updated vendor
+44
-16
@@ -30,8 +30,8 @@ import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
||||
option go_package = "k8s.io/api/certificates/v1beta1";
|
||||
|
||||
// Describes a certificate signing request
|
||||
// +k8s:supportsSubresource=/status
|
||||
// +k8s:supportsSubresource=/approval
|
||||
// +k8s:supportsSubresource="/status"
|
||||
// +k8s:supportsSubresource="/approval"
|
||||
message CertificateSigningRequest {
|
||||
// +optional
|
||||
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
||||
@@ -183,12 +183,12 @@ message CertificateSigningRequestStatus {
|
||||
// +listType=map
|
||||
// +listMapKey=type
|
||||
// +optional
|
||||
// +k8s:listType=map
|
||||
// +k8s:listMapKey=type
|
||||
// +k8s:customUnique
|
||||
// +k8s:optional
|
||||
// +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
|
||||
// +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
|
||||
// +k8s:alpha(since: "1.36")=+k8s:listType=map
|
||||
// +k8s:alpha(since: "1.36")=+k8s:listMapKey=type
|
||||
// +k8s:alpha(since: "1.36")=+k8s:customUnique
|
||||
// +k8s:alpha(since: "1.36")=+k8s:optional
|
||||
// +k8s:alpha(since: "1.36")=+k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
|
||||
// +k8s:alpha(since: "1.36")=+k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
|
||||
repeated CertificateSigningRequestCondition conditions = 1;
|
||||
|
||||
// If request was approved, the controller will place the issued certificate here.
|
||||
@@ -289,6 +289,7 @@ message PodCertificateRequest {
|
||||
optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
||||
|
||||
// spec contains the details about the certificate being requested.
|
||||
// +required
|
||||
optional PodCertificateRequestSpec spec = 2;
|
||||
|
||||
// status contains the issued certificate, and a standard set of conditions.
|
||||
@@ -369,8 +370,7 @@ message PodCertificateRequestSpec {
|
||||
// +default=86400
|
||||
optional int32 maxExpirationSeconds = 8;
|
||||
|
||||
// pkixPublicKey is the PKIX-serialized public key the signer will issue the
|
||||
// certificate to.
|
||||
// The PKIX-serialized public key the signer will issue the certificate to.
|
||||
//
|
||||
// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
|
||||
// or ED25519. Note that this list may be expanded in the future.
|
||||
@@ -382,11 +382,16 @@ message PodCertificateRequestSpec {
|
||||
// "UnsupportedKeyType". It may also suggest a key type that it does support
|
||||
// in the message field.
|
||||
//
|
||||
// +required
|
||||
// Deprecated: This field is replaced by StubPKCS10Request. If
|
||||
// StubPKCS10Request is set, this field must be empty. Signer
|
||||
// implementations should extract the public key from the StubPKCS10Request
|
||||
// field.
|
||||
//
|
||||
// +optional
|
||||
optional bytes pkixPublicKey = 9;
|
||||
|
||||
// proofOfPossession proves that the requesting kubelet holds the private
|
||||
// key corresponding to pkixPublicKey.
|
||||
// A proof that the requesting kubelet holds the private key corresponding
|
||||
// to pkixPublicKey.
|
||||
//
|
||||
// It is contructed by signing the ASCII bytes of the pod's UID using
|
||||
// `pkixPublicKey`.
|
||||
@@ -403,12 +408,35 @@ message PodCertificateRequestSpec {
|
||||
// golang library function crypto/ecdsa.SignASN1)
|
||||
//
|
||||
// If the key is an ED25519 key, the the signature is as described by the
|
||||
// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
|
||||
// the golang library crypto/ed25519.Sign).
|
||||
// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the
|
||||
// golang library crypto/ed25519.Sign).
|
||||
//
|
||||
// +required
|
||||
// Deprecated: This field is replaced by StubPKCS10Request. If
|
||||
// StubPKCS10Request is set, this field must be empty.
|
||||
//
|
||||
// +optional
|
||||
optional bytes proofOfPossession = 10;
|
||||
|
||||
// A PKCS#10 certificate signing request (DER-serialized) generated by
|
||||
// Kubelet using the subject private key.
|
||||
//
|
||||
// Most signer implementations will ignore the contents of the CSR except to
|
||||
// extract the subject public key. The API server automatically verifies the
|
||||
// CSR signature during admission, so the signer does not need to repeat the
|
||||
// verification. CSRs generated by kubelet are completely empty.
|
||||
//
|
||||
// The subject public key must be one of RSA3072, RSA4096, ECDSAP256,
|
||||
// ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in
|
||||
// the future.
|
||||
//
|
||||
// Signer implementations do not need to support all key types supported by
|
||||
// kube-apiserver and kubelet. If a signer does not support the key type
|
||||
// used for a given PodCertificateRequest, it must deny the request by
|
||||
// setting a status.conditions entry with a type of "Denied" and a reason of
|
||||
// "UnsupportedKeyType". It may also suggest a key type that it does support
|
||||
// in the message field.
|
||||
optional bytes stubPKCS10Request = 12;
|
||||
|
||||
// unverifiedUserAnnotations allow pod authors to pass additional information to
|
||||
// the signer implementation. Kubernetes does not restrict or validate this
|
||||
// metadata in any way.
|
||||
|
||||