Include all user.Info data in CSR object

pkg/apis/certificates/types.go

@@ -37,7 +37,7 @@ type CertificateSigningRequest struct {
 }
 
 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@@ -49,16 +49,27 @@ type CertificateSigningRequestSpec struct {
 	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage
 
-	// Information about the requesting user (if relevant)
+	// Information about the requesting user.
-	// See user.Info interface for details
+	// See user.Info interface for details.
 	// +optional
 	Username string
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue
 }
 
+// ExtraValue masks the value so protobuf can generate
+type ExtraValue []string
+
 type CertificateSigningRequestStatus struct {
 	// Conditions applied to the request, such as approval or denial.
 	// +optional

pkg/apis/certificates/v1beta1/types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -39,7 +41,7 @@ type CertificateSigningRequest struct {
 }
 
 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@@ -51,14 +53,31 @@ type CertificateSigningRequestSpec struct {
 	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
 
-	// Information about the requesting user (if relevant)
+	// Information about the requesting user.
-	// See user.Info interface for details
+	// See user.Info interface for details.
 	// +optional
 	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
 }
 
 type CertificateSigningRequestStatus struct {

pkg/registry/certificates/certificates/strategy.go

@@ -61,11 +61,18 @@ func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.O
 	csr.Spec.Username = ""
 	csr.Spec.UID = ""
 	csr.Spec.Groups = nil
+	csr.Spec.Extra = nil
 	// Inject user.Info from request context
 	if user, ok := genericapirequest.UserFrom(ctx); ok {
 		csr.Spec.Username = user.GetName()
 		csr.Spec.UID = user.GetUID()
 		csr.Spec.Groups = user.GetGroups()
+		if extra := user.GetExtra(); len(extra) > 0 {
+			csr.Spec.Extra = map[string]certificates.ExtraValue{}
+			for k, v := range extra {
+				csr.Spec.Extra[k] = certificates.ExtraValue(v)
+			}
+		}
 	}
 
 	// Be explicit that users cannot create pre-approved certificate requests.

pkg/registry/certificates/certificates/strategy_test.go

@@ -56,6 +56,7 @@ func TestStrategyCreate(t *testing.T) {
 					Username: "bob",
 					UID:      "123",
 					Groups:   []string{"group1"},
+					Extra:    map[string]certapi.ExtraValue{"foo": {"bar"}},
 				},
 				Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
 			},