diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index a6defd83d53..503ed1be274 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -77370,12 +77370,9 @@
},
"io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig": {
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
- "required": [
- "caBundle"
- ],
"properties": {
"caBundle": {
- "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
+ "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string",
"format": "byte"
},
@@ -79979,7 +79976,7 @@
"description": "WebhookClientConfig contains the information to make a connection with the webhook",
"properties": {
"caBundle": {
- "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type",
+ "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string",
"format": "byte"
},
@@ -93505,7 +93502,7 @@
],
"properties": {
"caBundle": {
- "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.",
+ "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string",
"format": "byte"
},
@@ -93664,7 +93661,7 @@
],
"properties": {
"caBundle": {
- "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.",
+ "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string",
"format": "byte"
},
diff --git a/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json b/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
index 4cd641fc88a..80d0aa79c55 100644
--- a/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
+++ b/api/swagger-spec/admissionregistration.k8s.io_v1beta1.json
@@ -1860,10 +1860,6 @@
"v1beta1.WebhookClientConfig": {
"id": "v1beta1.WebhookClientConfig",
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
- "required": [
- "service",
- "caBundle"
- ],
"properties": {
"url": {
"type": "string",
@@ -1875,7 +1871,7 @@
},
"caBundle": {
"type": "string",
- "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required."
+ "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
}
}
},
diff --git a/api/swagger-spec/auditregistration.k8s.io_v1alpha1.json b/api/swagger-spec/auditregistration.k8s.io_v1alpha1.json
index 64c8229ae5a..44634e05421 100644
--- a/api/swagger-spec/auditregistration.k8s.io_v1alpha1.json
+++ b/api/swagger-spec/auditregistration.k8s.io_v1alpha1.json
@@ -1155,10 +1155,6 @@
"v1alpha1.WebhookClientConfig": {
"id": "v1alpha1.WebhookClientConfig",
"description": "WebhookClientConfig contains the information to make a connection with the webhook",
- "required": [
- "service",
- "caBundle"
- ],
"properties": {
"url": {
"type": "string",
@@ -1170,7 +1166,7 @@
},
"caBundle": {
"type": "string",
- "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type"
+ "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
}
}
},
diff --git a/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html b/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
index 51f3f9ae2bd..2b6ea0060b6 100755
--- a/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
+++ b/docs/api-reference/admissionregistration.k8s.io/v1beta1/definitions.html
@@ -1613,14 +1613,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
If the webhook is running within the cluster, then you should use service.
Port 443 will be used if it is open, otherwise it is an error.
-true |
+false |
v1beta1.ServiceReference |
|
caBundle |
-caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. Required.
|
-true |
+caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.
|
+false |
string |
|
diff --git a/docs/api-reference/auditregistration.k8s.io/v1alpha1/definitions.html b/docs/api-reference/auditregistration.k8s.io/v1alpha1/definitions.html
index 083c31252e5..c2b69930434 100755
--- a/docs/api-reference/auditregistration.k8s.io/v1alpha1/definitions.html
+++ b/docs/api-reference/auditregistration.k8s.io/v1alpha1/definitions.html
@@ -525,14 +525,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
If the webhook is running within the cluster, then you should use service.
Port 443 will be used if it is open, otherwise it is an error.
-true |
+false |
v1alpha1.ServiceReference |
|
caBundle |
-caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. defaults to the apiservers CA bundle for the endpoint type
|
-true |
+caBundle is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.
|
+false |
string |
|
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
index 4d55ca878a9..2a23a370916 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
@@ -261,9 +261,9 @@ message WebhookClientConfig {
// +optional
optional ServiceReference service = 1;
- // `caBundle` is a PEM encoded CA bundle which will be used to validate
- // the webhook's server certificate.
- // Required.
+ // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+ // If unspecified, system trust roots on the apiserver are used.
+ // +optional
optional bytes caBundle = 2;
}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
index aab917a4028..12c209b0b8a 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/types_swagger_doc_generated.go
@@ -116,7 +116,7 @@ var map_WebhookClientConfig = map[string]string{
"": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
- "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
+ "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
}
func (WebhookClientConfig) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/auditregistration/v1alpha1/generated.proto b/staging/src/k8s.io/api/auditregistration/v1alpha1/generated.proto
index ba42a1cf38f..1b715f062e5 100644
--- a/staging/src/k8s.io/api/auditregistration/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/auditregistration/v1alpha1/generated.proto
@@ -137,9 +137,8 @@ message WebhookClientConfig {
// +optional
optional ServiceReference service = 2;
- // `caBundle` is a PEM encoded CA bundle which will be used to validate
- // the webhook's server certificate.
- // defaults to the apiservers CA bundle for the endpoint type
+ // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+ // If unspecified, system trust roots on the apiserver are used.
// +optional
optional bytes caBundle = 3;
}
diff --git a/staging/src/k8s.io/api/auditregistration/v1alpha1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/auditregistration/v1alpha1/types_swagger_doc_generated.go
index 914932e6aa7..0fe9133326e 100644
--- a/staging/src/k8s.io/api/auditregistration/v1alpha1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/auditregistration/v1alpha1/types_swagger_doc_generated.go
@@ -90,7 +90,7 @@ var map_WebhookClientConfig = map[string]string{
"": "WebhookClientConfig contains the information to make a connection with the webhook",
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
- "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type",
+ "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
}
func (WebhookClientConfig) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto
index 5e24aa5d0e7..f33fc31dc70 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto
@@ -88,6 +88,7 @@ message APIServiceSpec {
optional bool insecureSkipTLSVerify = 4;
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
+ // If unspecified, system trust roots on the apiserver are used.
// +optional
optional bytes caBundle = 5;
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto
index 3a45347a796..d3b30e742b9 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto
@@ -88,6 +88,7 @@ message APIServiceSpec {
optional bool insecureSkipTLSVerify = 4;
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
+ // If unspecified, system trust roots on the apiserver are used.
// +optional
optional bytes caBundle = 5;