Merge pull request #41755 from liggitt/cert-user-extra

Automatic merge from submit-queue

Include all user.Info data in CSR object

In order to use authorization checks to auto-approve CSRs in the future, we need all the info from the user.Info interface.

This mirrors the API fields in the TokenReview API used to return user info, and in the SubjectAccessReview API we use to check authorization.

```release-note
The CertificateSigningRequest API added the `extra` field to persist all information about the requesting user. This mirrors the fields in the SubjectAccessReview API used to check authorization.
```
Kubernetes Submit Queue 2017-02-23 02:24:32 -08:00 committed by GitHub
commit 713919990e
17 changed files with 910 additions and 1314 deletions


@ -41280,12 +41280,23 @@
]
},
"io.k8s.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequestSpec": {
"description": "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"description": "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"required": [
"request"
],
"properties": {
"extra": {
"description": "Extra information about the requesting user. See user.Info interface for details.",
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"groups": {
"description": "Group information about the requesting user. See user.Info interface for details.",
"type": "array",
"items": {
"type": "string"
@ -41297,6 +41308,7 @@
"format": "byte"
},
"uid": {
"description": "UID information about the requesting user. See user.Info interface for details.",
"type": "string"
},
"usages": {
@ -41307,7 +41319,7 @@
}
},
"username": {
"description": "Information about the requesting user (if relevant) See user.Info interface for details",
"description": "Information about the requesting user. See user.Info interface for details.",
"type": "string"
}
}

File diff suppressed because it is too large Load Diff


@ -886,7 +886,7 @@
},
"v1beta1.CertificateSigningRequestSpec": {
"id": "v1beta1.CertificateSigningRequestSpec",
"description": "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"description": "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"required": [
"request"
],
@ -904,16 +904,22 @@
},
"username": {
"type": "string",
"description": "Information about the requesting user (if relevant) See user.Info interface for details"
"description": "Information about the requesting user. See user.Info interface for details."
},
"uid": {
"type": "string"
"type": "string",
"description": "UID information about the requesting user. See user.Info interface for details."
},
"groups": {
"type": "array",
"items": {
"type": "string"
}
},
"description": "Group information about the requesting user. See user.Info interface for details."
},
"extra": {
"type": "object",
"description": "Extra information about the requesting user. See user.Info interface for details."
}
}
},


@ -549,7 +549,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<div class="sect2">
<h3 id="_v1beta1_certificatesigningrequestspec">v1beta1.CertificateSigningRequestSpec</h3>
<div class="paragraph">
<p>This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.</p>
<p>This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.</p>
</div>
<table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup>
@ -586,25 +586,32 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">username</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Information about the requesting user (if relevant) See user.Info interface for details</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Information about the requesting user. See user.Info interface for details.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">uid</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">UID information about the requesting user. See user.Info interface for details.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">groups</p></td>
<td class="tableblock halign-left valign-top"></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Group information about the requesting user. See user.Info interface for details.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">extra</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Extra information about the requesting user. See user.Info interface for details.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">object</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
@ -1371,7 +1378,7 @@ Examples:<br>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2017-01-25 20:38:59 UTC
Last updated 2017-02-20 18:28:59 UTC
</div>
</div>
</body>


@ -37,7 +37,7 @@ type CertificateSigningRequest struct {
}
// This information is immutable after the request is created. Only the Request
// and ExtraInfo fields can be set on creation, other fields are derived by
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
@ -49,16 +49,27 @@ type CertificateSigningRequestSpec struct {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage
// Information about the requesting user (if relevant)
// See user.Info interface for details
// Information about the requesting user.
// See user.Info interface for details.
// +optional
Username string
// UID information about the requesting user.
// See user.Info interface for details.
// +optional
UID string
// Group information about the requesting user.
// See user.Info interface for details.
// +optional
Groups []string
// Extra information about the requesting user.
// See user.Info interface for details.
// +optional
Extra map[string]ExtraValue
}
// ExtraValue masks the value so protobuf can generate
type ExtraValue []string
type CertificateSigningRequestStatus struct {
// Conditions applied to the request, such as approval or denial.
// +optional
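Review bot: The comments on the new `Extra` field (and on `UID` and `Groups`) in `CertificateSigningRequestSpec` say only that they hold information about the requesting user, not who sets them, which matters because the commit description plans to base auto-approval authorization checks on these fields. The struct comment already states that everything except Request and Usages is derived by Kubernetes, so each field comment could carry that through, for example `// Set by the API server from the authenticated request's user.Info; values supplied by the client are not honored.` The code that overwrites these fields on create is not in this section, so it is worth confirming that it covers `Extra` as well as `Username`, `UID` and `Groups`, and that update validation treats `Extra` as immutable. Separately, the `ExtraValue` comment stops mid-sentence; something like `// ExtraValue is a named []string so the protobuf generator can emit a message type for the map value.` would read as complete.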


@ -27,6 +27,7 @@ go_library(
deps = [
"//pkg/apis/certificates:go_default_library",
"//vendor:github.com/gogo/protobuf/proto",
"//vendor:github.com/gogo/protobuf/sortkeys",
"//vendor:github.com/ugorji/go/codec",
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
"//vendor:k8s.io/apimachinery/pkg/conversion",


@ -30,6 +30,7 @@ limitations under the License.
CertificateSigningRequestList
CertificateSigningRequestSpec
CertificateSigningRequestStatus
ExtraValue
*/
package v1beta1
@ -39,6 +40,7 @@ import math "math"
import strings "strings"
import reflect "reflect"
import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
import io "io"
@ -81,12 +83,17 @@ func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int) {
return fileDescriptorGenerated, []int{4}
}
func (m *ExtraValue) Reset() { *m = ExtraValue{} }
func (*ExtraValue) ProtoMessage() {}
func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
func init() {
proto.RegisterType((*CertificateSigningRequest)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequest")
proto.RegisterType((*CertificateSigningRequestCondition)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequestCondition")
proto.RegisterType((*CertificateSigningRequestList)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequestList")
proto.RegisterType((*CertificateSigningRequestSpec)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequestSpec")
proto.RegisterType((*CertificateSigningRequestStatus)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.CertificateSigningRequestStatus")
proto.RegisterType((*ExtraValue)(nil), "k8s.io.kubernetes.pkg.apis.certificates.v1beta1.ExtraValue")
}
func (m *CertificateSigningRequest) Marshal() (data []byte, err error) {
size := m.Size()
@ -265,6 +272,28 @@ func (m *CertificateSigningRequestSpec) MarshalTo(data []byte) (int, error) {
i += copy(data[i:], s)
}
}
if len(m.Extra) > 0 {
for k := range m.Extra {
data[i] = 0x32
i++
v := m.Extra[k]
msgSize := (&v).Size()
mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + msgSize + sovGenerated(uint64(msgSize))
i = encodeVarintGenerated(data, i, uint64(mapSize))
data[i] = 0xa
i++
i = encodeVarintGenerated(data, i, uint64(len(k)))
i += copy(data[i:], k)
data[i] = 0x12
i++
i = encodeVarintGenerated(data, i, uint64((&v).Size()))
n6, err := (&v).MarshalTo(data[i:])
if err != nil {
return 0, err
}
i += n6
}
}
return i, nil
}
@ -304,6 +333,39 @@ func (m *CertificateSigningRequestStatus) MarshalTo(data []byte) (int, error) {
return i, nil
}
func (m ExtraValue) Marshal() (data []byte, err error) {
size := m.Size()
data = make([]byte, size)
n, err := m.MarshalTo(data)
if err != nil {
return nil, err
}
return data[:n], nil
}
func (m ExtraValue) MarshalTo(data []byte) (int, error) {
var i int
_ = i
var l int
_ = l
if len(m) > 0 {
for _, s := range m {
data[i] = 0xa
i++
l = len(s)
for l >= 1<<7 {
data[i] = uint8(uint64(l)&0x7f | 0x80)
l >>= 7
i++
}
data[i] = uint8(l)
i++
i += copy(data[i:], s)
}
}
return i, nil
}
func encodeFixed64Generated(data []byte, offset int, v uint64) int {
data[offset] = uint8(v)
data[offset+1] = uint8(v >> 8)
@ -394,6 +456,15 @@ func (m *CertificateSigningRequestSpec) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
}
}
if len(m.Extra) > 0 {
for k, v := range m.Extra {
_ = k
_ = v
l = v.Size()
mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
}
}
return n
}
@ -413,6 +484,18 @@ func (m *CertificateSigningRequestStatus) Size() (n int) {
return n
}
func (m ExtraValue) Size() (n int) {
var l int
_ = l
if len(m) > 0 {
for _, s := range m {
l = len(s)
n += 1 + l + sovGenerated(uint64(l))
}
}
return n
}
func sovGenerated(x uint64) (n int) {
for {
n++
@ -466,12 +549,23 @@ func (this *CertificateSigningRequestSpec) String() string {
if this == nil {
return "nil"
}
keysForExtra := make([]string, 0, len(this.Extra))
for k := range this.Extra {
keysForExtra = append(keysForExtra, k)
}
github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
mapStringForExtra := "map[string]ExtraValue{"
for _, k := range keysForExtra {
mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
}
mapStringForExtra += "}"
s := strings.Join([]string{`&CertificateSigningRequestSpec{`,
`Request:` + valueToStringGenerated(this.Request) + `,`,
`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
`Usages:` + fmt.Sprintf("%v", this.Usages) + `,`,
`Extra:` + mapStringForExtra + `,`,
`}`,
}, "")
return s
@ -1089,6 +1183,122 @@ func (m *CertificateSigningRequestSpec) Unmarshal(data []byte) error {
}
m.Usages = append(m.Usages, KeyUsage(data[iNdEx:postIndex]))
iNdEx = postIndex
case 6:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
msglen |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex > l {
return io.ErrUnexpectedEOF
}
var keykey uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
keykey |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
var stringLenmapkey uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
stringLenmapkey |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLenmapkey := int(stringLenmapkey)
if intStringLenmapkey < 0 {
return ErrInvalidLengthGenerated
}
postStringIndexmapkey := iNdEx + intStringLenmapkey
if postStringIndexmapkey > l {
return io.ErrUnexpectedEOF
}
mapkey := string(data[iNdEx:postStringIndexmapkey])
iNdEx = postStringIndexmapkey
var valuekey uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
valuekey |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
var mapmsglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
mapmsglen |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if mapmsglen < 0 {
return ErrInvalidLengthGenerated
}
postmsgIndex := iNdEx + mapmsglen
if mapmsglen < 0 {
return ErrInvalidLengthGenerated
}
if postmsgIndex > l {
return io.ErrUnexpectedEOF
}
mapvalue := &ExtraValue{}
if err := mapvalue.Unmarshal(data[iNdEx:postmsgIndex]); err != nil {
return err
}
iNdEx = postmsgIndex
if m.Extra == nil {
m.Extra = make(map[string]ExtraValue)
}
m.Extra[mapkey] = *mapvalue
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(data[iNdEx:])
@ -1222,6 +1432,85 @@ func (m *CertificateSigningRequestStatus) Unmarshal(data []byte) error {
}
return nil
}
func (m *ExtraValue) Unmarshal(data []byte) error {
l := len(data)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := data[iNdEx]
iNdEx++
stringLen |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex > l {
return io.ErrUnexpectedEOF
}
*m = append(*m, string(data[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(data[iNdEx:])
if err != nil {
return err
}
if skippy < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func skipGenerated(data []byte) (n int, err error) {
l := len(data)
iNdEx := 0
@ -1328,51 +1617,58 @@ var (
)
var fileDescriptorGenerated = []byte{
// 734 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xac, 0x54, 0x4f, 0x4f, 0x13, 0x4f,
0x18, 0xee, 0xb6, 0xa5, 0x7f, 0xa6, 0xfc, 0xe0, 0x97, 0x89, 0x21, 0x95, 0x84, 0x2d, 0x69, 0xd4,
0x80, 0xc1, 0x5d, 0x8b, 0xc6, 0x70, 0x33, 0x59, 0x4c, 0x0c, 0x0a, 0x6a, 0x06, 0x7a, 0x31, 0x1e,
0x9c, 0x6e, 0x5f, 0x96, 0xa1, 0xec, 0x1f, 0x77, 0x66, 0x1b, 0x7a, 0xf3, 0xe6, 0xd5, 0x2f, 0xe0,
0xf7, 0xe1, 0xc8, 0xd1, 0x53, 0x23, 0xf5, 0x64, 0x4c, 0xfc, 0x00, 0x9c, 0xcc, 0x4e, 0xa7, 0xdd,
0x95, 0x52, 0xc1, 0x84, 0x5b, 0xe7, 0x79, 0x9f, 0xf7, 0x79, 0xff, 0x3d, 0x5b, 0xf4, 0xb4, 0xb3,
0xc1, 0x0d, 0xe6, 0x9b, 0x9d, 0xa8, 0x05, 0xa1, 0x07, 0x02, 0xb8, 0x19, 0x74, 0x1c, 0x93, 0x06,
0x8c, 0x9b, 0x36, 0x84, 0x82, 0xed, 0x33, 0x9b, 0xc6, 0x68, 0xb7, 0xd1, 0x02, 0x41, 0x1b, 0xa6,
0x03, 0x1e, 0x84, 0x54, 0x40, 0xdb, 0x08, 0x42, 0x5f, 0xf8, 0xd8, 0x1c, 0x0a, 0x18, 0x89, 0x80,
0x11, 0x74, 0x1c, 0x23, 0x16, 0x30, 0xd2, 0x02, 0x86, 0x12, 0x58, 0x7c, 0xe0, 0x30, 0x71, 0x10,
0xb5, 0x0c, 0xdb, 0x77, 0x4d, 0xc7, 0x77, 0x7c, 0x53, 0xea, 0xb4, 0xa2, 0x7d, 0xf9, 0x92, 0x0f,
0xf9, 0x6b, 0xa8, 0xbf, 0xf8, 0x58, 0x35, 0x48, 0x03, 0xe6, 0x52, 0xfb, 0x80, 0x79, 0x10, 0xf6,
0x92, 0x16, 0x5d, 0x10, 0xd4, 0xec, 0x4e, 0x74, 0xb5, 0x68, 0x4e, 0xcb, 0x0a, 0x23, 0x4f, 0x30,
0x17, 0x26, 0x12, 0x9e, 0x5c, 0x95, 0xc0, 0xed, 0x03, 0x70, 0xe9, 0x44, 0xde, 0xa3, 0x69, 0x79,
0x91, 0x60, 0x47, 0x26, 0xf3, 0x04, 0x17, 0xe1, 0x44, 0x52, 0x6a, 0x26, 0x0e, 0x61, 0x17, 0xc2,
0x64, 0x20, 0x38, 0xa6, 0x6e, 0x70, 0x04, 0x97, 0xcd, 0xb4, 0x36, 0xf5, 0x54, 0x97, 0xb0, 0xeb,
0x3f, 0xb2, 0xe8, 0xf6, 0x66, 0xb2, 0xff, 0x5d, 0xe6, 0x78, 0xcc, 0x73, 0x08, 0x7c, 0x88, 0x80,
0x0b, 0xfc, 0x1e, 0x95, 0xe2, 0xd5, 0xb5, 0xa9, 0xa0, 0x55, 0x6d, 0x59, 0x5b, 0xa9, 0xac, 0x3f,
0x34, 0xd4, 0x21, 0xd3, 0x93, 0x24, 0xa7, 0x8c, 0xd9, 0x46, 0xb7, 0x61, 0xbc, 0x6e, 0x1d, 0x82,
0x2d, 0x76, 0x40, 0x50, 0x0b, 0x9f, 0xf4, 0x6b, 0x99, 0x41, 0xbf, 0x86, 0x12, 0x8c, 0x8c, 0x55,
0x71, 0x80, 0xf2, 0x3c, 0x00, 0xbb, 0x9a, 0x95, 0xea, 0xaf, 0x8c, 0x7f, 0xb4, 0x89, 0x31, 0xb5,
0xf7, 0xdd, 0x00, 0x6c, 0x6b, 0x56, 0xd5, 0xce, 0xc7, 0x2f, 0x22, 0x2b, 0xe1, 0x63, 0x54, 0xe0,
0x82, 0x8a, 0x88, 0x57, 0x73, 0xb2, 0xe6, 0x9b, 0x1b, 0xac, 0x29, 0x75, 0xad, 0x39, 0x55, 0xb5,
0x30, 0x7c, 0x13, 0x55, 0xaf, 0xfe, 0x25, 0x8b, 0xea, 0x53, 0x73, 0x37, 0x7d, 0xaf, 0xcd, 0x04,
0xf3, 0x3d, 0xbc, 0x81, 0xf2, 0xa2, 0x17, 0x80, 0x5c, 0x78, 0xd9, 0xba, 0x33, 0x1a, 0x61, 0xaf,
0x17, 0xc0, 0x79, 0xbf, 0x76, 0xeb, 0x22, 0x3f, 0xc6, 0x89, 0xcc, 0xc0, 0xf7, 0x50, 0x21, 0x04,
0xca, 0x7d, 0x4f, 0xae, 0xb3, 0x9c, 0x34, 0x42, 0x24, 0x4a, 0x54, 0x14, 0xaf, 0xa2, 0xa2, 0x0b,
0x9c, 0x53, 0x07, 0xe4, 0x0e, 0xca, 0xd6, 0xbc, 0x22, 0x16, 0x77, 0x86, 0x30, 0x19, 0xc5, 0xf1,
0x21, 0x9a, 0x3b, 0xa2, 0x5c, 0x34, 0x83, 0x36, 0x15, 0xb0, 0xc7, 0x5c, 0xa8, 0xe6, 0xe5, 0xd6,
0xee, 0x5f, 0xcf, 0x07, 0x71, 0x86, 0xb5, 0xa0, 0xd4, 0xe7, 0xb6, 0xff, 0x50, 0x22, 0x17, 0x94,
0xeb, 0xbf, 0x34, 0xb4, 0x34, 0x75, 0x3f, 0xdb, 0x8c, 0x0b, 0xfc, 0x6e, 0xc2, 0x8f, 0xc6, 0xf5,
0xfa, 0x88, 0xb3, 0xa5, 0x1b, 0xff, 0x57, 0xbd, 0x94, 0x46, 0x48, 0xca, 0x8b, 0x3e, 0x9a, 0x61,
0x02, 0x5c, 0x5e, 0xcd, 0x2e, 0xe7, 0x56, 0x2a, 0xeb, 0x2f, 0x6e, 0xce, 0x18, 0xd6, 0x7f, 0xaa,
0xec, 0xcc, 0x56, 0x5c, 0x80, 0x0c, 0xeb, 0xd4, 0x7f, 0xfe, 0x6d, 0xe0, 0xd8, 0xb2, 0xf8, 0x2e,
0x2a, 0x86, 0xc3, 0xa7, 0x9c, 0x77, 0xd6, 0xaa, 0xc4, 0x57, 0x52, 0x0c, 0x32, 0x8a, 0xe1, 0x35,
0x54, 0x8a, 0x38, 0x84, 0x1e, 0x75, 0x41, 0x9d, 0x7e, 0x3c, 0x67, 0x53, 0xe1, 0x64, 0xcc, 0xc0,
0x4b, 0x28, 0x17, 0xb1, 0xb6, 0x3a, 0x7d, 0x45, 0x11, 0x73, 0xcd, 0xad, 0x67, 0x24, 0xc6, 0x71,
0x1d, 0x15, 0x9c, 0xd0, 0x8f, 0x02, 0x5e, 0xcd, 0x2f, 0xe7, 0x56, 0xca, 0x16, 0x8a, 0x1d, 0xf4,
0x5c, 0x22, 0x44, 0x45, 0xf0, 0x3a, 0x2a, 0x75, 0xa0, 0xd7, 0x94, 0x16, 0x9a, 0x91, 0xac, 0x85,
0x98, 0x25, 0x01, 0x7e, 0xde, 0xaf, 0x95, 0x5e, 0xaa, 0x28, 0x19, 0xf3, 0xea, 0x7d, 0x0d, 0xd5,
0xae, 0xf8, 0x74, 0xf0, 0x27, 0x0d, 0x21, 0x7b, 0xe4, 0x6c, 0x5e, 0xd5, 0xe4, 0x21, 0x76, 0x6f,
0xee, 0x10, 0xe3, 0xaf, 0x26, 0xf9, 0x5b, 0x1a, 0x43, 0x9c, 0xa4, 0x4a, 0xe3, 0x06, 0xaa, 0xa4,
0xa4, 0xe5, 0x56, 0x67, 0xad, 0xf9, 0x41, 0xbf, 0x56, 0x49, 0x89, 0x93, 0x34, 0xc7, 0x5a, 0x3d,
0x39, 0xd3, 0x33, 0xa7, 0x67, 0x7a, 0xe6, 0xeb, 0x99, 0x9e, 0xf9, 0x38, 0xd0, 0xb5, 0x93, 0x81,
0xae, 0x9d, 0x0e, 0x74, 0xed, 0xdb, 0x40, 0xd7, 0x3e, 0x7f, 0xd7, 0x33, 0x6f, 0x8b, 0xaa, 0xc1,
0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x57, 0xf9, 0x1c, 0x67, 0x50, 0x07, 0x00, 0x00,
// 839 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xac, 0x54, 0xcf, 0x8f, 0xdb, 0x44,
0x14, 0x8e, 0xf3, 0x6b, 0x93, 0xc9, 0xb2, 0xad, 0x46, 0xa8, 0x32, 0x2b, 0xd5, 0x5e, 0x59, 0x80,
0xb6, 0xa8, 0xd8, 0x64, 0x41, 0xb0, 0x2a, 0x07, 0x24, 0x97, 0x0a, 0x15, 0x5a, 0x7e, 0xcc, 0x36,
0x48, 0x20, 0x0e, 0x4c, 0x9c, 0x57, 0xef, 0x34, 0xf1, 0x0f, 0x3c, 0xe3, 0x68, 0x73, 0x41, 0xbd,
0x71, 0xe5, 0xc8, 0x05, 0x89, 0x3f, 0x67, 0x8f, 0x3d, 0x72, 0x40, 0x11, 0x1b, 0x4e, 0x5c, 0xf8,
0x03, 0x7a, 0x42, 0x33, 0x9e, 0xc4, 0x66, 0xd3, 0xd0, 0x56, 0xca, 0xcd, 0xf3, 0xcd, 0xf7, 0xbe,
0xf7, 0xde, 0xf7, 0x9e, 0x07, 0x7d, 0x34, 0x3e, 0xe6, 0x2e, 0x4b, 0xbc, 0x71, 0x3e, 0x84, 0x2c,
0x06, 0x01, 0xdc, 0x4b, 0xc7, 0xa1, 0x47, 0x53, 0xc6, 0xbd, 0x00, 0x32, 0xc1, 0x1e, 0xb2, 0x80,
0x4a, 0x74, 0xda, 0x1f, 0x82, 0xa0, 0x7d, 0x2f, 0x84, 0x18, 0x32, 0x2a, 0x60, 0xe4, 0xa6, 0x59,
0x22, 0x12, 0xec, 0x15, 0x02, 0x6e, 0x29, 0xe0, 0xa6, 0xe3, 0xd0, 0x95, 0x02, 0x6e, 0x55, 0xc0,
0xd5, 0x02, 0xfb, 0x6f, 0x87, 0x4c, 0x9c, 0xe6, 0x43, 0x37, 0x48, 0x22, 0x2f, 0x4c, 0xc2, 0xc4,
0x53, 0x3a, 0xc3, 0xfc, 0xa1, 0x3a, 0xa9, 0x83, 0xfa, 0x2a, 0xf4, 0xf7, 0xdf, 0xd3, 0x05, 0xd2,
0x94, 0x45, 0x34, 0x38, 0x65, 0x31, 0x64, 0xb3, 0xb2, 0xc4, 0x08, 0x04, 0xf5, 0xa6, 0x6b, 0x55,
0xed, 0x7b, 0x9b, 0xa2, 0xb2, 0x3c, 0x16, 0x2c, 0x82, 0xb5, 0x80, 0xf7, 0x9f, 0x17, 0xc0, 0x83,
0x53, 0x88, 0xe8, 0x5a, 0xdc, 0xbb, 0x9b, 0xe2, 0x72, 0xc1, 0x26, 0x1e, 0x8b, 0x05, 0x17, 0xd9,
0x5a, 0x50, 0xa5, 0x27, 0x0e, 0xd9, 0x14, 0xb2, 0xb2, 0x21, 0x38, 0xa3, 0x51, 0x3a, 0x81, 0x67,
0xf5, 0x74, 0x73, 0xe3, 0xa8, 0x9e, 0xc1, 0x76, 0xfe, 0xae, 0xa3, 0xd7, 0x6e, 0x97, 0xfe, 0x9f,
0xb0, 0x30, 0x66, 0x71, 0x48, 0xe0, 0x87, 0x1c, 0xb8, 0xc0, 0xdf, 0xa3, 0x8e, 0xb4, 0x6e, 0x44,
0x05, 0x35, 0x8d, 0x03, 0xe3, 0xb0, 0x77, 0xf4, 0x8e, 0xab, 0x07, 0x59, 0xed, 0xa4, 0x1c, 0xa5,
0x64, 0xbb, 0xd3, 0xbe, 0xfb, 0xc5, 0xf0, 0x11, 0x04, 0xe2, 0x3e, 0x08, 0xea, 0xe3, 0xf3, 0xb9,
0x5d, 0x5b, 0xcc, 0x6d, 0x54, 0x62, 0x64, 0xa5, 0x8a, 0x53, 0xd4, 0xe4, 0x29, 0x04, 0x66, 0x5d,
0xa9, 0x7f, 0xee, 0xbe, 0xe4, 0x9a, 0xb8, 0x1b, 0x6b, 0x3f, 0x49, 0x21, 0xf0, 0x77, 0x75, 0xee,
0xa6, 0x3c, 0x11, 0x95, 0x09, 0x9f, 0xa1, 0x36, 0x17, 0x54, 0xe4, 0xdc, 0x6c, 0xa8, 0x9c, 0x5f,
0x6e, 0x31, 0xa7, 0xd2, 0xf5, 0xf7, 0x74, 0xd6, 0x76, 0x71, 0x26, 0x3a, 0x9f, 0xf3, 0x6b, 0x1d,
0x39, 0x1b, 0x63, 0x6f, 0x27, 0xf1, 0x88, 0x09, 0x96, 0xc4, 0xf8, 0x18, 0x35, 0xc5, 0x2c, 0x05,
0x65, 0x78, 0xd7, 0x7f, 0x7d, 0xd9, 0xc2, 0x83, 0x59, 0x0a, 0x4f, 0xe7, 0xf6, 0xab, 0x97, 0xf9,
0x12, 0x27, 0x2a, 0x02, 0xbf, 0x89, 0xda, 0x19, 0x50, 0x9e, 0xc4, 0xca, 0xce, 0x6e, 0x59, 0x08,
0x51, 0x28, 0xd1, 0xb7, 0xf8, 0x06, 0xda, 0x89, 0x80, 0x73, 0x1a, 0x82, 0xf2, 0xa0, 0xeb, 0x5f,
0xd1, 0xc4, 0x9d, 0xfb, 0x05, 0x4c, 0x96, 0xf7, 0xf8, 0x11, 0xda, 0x9b, 0x50, 0x2e, 0x06, 0xe9,
0x88, 0x0a, 0x78, 0xc0, 0x22, 0x30, 0x9b, 0xca, 0xb5, 0xb7, 0x5e, 0x6c, 0x0f, 0x64, 0x84, 0x7f,
0x4d, 0xab, 0xef, 0xdd, 0xfb, 0x8f, 0x12, 0xb9, 0xa4, 0xec, 0xfc, 0x63, 0xa0, 0xeb, 0x1b, 0xfd,
0xb9, 0xc7, 0xb8, 0xc0, 0xdf, 0xad, 0xed, 0xa3, 0xfb, 0x62, 0x75, 0xc8, 0x68, 0xb5, 0x8d, 0x57,
0x75, 0x2d, 0x9d, 0x25, 0x52, 0xd9, 0xc5, 0x04, 0xb5, 0x98, 0x80, 0x88, 0x9b, 0xf5, 0x83, 0xc6,
0x61, 0xef, 0xe8, 0xd3, 0xed, 0x2d, 0x86, 0xff, 0x8a, 0x4e, 0xdb, 0xba, 0x2b, 0x13, 0x90, 0x22,
0x8f, 0xb3, 0x68, 0xfc, 0x4f, 0xc3, 0x72, 0x65, 0xf1, 0x1b, 0x68, 0x27, 0x2b, 0x8e, 0xaa, 0xdf,
0x5d, 0xbf, 0x27, 0xa7, 0xa4, 0x19, 0x64, 0x79, 0x87, 0x6f, 0xa2, 0x4e, 0xce, 0x21, 0x8b, 0x69,
0x04, 0x7a, 0xf4, 0xab, 0x3e, 0x07, 0x1a, 0x27, 0x2b, 0x06, 0xbe, 0x8e, 0x1a, 0x39, 0x1b, 0xe9,
0xd1, 0xf7, 0x34, 0xb1, 0x31, 0xb8, 0xfb, 0x31, 0x91, 0x38, 0x76, 0x50, 0x3b, 0xcc, 0x92, 0x3c,
0xe5, 0x66, 0xf3, 0xa0, 0x71, 0xd8, 0xf5, 0x91, 0xdc, 0xa0, 0x4f, 0x14, 0x42, 0xf4, 0x0d, 0x3e,
0x42, 0x9d, 0x31, 0xcc, 0x06, 0x6a, 0x85, 0x5a, 0x8a, 0x75, 0x4d, 0xb2, 0x14, 0xc0, 0x9f, 0xce,
0xed, 0xce, 0x67, 0xfa, 0x96, 0xac, 0x78, 0xf8, 0x47, 0xd4, 0x82, 0x33, 0x91, 0x51, 0xb3, 0xad,
0xec, 0xfd, 0x66, 0xbb, 0xff, 0xba, 0x7b, 0x47, 0x6a, 0xdf, 0x89, 0x45, 0x36, 0x2b, 0xdd, 0x56,
0x18, 0x29, 0xd2, 0xee, 0xe7, 0x08, 0x95, 0x1c, 0x7c, 0x15, 0x35, 0xc6, 0x30, 0x2b, 0x7e, 0x32,
0x22, 0x3f, 0xf1, 0x57, 0xa8, 0x35, 0xa5, 0x93, 0x1c, 0xf4, 0x5b, 0xf4, 0xe1, 0x4b, 0xd7, 0xa7,
0xd4, 0xbf, 0x96, 0x12, 0xa4, 0x50, 0xba, 0x55, 0x3f, 0x36, 0x9c, 0xb9, 0x81, 0xec, 0xe7, 0xbc,
0x18, 0xf8, 0x27, 0x03, 0xa1, 0x60, 0xf9, 0x43, 0x73, 0xd3, 0x50, 0x06, 0x9d, 0x6c, 0xcf, 0xa0,
0xd5, 0x63, 0x51, 0xbe, 0xc6, 0x2b, 0x88, 0x93, 0x4a, 0x6a, 0xdc, 0x47, 0xbd, 0x8a, 0xb4, 0xb2,
0x62, 0xd7, 0xbf, 0xb2, 0x98, 0xdb, 0xbd, 0x8a, 0x38, 0xa9, 0x72, 0x9c, 0x0f, 0xb4, 0xaf, 0xaa,
0x73, 0x6c, 0x2f, 0x7f, 0x22, 0x43, 0xad, 0x45, 0xf7, 0xf2, 0xd2, 0xdf, 0xea, 0xfc, 0xf2, 0x9b,
0x5d, 0x7b, 0xfc, 0xc7, 0x41, 0xcd, 0xbf, 0x71, 0x7e, 0x61, 0xd5, 0x9e, 0x5c, 0x58, 0xb5, 0xdf,
0x2f, 0xac, 0xda, 0xe3, 0x85, 0x65, 0x9c, 0x2f, 0x2c, 0xe3, 0xc9, 0xc2, 0x32, 0xfe, 0x5c, 0x58,
0xc6, 0xcf, 0x7f, 0x59, 0xb5, 0x6f, 0x77, 0x74, 0x67, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0x07,
0x0c, 0x3b, 0x3a, 0x80, 0x08, 0x00, 0x00,
}


@ -70,7 +70,7 @@ message CertificateSigningRequestList {
}
// This information is immutable after the request is created. Only the Request
// and ExtraInfo fields can be set on creation, other fields are derived by
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
message CertificateSigningRequestSpec {
// Base64-encoded PKCS#10 CSR data
@ -82,16 +82,25 @@ message CertificateSigningRequestSpec {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
repeated string keyUsage = 5;
// Information about the requesting user (if relevant)
// See user.Info interface for details
// Information about the requesting user.
// See user.Info interface for details.
// +optional
optional string username = 2;
// UID information about the requesting user.
// See user.Info interface for details.
// +optional
optional string uid = 3;
// Group information about the requesting user.
// See user.Info interface for details.
// +optional
repeated string groups = 4;
// Extra information about the requesting user.
// See user.Info interface for details.
// +optional
map<string, ExtraValue> extra = 6;
}
message CertificateSigningRequestStatus {
@ -104,3 +113,12 @@ message CertificateSigningRequestStatus {
optional bytes certificate = 2;
}
// ExtraValue masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message ExtraValue {
// items, if empty, will result in an empty slice
repeated string items = 1;
}


@ -474,16 +474,17 @@ func (x *CertificateSigningRequestSpec) CodecEncodeSelf(e *codec1978.Encoder) {
} else {
yysep2 := !z.EncBinary()
yy2arr2 := z.EncBasicHandle().StructToArray
var yyq2 [5]bool
var yyq2 [6]bool
_, _, _ = yysep2, yyq2, yy2arr2
const yyr2 bool = false
yyq2[1] = len(x.Usages) != 0
yyq2[2] = x.Username != ""
yyq2[3] = x.UID != ""
yyq2[4] = len(x.Groups) != 0
yyq2[5] = len(x.Extra) != 0
var yynn2 int
if yyr2 || yy2arr2 {
r.EncodeArrayStart(5)
r.EncodeArrayStart(6)
} else {
yynn2 = 1
for _, b := range yyq2 {
@ -637,6 +638,39 @@ func (x *CertificateSigningRequestSpec) CodecEncodeSelf(e *codec1978.Encoder) {
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
if yyq2[5] {
if x.Extra == nil {
r.EncodeNil()
} else {
yym19 := z.EncBinary()
_ = yym19
if false {
} else {
h.encMapstringExtraValue((map[string]ExtraValue)(x.Extra), e)
}
}
} else {
r.EncodeNil()
}
} else {
if yyq2[5] {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
r.EncodeString(codecSelferC_UTF81234, string("extra"))
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if x.Extra == nil {
r.EncodeNil()
} else {
yym20 := z.EncBinary()
_ = yym20
if false {
} else {
h.encMapstringExtraValue((map[string]ExtraValue)(x.Extra), e)
}
}
}
}
if yyr2 || yy2arr2 {
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
} else {
@ -758,6 +792,18 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromMap(l int, d *codec19
z.F.DecSliceStringX(yyv12, false, d)
}
}
case "extra":
if r.TryDecodeAsNil() {
x.Extra = nil
} else {
yyv14 := &x.Extra
yym15 := z.DecBinary()
_ = yym15
if false {
} else {
h.decMapstringExtraValue((*map[string]ExtraValue)(yyv14), d)
}
}
default:
z.DecStructFieldNotFound(-1, yys3)
} // end switch yys3
@ -769,16 +815,16 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
var yyj14 int
var yyb14 bool
var yyhl14 bool = l >= 0
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
var yyj16 int
var yyb16 bool
var yyhl16 bool = l >= 0
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -786,21 +832,21 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
if r.TryDecodeAsNil() {
x.Request = nil
} else {
yyv15 := &x.Request
yym16 := z.DecBinary()
_ = yym16
yyv17 := &x.Request
yym18 := z.DecBinary()
_ = yym18
if false {
} else {
*yyv15 = r.DecodeBytes(*(*[]byte)(yyv15), false, false)
*yyv17 = r.DecodeBytes(*(*[]byte)(yyv17), false, false)
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -808,21 +854,21 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
if r.TryDecodeAsNil() {
x.Usages = nil
} else {
yyv17 := &x.Usages
yym18 := z.DecBinary()
_ = yym18
yyv19 := &x.Usages
yym20 := z.DecBinary()
_ = yym20
if false {
} else {
h.decSliceKeyUsage((*[]KeyUsage)(yyv17), d)
h.decSliceKeyUsage((*[]KeyUsage)(yyv19), d)
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -830,29 +876,7 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
if r.TryDecodeAsNil() {
x.Username = ""
} else {
yyv19 := &x.Username
yym20 := z.DecBinary()
_ = yym20
if false {
} else {
*((*string)(yyv19)) = r.DecodeString()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
} else {
yyb14 = r.CheckBreak()
}
if yyb14 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.UID = ""
} else {
yyv21 := &x.UID
yyv21 := &x.Username
yym22 := z.DecBinary()
_ = yym22
if false {
@ -860,13 +884,35 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
*((*string)(yyv21)) = r.DecodeString()
}
}
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.UID = ""
} else {
yyv23 := &x.UID
yym24 := z.DecBinary()
_ = yym24
if false {
} else {
*((*string)(yyv23)) = r.DecodeString()
}
}
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb16 = r.CheckBreak()
}
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
@ -874,30 +920,82 @@ func (x *CertificateSigningRequestSpec) codecDecodeSelfFromArray(l int, d *codec
if r.TryDecodeAsNil() {
x.Groups = nil
} else {
yyv23 := &x.Groups
yym24 := z.DecBinary()
_ = yym24
yyv25 := &x.Groups
yym26 := z.DecBinary()
_ = yym26
if false {
} else {
z.F.DecSliceStringX(yyv23, false, d)
z.F.DecSliceStringX(yyv25, false, d)
}
}
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb16 = r.CheckBreak()
}
if yyb16 {
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
return
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
if r.TryDecodeAsNil() {
x.Extra = nil
} else {
yyv27 := &x.Extra
yym28 := z.DecBinary()
_ = yym28
if false {
} else {
h.decMapstringExtraValue((*map[string]ExtraValue)(yyv27), d)
}
}
for {
yyj14++
if yyhl14 {
yyb14 = yyj14 > l
yyj16++
if yyhl16 {
yyb16 = yyj16 > l
} else {
yyb14 = r.CheckBreak()
yyb16 = r.CheckBreak()
}
if yyb14 {
if yyb16 {
break
}
z.DecSendContainerState(codecSelfer_containerArrayElem1234)
z.DecStructFieldNotFound(yyj14-1, "")
z.DecStructFieldNotFound(yyj16-1, "")
}
z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x ExtraValue) CodecEncodeSelf(e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
if x == nil {
r.EncodeNil()
} else {
yym1 := z.EncBinary()
_ = yym1
if false {
} else if z.HasExtensions() && z.EncExt(x) {
} else {
h.encExtraValue((ExtraValue)(x), e)
}
}
}
func (x *ExtraValue) CodecDecodeSelf(d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yym1 := z.DecBinary()
_ = yym1
if false {
} else if z.HasExtensions() && z.DecExt(x) {
} else {
h.decExtraValue((*ExtraValue)(x), d)
}
}
func (x *CertificateSigningRequestStatus) CodecEncodeSelf(e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
@ -2044,6 +2142,249 @@ func (x codecSelfer1234) decSliceKeyUsage(v *[]KeyUsage, d *codec1978.Decoder) {
}
}
func (x codecSelfer1234) encMapstringExtraValue(v map[string]ExtraValue, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
r.EncodeMapStart(len(v))
for yyk1, yyv1 := range v {
z.EncSendContainerState(codecSelfer_containerMapKey1234)
yym2 := z.EncBinary()
_ = yym2
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(yyk1))
}
z.EncSendContainerState(codecSelfer_containerMapValue1234)
if yyv1 == nil {
r.EncodeNil()
} else {
yyv1.CodecEncodeSelf(e)
}
}
z.EncSendContainerState(codecSelfer_containerMapEnd1234)
}
func (x codecSelfer1234) decMapstringExtraValue(v *map[string]ExtraValue, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yyv1 := *v
yyl1 := r.ReadMapStart()
yybh1 := z.DecBasicHandle()
if yyv1 == nil {
yyrl1, _ := z.DecInferLen(yyl1, yybh1.MaxInitLen, 40)
yyv1 = make(map[string]ExtraValue, yyrl1)
*v = yyv1
}
var yymk1 string
var yymv1 ExtraValue
var yymg1 bool
if yybh1.MapValueReset {
yymg1 = true
}
if yyl1 > 0 {
for yyj1 := 0; yyj1 < yyl1; yyj1++ {
z.DecSendContainerState(codecSelfer_containerMapKey1234)
if r.TryDecodeAsNil() {
yymk1 = ""
} else {
yyv2 := &yymk1
yym3 := z.DecBinary()
_ = yym3
if false {
} else {
*((*string)(yyv2)) = r.DecodeString()
}
}
if yymg1 {
yymv1 = yyv1[yymk1]
} else {
yymv1 = nil
}
z.DecSendContainerState(codecSelfer_containerMapValue1234)
if r.TryDecodeAsNil() {
yymv1 = nil
} else {
yyv4 := &yymv1
yyv4.CodecDecodeSelf(d)
}
if yyv1 != nil {
yyv1[yymk1] = yymv1
}
}
} else if yyl1 < 0 {
for yyj1 := 0; !r.CheckBreak(); yyj1++ {
z.DecSendContainerState(codecSelfer_containerMapKey1234)
if r.TryDecodeAsNil() {
yymk1 = ""
} else {
yyv5 := &yymk1
yym6 := z.DecBinary()
_ = yym6
if false {
} else {
*((*string)(yyv5)) = r.DecodeString()
}
}
if yymg1 {
yymv1 = yyv1[yymk1]
} else {
yymv1 = nil
}
z.DecSendContainerState(codecSelfer_containerMapValue1234)
if r.TryDecodeAsNil() {
yymv1 = nil
} else {
yyv7 := &yymv1
yyv7.CodecDecodeSelf(d)
}
if yyv1 != nil {
yyv1[yymk1] = yymv1
}
}
} // else len==0: TODO: Should we clear map entries?
z.DecSendContainerState(codecSelfer_containerMapEnd1234)
}
func (x codecSelfer1234) encExtraValue(v ExtraValue, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
_, _, _ = h, z, r
r.EncodeArrayStart(len(v))
for _, yyv1 := range v {
z.EncSendContainerState(codecSelfer_containerArrayElem1234)
yym2 := z.EncBinary()
_ = yym2
if false {
} else {
r.EncodeString(codecSelferC_UTF81234, string(yyv1))
}
}
z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
}
func (x codecSelfer1234) decExtraValue(v *ExtraValue, d *codec1978.Decoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperDecoder(d)
_, _, _ = h, z, r
yyv1 := *v
yyh1, yyl1 := z.DecSliceHelperStart()
var yyc1 bool
_ = yyc1
if yyl1 == 0 {
if yyv1 == nil {
yyv1 = []string{}
yyc1 = true
} else if len(yyv1) != 0 {
yyv1 = yyv1[:0]
yyc1 = true
}
} else if yyl1 > 0 {
var yyrr1, yyrl1 int
var yyrt1 bool
_, _ = yyrl1, yyrt1
yyrr1 = yyl1 // len(yyv1)
if yyl1 > cap(yyv1) {
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]
} else {
yyv1 = make([]string, yyrl1)
}
} else {
yyv1 = make([]string, yyrl1)
}
yyc1 = true
yyrr1 = len(yyv1)
} else if yyl1 != len(yyv1) {
yyv1 = yyv1[:yyl1]
yyc1 = true
}
yyj1 := 0
for ; yyj1 < yyrr1; yyj1++ {
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = ""
} else {
yyv2 := &yyv1[yyj1]
yym3 := z.DecBinary()
_ = yym3
if false {
} else {
*((*string)(yyv2)) = r.DecodeString()
}
}
}
if yyrt1 {
for ; yyj1 < yyl1; yyj1++ {
yyv1 = append(yyv1, "")
yyh1.ElemContainerState(yyj1)
if r.TryDecodeAsNil() {
yyv1[yyj1] = ""
} else {
yyv4 := &yyv1[yyj1]
yym5 := z.DecBinary()
_ = yym5
if false {
} else {
*((*string)(yyv4)) = r.DecodeString()
}
}
}
}
} else {
yyj1 := 0
for ; !r.CheckBreak(); yyj1++ {
if yyj1 >= len(yyv1) {
yyv1 = append(yyv1, "") // var yyz1 string
yyc1 = true
}
yyh1.ElemContainerState(yyj1)
if yyj1 < len(yyv1) {
if r.TryDecodeAsNil() {
yyv1[yyj1] = ""
} else {
yyv6 := &yyv1[yyj1]
yym7 := z.DecBinary()
_ = yym7
if false {
} else {
*((*string)(yyv6)) = r.DecodeString()
}
}
} else {
z.DecSwallow()
}
}
if yyj1 < len(yyv1) {
yyv1 = yyv1[:yyj1]
yyc1 = true
} else if yyj1 == 0 && yyv1 == nil {
yyv1 = []string{}
yyc1 = true
}
}
yyh1.End()
if yyc1 {
*v = yyv1
}
}
func (x codecSelfer1234) encSliceCertificateSigningRequestCondition(v []CertificateSigningRequestCondition, e *codec1978.Encoder) {
var h codecSelfer1234
z, r := codec1978.GenHelperEncoder(e)
@ -2202,7 +2543,7 @@ func (x codecSelfer1234) decSliceCertificateSigningRequest(v *[]CertificateSigni
yyrg1 := len(yyv1) > 0
yyv21 := yyv1
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 408)
yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 416)
if yyrt1 {
if yyrl1 <= cap(yyv1) {
yyv1 = yyv1[:yyrl1]


@ -17,6 +17,8 @@ limitations under the License.
package v1beta1
import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -39,7 +41,7 @@ type CertificateSigningRequest struct {
}
// This information is immutable after the request is created. Only the Request
// and ExtraInfo fields can be set on creation, other fields are derived by
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
@ -51,14 +53,31 @@ type CertificateSigningRequestSpec struct {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
// Information about the requesting user (if relevant)
// See user.Info interface for details
// Information about the requesting user.
// See user.Info interface for details.
// +optional
Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
// UID information about the requesting user.
// See user.Info interface for details.
// +optional
UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
// Group information about the requesting user.
// See user.Info interface for details.
// +optional
Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
// Extra information about the requesting user.
// See user.Info interface for details.
// +optional
Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
}
// ExtraValue masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type ExtraValue []string
func (t ExtraValue) String() string {
return fmt.Sprintf("%v", []string(t))
}
type CertificateSigningRequestStatus struct {
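Review bot: The doc comment on `ExtraValue` breaks off mid-sentence (`masks the value so protobuf can generate`) and the exported `String` method has no comment, so a reader has to infer the type's purpose from the `Extra` field. Something like `// ExtraValue holds the values of one user.Info extra attribute; it is a named type, apparently so the protobuf generator can emit a message for the map value.` and `// String formats the values like a plain []string.` would cover it. The comments on `Username`, `UID`, `Groups` and `Extra` could also state the property that consumers of these fields depend on, for example `// Populated by the API server from the authenticated request; client-supplied values are discarded on create.`, which matches what the PrepareForCreate hunk on this page does.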


@ -49,10 +49,13 @@ func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string {
}
var map_CertificateSigningRequestSpec = map[string]string{
"": "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"": "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"request": "Base64-encoded PKCS#10 CSR data",
"usages": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12",
"username": "Information about the requesting user (if relevant) See user.Info interface for details",
"username": "Information about the requesting user. See user.Info interface for details.",
"uid": "UID information about the requesting user. See user.Info interface for details.",
"groups": "Group information about the requesting user. See user.Info interface for details.",
"extra": "Extra information about the requesting user. See user.Info interface for details.",
}
func (CertificateSigningRequestSpec) SwaggerDoc() map[string]string {


@ -128,6 +128,7 @@ func autoConvert_v1beta1_CertificateSigningRequestSpec_To_certificates_Certifica
out.Username = in.Username
out.UID = in.UID
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
out.Extra = *(*map[string]certificates.ExtraValue)(unsafe.Pointer(&in.Extra))
return nil
}
@ -141,6 +142,7 @@ func autoConvert_certificates_CertificateSigningRequestSpec_To_v1beta1_Certifica
out.Username = in.Username
out.UID = in.UID
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
out.Extra = *(*map[string]ExtraValue)(unsafe.Pointer(&in.Extra))
return nil
}


@ -111,6 +111,17 @@ func DeepCopy_v1beta1_CertificateSigningRequestSpec(in interface{}, out interfac
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string]ExtraValue)
for key, val := range *in {
if newVal, err := c.DeepCopy(&val); err != nil {
return err
} else {
(*out)[key] = *newVal.(*ExtraValue)
}
}
}
return nil
}
}


@ -111,6 +111,17 @@ func DeepCopy_certificates_CertificateSigningRequestSpec(in interface{}, out int
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string]ExtraValue)
for key, val := range *in {
if newVal, err := c.DeepCopy(&val); err != nil {
return err
} else {
(*out)[key] = *newVal.(*ExtraValue)
}
}
}
return nil
}
}


@ -12085,7 +12085,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
"k8s.io/kubernetes/pkg/apis/certificates/v1beta1.CertificateSigningRequestSpec": {
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
Description: "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
Properties: map[string]spec.Schema{
"request": {
SchemaProps: spec.SchemaProps{
@ -12110,20 +12110,22 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
},
"username": {
SchemaProps: spec.SchemaProps{
Description: "Information about the requesting user (if relevant) See user.Info interface for details",
Description: "Information about the requesting user. See user.Info interface for details.",
Type: []string{"string"},
Format: "",
},
},
"uid": {
SchemaProps: spec.SchemaProps{
Type: []string{"string"},
Format: "",
Description: "UID information about the requesting user. See user.Info interface for details.",
Type: []string{"string"},
Format: "",
},
},
"groups": {
SchemaProps: spec.SchemaProps{
Type: []string{"array"},
Description: "Group information about the requesting user. See user.Info interface for details.",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
@ -12134,6 +12136,27 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
},
},
},
"extra": {
SchemaProps: spec.SchemaProps{
Description: "Extra information about the requesting user. See user.Info interface for details.",
Type: []string{"object"},
AdditionalProperties: &spec.SchemaOrBool{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"string"},
Format: "",
},
},
},
},
},
},
},
},
},
Required: []string{"request"},
},


@ -61,11 +61,18 @@ func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.O
csr.Spec.Username = ""
csr.Spec.UID = ""
csr.Spec.Groups = nil
csr.Spec.Extra = nil
// Inject user.Info from request context
if user, ok := genericapirequest.UserFrom(ctx); ok {
csr.Spec.Username = user.GetName()
csr.Spec.UID = user.GetUID()
csr.Spec.Groups = user.GetGroups()
if extra := user.GetExtra(); len(extra) > 0 {
csr.Spec.Extra = map[string]certificates.ExtraValue{}
for k, v := range extra {
csr.Spec.Extra[k] = certificates.ExtraValue(v)
}
}
}
// Be explicit that users cannot create pre-approved certificate requests.
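Review bot: The values stored in `csr.Spec.Extra` share their backing arrays with the slices returned by `user.GetExtra()`, because `certificates.ExtraValue(v)` is a type conversion and not a copy; the existing `csr.Spec.Groups = user.GetGroups()` line has the same property. Whether the user.Info in the request context is shared between requests is not visible here, but if it is, an in-place change on either side would alter the other, and these fields are intended to feed authorization checks for auto-approval. A per-value copy avoids the coupling: `csr.Spec.Extra[k] = append(certificates.ExtraValue{}, v...)`. PrepareForCreate begins and ends outside this hunk.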


@ -56,6 +56,7 @@ func TestStrategyCreate(t *testing.T) {
Username: "bob",
UID: "123",
Groups: []string{"group1"},
Extra: map[string]certapi.ExtraValue{"foo": {"bar"}},
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},