kilo/vendor/k8s.io/api/certificates/v1beta1/generated.proto

/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


// This file was autogenerated by go-to-protobuf. Do not edit it manually!

syntax = "proto2";

package k8s.io.api.certificates.v1beta1;

import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "k8s.io/api/certificates/v1beta1";

// Describes a certificate signing request
// +k8s:supportsSubresource=/status
// +k8s:supportsSubresource=/approval
message CertificateSigningRequest {
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the certificate request, and is immutable after creation.
  // Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
  // Other fields are derived by Kubernetes and cannot be modified by users.
  optional CertificateSigningRequestSpec spec = 2;

  // Derived information about the request.
  // +optional
  optional CertificateSigningRequestStatus status = 3;
}

message CertificateSigningRequestCondition {
  // type of the condition. Known conditions include "Approved", "Denied", and "Failed".
  optional string type = 1;

  // Status of the condition, one of True, False, Unknown.
  // Approved, Denied, and Failed conditions may not be "False" or "Unknown".
  // Defaults to "True".
  // If unset, should be treated as "True".
  // +optional
  optional string status = 6;

  // brief reason for the request state
  // +optional
  optional string reason = 2;

  // human readable message with details about the request state
  // +optional
  optional string message = 3;

  // timestamp for the last update to this condition
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;

  // lastTransitionTime is the time the condition last transitioned from one status to another.
  // If unset, when a new condition type is added or an existing condition's status is changed,
  // the server defaults this to the current time.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 5;
}

message CertificateSigningRequestList {
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  repeated CertificateSigningRequest items = 2;
}

// CertificateSigningRequestSpec contains the certificate request.
message CertificateSigningRequestSpec {
  // Base64-encoded PKCS#10 CSR data
  optional bytes request = 1;

  // Requested signer for the request. It is a qualified name in the form:
  // `scope-hostname.io/name`.
  // If empty, it will be defaulted:
  //  1. If it's a kubelet client certificate, it is assigned
  //     "kubernetes.io/kube-apiserver-client-kubelet".
  //  2. If it's a kubelet serving certificate, it is assigned
  //     "kubernetes.io/kubelet-serving".
  //  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
  // Distribution of trust for signers happens out of band.
  // You can select on this field using `spec.signerName`.
  // +optional
  optional string signerName = 7;

  // expirationSeconds is the requested duration of validity of the issued
  // certificate. The certificate signer may issue a certificate with a different
  // validity duration so a client must check the delta between the notBefore and
  // and notAfter fields in the issued certificate to determine the actual duration.
  //
  // The v1.22+ in-tree implementations of the well-known Kubernetes signers will
  // honor this field as long as the requested duration is not greater than the
  // maximum duration they will honor per the --cluster-signing-duration CLI
  // flag to the Kubernetes controller manager.
  //
  // Certificate signers may not honor this field for various reasons:
  //
  //   1. Old signer that is unaware of the field (such as the in-tree
  //      implementations prior to v1.22)
  //   2. Signer whose configured maximum is shorter than the requested duration
  //   3. Signer whose configured minimum is longer than the requested duration
  //
  // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
  //
  // +optional
  optional int32 expirationSeconds = 8;

  // allowedUsages specifies a set of usage contexts the key will be
  // valid for.
  // See:
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
  // 	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
  //
  // Valid values are:
  //  "signing",
  //  "digital signature",
  //  "content commitment",
  //  "key encipherment",
  //  "key agreement",
  //  "data encipherment",
  //  "cert sign",
  //  "crl sign",
  //  "encipher only",
  //  "decipher only",
  //  "any",
  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",
  //  "ipsec tunnel",
  //  "ipsec user",
  //  "timestamping",
  //  "ocsp signing",
  //  "microsoft sgc",
  //  "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

  // Information about the requesting user.
  // See user.Info interface for details.
  // +optional
  optional string username = 2;

  // UID information about the requesting user.
  // See user.Info interface for details.
  // +optional
  optional string uid = 3;

  // Group information about the requesting user.
  // See user.Info interface for details.
  // +listType=atomic
  // +optional
  repeated string groups = 4;

  // Extra information about the requesting user.
  // See user.Info interface for details.
  // +optional
  map<string, ExtraValue> extra = 6;
}

message CertificateSigningRequestStatus {
  // Conditions applied to the request, such as approval or denial.
  // +listType=map
  // +listMapKey=type
  // +optional
  // +k8s:listType=map
  // +k8s:listMapKey=type
  // +k8s:customUnique
  // +k8s:optional
  // +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
  // +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
  repeated CertificateSigningRequestCondition conditions = 1;

  // If request was approved, the controller will place the issued certificate here.
  // +optional
  optional bytes certificate = 2;
}

// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster, because they can be mounted by pods using the
// `clusterTrustBundle` projection.  All service accounts have read access to
// ClusterTrustBundles by default.  Users who only have namespace-level access
// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to.
//
// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
  // metadata contains the object metadata.
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the signer (if any) and trust anchors.
  optional ClusterTrustBundleSpec spec = 2;
}

// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
message ClusterTrustBundleList {
  // metadata contains the list metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of ClusterTrustBundle objects
  repeated ClusterTrustBundle items = 2;
}

// ClusterTrustBundleSpec contains the signer and trust anchors.
message ClusterTrustBundleSpec {
  // signerName indicates the associated signer, if any.
  //
  // In order to create or update a ClusterTrustBundle that sets signerName,
  // you must have the following cluster-scoped permission:
  // group=certificates.k8s.io resource=signers resourceName=<the signer name>
  // verb=attest.
  //
  // If signerName is not empty, then the ClusterTrustBundle object must be
  // named with the signer name as a prefix (translating slashes to colons).
  // For example, for the signer name `example.com/foo`, valid
  // ClusterTrustBundle object names include `example.com:foo:abc` and
  // `example.com:foo:v1`.
  //
  // If signerName is empty, then the ClusterTrustBundle object's name must
  // not have such a prefix.
  //
  // List/watch requests for ClusterTrustBundles can filter on this field
  // using a `spec.signerName=NAME` field selector.
  //
  // +optional
  optional string signerName = 1;

  // trustBundle contains the individual X.509 trust anchors for this
  // bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
  //
  // The data must consist only of PEM certificate blocks that parse as valid
  // X.509 certificates.  Each certificate must include a basic constraints
  // extension with the CA bit set.  The API server will reject objects that
  // contain duplicate certificates, or that use PEM block headers.
  //
  // Users of ClusterTrustBundles, including Kubelet, are free to reorder and
  // deduplicate certificate blocks in this file according to their own logic,
  // as well as to drop PEM block headers and inter-block data.
  optional string trustBundle = 2;
}

// ExtraValue masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
message ExtraValue {
  // items, if empty, will result in an empty slice

  repeated string items = 1;
}

// PodCertificateRequest encodes a pod requesting a certificate from a given
// signer.
//
// Kubelets use this API to implement podCertificate projected volumes
message PodCertificateRequest {
  // metadata contains the object metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec contains the details about the certificate being requested.
  optional PodCertificateRequestSpec spec = 2;

  // status contains the issued certificate, and a standard set of conditions.
  // +optional
  optional PodCertificateRequestStatus status = 3;
}

// PodCertificateRequestList is a collection of PodCertificateRequest objects
message PodCertificateRequestList {
  // metadata contains the list metadata.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items is a collection of PodCertificateRequest objects
  repeated PodCertificateRequest items = 2;
}

// PodCertificateRequestSpec describes the certificate request.  All fields are
// immutable after creation.
message PodCertificateRequestSpec {
  // signerName indicates the requested signer.
  //
  // All signer names beginning with `kubernetes.io` are reserved for use by
  // the Kubernetes project.  There is currently one well-known signer
  // documented by the Kubernetes project,
  // `kubernetes.io/kube-apiserver-client-pod`, which will issue client
  // certificates understood by kube-apiserver.  It is currently
  // unimplemented.
  //
  // +required
  optional string signerName = 1;

  // podName is the name of the pod into which the certificate will be mounted.
  //
  // +required
  optional string podName = 2;

  // podUID is the UID of the pod into which the certificate will be mounted.
  //
  // +required
  optional string podUID = 3;

  // serviceAccountName is the name of the service account the pod is running as.
  //
  // +required
  optional string serviceAccountName = 4;

  // serviceAccountUID is the UID of the service account the pod is running as.
  //
  // +required
  optional string serviceAccountUID = 5;

  // nodeName is the name of the node the pod is assigned to.
  //
  // +required
  optional string nodeName = 6;

  // nodeUID is the UID of the node the pod is assigned to.
  //
  // +required
  optional string nodeUID = 7;

  // maxExpirationSeconds is the maximum lifetime permitted for the
  // certificate.
  //
  // If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
  // will reject values shorter than 3600 (1 hour).  The maximum allowable
  // value is 7862400 (91 days).
  //
  // The signer implementation is then free to issue a certificate with any
  // lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
  // seconds (1 hour).  This constraint is enforced by kube-apiserver.
  // `kubernetes.io` signers will never issue certificates with a lifetime
  // longer than 24 hours.
  //
  // +optional
  // +default=86400
  optional int32 maxExpirationSeconds = 8;

  // pkixPublicKey is the PKIX-serialized public key the signer will issue the
  // certificate to.
  //
  // The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
  // or ED25519. Note that this list may be expanded in the future.
  //
  // Signer implementations do not need to support all key types supported by
  // kube-apiserver and kubelet.  If a signer does not support the key type
  // used for a given PodCertificateRequest, it must deny the request by
  // setting a status.conditions entry with a type of "Denied" and a reason of
  // "UnsupportedKeyType". It may also suggest a key type that it does support
  // in the message field.
  //
  // +required
  optional bytes pkixPublicKey = 9;

  // proofOfPossession proves that the requesting kubelet holds the private
  // key corresponding to pkixPublicKey.
  //
  // It is contructed by signing the ASCII bytes of the pod's UID using
  // `pkixPublicKey`.
  //
  // kube-apiserver validates the proof of possession during creation of the
  // PodCertificateRequest.
  //
  // If the key is an RSA key, then the signature is over the ASCII bytes of
  // the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
  // function crypto/rsa.SignPSS with nil options).
  //
  // If the key is an ECDSA key, then the signature is as described by [SEC 1,
  // Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
  // golang library function crypto/ecdsa.SignASN1)
  //
  // If the key is an ED25519 key, the the signature is as described by the
  // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
  // the golang library crypto/ed25519.Sign).
  //
  // +required
  optional bytes proofOfPossession = 10;

  // unverifiedUserAnnotations allow pod authors to pass additional information to
  // the signer implementation.  Kubernetes does not restrict or validate this
  // metadata in any way.
  //
  // Entries are subject to the same validation as object metadata annotations,
  // with the addition that all keys must be domain-prefixed. No restrictions
  // are placed on values, except an overall size limitation on the entire field.
  //
  // Signers should document the keys and values they support.  Signers should
  // deny requests that contain keys they do not recognize.
  map<string, string> unverifiedUserAnnotations = 11;
}

// PodCertificateRequestStatus describes the status of the request, and holds
// the certificate data if the request is issued.
message PodCertificateRequestStatus {
  // conditions applied to the request.
  //
  // The types "Issued", "Denied", and "Failed" have special handling.  At
  // most one of these conditions may be present, and they must have status
  // "True".
  //
  // If the request is denied with `Reason=UnsupportedKeyType`, the signer may
  // suggest a key type that will work in the message field.
  //
  // +patchMergeKey=type
  // +patchStrategy=merge
  // +listType=map
  // +listMapKey=type
  // +optional
  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;

  // certificateChain is populated with an issued certificate by the signer.
  // This field is set via the /status subresource. Once populated, this field
  // is immutable.
  //
  // If the certificate signing request is denied, a condition of type
  // "Denied" is added and this field remains empty. If the signer cannot
  // issue the certificate, a condition of type "Failed" is added and this
  // field remains empty.
  //
  // Validation requirements:
  //  1. certificateChain must consist of one or more PEM-formatted certificates.
  //  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
  //     described in section 4 of RFC5280.
  //
  // If more than one block is present, and the definition of the requested
  // spec.signerName does not indicate otherwise, the first block is the
  // issued certificate, and subsequent blocks should be treated as
  // intermediate certificates and presented in TLS handshakes.  When
  // projecting the chain into a pod volume, kubelet will drop any data
  // in-between the PEM blocks, as well as any PEM block headers.
  //
  // +optional
  optional string certificateChain = 2;

  // notBefore is the time at which the certificate becomes valid.  The value
  // must be the same as the notBefore value in the leaf certificate in
  // certificateChain.  This field is set via the /status subresource.  Once
  // populated, it is immutable. The signer must set this field at the same
  // time it sets certificateChain.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notBefore = 4;

  // beginRefreshAt is the time at which the kubelet should begin trying to
  // refresh the certificate.  This field is set via the /status subresource,
  // and must be set at the same time as certificateChain.  Once populated,
  // this field is immutable.
  //
  // This field is only a hint.  Kubelet may start refreshing before or after
  // this time if necessary.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time beginRefreshAt = 5;

  // notAfter is the time at which the certificate expires.  The value must be
  // the same as the notAfter value in the leaf certificate in
  // certificateChain.  This field is set via the /status subresource.  Once
  // populated, it is immutable.  The signer must set this field at the same
  // time it sets certificateChain.
  //
  // +optional
  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notAfter = 6;
}