99,
0x8a, 0xba, 0x11, 0x4d, 0x8a, 0x03, 0x54, 0x13, 0x92, 0xca, 0x4c, 0xd8, 0x65, 0x4d, 0xff, 0xf5,
0xd5, 0xe8, 0x35, 0x85, 0xbf, 0x69, 0x04, 0x6a, 0xf9, 0x9d, 0x18, 0xea, 0xee, 0xab, 0x32, 0xea,
0xae, 0x8c, 0xdd, 0x49, 0xe2, 0x01, 0x93, 0x2c, 0x89, 0xf1, 0x36, 0xaa, 0xc8, 0x71, 0x0a, 0xba,
0x8d, 0x0d, 0xff, 0x83, 0x59, 0xb6, 0x07, 0xe3, 0x14, 0xce, 0x26, 0xce, 0xbb, 0xcb, 0x78, 0x65,
0x27, 0x3a, 0x02, 0xef, 0x15, 0x55, 0xd4, 0x74, 0xec, 0x9d, 0xf3, 0x89, 0x9c, 0x4d, 0x9c, 0x4b,
0xe6, 0xd0, 0x2d, 0x98, 0xce, 0xa7, 0x8b, 0x6f, 0xa3, 0x1a, 0x07, 0x2a, 0x92, 0x58, 0xb7, 0xbc,
0x31, 0x2f, 0x8b, 0x68, 0x2b, 0x31, 0x5e, 0xfc, 0x11, 0x5a, 0x8f, 0x40, 0x08, 0x1a, 0x82, 0x6e,
0x5e, 0xc3, 0xbf, 0x66, 0x80, 0xeb, 0x0f, 0x72, 0x33, 0x99, 0xf9, 0xf1, 0x13, 0xb4, 0xf9, 0x94,
0x0a, 0x79, 0x98, 0x0e, 0xa8, 0x84, 0x03, 0x16, 0x81, 0x5d, 0xd1, 0xed, 0xfe, 0xf8, 0xed, 0x66,
0x45, 0x45, 0xf8, 0x37, 0x0d, 0xfb, 0xe6, 0xde, 0x39, 0x26, 0xb2, 0xc4, 0x8c, 0x47, 0x08, 0x2b,
0xcb, 0x01, 0xa7, 0xb1, 0xc8, 0x1b, 0xa5, 0xf4, 0xaa, 0xff, 0x5b, 0xaf, 0x65, 0xf4, 0xf0, 0xde,
0x05, 0x36, 0x72, 0x89, 0x42, 0xf7, 0x6f, 0x0b, 0xdd, 0x5a, 0xf9, 0xca, 0x7b, 0x4c, 0x48, 0xfc,
0xcb, 0x85, 0x5d, 0x71, 0xdf, 0x2e, 0x1f, 0x15, 0xad, 0x37, 0xe5, 0xba, 0xc9, 0xa9, 0x3e, 0xb3,
0x2c, 0xec, 0xc9, 0x43, 0x54, 0x65, 0x12, 0x22, 0x61, 0xaf, 0x75, 0xca, 0xbd, 0xe6, 0xd6, 0xe7,
0x57, 0x9a, 0x64, 0xff, 0x1d, 0xa3, 0x50, 0xbd, 0xaf, 0xb8, 0x48, 0x4e, 0xd9, 0xfd, 0xb3, 0xf2,
0x9a, 0xda, 0xd4, 0x3a, 0xe1, 0x0f, 0xd1, 0x3a, 0xcf, 0xaf, 0xba, 0xb4, 0x0d, 0xbf, 0xa9, 0x06,
0xc1, 0x20, 0xc8, 0xcc, 0x87, 0xb7, 0x10, 0x12, 0x2c, 0x8c, 0x81, 0xff, 0x40, 0x23, 0xb0, 0xd7,
0xf5, 0xd8, 0x14, 0xeb, 0xbf, 0x5f, 0x78, 0xc8, 0x02, 0x0a, 0xef, 0xa0, 0x1b, 0xf0, 0x2c, 0x65,
0x9c, 0xea, 0x59, 0x85, 0x20, 0x89, 0x07, 0xc2, 0xae, 0x77, 0xac, 0x5e, 0xd5, 0x7f, 0x6f, 0x3a,
0x71, 0x6e, 0xec, 0x2e, 0x3b, 0xc9, 0x45, 0x3c, 0x76, 0x51, 0x2d, 0x53, 0xa3, 0x28, 0xec, 0x6a,
0xa7, 0xdc, 0x6b, 0xf8, 0x37, 0xd5, 0x40, 0x1f, 0x6a, 0xcb, 0xd9, 0xc4, 0xa9, 0x7f, 0x0f, 0x63,
0x7d, 0x21, 0x06, 0x85, 0x3f, 0x41, 0xf5, 0x4c, 0x00, 0x8f, 0x55, 0x9a, 0xf9, 0x1a, 0x14, 0xbd,
0x3f, 0x34, 0x76, 0x52, 0x20, 0xf0, 0x2d, 0x54, 0xce, 0xd8, 0xc0, 0xac, 0x41, 0xd3, 0x00, 0xcb,
0x87, 0xf7, 0xef, 0x11, 0x65, 0xc7, 0x5d, 0x54, 0x0b, 0x79, 0x92, 0xa5, 0xc2, 0xae, 0x68, 0x71,
0xa4, 0xc4, 0xbf, 0xd3, 0x16, 0x62, 0x3c, 0x98, 0xa1, 0x2a, 0x3c, 0x93, 0x9c, 0xda, 0x35, 0xfd,
0x7c, 0xf7, 0xae, 0xfc, 0xcf, 0xb9, 0xbb, 0x8a, 0x66, 0x37, 0x96, 0x7c, 0x3c, 0x7f, 0x4d, 0x6d,
0x23, 0xb9, 0x42, 0xeb, 0x11, 0x42, 0x73, 0x0c, 0xbe, 0x8e, 0xca, 0x43, 0x18, 0xe7, 0xbf, 0x0e,
0x51, 0x47, 0xfc, 0x0d, 0xaa, 0x8e, 0xe8, 0xd3, 0x0c, 0xcc, 0x97, 0x7b, 0xfb, 0x75, 0xa9, 0x68,
0xa2, 0x9f, 0x14, 0x9a, 0xe4, 0x41, 0x77, 0xd7, 0xb6, 0xad, 0xee, 0x89, 0x85, 0x9c, 0x37, 0xfc,
0x96, 0x98, 0x23, 0x14, 0xcc, 0x7e, 0x20, 0x61, 0x5b, 0xba, 0xea, 0x6f, 0xaf, 0x54, 0x75, 0xf1,
0x91, 0xcd, 0x47, 0xa9, 0x30, 0x09, 0xb2, 0xa0, 0x82, 0xfb, 0xa8, 0xb9, 0xc0, 0xaa, 0xeb, 0xdb,
0xf0, 0xaf, 0x4d, 0x27, 0x4e, 0x73, 0x81, 0x9c, 0x2c, 0x62, 0xba, 0x5f, 0x9a, 0x66, 0xe9, 0x1a,
0xb1, 0x33, 0x5b, 0x32, 0x4b, 0x3f, 0x64, 0x63, 0x79, 0x53, 0xee, 0xd6, 0x7f, 0xff, 0xc3, 0x29,
0x3d, 0xff, 0xa7, 0x53, 0xf2, 0x7b, 0x27, 0xa7, 0xed, 0xd2, 0x8b, 0xd3, 0x76, 0xe9, 0xe5, 0x69,
0xbb, 0xf4, 0x7c, 0xda, 0xb6, 0x4e, 0xa6, 0x6d, 0xeb, 0xc5, 0xb4, 0x6d, 0xbd, 0x9c, 0xb6, 0xad,
0x7f, 0xa7, 0x6d, 0xeb, 0xb7, 0x57, 0xed, 0xd2, 0xc3, 0xb5, 0x51, 0xff, 0xbf, 0x00, 0x00, 0x00,
0xff, 0xff, 0x88, 0x08, 0x6d, 0x53, 0xb5, 0x08, 0x00, 0x00,
}
func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error) {
@ -470,6 +472,11 @@ func (m *CertificateSigningRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int,
_ = i
var l int
_ = l
if m.ExpirationSeconds != nil {
i = encodeVarintGenerated(dAtA, i, uint64(*m.ExpirationSeconds))
i--
dAtA[i] = 0x40
}
i -= len(m.SignerName)
copy(dAtA[i:], m.SignerName)
i = encodeVarintGenerated(dAtA, i, uint64(len(m.SignerName)))
@ -719,6 +726,9 @@ func (m *CertificateSigningRequestSpec) Size() (n int) {
}
l = len(m.SignerName)
n += 1 + l + sovGenerated(uint64(l))
if m.ExpirationSeconds != nil {
n += 1 + sovGenerated(uint64(*m.ExpirationSeconds))
}
return n
}
@ -827,6 +837,7 @@ func (this *CertificateSigningRequestSpec) String() string {
`Usages:` + fmt.Sprintf("%v", this.Usages) + `,`,
`Extra:` + mapStringForExtra + `,`,
`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
`ExpirationSeconds:` + valueToStringGenerated(this.ExpirationSeconds) + `,`,
`}`,
}, "")
return s
@ -1717,6 +1728,26 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
}
m.SignerName = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 8:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field ExpirationSeconds", wireType)
}
var v int32
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= int32(b&0x7F) << shift
if b < 0x80 {
break
}
}
m.ExpirationSeconds = &v
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])

26
staging/src/k8s.io/api/certificates/v1/generated.proto
View File

@ -44,7 +44,7 @@ message CertificateSigningRequest {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, and usages fields can be set on creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
optional CertificateSigningRequestSpec spec = 2;
@ -135,6 +135,30 @@ message CertificateSigningRequestSpec {
// 6. Whether or not requests for CA certificates are allowed.
optional string signerName = 7;
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
optional int32 expirationSeconds = 8;
// usages specifies a set of key usages requested in the issued certificate.
//
// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".

26
staging/src/k8s.io/api/certificates/v1/types.go
View File

@ -44,7 +44,7 @@ type CertificateSigningRequest struct {
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, and usages fields can be set on creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
@ -84,6 +84,30 @@ type CertificateSigningRequestSpec struct {
// 6. Whether or not requests for CA certificates are allowed.
SignerName string `json:"signerName" protobuf:"bytes,7,opt,name=signerName"`
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`
// usages specifies a set of key usages requested in the issued certificate.
//
// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".

19
staging/src/k8s.io/api/certificates/v1/types_swagger_doc_generated.go generated
View File

@ -29,7 +29,7 @@ package v1
// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
var map_CertificateSigningRequest = map[string]string{
"": "CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.\n\nKubelets use this API to obtain:\n 1. client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client-kubelet\" signerName).\n 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the \"kubernetes.io/kubelet-serving\" signerName).\n\nThis API can be used to request client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client\" signerName), or to obtain certificates from custom non-Kubernetes signers.",
"spec": "spec contains the certificate request, and is immutable after creation. Only the request, signerName, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.",
"spec": "spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.",
"status": "status contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure.",
}
@ -61,14 +61,15 @@ func (CertificateSigningRequestList) SwaggerDoc() map[string]string {
}
var map_CertificateSigningRequestSpec = map[string]string{
"": "CertificateSigningRequestSpec contains the certificate request.",
"request": "request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.",
"signerName": "signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.",
"usages": "usages specifies a set of key usages requested in the issued certificate.\n\nRequests for TLS client certificates typically request: \"digital signature\", \"key encipherment\", \"client auth\".\n\nRequests for TLS serving certificates typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"",
"username": "username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"uid": "uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"groups": "groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"extra": "extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"": "CertificateSigningRequestSpec contains the certificate request.",
"request": "request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.",
"signerName": "signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.",
"expirationSeconds": "expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n 1. Old signer that is unaware of the field (such as the in-tree\n implementations prior to v1.22)\n 2. Signer whose configured maximum is shorter than the requested duration\n 3. Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.\n\nAs of v1.22, this field is beta and is controlled via the CSRDuration feature gate.",
"usages": "usages specifies a set of key usages requested in the issued certificate.\n\nRequests for TLS client certificates typically request: \"digital signature\", \"key encipherment\", \"client auth\".\n\nRequests for TLS serving certificates typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"",
"username": "username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"uid": "uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"groups": "groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
"extra": "extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.",
}
func (CertificateSigningRequestSpec) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/certificates/v1/zz_generated.deepcopy.go generated
View File

@ -111,6 +111,11 @@ func (in *CertificateSigningRequestSpec) DeepCopyInto(out *CertificateSigningReq
*out = make([]byte, len(*in))
copy(*out, *in)
}
if in.ExpirationSeconds != nil {
in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
*out = new(int32)
**out = **in
}
if in.Usages != nil {
in, out := &in.Usages, &out.Usages
*out = make([]KeyUsage, len(*in))

143
staging/src/k8s.io/api/certificates/v1beta1/generated.pb.go generated
View File

@ -229,62 +229,64 @@ func init() {
}
var fileDescriptor_09d156762b8218ef = []byte{
// 878 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x4b, 0x6f, 0x1c, 0x45,
0x10, 0xde, 0xf1, 0xbe, 0x7b, 0x8d, 0x13, 0xb5, 0x50, 0x34, 0xac, 0x94, 0x19, 0x6b, 0x04, 0xc8,
0x3c, 0xd2, 0x83, 0xa3, 0x08, 0x2c, 0x1f, 0x10, 0x8c, 0x89, 0xc0, 0xc2, 0x01, 0xa9, 0x6d, 0x73,
0x40, 0x48, 0xa4, 0x77, 0xb6, 0x32, 0xee, 0x6c, 0xe6, 0xc1, 0x74, 0xcf, 0xc2, 0xde, 0xf2, 0x13,
0x38, 0x72, 0xe4, 0xe7, 0x98, 0x03, 0x52, 0x8e, 0x39, 0xa0, 0x15, 0xde, 0xdc, 0xf9, 0x01, 0x3e,
0xa1, 0xee, 0xe9, 0x9d, 0x5d, 0xbf, 0x70, 0x48, 0x6e, 0xdb, 0x5f, 0xd7, 0xf7, 0x7d, 0x55, 0x35,
0xd5, 0xb5, 0xe8, 0xab, 0xd1, 0x96, 0x20, 0x3c, 0xf5, 0x47, 0xc5, 0x00, 0xf2, 0x04, 0x24, 0x08,
0x7f, 0x0c, 0xc9, 0x30, 0xcd, 0x7d, 0x73, 0xc1, 0x32, 0xee, 0x87, 0x90, 0x4b, 0xfe, 0x88, 0x87,
0x4c, 0x5f, 0x6f, 0x0e, 0x40, 0xb2, 0x4d, 0x3f, 0x82, 0x04, 0x72, 0x26, 0x61, 0x48, 0xb2, 0x3c,
0x95, 0x29, 0x76, 0x4b, 0x02, 0x61, 0x19, 0x27, 0xcb, 0x04, 0x62, 0x08, 0xfd, 0x3b, 0x11, 0x97,
0x47, 0xc5, 0x80, 0x84, 0x69, 0xec, 0x47, 0x69, 0x94, 0xfa, 0x9a, 0x37, 0x28, 0x1e, 0xe9, 0x93,
0x3e, 0xe8, 0x5f, 0xa5, 0x5e, 0xdf, 0x5b, 0x4e, 0x20, 0xcd, 0xc1, 0x1f, 0x5f, 0xf0, 0xec, 0xdf,
0x5b, 0xc4, 0xc4, 0x2c, 0x3c, 0xe2, 0x09, 0xe4, 0x13, 0x3f, 0x1b, 0x45, 0x0a, 0x10, 0x7e, 0x0c,
0x92, 0x5d, 0xc6, 0xf2, 0xaf, 0x62, 0xe5, 0x45, 0x22, 0x79, 0x0c, 0x17, 0x08, 0x1f, 0x5f, 0x47,
0x10, 0xe1, 0x11, 0xc4, 0xec, 0x3c, 0xcf, 0xfb, 0x63, 0x05, 0xbd, 0xb5, 0xb3, 0x68, 0xc5, 0x3e,
0x8f, 0x12, 0x9e, 0x44, 0x14, 0x7e, 0x2a, 0x40, 0x48, 0xfc, 0x10, 0x75, 0x54, 0x86, 0x43, 0x26,
0x99, 0x6d, 0xad, 0x5b, 0x1b, 0xbd, 0xbb, 0x1f, 0x91, 0x45, 0x0f, 0x2b, 0x23, 0x92, 0x8d, 0x22,
0x05, 0x08, 0xa2, 0xa2, 0xc9, 0x78, 0x93, 0x7c, 0x3b, 0x78, 0x0c, 0xa1, 0x7c, 0x00, 0x92, 0x05,
0xf8, 0x78, 0xea, 0xd6, 0x66, 0x53, 0x17, 0x2d, 0x30, 0x5a, 0xa9, 0xe2, 0x87, 0xa8, 0x21, 0x32,
0x08, 0xed, 0x15, 0xad, 0xfe, 0x29, 0xb9, 0xe6, 0x0b, 0x91, 0x2b, 0x73, 0xdd, 0xcf, 0x20, 0x0c,
0x56, 0x8d, 0x57, 0x43, 0x9d, 0xa8, 0x56, 0xc6, 0x47, 0xa8, 0x25, 0x24, 0x93, 0x85, 0xb0, 0xeb,
0xda, 0xe3, 0xb3, 0xd7, 0xf0, 0xd0, 0x3a, 0xc1, 0x9a, 0x71, 0x69, 0x95, 0x67, 0x6a, 0xf4, 0xbd,
0x17, 0x75, 0xe4, 0x5d, 0xc9, 0xdd, 0x49, 0x93, 0x21, 0x97, 0x3c, 0x4d, 0xf0, 0x16, 0x6a, 0xc8,
0x49, 0x06, 0xba, 0xa1, 0xdd, 0xe0, 0xed, 0x79, 0xca, 0x07, 0x93, 0x0c, 0x4e, 0xa7, 0xee, 0x9b,
0xe7, 0xe3, 0x15, 0x4e, 0x35, 0x03, 0xef, 0x55, 0xa5, 0xb4, 0x34, 0xf7, 0xde, 0xd9, 0x44, 0x4e,
0xa7, 0xee, 0x25, 0x13, 0x49, 0x2a, 0xa5, 0xb3, 0xe9, 0xe2, 0x77, 0x51, 0x2b, 0x07, 0x26, 0xd2,
0x44, 0x37, 0xbf, 0xbb, 0x28, 0x8b, 0x6a, 0x94, 0x9a, 0x5b, 0xfc, 0x1e, 0x6a, 0xc7, 0x20, 0x04,
0x8b, 0x40, 0x77, 0xb0, 0x1b, 0xdc, 0x30, 0x81, 0xed, 0x07, 0x25, 0x4c, 0xe7, 0xf7, 0xf8, 0x31,
0x5a, 0x7b, 0xc2, 0x84, 0x3c, 0xcc, 0x86, 0x4c, 0xc2, 0x01, 0x8f, 0xc1, 0x6e, 0xe8, 0x9e, 0xbf,
0xff, 0x72, 0x53, 0xa3, 0x18, 0xc1, 0x2d, 0xa3, 0xbe, 0xb6, 0x77, 0x46, 0x89, 0x9e, 0x53, 0xc6,
0x63, 0x84, 0x15, 0x72, 0x90, 0xb3, 0x44, 0x94, 0x8d, 0x52, 0x7e, 0xcd, 0xff, 0xed, 0xd7, 0x37,
0x7e, 0x78, 0xef, 0x82, 0x1a, 0xbd, 0xc4, 0xc1, 0x9b, 0x5a, 0xe8, 0xf6, 0x95, 0x5f, 0x79, 0x8f,
0x0b, 0x89, 0x7f, 0xb8, 0xf0, 0x6a, 0xc8, 0xcb, 0xe5, 0xa3, 0xd8, 0xfa, 0xcd, 0xdc, 0x34, 0x39,
0x75, 0xe6, 0xc8, 0xd2, 0x8b, 0xf9, 0x11, 0x35, 0xb9, 0x84, 0x58, 0xd8, 0x2b, 0xeb, 0xf5, 0x8d,
0xde, 0xdd, 0xed, 0x57, 0x1f, 0xe7, 0xe0, 0x0d, 0x63, 0xd3, 0xdc, 0x55, 0x82, 0xb4, 0xd4, 0xf5,
0xfe, 0xa9, 0xff, 0x47, 0x81, 0xea, 0x61, 0xe1, 0x77, 0x50, 0x3b, 0x2f, 0x8f, 0xba, 0xbe, 0xd5,
0xa0, 0xa7, 0xa6, 0xc1, 0x44, 0xd0, 0xf9, 0x1d, 0x26, 0x08, 0x09, 0x1e, 0x25, 0x90, 0x7f, 0xc3,
0x62, 0xb0, 0xdb, 0xe5, 0x90, 0xa9, 0x4d, 0xb0, 0x5f, 0xa1, 0x74, 0x29, 0x02, 0x13, 0xd4, 0x2a,
0xd4, 0x18, 0x09, 0xbb, 0xb9, 0x5e, 0xdf, 0xe8, 0x06, 0xb7, 0xd4, 0x30, 0x1e, 0x6a, 0xe4, 0x74,
0xea, 0x76, 0xbe, 0x86, 0x89, 0x3e, 0x50, 0x13, 0x85, 0x3f, 0x44, 0x9d, 0x42, 0x40, 0x9e, 0x28,
0xf5, 0x72, 0x84, 0xab, 0xbe, 0x1d, 0x1a, 0x9c, 0x56, 0x11, 0xf8, 0x36, 0xaa, 0x17, 0x7c, 0x68,
0x46, 0xb8, 0x67, 0x02, 0xeb, 0x87, 0xbb, 0x5f, 0x50, 0x85, 0x63, 0x0f, 0xb5, 0xa2, 0x3c, 0x2d,
0x32, 0x61, 0x37, 0xb4, 0x39, 0x52, 0xe6, 0x5f, 0x6a, 0x84, 0x9a, 0x1b, 0x9c, 0xa0, 0x26, 0xfc,
0x22, 0x73, 0x66, 0xb7, 0x74, 0xeb, 0x77, 0x5f, 0x6f, 0x5b, 0x91, 0xfb, 0x4a, 0xeb, 0x7e, 0x22,
0xf3, 0xc9, 0xe2, 0x4b, 0x68, 0x8c, 0x96, 0x36, 0x7d, 0x40, 0x68, 0x11, 0x83, 0x6f, 0xa2, 0xfa,
0x08, 0x26, 0xe5, 0xda, 0xa0, 0xea, 0x27, 0xfe, 0x1c, 0x35, 0xc7, 0xec, 0x49, 0x01, 0x66, 0x7b,
0x7e, 0x70, 0x6d, 0x3e, 0x5a, 0xed, 0x3b, 0x45, 0xa1, 0x25, 0x73, 0x7b, 0x65, 0xcb, 0xf2, 0xfe,
0xb4, 0x90, 0x7b, 0xcd, 0xce, 0xc3, 0x3f, 0x23, 0x14, 0xce, 0xf7, 0x88, 0xb0, 0x2d, 0x5d, 0xff,
0xce, 0xab, 0xd7, 0x5f, 0xed, 0xa4, 0xc5, 0xdf, 0x43, 0x05, 0x09, 0xba, 0x64, 0x85, 0x37, 0x51,
0x6f, 0x49, 0x5a, 0x57, 0xba, 0x1a, 0xdc, 0x98, 0x4d, 0xdd, 0xde, 0x92, 0x38, 0x5d, 0x8e, 0xf1,
0x3e, 0x31, 0x6d, 0xd3, 0x85, 0x62, 0x77, 0xfe, 0x5e, 0x2c, 0xfd, 0x5d, 0xbb, 0xe7, 0xe7, 0x7d,
0xbb, 0xf3, 0xdb, 0xef, 0x6e, 0xed, 0xe9, 0x5f, 0xeb, 0xb5, 0xe0, 0xce, 0xf1, 0x89, 0x53, 0x7b,
0x76, 0xe2, 0xd4, 0x9e, 0x9f, 0x38, 0xb5, 0xa7, 0x33, 0xc7, 0x3a, 0x9e, 0x39, 0xd6, 0xb3, 0x99,
0x63, 0x3d, 0x9f, 0x39, 0xd6, 0xdf, 0x33, 0xc7, 0xfa, 0xf5, 0x85, 0x53, 0xfb, 0xbe, 0x6d, 0xaa,
0xfb, 0x37, 0x00, 0x00, 0xff, 0xff, 0x21, 0x97, 0x54, 0xe9, 0x99, 0x08, 0x00, 0x00,
// 912 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0xdd, 0x6e, 0x1b, 0x45,
0x14, 0xf6, 0xc6, 0xff, 0xe3, 0x92, 0xb6, 0x23, 0xa8, 0x16, 0x4b, 0xf5, 0x5a, 0x16, 0xa0, 0xf0,
0xd3, 0x59, 0x52, 0x55, 0x10, 0xe5, 0x02, 0xc1, 0x86, 0x08, 0x22, 0x52, 0x90, 0x26, 0x09, 0x17,
0x08, 0x89, 0x8e, 0xd7, 0xa7, 0x9b, 0xa9, 0xbb, 0x3f, 0xec, 0xcc, 0x9a, 0xfa, 0xae, 0x8f, 0xc0,
0x25, 0x97, 0xbc, 0x03, 0x2f, 0x11, 0x2e, 0x90, 0x7a, 0xd9, 0x0b, 0x64, 0x11, 0xf7, 0x2d, 0x72,
0x85, 0x66, 0x76, 0xbc, 0x76, 0xec, 0x84, 0x94, 0xf6, 0xce, 0xf3, 0xcd, 0xf9, 0xbe, 0xef, 0x9c,
0xb3, 0xe7, 0x8c, 0xd1, 0xd7, 0xc3, 0x2d, 0x41, 0x78, 0xec, 0x0e, 0xb3, 0x3e, 0xa4, 0x11, 0x48,
0x10, 0xee, 0x08, 0xa2, 0x41, 0x9c, 0xba, 0xe6, 0x82, 0x25, 0xdc, 0xf5, 0x21, 0x95, 0xfc, 0x21,
0xf7, 0x99, 0xbe, 0xde, 0xec, 0x83, 0x64, 0x9b, 0x6e, 0x00, 0x11, 0xa4, 0x4c, 0xc2, 0x80, 0x24,
0x69, 0x2c, 0x63, 0xec, 0xe4, 0x04, 0xc2, 0x12, 0x4e, 0x16, 0x09, 0xc4, 0x10, 0xda, 0x77, 0x02,
0x2e, 0x8f, 0xb3, 0x3e, 0xf1, 0xe3, 0xd0, 0x0d, 0xe2, 0x20, 0x76, 0x35, 0xaf, 0x9f, 0x3d, 0xd4,
0x27, 0x7d, 0xd0, 0xbf, 0x72, 0xbd, 0x76, 0x6f, 0x31, 0x81, 0x38, 0x05, 0x77, 0xb4, 0xe2, 0xd9,
0xbe, 0x37, 0x8f, 0x09, 0x99, 0x7f, 0xcc, 0x23, 0x48, 0xc7, 0x6e, 0x32, 0x0c, 0x14, 0x20, 0xdc,
0x10, 0x24, 0xbb, 0x88, 0xe5, 0x5e, 0xc6, 0x4a, 0xb3, 0x48, 0xf2, 0x10, 0x56, 0x08, 0x9f, 0x5c,
0x45, 0x10, 0xfe, 0x31, 0x84, 0x6c, 0x99, 0xd7, 0xfb, 0x73, 0x0d, 0xbd, 0xbd, 0x33, 0x6f, 0xc5,
0x01, 0x0f, 0x22, 0x1e, 0x05, 0x14, 0x7e, 0xce, 0x40, 0x48, 0xfc, 0x00, 0x35, 0x54, 0x86, 0x03,
0x26, 0x99, 0x6d, 0x75, 0xad, 0x8d, 0xd6, 0xdd, 0x8f, 0xc9, 0xbc, 0x87, 0x85, 0x11, 0x49, 0x86,
0x81, 0x02, 0x04, 0x51, 0xd1, 0x64, 0xb4, 0x49, 0xbe, 0xeb, 0x3f, 0x02, 0x5f, 0xde, 0x07, 0xc9,
0x3c, 0x7c, 0x32, 0x71, 0x4a, 0xd3, 0x89, 0x83, 0xe6, 0x18, 0x2d, 0x54, 0xf1, 0x03, 0x54, 0x11,
0x09, 0xf8, 0xf6, 0x9a, 0x56, 0xff, 0x8c, 0x5c, 0xf1, 0x85, 0xc8, 0xa5, 0xb9, 0x1e, 0x24, 0xe0,
0x7b, 0xd7, 0x8c, 0x57, 0x45, 0x9d, 0xa8, 0x56, 0xc6, 0xc7, 0xa8, 0x26, 0x24, 0x93, 0x99, 0xb0,
0xcb, 0xda, 0xe3, 0xf3, 0xd7, 0xf0, 0xd0, 0x3a, 0xde, 0xba, 0x71, 0xa9, 0xe5, 0x67, 0x6a, 0xf4,
0x7b, 0x2f, 0xca, 0xa8, 0x77, 0x29, 0x77, 0x27, 0x8e, 0x06, 0x5c, 0xf2, 0x38, 0xc2, 0x5b, 0xa8,
0x22, 0xc7, 0x09, 0xe8, 0x86, 0x36, 0xbd, 0x77, 0x66, 0x29, 0x1f, 0x8e, 0x13, 0x38, 0x9b, 0x38,
0x6f, 0x2e, 0xc7, 0x2b, 0x9c, 0x6a, 0x06, 0xde, 0x2f, 0x4a, 0xa9, 0x69, 0xee, 0xbd, 0xf3, 0x89,
0x9c, 0x4d, 0x9c, 0x0b, 0x26, 0x92, 0x14, 0x4a, 0xe7, 0xd3, 0xc5, 0xef, 0xa1, 0x5a, 0x0a, 0x4c,
0xc4, 0x91, 0x6e, 0x7e, 0x73, 0x5e, 0x16, 0xd5, 0x28, 0x35, 0xb7, 0xf8, 0x7d, 0x54, 0x0f, 0x41,
0x08, 0x16, 0x80, 0xee, 0x60, 0xd3, 0xbb, 0x6e, 0x02, 0xeb, 0xf7, 0x73, 0x98, 0xce, 0xee, 0xf1,
0x23, 0xb4, 0xfe, 0x98, 0x09, 0x79, 0x94, 0x0c, 0x98, 0x84, 0x43, 0x1e, 0x82, 0x5d, 0xd1, 0x3d,
0xff, 0xe0, 0xe5, 0xa6, 0x46, 0x31, 0xbc, 0x5b, 0x46, 0x7d, 0x7d, 0xff, 0x9c, 0x12, 0x5d, 0x52,
0xc6, 0x23, 0x84, 0x15, 0x72, 0x98, 0xb2, 0x48, 0xe4, 0x8d, 0x52, 0x7e, 0xd5, 0xff, 0xed, 0xd7,
0x36, 0x7e, 0x78, 0x7f, 0x45, 0x8d, 0x5e, 0xe0, 0xd0, 0x9b, 0x58, 0xe8, 0xf6, 0xa5, 0x5f, 0x79,
0x9f, 0x0b, 0x89, 0x7f, 0x5c, 0xd9, 0x1a, 0xf2, 0x72, 0xf9, 0x28, 0xb6, 0xde, 0x99, 0x1b, 0x26,
0xa7, 0xc6, 0x0c, 0x59, 0xd8, 0x98, 0x9f, 0x50, 0x95, 0x4b, 0x08, 0x85, 0xbd, 0xd6, 0x2d, 0x6f,
0xb4, 0xee, 0x6e, 0xbf, 0xfa, 0x38, 0x7b, 0x6f, 0x18, 0x9b, 0xea, 0x9e, 0x12, 0xa4, 0xb9, 0x6e,
0xef, 0x8f, 0xca, 0x7f, 0x14, 0xa8, 0x16, 0x0b, 0xbf, 0x8b, 0xea, 0x69, 0x7e, 0xd4, 0xf5, 0x5d,
0xf3, 0x5a, 0x6a, 0x1a, 0x4c, 0x04, 0x9d, 0xdd, 0x61, 0x82, 0x90, 0xe0, 0x41, 0x04, 0xe9, 0xb7,
0x2c, 0x04, 0xbb, 0x9e, 0x0f, 0x99, 0x7a, 0x09, 0x0e, 0x0a, 0x94, 0x2e, 0x44, 0xe0, 0x1d, 0x74,
0x13, 0x9e, 0x24, 0x3c, 0x65, 0x7a, 0x58, 0xc1, 0x8f, 0xa3, 0x81, 0xb0, 0x1b, 0x5d, 0x6b, 0xa3,
0xea, 0xbd, 0x35, 0x9d, 0x38, 0x37, 0x77, 0x97, 0x2f, 0xe9, 0x6a, 0x3c, 0x26, 0xa8, 0x96, 0xa9,
0x59, 0x14, 0x76, 0xb5, 0x5b, 0xde, 0x68, 0x7a, 0xb7, 0xd4, 0x44, 0x1f, 0x69, 0xe4, 0x6c, 0xe2,
0x34, 0xbe, 0x81, 0xb1, 0x3e, 0x50, 0x13, 0x85, 0x3f, 0x42, 0x8d, 0x4c, 0x40, 0x1a, 0xa9, 0x14,
0xf3, 0x3d, 0x28, 0x9a, 0x7f, 0x64, 0x70, 0x5a, 0x44, 0xe0, 0xdb, 0xa8, 0x9c, 0xf1, 0x81, 0xd9,
0x83, 0x96, 0x09, 0x2c, 0x1f, 0xed, 0x7d, 0x49, 0x15, 0x8e, 0x7b, 0xa8, 0x16, 0xa4, 0x71, 0x96,
0x08, 0xbb, 0xa2, 0xcd, 0x91, 0x32, 0xff, 0x4a, 0x23, 0xd4, 0xdc, 0xe0, 0x08, 0x55, 0xe1, 0x89,
0x4c, 0x99, 0x5d, 0xd3, 0xdf, 0x6f, 0xef, 0xf5, 0x9e, 0x3c, 0xb2, 0xab, 0xb4, 0x76, 0x23, 0x99,
0x8e, 0xe7, 0x9f, 0x53, 0x63, 0x34, 0xb7, 0x69, 0x03, 0x42, 0xf3, 0x18, 0x7c, 0x03, 0x95, 0x87,
0x30, 0xce, 0xdf, 0x1e, 0xaa, 0x7e, 0xe2, 0x2f, 0x50, 0x75, 0xc4, 0x1e, 0x67, 0x60, 0x9e, 0xe0,
0x0f, 0xaf, 0xcc, 0x47, 0xab, 0x7d, 0xaf, 0x28, 0x34, 0x67, 0x6e, 0xaf, 0x6d, 0x59, 0xbd, 0xbf,
0x2c, 0xe4, 0x5c, 0xf1, 0x70, 0xe2, 0x5f, 0x10, 0xf2, 0x67, 0x8f, 0x91, 0xb0, 0x2d, 0x5d, 0xff,
0xce, 0xab, 0xd7, 0x5f, 0x3c, 0x6c, 0xf3, 0xff, 0x98, 0x02, 0x12, 0x74, 0xc1, 0x0a, 0x6f, 0xa2,
0xd6, 0x82, 0xb4, 0xae, 0xf4, 0x9a, 0x77, 0x7d, 0x3a, 0x71, 0x5a, 0x0b, 0xe2, 0x74, 0x31, 0xa6,
0xf7, 0xa9, 0x69, 0x9b, 0x2e, 0x14, 0x3b, 0xb3, 0xa5, 0xb3, 0xf4, 0x77, 0x6d, 0x2e, 0x2f, 0xcd,
0x76, 0xe3, 0xb7, 0xdf, 0x9d, 0xd2, 0xd3, 0xbf, 0xbb, 0x25, 0xef, 0xce, 0xc9, 0x69, 0xa7, 0xf4,
0xec, 0xb4, 0x53, 0x7a, 0x7e, 0xda, 0x29, 0x3d, 0x9d, 0x76, 0xac, 0x93, 0x69, 0xc7, 0x7a, 0x36,
0xed, 0x58, 0xcf, 0xa7, 0x1d, 0xeb, 0x9f, 0x69, 0xc7, 0xfa, 0xf5, 0x45, 0xa7, 0xf4, 0x43, 0xdd,
0x54, 0xf7, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x95, 0x4b, 0xd3, 0xe2, 0xde, 0x08, 0x00, 0x00,
}
func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error) {
@ -470,6 +472,11 @@ func (m *CertificateSigningRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int,
_ = i
var l int
_ = l
if m.ExpirationSeconds != nil {
i = encodeVarintGenerated(dAtA, i, uint64(*m.ExpirationSeconds))
i--
dAtA[i] = 0x40
}
if m.SignerName != nil {
i -= len(*m.SignerName)
copy(dAtA[i:], *m.SignerName)
@ -723,6 +730,9 @@ func (m *CertificateSigningRequestSpec) Size() (n int) {
l = len(*m.SignerName)
n += 1 + l + sovGenerated(uint64(l))
}
if m.ExpirationSeconds != nil {
n += 1 + sovGenerated(uint64(*m.ExpirationSeconds))
}
return n
}
@ -831,6 +841,7 @@ func (this *CertificateSigningRequestSpec) String() string {
`Usages:` + fmt.Sprintf("%v", this.Usages) + `,`,
`Extra:` + mapStringForExtra + `,`,
`SignerName:` + valueToStringGenerated(this.SignerName) + `,`,
`ExpirationSeconds:` + valueToStringGenerated(this.ExpirationSeconds) + `,`,
`}`,
}, "")
return s
@ -1722,6 +1733,26 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
s := string(dAtA[iNdEx:postIndex])
m.SignerName = &s
iNdEx = postIndex
case 8:
if wireType != 0 {
return fmt.Errorf("proto: wrong wireType = %d for field ExpirationSeconds", wireType)
}
var v int32
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
v |= int32(b&0x7F) << shift
if b < 0x80 {
break
}
}
m.ExpirationSeconds = &v
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])

33
staging/src/k8s.io/api/certificates/v1beta1/generated.proto
View File

@ -34,8 +34,9 @@ message CertificateSigningRequest {
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// The certificate request itself and any additional information.
// +optional
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
optional CertificateSigningRequestSpec spec = 2;
// Derived information about the request.
@ -80,9 +81,7 @@ message CertificateSigningRequestList {
repeated CertificateSigningRequest items = 2;
}
// This information is immutable after the request is created. Only the Request
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
// CertificateSigningRequestSpec contains the certificate request.
message CertificateSigningRequestSpec {
// Base64-encoded PKCS#10 CSR data
// +listType=atomic
@ -101,6 +100,30 @@ message CertificateSigningRequestSpec {
// +optional
optional string signerName = 7;
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
optional int32 expirationSeconds = 8;
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

35
staging/src/k8s.io/api/certificates/v1beta1/types.go
View File

@ -36,18 +36,17 @@ type CertificateSigningRequest struct {
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// The certificate request itself and any additional information.
// +optional
Spec CertificateSigningRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
// spec contains the certificate request, and is immutable after creation.
// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
// Other fields are derived by Kubernetes and cannot be modified by users.
Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
// Derived information about the request.
// +optional
Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
// This information is immutable after the request is created. Only the Request
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
// CertificateSigningRequestSpec contains the certificate request.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
// +listType=atomic
@ -66,6 +65,30 @@ type CertificateSigningRequestSpec struct {
// +optional
SignerName *string `json:"signerName,omitempty" protobuf:"bytes,7,opt,name=signerName"`
// expirationSeconds is the requested duration of validity of the issued
// certificate. The certificate signer may issue a certificate with a different
// validity duration so a client must check the delta between the notBefore and
// and notAfter fields in the issued certificate to determine the actual duration.
//
// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
// honor this field as long as the requested duration is not greater than the
// maximum duration they will honor per the --cluster-signing-duration CLI
// flag to the Kubernetes controller manager.
//
// Certificate signers may not honor this field for various reasons:
//
// 1. Old signer that is unaware of the field (such as the in-tree
// implementations prior to v1.22)
// 2. Signer whose configured maximum is shorter than the requested duration
// 3. Signer whose configured minimum is longer than the requested duration
//
// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
//
// As of v1.22, this field is beta and is controlled via the CSRDuration feature gate.
//
// +optional
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

19
staging/src/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go generated
View File

@ -29,7 +29,7 @@ package v1beta1
// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
var map_CertificateSigningRequest = map[string]string{
"": "Describes a certificate signing request",
"spec": "The certificate request itself and any additional information.",
"spec": "spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.",
"status": "Derived information about the request.",
}
@ -51,14 +51,15 @@ func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string {
}
var map_CertificateSigningRequestSpec = map[string]string{
"": "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"request": "Base64-encoded PKCS#10 CSR data",
"signerName": "Requested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted:\n 1. If it's a kubelet client certificate, it is assigned\n \"kubernetes.io/kube-apiserver-client-kubelet\".\n 2. If it's a kubelet serving certificate, it is assigned\n \"kubernetes.io/kubelet-serving\".\n 3. Otherwise, it is assigned \"kubernetes.io/legacy-unknown\".\nDistribution of trust for signers happens out of band. You can select on this field using `spec.signerName`.",
"usages": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12\nValid values are:\n \"signing\",\n \"digital signature\",\n \"content commitment\",\n \"key encipherment\",\n \"key agreement\",\n \"data encipherment\",\n \"cert sign\",\n \"crl sign\",\n \"encipher only\",\n \"decipher only\",\n \"any\",\n \"server auth\",\n \"client auth\",\n \"code signing\",\n \"email protection\",\n \"s/mime\",\n \"ipsec end system\",\n \"ipsec tunnel\",\n \"ipsec user\",\n \"timestamping\",\n \"ocsp signing\",\n \"microsoft sgc\",\n \"netscape sgc\"",
"username": "Information about the requesting user. See user.Info interface for details.",
"uid": "UID information about the requesting user. See user.Info interface for details.",
"groups": "Group information about the requesting user. See user.Info interface for details.",
"extra": "Extra information about the requesting user. See user.Info interface for details.",
"": "CertificateSigningRequestSpec contains the certificate request.",
"request": "Base64-encoded PKCS#10 CSR data",
"signerName": "Requested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted:\n 1. If it's a kubelet client certificate, it is assigned\n \"kubernetes.io/kube-apiserver-client-kubelet\".\n 2. If it's a kubelet serving certificate, it is assigned\n \"kubernetes.io/kubelet-serving\".\n 3. Otherwise, it is assigned \"kubernetes.io/legacy-unknown\".\nDistribution of trust for signers happens out of band. You can select on this field using `spec.signerName`.",
"expirationSeconds": "expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n 1. Old signer that is unaware of the field (such as the in-tree\n implementations prior to v1.22)\n 2. Signer whose configured maximum is shorter than the requested duration\n 3. Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.\n\nAs of v1.22, this field is beta and is controlled via the CSRDuration feature gate.",
"usages": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12\nValid values are:\n \"signing\",\n \"digital signature\",\n \"content commitment\",\n \"key encipherment\",\n \"key agreement\",\n \"data encipherment\",\n \"cert sign\",\n \"crl sign\",\n \"encipher only\",\n \"decipher only\",\n \"any\",\n \"server auth\",\n \"client auth\",\n \"code signing\",\n \"email protection\",\n \"s/mime\",\n \"ipsec end system\",\n \"ipsec tunnel\",\n \"ipsec user\",\n \"timestamping\",\n \"ocsp signing\",\n \"microsoft sgc\",\n \"netscape sgc\"",
"username": "Information about the requesting user. See user.Info interface for details.",
"uid": "UID information about the requesting user. See user.Info interface for details.",
"groups": "Group information about the requesting user. See user.Info interface for details.",
"extra": "Extra information about the requesting user. See user.Info interface for details.",
}
func (CertificateSigningRequestSpec) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go generated
View File

@ -116,6 +116,11 @@ func (in *CertificateSigningRequestSpec) DeepCopyInto(out *CertificateSigningReq
*out = new(string)
**out = **in
}
if in.ExpirationSeconds != nil {
in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
*out = new(int32)
**out = **in
}
if in.Usages != nil {
in, out := &in.Usages, &out.Usages
*out = make([]KeyUsage, len(*in))

13
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1.CertificateSigningRequest.json vendored
View File

@ -44,8 +44,9 @@
"spec": {
"request": "OA==",
"signerName": "20",
"expirationSeconds": 1305381319,
"usages": [
"J枊a"
"鯹)晿\u003c"
],
"username": "21",
"uid": "22",
@ -61,14 +62,14 @@
"status": {
"conditions": [
{
"type": "o,c鮽ort昍řČ扷5Ɨ",
"status": "ěĂ凗蓏Ŋ蛊ĉy緅縕",
"type": ".蘯6ċV夸",
"status": "Č扷5ƗǸƢ6/ʕVŚ(ĿȊ甞谐颋DžS",
"reason": "26",
"message": "27",
"lastUpdateTime": "1985-03-23T14:10:57Z",
"lastTransitionTime": "2352-05-22T04:29:36Z"
"lastUpdateTime": "2762-08-27T06:50:32Z",
"lastTransitionTime": "2214-12-23T19:22:14Z"
}
],
"certificate": "cw=="
"certificate": "fQ=="
}
}

BIN
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1.CertificateSigningRequest.pb vendored
View File

Binary file not shown.

13
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1.CertificateSigningRequest.yaml vendored
View File

@ -31,6 +31,7 @@ metadata:
selfLink: "5"
uid: "7"
spec:
expirationSeconds: 1305381319
extra:
"24":
- "25"
@ -40,14 +41,14 @@ spec:
signerName: "20"
uid: "22"
usages:
- J枊a
- 鯹)晿<
username: "21"
status:
certificate: cw==
certificate: fQ==
conditions:
- lastTransitionTime: "2352-05-22T04:29:36Z"
lastUpdateTime: "1985-03-23T14:10:57Z"
- lastTransitionTime: "2214-12-23T19:22:14Z"
lastUpdateTime: "2762-08-27T06:50:32Z"
message: "27"
reason: "26"
status: ěĂ凗蓏Ŋ蛊ĉy緅縕
type: o,c鮽ort昍řČ扷5Ɨ
status: Č扷5ƗǸƢ6/ʕVŚ(ĿȊ甞谐颋DžS
type: .蘯6ċV夸

13
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.CertificateSigningRequest.json vendored
View File

@ -44,8 +44,9 @@
"spec": {
"request": "OA==",
"signerName": "20",
"expirationSeconds": 1305381319,
"usages": [
"J枊a"
"鯹)晿\u003c"
],
"username": "21",
"uid": "22",
@ -61,14 +62,14 @@
"status": {
"conditions": [
{
"type": "o,c鮽ort昍řČ扷5Ɨ",
"status": "ěĂ凗蓏Ŋ蛊ĉy緅縕",
"type": ".蘯6ċV夸",
"status": "Č扷5ƗǸƢ6/ʕVŚ(ĿȊ甞谐颋DžS",
"reason": "26",
"message": "27",
"lastUpdateTime": "1985-03-23T14:10:57Z",
"lastTransitionTime": "2352-05-22T04:29:36Z"
"lastUpdateTime": "2762-08-27T06:50:32Z",
"lastTransitionTime": "2214-12-23T19:22:14Z"
}
],
"certificate": "cw=="
"certificate": "fQ=="
}
}

BIN
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.CertificateSigningRequest.pb vendored
View File

Binary file not shown.

13
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.CertificateSigningRequest.yaml vendored
View File

@ -31,6 +31,7 @@ metadata:
selfLink: "5"
uid: "7"
spec:
expirationSeconds: 1305381319
extra:
"24":
- "25"
@ -40,14 +41,14 @@ spec:
signerName: "20"
uid: "22"
usages:
- J枊a
- 鯹)晿<
username: "21"
status:
certificate: cw==
certificate: fQ==
conditions:
- lastTransitionTime: "2352-05-22T04:29:36Z"
lastUpdateTime: "1985-03-23T14:10:57Z"
- lastTransitionTime: "2214-12-23T19:22:14Z"
lastUpdateTime: "2762-08-27T06:50:32Z"
message: "27"
reason: "26"
status: ěĂ凗蓏Ŋ蛊ĉy緅縕
type: o,c鮽ort昍řČ扷5Ɨ
status: Č扷5ƗǸƢ6/ʕVŚ(ĿȊ甞谐颋DžS
type: .蘯6ċV夸

23
staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestspec.go
View File

@ -25,13 +25,14 @@ import (
// CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use
// with apply.
type CertificateSigningRequestSpecApplyConfiguration struct {
Request []byte `json:"request,omitempty"`
SignerName *string `json:"signerName,omitempty"`
Usages []v1.KeyUsage `json:"usages,omitempty"`
Username *string `json:"username,omitempty"`
UID *string `json:"uid,omitempty"`
Groups []string `json:"groups,omitempty"`
Extra map[string]v1.ExtraValue `json:"extra,omitempty"`
Request []byte `json:"request,omitempty"`
SignerName *string `json:"signerName,omitempty"`
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"`
Usages []v1.KeyUsage `json:"usages,omitempty"`
Username *string `json:"username,omitempty"`
UID *string `json:"uid,omitempty"`
Groups []string `json:"groups,omitempty"`
Extra map[string]v1.ExtraValue `json:"extra,omitempty"`
}
// CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with
@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s
return b
}
// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ExpirationSeconds field is set to the value of the last call.
func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration {
b.ExpirationSeconds = &value
return b
}
// WithUsages adds the given value to the Usages field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Usages field.

23
staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go
View File

@ -25,13 +25,14 @@ import (
// CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use
// with apply.
type CertificateSigningRequestSpecApplyConfiguration struct {
Request []byte `json:"request,omitempty"`
SignerName *string `json:"signerName,omitempty"`
Usages []v1beta1.KeyUsage `json:"usages,omitempty"`
Username *string `json:"username,omitempty"`
UID *string `json:"uid,omitempty"`
Groups []string `json:"groups,omitempty"`
Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"`
Request []byte `json:"request,omitempty"`
SignerName *string `json:"signerName,omitempty"`
ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"`
Usages []v1beta1.KeyUsage `json:"usages,omitempty"`
Username *string `json:"username,omitempty"`
UID *string `json:"uid,omitempty"`
Groups []string `json:"groups,omitempty"`
Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"`
}
// CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with
@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s
return b
}
// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ExpirationSeconds field is set to the value of the last call.
func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration {
b.ExpirationSeconds = &value
return b
}
// WithUsages adds the given value to the Usages field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Usages field.

6
staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
View File

@ -2843,6 +2843,9 @@ var schemaYAML = typed.YAMLObject(`types:
- name: io.k8s.api.certificates.v1.CertificateSigningRequestSpec
map:
fields:
- name: expirationSeconds
type:
scalar: numeric
- name: extra
type:
map:
@ -2939,6 +2942,9 @@ var schemaYAML = typed.YAMLObject(`types:
- name: io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec
map:
fields:
- name: expirationSeconds
type:
scalar: numeric
- name: extra
type:
map:

41
staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
View File

@ -88,6 +88,11 @@ type Config struct {
// SignerName is the name of the certificate signer that should sign certificates
// generated by the manager.
SignerName string
// RequestedCertificateLifetime is the requested lifetime length for certificates generated by the manager.
// Optional.
// This will set the spec.expirationSeconds field on the CSR. Controlling the lifetime of
// the issued certificate is not guaranteed as the signer may choose to ignore the request.
RequestedCertificateLifetime *time.Duration
// Usages is the types of usages that certificates generated by the manager
// can be used for.
Usages []certificates.KeyUsage
@ -184,10 +189,11 @@ type manager struct {
lastRequestCancel context.CancelFunc
lastRequest *x509.CertificateRequest
dynamicTemplate bool
signerName string
usages []certificates.KeyUsage
forceRotation bool
dynamicTemplate bool
signerName string
requestedCertificateLifetime *time.Duration
usages []certificates.KeyUsage
forceRotation bool
certStore Store
@ -230,18 +236,19 @@ func NewManager(config *Config) (Manager, error) {
}
m := manager{
stopCh: make(chan struct{}),
clientsetFn: config.ClientsetFn,
getTemplate: getTemplate,
dynamicTemplate: config.GetTemplate != nil,
signerName: config.SignerName,
usages: config.Usages,
certStore: config.CertificateStore,
cert: cert,
forceRotation: forceRotation,
certificateRotation: config.CertificateRotation,
certificateRenewFailure: config.CertificateRenewFailure,
now: time.Now,
stopCh: make(chan struct{}),
clientsetFn: config.ClientsetFn,
getTemplate: getTemplate,
dynamicTemplate: config.GetTemplate != nil,
signerName: config.SignerName,
requestedCertificateLifetime: config.RequestedCertificateLifetime,
usages: config.Usages,
certStore: config.CertificateStore,
cert: cert,
forceRotation: forceRotation,
certificateRotation: config.CertificateRotation,
certificateRenewFailure: config.CertificateRenewFailure,
now: time.Now,
}
name := config.Name
@ -459,7 +466,7 @@ func (m *manager) rotateCerts() (bool, error) {
// Call the Certificate Signing Request API to get a certificate for the
// new private key.
reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.usages, privateKey)
reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey)
if err != nil {
utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err))
if m.certificateRenewFailure != nil {

21
staging/src/k8s.io/client-go/util/certificate/csr/csr.go
View File

@ -25,8 +25,6 @@ import (
"reflect"
"time"
"k8s.io/klog/v2"
certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
@ -41,12 +39,16 @@ import (
"k8s.io/client-go/tools/cache"
watchtools "k8s.io/client-go/tools/watch"
certutil "k8s.io/client-go/util/cert"
"k8s.io/klog/v2"
"k8s.io/utils/pointer"
)
// RequestCertificate will either use an existing (if this process has run
// before but not to completion) or create a certificate signing request using the
// PEM encoded CSR and send it to API server.
func RequestCertificate(client clientset.Interface, csrData []byte, name string, signerName string, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) {
// PEM encoded CSR and send it to API server. An optional requestedDuration may be passed
// to set the spec.expirationSeconds field on the CSR to control the lifetime of the issued
// certificate. This is not guaranteed as the signer may choose to ignore the request.
func RequestCertificate(client clientset.Interface, csrData []byte, name, signerName string, requestedDuration *time.Duration, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) {
csr := &certificatesv1.CertificateSigningRequest{
// Username, UID, Groups will be injected by API server.
TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
@ -62,6 +64,9 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string,
if len(csr.Name) == 0 {
csr.GenerateName = "csr-"
}
if requestedDuration != nil {
csr.Spec.ExpirationSeconds = DurationToExpirationSeconds(*requestedDuration)
}
reqName, reqUID, err = create(client, csr)
switch {
@ -85,6 +90,14 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string,
}
}
func DurationToExpirationSeconds(duration time.Duration) *int32 {
return pointer.Int32(int32(duration / time.Second))
}
func ExpirationSecondsToDuration(expirationSeconds int32) time.Duration {
return time.Duration(expirationSeconds) * time.Second
}
func get(client clientset.Interface, name string) (*certificatesv1.CertificateSigningRequest, error) {
v1req, v1err := client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{})
if v1err == nil || !apierrors.IsNotFound(v1err) {

4
staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
View File

@ -193,8 +193,8 @@ type CSRSigningControllerConfiguration struct {
// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
LegacyUnknownSignerConfiguration CSRSigningConfiguration
// clusterSigningDuration is the length of duration signed certificates
// will be given.
// clusterSigningDuration is the max length of duration signed certificates will be given.
// Individual CSRs may request shorter certs by setting spec.expirationSeconds.
ClusterSigningDuration metav1.Duration
}

25
staging/src/k8s.io/kubectl/pkg/describe/describe.go
View File

@ -33,7 +33,6 @@ import (
"unicode"
"github.com/fatih/camelcase"
"k8s.io/apimachinery/pkg/runtime"
appsv1 "k8s.io/api/apps/v1"
autoscalingv1 "k8s.io/api/autoscaling/v1"
@ -60,6 +59,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/duration"
@ -72,6 +72,7 @@ import (
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/reference"
utilcsr "k8s.io/client-go/util/certificate/csr"
"k8s.io/klog/v2"
"k8s.io/kubectl/pkg/scheme"
"k8s.io/kubectl/pkg/util/certificate"
@ -3690,12 +3691,13 @@ type CertificateSigningRequestDescriber struct {
func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
var (
crBytes []byte
metadata metav1.ObjectMeta
status string
signerName string
username string
events *corev1.EventList
crBytes []byte
metadata metav1.ObjectMeta
status string
signerName string
expirationSeconds *int32
username string
events *corev1.EventList
)
if csr, err := p.client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
@ -3707,6 +3709,7 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
}
status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
signerName = csr.Spec.SignerName
expirationSeconds = csr.Spec.ExpirationSeconds
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
@ -3722,6 +3725,7 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
if csr.Spec.SignerName != nil {
signerName = *csr.Spec.SignerName
}
expirationSeconds = csr.Spec.ExpirationSeconds
username = csr.Spec.Username
if describerSettings.ShowEvents {
events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
@ -3735,10 +3739,10 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
return "", fmt.Errorf("Error parsing CSR: %v", err)
}
return describeCertificateSigningRequest(metadata, signerName, username, cr, status, events)
return describeCertificateSigningRequest(metadata, signerName, expirationSeconds, username, cr, status, events)
}
func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string, username string, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) {
func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string, expirationSeconds *int32, username string, cr *x509.CertificateRequest, status string, events *corev1.EventList) (string, error) {
printListHelper := func(w PrefixWriter, prefix, name string, values []string) {
if len(values) == 0 {
return
@ -3758,6 +3762,9 @@ func describeCertificateSigningRequest(csr metav1.ObjectMeta, signerName string,
if len(signerName) > 0 {
w.Write(LEVEL_0, "Signer:\t%s\n", signerName)
}
if expirationSeconds != nil {
w.Write(LEVEL_0, "Requested Duration:\t%s\n", duration.HumanDuration(utilcsr.ExpirationSecondsToDuration(*expirationSeconds)))
}
w.Write(LEVEL_0, "Status:\t%s\n", status)
w.Write(LEVEL_0, "Subject:\n")

23
test/e2e/auth/certificates.go
View File

@ -25,21 +25,23 @@ import (
"fmt"
"time"
"github.com/onsi/ginkgo"
certificatesv1 "k8s.io/api/certificates/v1"
v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/watch"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/utils"
"github.com/onsi/ginkgo"
)
var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
@ -80,7 +82,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
certificatesv1.UsageKeyEncipherment,
certificatesv1.UsageClientAuth,
},
SignerName: certificatesv1.KubeAPIServerClientSignerName,
SignerName: certificatesv1.KubeAPIServerClientSignerName,
ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
},
}
@ -159,6 +162,12 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
rcfg.TLSClientConfig.CertData = csr.Status.Certificate
rcfg.TLSClientConfig.KeyData = pkpem
certs, err := cert.ParseCertsPEM(csr.Status.Certificate)
framework.ExpectNoError(err)
framework.ExpectEqual(len(certs), 1, "expected a single cert, got %#v", certs)
cert := certs[0]
framework.ExpectEqual(cert.NotAfter.Sub(cert.NotBefore), time.Hour+5*time.Minute, "unexpected cert duration: %s", dynamiccertificates.GetHumanCertDetail(cert))
newClient, err := certificatesclient.NewForConfig(rcfg)
framework.ExpectNoError(err)
@ -207,7 +216,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
Spec: certificatesv1.CertificateSigningRequestSpec{
Request: csrData,
SignerName: signerName,
Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth},
// TODO(enj): check for expirationSeconds field persistence once the feature is GA
// ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth},
},
}
@ -280,6 +291,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
gottenCSR, err := csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{})
framework.ExpectNoError(err)
framework.ExpectEqual(gottenCSR.UID, createdCSR.UID)
// TODO(enj): check for expirationSeconds field persistence once the feature is GA
// framework.ExpectEqual(gottenCSR.Spec.ExpirationSeconds, csr.DurationToExpirationSeconds(time.Hour))
ginkgo.By("listing")
csrs, err := csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})

293
test/integration/certificates/duration_test.go Normal file
View File

@ -0,0 +1,293 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"os"
"path"
"strings"
"testing"
"time"
"github.com/google/go-cmp/cmp"
certificatesv1 "k8s.io/api/certificates/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/client-go/informers"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/client-go/util/keyutil"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/controller/certificates/signer"
"k8s.io/kubernetes/test/integration/framework"
)
func TestCSRDuration(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
t.Cleanup(cancel)
s := kubeapiservertesting.StartTestServerOrDie(t, nil, nil, framework.SharedEtcd())
t.Cleanup(s.TearDownFn)
// assert that the metrics we collect during the test run match expectations
// we have 7 valid test cases below that request a duration of which 6 should have their duration honored
wantMetricStrings := []string{
`apiserver_certificates_registry_csr_honored_duration_total{signerName="kubernetes.io/kube-apiserver-client"} 6`,
`apiserver_certificates_registry_csr_requested_duration_total{signerName="kubernetes.io/kube-apiserver-client"} 7`,
}
t.Cleanup(func() {
copyConfig := rest.CopyConfig(s.ClientConfig)
copyConfig.GroupVersion = &schema.GroupVersion{}
copyConfig.NegotiatedSerializer = unstructuredscheme.NewUnstructuredNegotiatedSerializer()
rc, err := rest.RESTClientFor(copyConfig)
if err != nil {
t.Fatal(err)
}
body, err := rc.Get().AbsPath("/metrics").DoRaw(ctx)
if err != nil {
t.Fatal(err)
}
var gotMetricStrings []string
for _, line := range strings.Split(string(body), "\n") {
if strings.HasPrefix(line, "apiserver_certificates_registry_") {
gotMetricStrings = append(gotMetricStrings, line)
}
}
if diff := cmp.Diff(wantMetricStrings, gotMetricStrings); diff != "" {
t.Errorf("unexpected metrics diff (-want +got): %s", diff)
}
})
client := clientset.NewForConfigOrDie(s.ClientConfig)
informerFactory := informers.NewSharedInformerFactory(client, 0)
caPrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
caCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "test-ca"}, caPrivateKey)
if err != nil {
t.Fatal(err)
}
caPublicKeyFile := path.Join(s.TmpDir, "test-ca-public-key")
if err := ioutil.WriteFile(caPublicKeyFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}), os.FileMode(0600)); err != nil {
t.Fatal(err)
}
caPrivateKeyBytes, err := keyutil.MarshalPrivateKeyToPEM(caPrivateKey)
if err != nil {
t.Fatal(err)
}
caPrivateKeyFile := path.Join(s.TmpDir, "test-ca-private-key")
if err := ioutil.WriteFile(caPrivateKeyFile, caPrivateKeyBytes, os.FileMode(0600)); err != nil {
t.Fatal(err)
}
c, err := signer.NewKubeAPIServerClientCSRSigningController(client, informerFactory.Certificates().V1().CertificateSigningRequests(), caPublicKeyFile, caPrivateKeyFile, 24*time.Hour)
if err != nil {
t.Fatal(err)
}
stopCh := make(chan struct{})
t.Cleanup(func() {
close(stopCh)
})
informerFactory.Start(stopCh)
go c.Run(1, stopCh)
tests := []struct {
name, csrName string
duration, wantDuration time.Duration
wantError string
}{
{
name: "no duration set",
duration: 0,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "same duration set as certTTL",
duration: 24 * time.Hour,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "longer duration than certTTL",
duration: 48 * time.Hour,
wantDuration: 24 * time.Hour,
wantError: "",
},
{
name: "slightly shorter duration set",
duration: 20 * time.Hour,
wantDuration: 20 * time.Hour,
wantError: "",
},
{
name: "even shorter duration set",
duration: 10 * time.Hour,
wantDuration: 10 * time.Hour,
wantError: "",
},
{
name: "short duration set",
duration: 2 * time.Hour,
wantDuration: 2*time.Hour + 5*time.Minute,
wantError: "",
},
{
name: "very short duration set",
duration: 30 * time.Minute,
wantDuration: 30*time.Minute + 5*time.Minute,
wantError: "",
},
{
name: "shortest duration set",
duration: 10 * time.Minute,
wantDuration: 10*time.Minute + 5*time.Minute,
wantError: "",
},
{
name: "just too short duration set",
csrName: "invalid-csr-001",
duration: 10*time.Minute - time.Second,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-001" is invalid: spec.expirationSeconds: Invalid value: 599: may not specify a duration less than 600 seconds (10 minutes)`,
},
{
name: "really too short duration set",
csrName: "invalid-csr-002",
duration: 3 * time.Minute,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-002" is invalid: spec.expirationSeconds: Invalid value: 180: may not specify a duration less than 600 seconds (10 minutes)`,
},
{
name: "negative duration set",
csrName: "invalid-csr-003",
duration: -7 * time.Minute,
wantDuration: 0,
wantError: `cannot create certificate signing request: ` +
`CertificateSigningRequest.certificates.k8s.io "invalid-csr-003" is invalid: spec.expirationSeconds: Invalid value: -420: may not specify a duration less than 600 seconds (10 minutes)`,
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
csrData, err := certutil.MakeCSR(privateKey, &pkix.Name{CommonName: "panda"}, nil, nil)
if err != nil {
t.Fatal(err)
}
csrName, csrUID, errReq := csr.RequestCertificate(client, csrData, tt.csrName, certificatesv1.KubeAPIServerClientSignerName,
durationPtr(tt.duration), []certificatesv1.KeyUsage{certificatesv1.UsageClientAuth}, privateKey)
if diff := cmp.Diff(tt.wantError, errStr(errReq)); len(diff) > 0 {
t.Fatalf("CSR input duration %v err diff (-want, +got):\n%s", tt.duration, diff)
}
if len(tt.wantError) > 0 {
return
}
csrObj, err := client.CertificatesV1().CertificateSigningRequests().Get(ctx, csrName, metav1.GetOptions{})
if err != nil {
t.Fatal(err)
}
csrObj.Status.Conditions = []certificatesv1.CertificateSigningRequestCondition{
{
Type: certificatesv1.CertificateApproved,
Status: v1.ConditionTrue,
Reason: "TestCSRDuration",
Message: t.Name(),
},
}
_, err = client.CertificatesV1().CertificateSigningRequests().UpdateApproval(ctx, csrName, csrObj, metav1.UpdateOptions{})
if err != nil {
t.Fatal(err)
}
certData, err := csr.WaitForCertificate(ctx, client, csrName, csrUID)
if err != nil {
t.Fatal(err)
}
certs, err := certutil.ParseCertsPEM(certData)
if err != nil {
t.Fatal(err)
}
switch l := len(certs); l {
case 1:
// good
default:
t.Errorf("expected 1 cert, got %d", l)
for i, certificate := range certs {
t.Log(i, dynamiccertificates.GetHumanCertDetail(certificate))
}
t.FailNow()
}
cert := certs[0]
if got := cert.NotAfter.Sub(cert.NotBefore); got != tt.wantDuration {
t.Errorf("CSR input duration %v got duration = %v, want %v\n%s", tt.duration, got, tt.wantDuration, dynamiccertificates.GetHumanCertDetail(cert))
}
})
}
}
func durationPtr(duration time.Duration) *time.Duration {
if duration == 0 {
return nil
}
return &duration
}
func errStr(err error) string {
if err == nil {
return ""
}
es := err.Error()
if len(es) == 0 {
panic("invalid empty error")
}
return es
}