Include all user.Info data in CSR object

2025-07-24 04:06:03 +00:00 · 2017-02-20 13:20:42 -05:00 · 2017-02-20 13:20:42 -05:00 · beb291d6d2
commit beb291d6d2
parent a3c8d1405b
4 changed files with 44 additions and 6 deletions
--- a/pkg/apis/certificates/types.go
+++ b/pkg/apis/certificates/types.go
@ -37,7 +37,7 @@ type CertificateSigningRequest struct {
 }

 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@ -49,16 +49,27 @@ type CertificateSigningRequestSpec struct {
 	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage

-	// Information about the requesting user (if relevant)
-	// See user.Info interface for details
+	// Information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Username string
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue
 }

+// ExtraValue masks the value so protobuf can generate
+type ExtraValue []string
+
 type CertificateSigningRequestStatus struct {
 	// Conditions applied to the request, such as approval or denial.
 	// +optional
--- a/pkg/apis/certificates/v1beta1/types.go
+++ b/pkg/apis/certificates/v1beta1/types.go
@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1

 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

@ -39,7 +41,7 @@ type CertificateSigningRequest struct {
 }

 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@ -51,14 +53,31 @@ type CertificateSigningRequestSpec struct {
 	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`

-	// Information about the requesting user (if relevant)
-	// See user.Info interface for details
+	// Information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
 }

 type CertificateSigningRequestStatus struct {
--- a/pkg/registry/certificates/certificates/strategy.go
+++ b/pkg/registry/certificates/certificates/strategy.go
@ -61,11 +61,18 @@ func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.O
 	csr.Spec.Username = ""
 	csr.Spec.UID = ""
 	csr.Spec.Groups = nil
+	csr.Spec.Extra = nil
 	// Inject user.Info from request context
 	if user, ok := genericapirequest.UserFrom(ctx); ok {
 		csr.Spec.Username = user.GetName()
 		csr.Spec.UID = user.GetUID()
 		csr.Spec.Groups = user.GetGroups()
+		if extra := user.GetExtra(); len(extra) > 0 {
+			csr.Spec.Extra = map[string]certificates.ExtraValue{}
+			for k, v := range extra {
+				csr.Spec.Extra[k] = certificates.ExtraValue(v)
+			}
+		}
 	}

 	// Be explicit that users cannot create pre-approved certificate requests.
--- a/pkg/registry/certificates/certificates/strategy_test.go
+++ b/pkg/registry/certificates/certificates/strategy_test.go
@ -56,6 +56,7 @@ func TestStrategyCreate(t *testing.T) {
 					Username: "bob",
 					UID:      "123",
 					Groups:   []string{"group1"},
+					Extra:    map[string]certapi.ExtraValue{"foo": {"bar"}},
 				},
 				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
 			},