github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #113218 from ahmedtd/kep-3257

Browse Source 
Add certificates.k8s.io/v1alpha1 ClusterTrustBundle
This commit is contained in:
Kubernetes Prow Robot 2023-03-16 11:13:20 -07:00 committed by GitHub
commit a34e37c996
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
94 changed files with 8818 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

983
api/openapi-spec/swagger.json generated
View File

File diff suppressed because it is too large Load Diff

10
api/openapi-spec/v3/api__v1_openapi.json
View File

@ -8343,6 +8343,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -9073,6 +9078,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json
View File

@ -774,6 +774,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1499,6 +1504,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json
View File

@ -881,6 +881,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1606,6 +1611,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json
View File

@ -1107,6 +1107,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1775,6 +1780,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__apps__v1_openapi.json
View File

@ -5336,6 +5336,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -6061,6 +6066,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
View File

@ -473,6 +473,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1141,6 +1146,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
View File

@ -1126,6 +1126,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1851,6 +1856,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__batch__v1_openapi.json
View File

@ -4510,6 +4510,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -5235,6 +5240,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json
View File

@ -511,6 +511,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1179,6 +1184,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

2403
api/openapi-spec/v3/apis__certificates.k8s.io__v1alpha1_openapi.json Normal file
View File

File diff suppressed because it is too large Load Diff

10
api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
View File

@ -400,6 +400,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1073,6 +1078,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json
View File

@ -563,6 +563,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1231,6 +1236,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json
View File

@ -522,6 +522,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1195,6 +1200,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1beta2_openapi.json
View File

@ -983,6 +983,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1651,6 +1656,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1beta3_openapi.json
View File

@ -987,6 +987,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1655,6 +1660,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json
View File

@ -490,6 +490,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1158,6 +1163,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json
View File

@ -1151,6 +1151,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1876,6 +1881,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__networking.k8s.io__v1alpha1_openapi.json
View File

@ -602,6 +602,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1270,6 +1275,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json
View File

@ -463,6 +463,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1131,6 +1136,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__policy__v1_openapi.json
View File

@ -526,6 +526,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1251,6 +1256,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
View File

@ -783,6 +783,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1508,6 +1513,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__resource.k8s.io__v1alpha2_openapi.json
View File

@ -1017,6 +1017,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1685,6 +1690,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json
View File

@ -376,6 +376,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1044,6 +1049,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json
View File

@ -2215,6 +2215,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -2940,6 +2945,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

10
api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json
View File

@ -402,6 +402,11 @@
"kind": "DeleteOptions", "kind": "DeleteOptions",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "DeleteOptions",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "DeleteOptions", "kind": "DeleteOptions",
@ -1127,6 +1132,11 @@
"kind": "WatchEvent", "kind": "WatchEvent",
"version": "v1" "version": "v1"
}, },
{
"group": "certificates.k8s.io",
"kind": "WatchEvent",
"version": "v1alpha1"
},
{ {
"group": "certificates.k8s.io", "group": "certificates.k8s.io",
"kind": "WatchEvent", "kind": "WatchEvent",

1
cmd/kube-apiserver/app/aggregator.go
View File

@ -261,6 +261,7 @@ var apiVersionPriorities = map[schema.GroupVersion]priority{
{Group: "batch", Version: "v1beta1"}: {group: 17400, version: 9}, {Group: "batch", Version: "v1beta1"}: {group: 17400, version: 9},
{Group: "batch", Version: "v2alpha1"}: {group: 17400, version: 9}, {Group: "batch", Version: "v2alpha1"}: {group: 17400, version: 9},
{Group: "certificates.k8s.io", Version: "v1"}: {group: 17300, version: 15}, {Group: "certificates.k8s.io", Version: "v1"}: {group: 17300, version: 15},
{Group: "certificates.k8s.io", Version: "v1alpha1"}: {group: 17300, version: 1},
{Group: "networking.k8s.io", Version: "v1"}: {group: 17200, version: 15}, {Group: "networking.k8s.io", Version: "v1"}: {group: 17200, version: 15},
{Group: "networking.k8s.io", Version: "v1alpha1"}: {group: 17200, version: 1}, {Group: "networking.k8s.io", Version: "v1alpha1"}: {group: 17200, version: 1},
{Group: "policy", Version: "v1"}: {group: 17100, version: 15}, {Group: "policy", Version: "v1"}: {group: 17100, version: 15},

1
hack/lib/init.sh
View File

@ -88,6 +88,7 @@ batch/v1 \
batch/v1beta1 \ batch/v1beta1 \
certificates.k8s.io/v1 \ certificates.k8s.io/v1 \
certificates.k8s.io/v1beta1 \ certificates.k8s.io/v1beta1 \
certificates.k8s.io/v1alpha1 \
coordination.k8s.io/v1beta1 \ coordination.k8s.io/v1beta1 \
coordination.k8s.io/v1 \ coordination.k8s.io/v1 \
discovery.k8s.io/v1 \ discovery.k8s.io/v1 \

4
pkg/apis/certificates/install/install.go
View File

@ -24,6 +24,7 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/certificates" "k8s.io/kubernetes/pkg/apis/certificates"
v1 "k8s.io/kubernetes/pkg/apis/certificates/v1" v1 "k8s.io/kubernetes/pkg/apis/certificates/v1"
"k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
"k8s.io/kubernetes/pkg/apis/certificates/v1beta1" "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
) )
@ -36,5 +37,6 @@ func Install(scheme *runtime.Scheme) {
utilruntime.Must(certificates.AddToScheme(scheme)) utilruntime.Must(certificates.AddToScheme(scheme))
utilruntime.Must(v1.AddToScheme(scheme)) utilruntime.Must(v1.AddToScheme(scheme))
utilruntime.Must(v1beta1.AddToScheme(scheme)) utilruntime.Must(v1beta1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion, v1beta1.SchemeGroupVersion)) utilruntime.Must(v1alpha1.AddToScheme(scheme))
utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion, v1beta1.SchemeGroupVersion, v1alpha1.SchemeGroupVersion))
} }

2
pkg/apis/certificates/register.go
View File

@ -47,6 +47,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion, scheme.AddKnownTypes(SchemeGroupVersion,
&CertificateSigningRequest{}, &CertificateSigningRequest{},
&CertificateSigningRequestList{}, &CertificateSigningRequestList{},
&ClusterTrustBundle{},
&ClusterTrustBundleList{},
) )
return nil return nil
} }

53
pkg/apis/certificates/types.go
View File

@ -224,3 +224,56 @@ const (
UsageMicrosoftSGC KeyUsage = "microsoft sgc" UsageMicrosoftSGC KeyUsage = "microsoft sgc"
UsageNetscapeSGC KeyUsage = "netscape sgc" UsageNetscapeSGC KeyUsage = "netscape sgc"
) )
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster.
//
// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer.
type ClusterTrustBundle struct {
metav1.TypeMeta
// +optional
metav1.ObjectMeta
// Spec contains the signer (if any) and trust anchors.
// +optional
Spec ClusterTrustBundleSpec
}
// ClusterTrustBundleSpec contains the signer and trust anchors.
type ClusterTrustBundleSpec struct {
// SignerName indicates the associated signer, if any.
SignerName string
// TrustBundle contains the individual X.509 trust anchors for this
// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
//
// The data must consist only of PEM certificate blocks that parse as valid
// X.509 certificates. Each certificate must include a basic constraints
// extension with the CA bit set. The API server will reject objects that
// contain duplicate certificates, or that use PEM block headers.
//
// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
// deduplicate certificate blocks in this file according to their own logic,
// as well as to drop PEM block headers and inter-block data.
TrustBundle string
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
type ClusterTrustBundleList struct {
metav1.TypeMeta
// +optional
metav1.ListMeta
// Items is a collection of ClusterTrustBundle objects
Items []ClusterTrustBundle
}

37
pkg/apis/certificates/v1alpha1/conversion.go Normal file
View File

@ -0,0 +1,37 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"fmt"
"k8s.io/apimachinery/pkg/runtime"
)
func addConversionFuncs(scheme *runtime.Scheme) error {
return scheme.AddFieldLabelConversionFunc(
SchemeGroupVersion.WithKind("ClusterTrustBundle"),
func(label, value string) (string, string, error) {
switch label {
case "metadata.name", "spec.signerName":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
}

23
pkg/apis/certificates/v1alpha1/defaults.go Normal file
View File

@ -0,0 +1,23 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import "k8s.io/apimachinery/pkg/runtime"
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

24
pkg/apis/certificates/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,24 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/certificates
// +k8s:conversion-gen-external-types=k8s.io/api/certificates/v1alpha1
// +k8s:defaulter-gen=TypeMeta
// +k8s:defaulter-gen-input=k8s.io/api/certificates/v1alpha1
// +groupName=certificates.k8s.io
package v1alpha1 // import "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"

43
pkg/apis/certificates/v1alpha1/register.go Normal file
View File

@ -0,0 +1,43 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name used in this package.
const GroupName = "certificates.k8s.io"
// SchemeGroupVersion is the group and version used in this package.
var SchemeGroupVersion = schema.GroupVersion{
Group: GroupName,
Version: "v1alpha1",
}
var (
localSchemeBuilder = &certificatesv1alpha1.SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addDefaultingFuncs, addConversionFuncs)
}

141
pkg/apis/certificates/v1alpha1/zz_generated.conversion.go generated Normal file
View File

@ -0,0 +1,141 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1alpha1
import (
unsafe "unsafe"
v1alpha1 "k8s.io/api/certificates/v1alpha1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
certificates "k8s.io/kubernetes/pkg/apis/certificates"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*v1alpha1.ClusterTrustBundle)(nil), (*certificates.ClusterTrustBundle)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_ClusterTrustBundle_To_certificates_ClusterTrustBundle(a.(*v1alpha1.ClusterTrustBundle), b.(*certificates.ClusterTrustBundle), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certificates.ClusterTrustBundle)(nil), (*v1alpha1.ClusterTrustBundle)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certificates_ClusterTrustBundle_To_v1alpha1_ClusterTrustBundle(a.(*certificates.ClusterTrustBundle), b.(*v1alpha1.ClusterTrustBundle), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1alpha1.ClusterTrustBundleList)(nil), (*certificates.ClusterTrustBundleList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_ClusterTrustBundleList_To_certificates_ClusterTrustBundleList(a.(*v1alpha1.ClusterTrustBundleList), b.(*certificates.ClusterTrustBundleList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certificates.ClusterTrustBundleList)(nil), (*v1alpha1.ClusterTrustBundleList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certificates_ClusterTrustBundleList_To_v1alpha1_ClusterTrustBundleList(a.(*certificates.ClusterTrustBundleList), b.(*v1alpha1.ClusterTrustBundleList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1alpha1.ClusterTrustBundleSpec)(nil), (*certificates.ClusterTrustBundleSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec(a.(*v1alpha1.ClusterTrustBundleSpec), b.(*certificates.ClusterTrustBundleSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certificates.ClusterTrustBundleSpec)(nil), (*v1alpha1.ClusterTrustBundleSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(a.(*certificates.ClusterTrustBundleSpec), b.(*v1alpha1.ClusterTrustBundleSpec), scope)
}); err != nil {
return err
}
return nil
}
func autoConvert_v1alpha1_ClusterTrustBundle_To_certificates_ClusterTrustBundle(in *v1alpha1.ClusterTrustBundle, out *certificates.ClusterTrustBundle, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
return nil
}
// Convert_v1alpha1_ClusterTrustBundle_To_certificates_ClusterTrustBundle is an autogenerated conversion function.
func Convert_v1alpha1_ClusterTrustBundle_To_certificates_ClusterTrustBundle(in *v1alpha1.ClusterTrustBundle, out *certificates.ClusterTrustBundle, s conversion.Scope) error {
return autoConvert_v1alpha1_ClusterTrustBundle_To_certificates_ClusterTrustBundle(in, out, s)
}
func autoConvert_certificates_ClusterTrustBundle_To_v1alpha1_ClusterTrustBundle(in *certificates.ClusterTrustBundle, out *v1alpha1.ClusterTrustBundle, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
return nil
}
// Convert_certificates_ClusterTrustBundle_To_v1alpha1_ClusterTrustBundle is an autogenerated conversion function.
func Convert_certificates_ClusterTrustBundle_To_v1alpha1_ClusterTrustBundle(in *certificates.ClusterTrustBundle, out *v1alpha1.ClusterTrustBundle, s conversion.Scope) error {
return autoConvert_certificates_ClusterTrustBundle_To_v1alpha1_ClusterTrustBundle(in, out, s)
}
func autoConvert_v1alpha1_ClusterTrustBundleList_To_certificates_ClusterTrustBundleList(in *v1alpha1.ClusterTrustBundleList, out *certificates.ClusterTrustBundleList, s conversion.Scope) error {
out.ListMeta = in.ListMeta
out.Items = *(*[]certificates.ClusterTrustBundle)(unsafe.Pointer(&in.Items))
return nil
}
// Convert_v1alpha1_ClusterTrustBundleList_To_certificates_ClusterTrustBundleList is an autogenerated conversion function.
func Convert_v1alpha1_ClusterTrustBundleList_To_certificates_ClusterTrustBundleList(in *v1alpha1.ClusterTrustBundleList, out *certificates.ClusterTrustBundleList, s conversion.Scope) error {
return autoConvert_v1alpha1_ClusterTrustBundleList_To_certificates_ClusterTrustBundleList(in, out, s)
}
func autoConvert_certificates_ClusterTrustBundleList_To_v1alpha1_ClusterTrustBundleList(in *certificates.ClusterTrustBundleList, out *v1alpha1.ClusterTrustBundleList, s conversion.Scope) error {
out.ListMeta = in.ListMeta
out.Items = *(*[]v1alpha1.ClusterTrustBundle)(unsafe.Pointer(&in.Items))
return nil
}
// Convert_certificates_ClusterTrustBundleList_To_v1alpha1_ClusterTrustBundleList is an autogenerated conversion function.
func Convert_certificates_ClusterTrustBundleList_To_v1alpha1_ClusterTrustBundleList(in *certificates.ClusterTrustBundleList, out *v1alpha1.ClusterTrustBundleList, s conversion.Scope) error {
return autoConvert_certificates_ClusterTrustBundleList_To_v1alpha1_ClusterTrustBundleList(in, out, s)
}
func autoConvert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec(in *v1alpha1.ClusterTrustBundleSpec, out *certificates.ClusterTrustBundleSpec, s conversion.Scope) error {
out.SignerName = in.SignerName
out.TrustBundle = in.TrustBundle
return nil
}
// Convert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec is an autogenerated conversion function.
func Convert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec(in *v1alpha1.ClusterTrustBundleSpec, out *certificates.ClusterTrustBundleSpec, s conversion.Scope) error {
return autoConvert_v1alpha1_ClusterTrustBundleSpec_To_certificates_ClusterTrustBundleSpec(in, out, s)
}
func autoConvert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(in *certificates.ClusterTrustBundleSpec, out *v1alpha1.ClusterTrustBundleSpec, s conversion.Scope) error {
out.SignerName = in.SignerName
out.TrustBundle = in.TrustBundle
return nil
}
// Convert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec is an autogenerated conversion function.
func Convert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(in *certificates.ClusterTrustBundleSpec, out *v1alpha1.ClusterTrustBundleSpec, s conversion.Scope) error {
return autoConvert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(in, out, s)
}

33
pkg/apis/certificates/v1alpha1/zz_generated.defaults.go generated Normal file
View File

@ -0,0 +1,33 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}

131
pkg/apis/certificates/validation/validation.go
View File

@ -25,6 +25,7 @@ import (
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality" apiequality "k8s.io/apimachinery/pkg/api/equality"
apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
utilvalidation "k8s.io/apimachinery/pkg/util/validation" utilvalidation "k8s.io/apimachinery/pkg/util/validation"
@ -197,7 +198,7 @@ func validateCertificateSigningRequest(csr *certificates.CertificateSigningReque
if !opts.allowLegacySignerName && csr.Spec.SignerName == certificates.LegacyUnknownSignerName { if !opts.allowLegacySignerName && csr.Spec.SignerName == certificates.LegacyUnknownSignerName {
allErrs = append(allErrs, field.Invalid(specPath.Child("signerName"), csr.Spec.SignerName, "the legacy signerName is not allowed via this API version")) allErrs = append(allErrs, field.Invalid(specPath.Child("signerName"), csr.Spec.SignerName, "the legacy signerName is not allowed via this API version"))
} else { } else {
allErrs = append(allErrs, ValidateCertificateSigningRequestSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...) allErrs = append(allErrs, ValidateSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...)
} }
if csr.Spec.ExpirationSeconds != nil && *csr.Spec.ExpirationSeconds < 600 { if csr.Spec.ExpirationSeconds != nil && *csr.Spec.ExpirationSeconds < 600 {
allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), *csr.Spec.ExpirationSeconds, "may not specify a duration less than 600 seconds (10 minutes)")) allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), *csr.Spec.ExpirationSeconds, "may not specify a duration less than 600 seconds (10 minutes)"))
@ -272,7 +273,7 @@ func validateConditions(fldPath *field.Path, csr *certificates.CertificateSignin
// The max length of a namespace name is 63 characters (DNS1123Label max length) // The max length of a namespace name is 63 characters (DNS1123Label max length)
// The max length of a resource name is 253 characters (DNS1123Subdomain max length) // The max length of a resource name is 253 characters (DNS1123Subdomain max length)
// We then add an additional 2 characters to account for the one '.' and one '/'. // We then add an additional 2 characters to account for the one '.' and one '/'.
func ValidateCertificateSigningRequestSignerName(fldPath *field.Path, signerName string) field.ErrorList { func ValidateSignerName(fldPath *field.Path, signerName string) field.ErrorList {
var el field.ErrorList var el field.ErrorList
if len(signerName) == 0 { if len(signerName) == 0 {
el = append(el, field.Required(fldPath, "")) el = append(el, field.Required(fldPath, ""))
@ -537,3 +538,129 @@ func hasDuplicateUsage(usages []certificates.KeyUsage) bool {
} }
return false return false
} }
// We require your name to be prefixed by .spec.signerName
func validateClusterTrustBundleName(signerName string) func(name string, prefix bool) []string {
return func(name string, isPrefix bool) []string {
if signerName == "" {
if strings.Contains(name, ":") {
return []string{"ClusterTrustBundle without signer name must not have \":\" in its name"}
}
return apimachineryvalidation.NameIsDNSSubdomain(name, isPrefix)
}
requiredPrefix := strings.ReplaceAll(signerName, "/", ":") + ":"
if !strings.HasPrefix(name, requiredPrefix) {
return []string{fmt.Sprintf("ClusterTrustBundle for signerName %s must be named with prefix %s", signerName, requiredPrefix)}
}
return apimachineryvalidation.NameIsDNSSubdomain(strings.TrimPrefix(name, requiredPrefix), isPrefix)
}
}
type ValidateClusterTrustBundleOptions struct {
SuppressBundleParsing bool
}
// ValidateClusterTrustBundle runs all validation checks on bundle.
func ValidateClusterTrustBundle(bundle *certificates.ClusterTrustBundle, opts ValidateClusterTrustBundleOptions) field.ErrorList {
var allErrors field.ErrorList
metaErrors := apivalidation.ValidateObjectMeta(&bundle.ObjectMeta, false, validateClusterTrustBundleName(bundle.Spec.SignerName), field.NewPath("metadata"))
allErrors = append(allErrors, metaErrors...)
if bundle.Spec.SignerName != "" {
signerNameErrors := ValidateSignerName(field.NewPath("spec", "signerName"), bundle.Spec.SignerName)
allErrors = append(allErrors, signerNameErrors...)
}
if !opts.SuppressBundleParsing {
pemErrors := validateTrustBundle(field.NewPath("spec", "trustBundle"), bundle.Spec.TrustBundle)
allErrors = append(allErrors, pemErrors...)
}
return allErrors
}
// ValidateClusterTrustBundleUpdate runs all update validation checks on an
// update.
func ValidateClusterTrustBundleUpdate(newBundle, oldBundle *certificates.ClusterTrustBundle) field.ErrorList {
// If the caller isn't changing the TrustBundle field, don't parse it.
// This helps smoothly handle changes in Go's PEM or X.509 parsing
// libraries.
opts := ValidateClusterTrustBundleOptions{}
if newBundle.Spec.TrustBundle == oldBundle.Spec.TrustBundle {
opts.SuppressBundleParsing = true
}
var allErrors field.ErrorList
allErrors = append(allErrors, ValidateClusterTrustBundle(newBundle, opts)...)
allErrors = append(allErrors, apivalidation.ValidateObjectMetaUpdate(&newBundle.ObjectMeta, &oldBundle.ObjectMeta, field.NewPath("metadata"))...)
allErrors = append(allErrors, apivalidation.ValidateImmutableField(newBundle.Spec.SignerName, oldBundle.Spec.SignerName, field.NewPath("spec", "signerName"))...)
return allErrors
}
// validateTrustBundle rejects intra-block headers, blocks
// that don't parse as X.509 CA certificates, and duplicate trust anchors. It
// requires that at least one trust anchor is provided.
func validateTrustBundle(path *field.Path, in string) field.ErrorList {
var allErrors field.ErrorList
blockDedupe := map[string][]int{}
rest := []byte(in)
var b *pem.Block
i := -1
for {
b, rest = pem.Decode(rest)
if b == nil {
break
}
i++
if b.Type != "CERTIFICATE" {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("entry %d has bad block type: %v", i, b.Type)))
continue
}
if len(b.Headers) != 0 {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("entry %d has PEM block headers", i)))
continue
}
cert, err := x509.ParseCertificate(b.Bytes)
if err != nil {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("entry %d does not parse as X.509", i)))
continue
}
if !cert.IsCA {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("entry %d does not have the CA bit set", i)))
continue
}
if !cert.BasicConstraintsValid {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("entry %d has invalid basic constraints", i)))
continue
}
blockDedupe[string(b.Bytes)] = append(blockDedupe[string(b.Bytes)], i)
}
// If we had a malformed block, don't also output potentially-redundant
// errors about duplicate or missing trust anchors.
if len(allErrors) != 0 {
return allErrors
}
if len(blockDedupe) == 0 {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", "at least one trust anchor must be provided"))
}
for _, indices := range blockDedupe {
if len(indices) > 1 {
allErrors = append(allErrors, field.Invalid(path, "<value omitted>", fmt.Sprintf("duplicate trust anchor (indices %v)", indices)))
}
}
return allErrors
}

468
pkg/apis/certificates/validation/validation_test.go
View File

@ -23,12 +23,15 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"math/big"
mathrand "math/rand"
"reflect" "reflect"
"regexp" "regexp"
"strings" "strings"
"testing" "testing"
"time" "time"
"github.com/google/go-cmp/cmp"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
@ -1095,6 +1098,471 @@ func Test_validateCertificateSigningRequestOptions(t *testing.T) {
} }
} }
func mustMakeCertificate(t *testing.T, template *x509.Certificate) []byte {
gen := mathrand.New(mathrand.NewSource(12345))
pub, priv, err := ed25519.GenerateKey(gen)
if err != nil {
t.Fatalf("Error while generating key: %v", err)
}
cert, err := x509.CreateCertificate(gen, template, template, pub, priv)
if err != nil {
t.Fatalf("Error while making certificate: %v", err)
}
return cert
}
func mustMakePEMBlock(blockType string, headers map[string]string, data []byte) string {
return string(pem.EncodeToMemory(&pem.Block{
Type: blockType,
Headers: headers,
Bytes: data,
}))
}
func TestValidateClusterTrustBundle(t *testing.T) {
goodCert1 := mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root1",
},
IsCA: true,
BasicConstraintsValid: true,
})
goodCert2 := mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root2",
},
IsCA: true,
BasicConstraintsValid: true,
})
badNotCACert := mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root3",
},
})
goodCert1Block := string(mustMakePEMBlock("CERTIFICATE", nil, goodCert1))
goodCert2Block := string(mustMakePEMBlock("CERTIFICATE", nil, goodCert2))
goodCert1AlternateBlock := strings.ReplaceAll(goodCert1Block, "\n", "\n\t\n")
badNotCACertBlock := string(mustMakePEMBlock("CERTIFICATE", nil, badNotCACert))
badBlockHeadersBlock := string(mustMakePEMBlock("CERTIFICATE", map[string]string{"key": "value"}, goodCert1))
badBlockTypeBlock := string(mustMakePEMBlock("NOTACERTIFICATE", nil, goodCert1))
badNonParseableBlock := string(mustMakePEMBlock("CERTIFICATE", nil, []byte("this is not a certificate")))
testCases := []struct {
description string
bundle *capi.ClusterTrustBundle
opts ValidateClusterTrustBundleOptions
wantErrors field.ErrorList
}{
{
description: "valid, no signer name",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block,
},
},
},
{
description: "invalid, no signer name, invalid name",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:bar:foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "k8s.io:bar:foo", "ClusterTrustBundle without signer name must not have \":\" in its name"),
},
},
{
description: "valid, with signer name",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
},
{
description: "invalid, with signer name, missing name prefix",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "look-ma-no-prefix",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "look-ma-no-prefix", "ClusterTrustBundle for signerName k8s.io/foo must be named with prefix k8s.io:foo:"),
},
},
{
description: "invalid, with signer name, empty name suffix",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "k8s.io:foo:", `a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')`),
},
},
{
description: "invalid, with signer name, bad name suffix",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:123notvalidDNSSubdomain",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "k8s.io:foo:123notvalidDNSSubdomain", `a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')`),
},
},
{
description: "valid, with signer name, with inter-block garbage",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:abc",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: "garbage\n" + goodCert1Block + "\ngarbage\n" + goodCert2Block,
},
},
},
{
description: "invalid, no signer name, no trust anchors",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "at least one trust anchor must be provided"),
},
},
{
description: "invalid, no trust anchors",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:abc",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "at least one trust anchor must be provided"),
},
},
{
description: "invalid, bad signer name",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "invalid:foo",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "invalid",
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "signerName"), "invalid", "must be a fully qualified domain and path of the form 'example.com/signer-name'"),
},
},
{
description: "invalid, no blocks",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: "non block garbage",
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "at least one trust anchor must be provided"),
},
},
{
description: "invalid, bad block type",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block + "\n" + badBlockTypeBlock,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "entry 1 has bad block type: NOTACERTIFICATE"),
},
},
{
description: "invalid, block with headers",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block + "\n" + badBlockHeadersBlock,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "entry 1 has PEM block headers"),
},
},
{
description: "invalid, cert is not a CA cert",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: badNotCACertBlock,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "entry 0 does not have the CA bit set"),
},
},
{
description: "invalid, duplicated blocks",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block + "\n" + goodCert1AlternateBlock,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "duplicate trust anchor (indices [0 1])"),
},
},
{
description: "invalid, non-certificate entry",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: goodCert1Block + "\n" + badNonParseableBlock,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "entry 1 does not parse as X.509"),
},
},
{
description: "allow any old garbage in the PEM field if we suppress parsing",
bundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: capi.ClusterTrustBundleSpec{
TrustBundle: "garbage",
},
},
opts: ValidateClusterTrustBundleOptions{
SuppressBundleParsing: true,
},
},
}
for _, tc := range testCases {
t.Run(tc.description, func(t *testing.T) {
gotErrors := ValidateClusterTrustBundle(tc.bundle, tc.opts)
if diff := cmp.Diff(gotErrors, tc.wantErrors); diff != "" {
t.Fatalf("Unexpected error output from Validate; diff (-got +want)\n%s", diff)
}
// When there are no changes to the object,
// ValidateClusterTrustBundleUpdate should not report errors about
// the TrustBundle field.
tc.bundle.ObjectMeta.ResourceVersion = "1"
newBundle := tc.bundle.DeepCopy()
newBundle.ObjectMeta.ResourceVersion = "2"
gotErrors = ValidateClusterTrustBundleUpdate(newBundle, tc.bundle)
var filteredWantErrors field.ErrorList
for _, err := range tc.wantErrors {
if err.Field != "spec.trustBundle" {
filteredWantErrors = append(filteredWantErrors, err)
}
}
if diff := cmp.Diff(gotErrors, filteredWantErrors); diff != "" {
t.Fatalf("Unexpected error output from ValidateUpdate; diff (-got +want)\n%s", diff)
}
})
}
}
func TestValidateClusterTrustBundleUpdate(t *testing.T) {
goodCert1 := mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root1",
},
IsCA: true,
BasicConstraintsValid: true,
})
goodCert2 := mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root2",
},
IsCA: true,
BasicConstraintsValid: true,
})
goodCert1Block := string(mustMakePEMBlock("CERTIFICATE", nil, goodCert1))
goodCert2Block := string(mustMakePEMBlock("CERTIFICATE", nil, goodCert2))
testCases := []struct {
description string
oldBundle, newBundle *capi.ClusterTrustBundle
wantErrors field.ErrorList
}{
{
description: "changing signer name disallowed",
oldBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
newBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/bar",
TrustBundle: goodCert1Block,
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("metadata", "name"), "k8s.io:foo:bar", "ClusterTrustBundle for signerName k8s.io/bar must be named with prefix k8s.io:bar:"),
field.Invalid(field.NewPath("spec", "signerName"), "k8s.io/bar", "field is immutable"),
},
},
{
description: "adding certificate allowed",
oldBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
newBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block + "\n" + goodCert2Block,
},
},
},
{
description: "emptying trustBundle disallowed",
oldBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
newBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: "",
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "at least one trust anchor must be provided"),
},
},
{
description: "emptying trustBundle (replace with non-block garbage) disallowed",
oldBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: goodCert1Block,
},
},
newBundle: &capi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "k8s.io:foo:bar",
},
Spec: capi.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: "non block garbage",
},
},
wantErrors: field.ErrorList{
field.Invalid(field.NewPath("spec", "trustBundle"), "<value omitted>", "at least one trust anchor must be provided"),
},
},
}
for _, tc := range testCases {
t.Run(tc.description, func(t *testing.T) {
tc.oldBundle.ObjectMeta.ResourceVersion = "1"
tc.newBundle.ObjectMeta.ResourceVersion = "2"
gotErrors := ValidateClusterTrustBundleUpdate(tc.newBundle, tc.oldBundle)
if diff := cmp.Diff(gotErrors, tc.wantErrors); diff != "" {
t.Errorf("Unexpected error output from ValidateUpdate; diff (-got +want)\n%s", diff)
}
})
}
}
var ( var (
validCertificate = []byte(` validCertificate = []byte(`
Leading non-PEM content Leading non-PEM content

76
pkg/apis/certificates/zz_generated.deepcopy.go generated
View File

@ -183,6 +183,82 @@ func (in *CertificateSigningRequestStatus) DeepCopy() *CertificateSigningRequest
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundle) DeepCopyInto(out *ClusterTrustBundle) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundle.
func (in *ClusterTrustBundle) DeepCopy() *ClusterTrustBundle {
if in == nil {
return nil
}
out := new(ClusterTrustBundle)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ClusterTrustBundle) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundleList) DeepCopyInto(out *ClusterTrustBundleList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]ClusterTrustBundle, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleList.
func (in *ClusterTrustBundleList) DeepCopy() *ClusterTrustBundleList {
if in == nil {
return nil
}
out := new(ClusterTrustBundleList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ClusterTrustBundleList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundleSpec) DeepCopyInto(out *ClusterTrustBundleSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleSpec.
func (in *ClusterTrustBundleSpec) DeepCopy() *ClusterTrustBundleSpec {
if in == nil {
return nil
}
out := new(ClusterTrustBundleSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in ExtraValue) DeepCopyInto(out *ExtraValue) { func (in ExtraValue) DeepCopyInto(out *ExtraValue) {
{ {

2
pkg/controlplane/instance.go
View File

@ -40,6 +40,7 @@ import (
batchapiv1 "k8s.io/api/batch/v1" batchapiv1 "k8s.io/api/batch/v1"
batchapiv1beta1 "k8s.io/api/batch/v1beta1" batchapiv1beta1 "k8s.io/api/batch/v1beta1"
certificatesapiv1 "k8s.io/api/certificates/v1" certificatesapiv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
coordinationapiv1 "k8s.io/api/coordination/v1" coordinationapiv1 "k8s.io/api/coordination/v1"
apiv1 "k8s.io/api/core/v1" apiv1 "k8s.io/api/core/v1"
discoveryv1 "k8s.io/api/discovery/v1" discoveryv1 "k8s.io/api/discovery/v1"
@ -734,6 +735,7 @@ var (
apiserverinternalv1alpha1.SchemeGroupVersion, apiserverinternalv1alpha1.SchemeGroupVersion,
authenticationv1alpha1.SchemeGroupVersion, authenticationv1alpha1.SchemeGroupVersion,
resourcev1alpha2.SchemeGroupVersion, resourcev1alpha2.SchemeGroupVersion,
certificatesv1alpha1.SchemeGroupVersion,
networkingapiv1alpha1.SchemeGroupVersion, networkingapiv1alpha1.SchemeGroupVersion,
storageapiv1alpha1.SchemeGroupVersion, storageapiv1alpha1.SchemeGroupVersion,
flowcontrolv1alpha1.SchemeGroupVersion, flowcontrolv1alpha1.SchemeGroupVersion,

8
pkg/features/kube_features.go
View File

@ -67,6 +67,12 @@ const (
// Enables dual-stack --node-ip in kubelet with external cloud providers // Enables dual-stack --node-ip in kubelet with external cloud providers
CloudDualStackNodeIPs featuregate.Feature = "CloudDualStackNodeIPs" CloudDualStackNodeIPs featuregate.Feature = "CloudDualStackNodeIPs"
// owner: @ahmedtd
// alpha: v1.26
//
// Enable ClusterTrustBundle objects and Kubelet integration.
ClusterTrustBundle featuregate.Feature = "ClusterTrustBundle"
// owner: @szuecs // owner: @szuecs
// alpha: v1.12 // alpha: v1.12
// //
@ -934,6 +940,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
CloudDualStackNodeIPs: {Default: false, PreRelease: featuregate.Alpha}, CloudDualStackNodeIPs: {Default: false, PreRelease: featuregate.Alpha},
ClusterTrustBundle: {Default: false, PreRelease: featuregate.Alpha},
CPUCFSQuotaPeriod: {Default: false, PreRelease: featuregate.Alpha}, CPUCFSQuotaPeriod: {Default: false, PreRelease: featuregate.Alpha},
CPUManager: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.26 CPUManager: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.26

127
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -322,6 +322,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"k8s.io/api/certificates/v1.CertificateSigningRequestList": schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref), "k8s.io/api/certificates/v1.CertificateSigningRequestList": schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref),
"k8s.io/api/certificates/v1.CertificateSigningRequestSpec": schema_k8sio_api_certificates_v1_CertificateSigningRequestSpec(ref), "k8s.io/api/certificates/v1.CertificateSigningRequestSpec": schema_k8sio_api_certificates_v1_CertificateSigningRequestSpec(ref),
"k8s.io/api/certificates/v1.CertificateSigningRequestStatus": schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref), "k8s.io/api/certificates/v1.CertificateSigningRequestStatus": schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref),
"k8s.io/api/certificates/v1alpha1.ClusterTrustBundle": schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref),
"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleList": schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref),
"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec": schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleSpec(ref),
"k8s.io/api/certificates/v1beta1.CertificateSigningRequest": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref), "k8s.io/api/certificates/v1beta1.CertificateSigningRequest": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref),
"k8s.io/api/certificates/v1beta1.CertificateSigningRequestCondition": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(ref), "k8s.io/api/certificates/v1beta1.CertificateSigningRequestCondition": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(ref),
"k8s.io/api/certificates/v1beta1.CertificateSigningRequestList": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref), "k8s.io/api/certificates/v1beta1.CertificateSigningRequestList": schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref),
@ -15516,6 +15519,130 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref common
} }
} }
func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Description: "metadata contains the object metadata.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
},
},
"spec": {
SchemaProps: spec.SchemaProps{
Description: "spec contains the signer (if any) and trust anchors.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec"),
},
},
},
Required: []string{"spec"},
},
},
Dependencies: []string{
"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
}
}
func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "ClusterTrustBundleList is a collection of ClusterTrustBundle objects",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Description: "metadata contains the list metadata.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
},
},
"items": {
SchemaProps: spec.SchemaProps{
Description: "items is a collection of ClusterTrustBundle objects",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/certificates/v1alpha1.ClusterTrustBundle"),
},
},
},
},
},
},
Required: []string{"items"},
},
},
Dependencies: []string{
"k8s.io/api/certificates/v1alpha1.ClusterTrustBundle", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
}
}
func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "ClusterTrustBundleSpec contains the signer and trust anchors.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"signerName": {
SchemaProps: spec.SchemaProps{
Description: "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.",
Type: []string{"string"},
Format: "",
},
},
"trustBundle": {
SchemaProps: spec.SchemaProps{
Description: "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.",
Default: "",
Type: []string{"string"},
Format: "",
},
},
},
Required: []string{"trustBundle"},
},
},
}
}
func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{ return common.OpenAPIDefinition{
Schema: spec.Schema{ Schema: spec.Schema{

2
pkg/kubeapiserver/default_storage_factory_builder.go
View File

@ -28,6 +28,7 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/admissionregistration" "k8s.io/kubernetes/pkg/apis/admissionregistration"
"k8s.io/kubernetes/pkg/apis/apps" "k8s.io/kubernetes/pkg/apis/apps"
"k8s.io/kubernetes/pkg/apis/certificates"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/events" "k8s.io/kubernetes/pkg/apis/events"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
@ -72,6 +73,7 @@ func NewStorageFactoryConfig() *StorageFactoryConfig {
admissionregistration.Resource("validatingadmissionpolicybindings").WithVersion("v1alpha1"), admissionregistration.Resource("validatingadmissionpolicybindings").WithVersion("v1alpha1"),
networking.Resource("clustercidrs").WithVersion("v1alpha1"), networking.Resource("clustercidrs").WithVersion("v1alpha1"),
networking.Resource("ipaddresses").WithVersion("v1alpha1"), networking.Resource("ipaddresses").WithVersion("v1alpha1"),
certificates.Resource("clustertrustbundles").WithVersion("v1alpha1"),
} }
return &StorageFactoryConfig{ return &StorageFactoryConfig{

4
pkg/kubeapiserver/options/plugins.go
View File

@ -26,6 +26,7 @@ import (
"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages" "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity" "k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval" certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
"k8s.io/kubernetes/plugin/pkg/admission/certificates/ctbattest"
certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing" certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction" certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction"
"k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds" "k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
@ -90,6 +91,7 @@ var AllOrderedPlugins = []string{
runtimeclass.PluginName, // RuntimeClass runtimeclass.PluginName, // RuntimeClass
certapproval.PluginName, // CertificateApproval certapproval.PluginName, // CertificateApproval
certsigning.PluginName, // CertificateSigning certsigning.PluginName, // CertificateSigning
ctbattest.PluginName, // ClusterTrustBundleAttest
certsubjectrestriction.PluginName, // CertificateSubjectRestriction certsubjectrestriction.PluginName, // CertificateSubjectRestriction
defaultingressclass.PluginName, // DefaultIngressClass defaultingressclass.PluginName, // DefaultIngressClass
denyserviceexternalips.PluginName, // DenyServiceExternalIPs denyserviceexternalips.PluginName, // DenyServiceExternalIPs
@ -137,6 +139,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
storageobjectinuseprotection.Register(plugins) storageobjectinuseprotection.Register(plugins)
certapproval.Register(plugins) certapproval.Register(plugins)
certsigning.Register(plugins) certsigning.Register(plugins)
ctbattest.Register(plugins)
certsubjectrestriction.Register(plugins) certsubjectrestriction.Register(plugins)
} }
@ -158,6 +161,7 @@ func DefaultOffAdmissionPlugins() sets.String {
runtimeclass.PluginName, // RuntimeClass runtimeclass.PluginName, // RuntimeClass
certapproval.PluginName, // CertificateApproval certapproval.PluginName, // CertificateApproval
certsigning.PluginName, // CertificateSigning certsigning.PluginName, // CertificateSigning
ctbattest.PluginName, // ClusterTrustBundleAttest
certsubjectrestriction.PluginName, // CertificateSubjectRestriction certsubjectrestriction.PluginName, // CertificateSubjectRestriction
defaultingressclass.PluginName, // DefaultIngressClass defaultingressclass.PluginName, // DefaultIngressClass
podsecurity.PluginName, // PodSecurity podsecurity.PluginName, // PodSecurity

32
pkg/printers/internalversion/printers.go
View File

@ -31,6 +31,7 @@ import (
autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1" autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
apiv1 "k8s.io/api/core/v1" apiv1 "k8s.io/api/core/v1"
@ -407,6 +408,13 @@ func AddHandlers(h printers.PrintHandler) {
_ = h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequest) _ = h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequest)
_ = h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequestList) _ = h.TableHandler(certificateSigningRequestColumnDefinitions, printCertificateSigningRequestList)
clusterTrustBundleColumnDefinitions := []metav1.TableColumnDefinition{
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
{Name: "SignerName", Type: "string", Description: certificatesv1alpha1.ClusterTrustBundleSpec{}.SwaggerDoc()["signerName"]},
}
h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundle)
h.TableHandler(clusterTrustBundleColumnDefinitions, printClusterTrustBundleList)
leaseColumnDefinitions := []metav1.TableColumnDefinition{ leaseColumnDefinitions := []metav1.TableColumnDefinition{
{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]}, {Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
{Name: "Holder", Type: "string", Description: coordinationv1.LeaseSpec{}.SwaggerDoc()["holderIdentity"]}, {Name: "Holder", Type: "string", Description: coordinationv1.LeaseSpec{}.SwaggerDoc()["holderIdentity"]},
@ -2095,6 +2103,30 @@ func printCertificateSigningRequestList(list *certificates.CertificateSigningReq
return rows, nil return rows, nil
} }
func printClusterTrustBundle(obj *certificates.ClusterTrustBundle, options printers.GenerateOptions) ([]metav1.TableRow, error) {
row := metav1.TableRow{
Object: runtime.RawExtension{Object: obj},
}
signerName := "<none>"
if obj.Spec.SignerName != "" {
signerName = obj.Spec.SignerName
}
row.Cells = append(row.Cells, obj.Name, signerName)
return []metav1.TableRow{row}, nil
}
func printClusterTrustBundleList(list *certificates.ClusterTrustBundleList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
rows := make([]metav1.TableRow, 0, len(list.Items))
for i := range list.Items {
r, err := printClusterTrustBundle(&list.Items[i], options)
if err != nil {
return nil, err
}
rows = append(rows, r...)
}
return rows, nil
}
func printComponentStatus(obj *api.ComponentStatus, options printers.GenerateOptions) ([]metav1.TableRow, error) { func printComponentStatus(obj *api.ComponentStatus, options printers.GenerateOptions) ([]metav1.TableRow, error) {
row := metav1.TableRow{ row := metav1.TableRow{
Object: runtime.RawExtension{Object: obj}, Object: runtime.RawExtension{Object: obj},

79
pkg/registry/certificates/clustertrustbundle/storage/storage.go Normal file
View File

@ -0,0 +1,79 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"fmt"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/apiserver/pkg/registry/rest"
api "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/printers"
printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
printerstorage "k8s.io/kubernetes/pkg/printers/storage"
"k8s.io/kubernetes/pkg/registry/certificates/clustertrustbundle"
)
// REST is a RESTStorage for ClusterTrustBundle.
type REST struct {
*genericregistry.Store
}
var _ rest.StandardStorage = &REST{}
var _ rest.TableConvertor = &REST{}
var _ genericregistry.GenericStore = &REST{}
// NewREST returns a RESTStorage object for ClusterTrustBundle objects.
func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
store := &genericregistry.Store{
NewFunc: func() runtime.Object { return &api.ClusterTrustBundle{} },
NewListFunc: func() runtime.Object { return &api.ClusterTrustBundleList{} },
DefaultQualifiedResource: api.Resource("clustertrustbundles"),
SingularQualifiedResource: api.Resource("clustertrustbundle"),
CreateStrategy: clustertrustbundle.Strategy,
UpdateStrategy: clustertrustbundle.Strategy,
DeleteStrategy: clustertrustbundle.Strategy,
TableConvertor: printerstorage.TableConvertor{TableGenerator: printers.NewTableGenerator().With(printersinternal.AddHandlers)},
}
options := &generic.StoreOptions{
RESTOptions: optsGetter,
AttrFunc: getAttrs,
}
if err := store.CompleteWithOptions(options); err != nil {
return nil, err
}
return &REST{store}, nil
}
func getAttrs(obj runtime.Object) (labels.Set, fields.Set, error) {
bundle, ok := obj.(*api.ClusterTrustBundle)
if !ok {
return nil, nil, fmt.Errorf("not a clustertrustbundle")
}
selectableFields := generic.MergeFieldsSets(generic.ObjectMetaFieldsSet(&bundle.ObjectMeta, false), fields.Set{
"spec.signerName": bundle.Spec.SignerName,
})
return labels.Set(bundle.Labels), selectableFields, nil
}

250
pkg/registry/certificates/clustertrustbundle/storage/storage_test.go Normal file
View File

@ -0,0 +1,250 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package storage
import (
"strings"
"testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/registry/generic"
genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
"k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/registry/registrytest"
)
const validCert1 = `
-----BEGIN CERTIFICATE-----
MIIDmTCCAoGgAwIBAgIUUW9bIIsHU61w3yQR6amBuVvRFvcwDQYJKoZIhvcNAQEL
BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV
BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4
MB4XDTIyMTAxODIzNTIyNFoXDTIzMTAxODIzNTIyNFowXDELMAkGA1UEBhMCeHgx
CjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNVBAoMAXgxCjAIBgNVBAsMAXgx
CzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA4PeK4SmlsNwpw97gTtjODQytUfyqhBIwdENwJUbc019Y
m3VTCRLCGXjUa22mV6/j7V+mZw114ePFYTiGAH+2dUzWAZOphvtzE5ttPuv6A6Zx
k2J69lNFwJ2fPd7XQIH7pEIXjiEBaszxKZKMsN9+jOGu6iFFAwYLMemFYDbZHuqb
OwdQcSEsy5wO2ANzFRuYzGXuNcS8jYLHftE8g2P+L0wXnV9eW6/lM2ZFxS/nzDJz
qtzrEvQrBsmskTNC8gCRRZ7askp3CVdPKjC90sxAPwhpi8JjJZxSe1Bn/WRHUz82
GFytEIJNx9hJY2GI316zkxgTbsxfRQe4QLJN7sRtpwIDAQABo1MwUTAdBgNVHQ4E
FgQU9FGsI8t+cu68fGkhtvO9FtUd174wHwYDVR0jBBgwFoAU9FGsI8t+cu68fGkh
tvO9FtUd174wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAqDIp
In5h2xZfEZcijT3mjfG8Bo6taxM2biy1M7wEpmDrElmrjMLsflZepcjgkSoVz9hP
cSX/k9ls1zy1H799gcjs+afSpIa1N0nUIxAKF1RHsFa+dvXpSA8YdhUnbEcBnqx0
vN2nDBFpdCSNf+EXNEj12+9ZJm6TLzx22f9vHyRCg4D36X3Rj1FCBWxhf0mSt3ek
5px3H53Xu42MqzZCiJc8/m+IqZHaixZS4bsayssaxif2fNxzAIZhgTygo8P8QGjI
rUmstMbg4PPq62x1yLAxEo+8XCg05saWZs384JE+K1SDqxobm51EROWVwi8jUrNC
9nojtkQ+jDZD+1Stiw==
-----END CERTIFICATE-----
`
const validCert2 = `
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIyMTAxOTIzMTY0MFoXDTMyMTAxNjIzMTY0MFowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+k
zbj35jHIjCd5mxP1FHMwMtvLFPeKUjtaLDP9Bs2jZ97Igmr7NTysn9QZkRP68/XX
j993Y8tOLg71N4vRggWiYP+T9Xfo0uHZJmzADKx5XkuC4Gqv79dUdb8IKfAbX9HB
ffGmWRnZLLTu8Bv/vfyl0CfE64a57DK+CzNJDwdK46CYYUnEH6Wb9finYrMQ+PLG
Oi2c0J4KAYc1WTId5npNwouzf/IMD33PvuXfE7r+/pDbP8u/X03e7U0cc9l7KRxr
3gpRQemCG74yRuy1dd3lJ1YCD8q96xVVZimGebnJ0IHi+lORRa2ix/o3OzW3FaP+
6kzHU6VnBRDr2rAhMh0CAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFGUVOLM74t1TVoZjifsLl3Rwt1A6MBUGA1UdEQQO
MAyCCmt1YmVybmV0ZXMwDQYJKoZIhvcNAQELBQADggEBANHnPVDemZqRybYPN1as
Ywxi3iT1I3Wma1rZyxTWeIq8Ik0gnyvbtCD1cFB/5QU1xPW09YnmIFM/E73RIeWT
RmCNMgOGmegYxBQRe4UvmwWGJzKNA66c0MBmd2LDHrQlrvdewOCR667Sm9krsGt1
tS/t6N/uBXeRSkXKEDXa+jOpYrV3Oq3IntG6zUeCrVbrH2Bs9Ma5fU00TwK3ylw5
Ww8KzYdQaxxrLaiRRtFcpM9dFH/vwxl1QUa5vjHcmUjxmZunEmXKplATyLT0FXDw
JAo8AuwuuwRh2o+o8SxwzzA+/EBrIREgcv5uIkD352QnfGkEvGu6JOPGZVyd/kVg
KA0=
-----END CERTIFICATE-----
`
func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
etcdStorage, server := registrytest.NewEtcdStorageForResource(t, certificates.SchemeGroupVersion.WithResource("clustertrustbundles").GroupResource())
restOptions := generic.RESTOptions{
StorageConfig: etcdStorage,
Decorator: generic.UndecoratedStorage,
DeleteCollectionWorkers: 1,
ResourcePrefix: "clustertrustbundles",
}
storage, err := NewREST(restOptions)
if err != nil {
t.Fatalf("unexpected error from REST storage: %v", err)
}
return storage, server
}
func TestCreate(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
validBundle := &certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
TrustBundle: validCert1,
},
}
invalidBundle := &certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
// Empty TrustBundle is invalid.
},
}
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestCreate(validBundle, invalidBundle)
}
func TestUpdate(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestUpdate(
&certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
TrustBundle: validCert1,
},
},
// Valid update
func(object runtime.Object) runtime.Object {
bundle := object.(*certificates.ClusterTrustBundle)
bundle.Spec.TrustBundle = strings.Join([]string{validCert1, validCert2}, "\n")
return bundle
},
// Invalid update
func(object runtime.Object) runtime.Object {
bundle := object.(*certificates.ClusterTrustBundle)
bundle.Spec.TrustBundle = ""
return bundle
},
)
}
func TestDelete(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestDelete(
&certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
TrustBundle: validCert1,
},
},
)
}
func TestGet(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestGet(
&certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
TrustBundle: validCert1,
},
},
)
}
func TestList(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestList(
&certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
TrustBundle: validCert1,
},
},
)
}
func TestWatch(t *testing.T) {
storage, server := newStorage(t)
defer server.Terminate(t)
defer storage.Store.DestroyFunc()
test := genericregistrytest.New(t, storage.Store)
test = test.ClusterScope()
test.TestWatch(
&certificates.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "ctb1",
},
Spec: certificates.ClusterTrustBundleSpec{
SignerName: "k8s.io/foo",
TrustBundle: validCert1,
},
},
// matching labels
[]labels.Set{},
// not matching labels
[]labels.Set{
{"foo": "bar"},
},
// matching fields
[]fields.Set{
{"metadata.name": "ctb1"},
},
// not matching fields
[]fields.Set{
{"metadata.name": "bar"},
},
)
}

81
pkg/registry/certificates/clustertrustbundle/strategy.go Normal file
View File

@ -0,0 +1,81 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package clustertrustbundle provides Registry interface and its RESTStorage
// implementation for storing ClusterTrustBundle objects.
package clustertrustbundle // import "k8s.io/kubernetes/pkg/registry/certificates/clustertrustbundle"
import (
"context"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/storage/names"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/certificates"
certvalidation "k8s.io/kubernetes/pkg/apis/certificates/validation"
)
// strategy implements behavior for ClusterTrustBundles.
type strategy struct {
runtime.ObjectTyper
names.NameGenerator
}
// Strategy is the create, update, and delete strategy for ClusterTrustBundles.
var Strategy = strategy{legacyscheme.Scheme, names.SimpleNameGenerator}
var _ rest.RESTCreateStrategy = Strategy
var _ rest.RESTUpdateStrategy = Strategy
var _ rest.RESTDeleteStrategy = Strategy
func (strategy) NamespaceScoped() bool {
return false
}
func (strategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {}
func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
bundle := obj.(*certificates.ClusterTrustBundle)
return certvalidation.ValidateClusterTrustBundle(bundle, certvalidation.ValidateClusterTrustBundleOptions{})
}
func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
return nil
}
func (strategy) Canonicalize(obj runtime.Object) {}
func (strategy) AllowCreateOnUpdate() bool {
return false
}
func (s strategy) PrepareForUpdate(ctx context.Context, new, old runtime.Object) {}
func (s strategy) ValidateUpdate(ctx context.Context, new, old runtime.Object) field.ErrorList {
newBundle := new.(*certificates.ClusterTrustBundle)
oldBundle := old.(*certificates.ClusterTrustBundle)
return certvalidation.ValidateClusterTrustBundleUpdate(newBundle, oldBundle)
}
func (strategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
return nil
}
func (strategy) AllowUnconditionalUpdate() bool {
return false
}

48
pkg/registry/certificates/clustertrustbundle/strategy_test.go Normal file
View File

@ -0,0 +1,48 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package clustertrustbundle
import (
"context"
"testing"
"k8s.io/kubernetes/pkg/apis/certificates"
)
func TestWarningsOnCreate(t *testing.T) {
if warnings := Strategy.WarningsOnCreate(context.Background(), &certificates.ClusterTrustBundle{}); warnings != nil {
t.Errorf("Got %v, want nil", warnings)
}
}
func TestAllowCreateOnUpdate(t *testing.T) {
if Strategy.AllowCreateOnUpdate() != false {
t.Errorf("Got true, want false")
}
}
func TestWarningsOnUpdate(t *testing.T) {
if warnings := Strategy.WarningsOnUpdate(context.Background(), &certificates.ClusterTrustBundle{}, &certificates.ClusterTrustBundle{}); warnings != nil {
t.Errorf("Got %v, want nil", warnings)
}
}
func TestAllowUnconditionalUpdate(t *testing.T) {
if Strategy.AllowUnconditionalUpdate() != false {
t.Errorf("Got true, want false")
}
}

32
pkg/registry/certificates/rest/storage_certificates.go
View File

@ -18,13 +18,18 @@ package rest
import ( import (
certificatesapiv1 "k8s.io/api/certificates/v1" certificatesapiv1 "k8s.io/api/certificates/v1"
certificatesapiv1alpha1 "k8s.io/api/certificates/v1alpha1"
"k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic"
"k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
serverstorage "k8s.io/apiserver/pkg/server/storage" serverstorage "k8s.io/apiserver/pkg/server/storage"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/certificates" "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
certificatestore "k8s.io/kubernetes/pkg/registry/certificates/certificates/storage" certificatestore "k8s.io/kubernetes/pkg/registry/certificates/certificates/storage"
clustertrustbundlestore "k8s.io/kubernetes/pkg/registry/certificates/clustertrustbundle/storage"
) )
type RESTStorageProvider struct{} type RESTStorageProvider struct{}
@ -40,17 +45,22 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1.SchemeGroupVersion.Version] = storageMap apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1.SchemeGroupVersion.Version] = storageMap
} }
if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
return genericapiserver.APIGroupInfo{}, err
} else if len(storageMap) > 0 {
apiGroupInfo.VersionedResourcesStorageMap[certificatesapiv1alpha1.SchemeGroupVersion.Version] = storageMap
}
return apiGroupInfo, nil return apiGroupInfo, nil
} }
func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) { func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
storage := map[string]rest.Storage{} storage := map[string]rest.Storage{}
// certificatesigningrequests
if resource := "certificatesigningrequests"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1.SchemeGroupVersion.WithResource(resource)) { if resource := "certificatesigningrequests"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1.SchemeGroupVersion.WithResource(resource)) {
csrStorage, csrStatusStorage, csrApprovalStorage, err := certificatestore.NewREST(restOptionsGetter) csrStorage, csrStatusStorage, csrApprovalStorage, err := certificatestore.NewREST(restOptionsGetter)
if err != nil { if err != nil {
return storage, err return nil, err
} }
storage[resource] = csrStorage storage[resource] = csrStorage
storage[resource+"/status"] = csrStatusStorage storage[resource+"/status"] = csrStatusStorage
@ -60,6 +70,24 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
return storage, nil return storage, nil
} }
func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
storage := map[string]rest.Storage{}
if resource := "clustertrustbundles"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1alpha1.SchemeGroupVersion.WithResource(resource)) {
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
bundleStorage, err := clustertrustbundlestore.NewREST(restOptionsGetter)
if err != nil {
return nil, err
}
storage[resource] = bundleStorage
} else {
klog.Warning("ClusterTrustBundle storage is disabled because the ClusterTrustBundle feature gate is disabled")
}
}
return storage, nil
}
func (p RESTStorageProvider) GroupName() string { func (p RESTStorageProvider) GroupName() string {
return certificates.GroupName return certificates.GroupName
} }

4
pkg/registry/registrytest/etcd.go
View File

@ -42,11 +42,11 @@ func NewEtcdStorageForResource(t *testing.T, resource schema.GroupResource) (*st
completedConfig.APIResourceConfig = serverstorage.NewResourceConfig() completedConfig.APIResourceConfig = serverstorage.NewResourceConfig()
factory, err := completedConfig.New() factory, err := completedConfig.New()
if err != nil { if err != nil {
t.Fatal(err) t.Fatalf("Error while making storage factory: %v", err)
} }
resourceConfig, err := factory.NewConfig(resource) resourceConfig, err := factory.NewConfig(resource)
if err != nil { if err != nil {
t.Fatal(err) t.Fatalf("Error while finding storage destination: %v", err)
} }
return resourceConfig, server return resourceConfig, server
} }

118
plugin/pkg/admission/certificates/ctbattest/admission.go Normal file
View File

@ -0,0 +1,118 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package ctbattest
import (
"context"
"fmt"
"io"
"k8s.io/apiserver/pkg/admission"
genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/component-base/featuregate"
"k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/plugin/pkg/admission/certificates"
)
const PluginName = "ClusterTrustBundleAttest"
func Register(plugins *admission.Plugins) {
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
return NewPlugin(), nil
})
}
// Plugin is the ClusterTrustBundle attest plugin.
//
// In order to create or update a ClusterTrustBundle that sets signerName,
// you must have the following permission: group=certificates.k8s.io
// resource=signers resourceName=<the signer name> verb=attest.
type Plugin struct {
*admission.Handler
authz authorizer.Authorizer
inspectedFeatureGates bool
enabled bool
}
var _ admission.ValidationInterface = &Plugin{}
var _ admission.InitializationValidator = &Plugin{}
var _ genericadmissioninit.WantsAuthorizer = &Plugin{}
var _ genericadmissioninit.WantsFeatures = &Plugin{}
func NewPlugin() *Plugin {
return &Plugin{
Handler: admission.NewHandler(admission.Create, admission.Update),
}
}
// SetAuthorizer sets the plugin's authorizer.
func (p *Plugin) SetAuthorizer(authz authorizer.Authorizer) {
p.authz = authz
}
// InspectFeatureGates implements WantsFeatures.
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
p.enabled = featureGates.Enabled(features.ClusterTrustBundle)
p.inspectedFeatureGates = true
}
// ValidateInitialization checks that the plugin was initialized correctly.
func (p *Plugin) ValidateInitialization() error {
if p.authz == nil {
return fmt.Errorf("%s requires an authorizer", PluginName)
}
if !p.inspectedFeatureGates {
return fmt.Errorf("%s did not see feature gates", PluginName)
}
return nil
}
var clusterTrustBundleGroupResource = api.Resource("clustertrustbundles")
func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
if !p.enabled {
return nil
}
if a.GetResource().GroupResource() != clusterTrustBundleGroupResource {
return nil
}
newBundle, ok := a.GetObject().(*api.ClusterTrustBundle)
if !ok {
return admission.NewForbidden(a, fmt.Errorf("expected type ClusterTrustBundle, got: %T", a.GetOldObject()))
}
// Unlike CSRs, it's OK to validate against the *new* object, because
// updates to signer name will be rejected during validation.
// If signer name isn't specified, we don't need to perform the
// attest check.
if newBundle.Spec.SignerName == "" {
return nil
}
if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "attest", newBundle.Spec.SignerName) {
klog.V(4).Infof("user not permitted to attest ClusterTrustBundle %q with signerName %q", newBundle.Name, newBundle.Spec.SignerName)
return admission.NewForbidden(a, fmt.Errorf("user not permitted to attest for signerName %q", newBundle.Spec.SignerName))
}
return nil
}

306
plugin/pkg/admission/certificates/ctbattest/admission_test.go Normal file
View File

@ -0,0 +1,306 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package ctbattest
import (
"context"
"errors"
"fmt"
"testing"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/util/feature"
featuregatetesting "k8s.io/component-base/featuregate/testing"
certificatesapi "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/features"
)
func TestPluginValidate(t *testing.T) {
tests := []struct {
description string
clusterTrustBundleFeatureEnabled bool
attributes admission.Attributes
allowedName string
allowed bool
authzErr error
}{
{
description: "wrong type on create",
clusterTrustBundleFeatureEnabled: true,
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundleList{},
operation: admission.Create,
},
allowed: false,
},
{
description: "wrong type on update",
clusterTrustBundleFeatureEnabled: true,
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundleList{},
operation: admission.Update,
},
allowed: false,
},
{
description: "reject requests if looking up permissions fails",
clusterTrustBundleFeatureEnabled: true,
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Update,
},
authzErr: errors.New("forced error"),
allowed: false,
},
{
description: "should allow create if no signer name is specified",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{},
},
operation: admission.Create,
},
allowed: true,
},
{
description: "should allow update if no signer name is specified",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
oldObj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{},
},
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{},
},
operation: admission.Update,
},
allowed: true,
},
{
description: "should allow create if user is authorized for specific signerName",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Create,
},
allowed: true,
},
{
description: "should allow update if user is authorized for specific signerName",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
oldObj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Update,
},
allowed: true,
},
{
description: "should allow create if user is authorized with wildcard",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/*",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Create,
},
allowed: true,
},
{
description: "should allow update if user is authorized with wildcard",
clusterTrustBundleFeatureEnabled: true,
allowedName: "abc.com/*",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
oldObj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Update,
},
allowed: true,
},
{
description: "should deny create if user does not have permission for this signerName",
clusterTrustBundleFeatureEnabled: true,
allowedName: "notabc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Create,
},
allowed: false,
},
{
description: "should deny update if user does not have permission for this signerName",
clusterTrustBundleFeatureEnabled: true,
allowedName: "notabc.com/xyz",
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "abc.com/xyz",
},
},
operation: admission.Update,
},
allowed: false,
},
}
for _, tc := range tests {
t.Run(tc.description, func(t *testing.T) {
p := Plugin{
authz: fakeAuthorizer{
t: t,
verb: "attest",
allowedName: tc.allowedName,
decision: authorizer.DecisionAllow,
err: tc.authzErr,
},
}
defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.ClusterTrustBundle, tc.clusterTrustBundleFeatureEnabled)()
p.InspectFeatureGates(feature.DefaultFeatureGate)
err := p.Validate(context.Background(), tc.attributes, nil)
if err == nil && !tc.allowed {
t.Errorf("Expected authorization policy to reject ClusterTrustBundle but it was allowed")
}
if err != nil && tc.allowed {
t.Errorf("Expected authorization policy to accept ClusterTrustBundle but it was rejected: %v", err)
}
})
}
}
type fakeAuthorizer struct {
t *testing.T
verb string
allowedName string
decision authorizer.Decision
err error
}
func (f fakeAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
if f.err != nil {
return f.decision, "forced error", f.err
}
if a.GetVerb() != f.verb {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised verb '%s'", a.GetVerb()), nil
}
if a.GetAPIGroup() != "certificates.k8s.io" {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised groupName '%s'", a.GetAPIGroup()), nil
}
if a.GetAPIVersion() != "*" {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised apiVersion '%s'", a.GetAPIVersion()), nil
}
if a.GetResource() != "signers" {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised resource '%s'", a.GetResource()), nil
}
if a.GetName() != f.allowedName {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised resource name '%s'", a.GetName()), nil
}
if !a.IsResourceRequest() {
return authorizer.DecisionDeny, fmt.Sprintf("unrecognised IsResourceRequest '%t'", a.IsResourceRequest()), nil
}
return f.decision, "", nil
}
type testAttributes struct {
resource schema.GroupResource
subresource string
operation admission.Operation
obj, oldObj runtime.Object
name string
admission.Attributes // nil panic if any other methods called
}
func (t *testAttributes) GetResource() schema.GroupVersionResource {
return t.resource.WithVersion("ignored")
}
func (t *testAttributes) GetSubresource() string {
return t.subresource
}
func (t *testAttributes) GetObject() runtime.Object {
return t.obj
}
func (t *testAttributes) GetOldObject() runtime.Object {
return t.oldObj
}
func (t *testAttributes) GetName() string {
return t.name
}
func (t *testAttributes) GetOperation() admission.Operation {
return t.operation
}
func (t *testAttributes) GetUserInfo() user.Info {
return &user.DefaultInfo{Name: "ignored"}
}

19
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -180,6 +180,10 @@ func NodeRules() []rbacv1.PolicyRule {
if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) { if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie()) nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie())
} }
// Kubelet needs access to ClusterTrustBundles to support the pemTrustAnchors volume type.
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "list", "watch").Groups(certificatesGroup).Resources("clustertrustbundles").RuleOrDie())
}
return nodePolicyRules return nodePolicyRules
} }
@ -585,6 +589,16 @@ func ClusterRoles() []rbacv1.ClusterRole {
Rules: kubeSchedulerRules, Rules: kubeSchedulerRules,
}) })
// Default ClusterRole to allow reading ClusterTrustBundle objects
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
roles = append(roles, rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: "system:cluster-trust-bundle-discovery"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule(Read...).Groups(certificatesGroup).Resources("clustertrustbundles").RuleOrDie(),
},
})
}
addClusterRoleLabel(roles) addClusterRoleLabel(roles)
return roles return roles
} }
@ -625,6 +639,11 @@ func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
rbacv1helpers.NewClusterBinding("system:service-account-issuer-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie(), rbacv1helpers.NewClusterBinding("system:service-account-issuer-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie(),
) )
// Service accounts can read ClusterTrustBundle objects.
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
rolebindings = append(rolebindings, rbacv1helpers.NewClusterBinding("system:cluster-trust-bundle-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie())
}
addClusterRoleBindingLabel(rolebindings) addClusterRoleBindingLabel(rolebindings)
return rolebindings return rolebindings

24
staging/src/k8s.io/api/certificates/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,24 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +k8s:protobuf-gen=package
// +k8s:openapi-gen=true
// +k8s:prerelease-lifecycle-gen=true
// +groupName=certificates.k8s.io
package v1alpha1 // import "k8s.io/api/certificates/v1alpha1"

831
staging/src/k8s.io/api/certificates/v1alpha1/generated.pb.go generated Normal file
View File

@ -0,0 +1,831 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: k8s.io/kubernetes/vendor/k8s.io/api/certificates/v1alpha1/generated.proto
package v1alpha1
import (
fmt "fmt"
io "io"
proto "github.com/gogo/protobuf/proto"
math "math"
math_bits "math/bits"
reflect "reflect"
strings "strings"
)
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
func (m *ClusterTrustBundle) Reset() { *m = ClusterTrustBundle{} }
func (*ClusterTrustBundle) ProtoMessage() {}
func (*ClusterTrustBundle) Descriptor() ([]byte, []int) {
return fileDescriptor_8915b0d419f9eda6, []int{0}
}
func (m *ClusterTrustBundle) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *ClusterTrustBundle) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *ClusterTrustBundle) XXX_Merge(src proto.Message) {
xxx_messageInfo_ClusterTrustBundle.Merge(m, src)
}
func (m *ClusterTrustBundle) XXX_Size() int {
return m.Size()
}
func (m *ClusterTrustBundle) XXX_DiscardUnknown() {
xxx_messageInfo_ClusterTrustBundle.DiscardUnknown(m)
}
var xxx_messageInfo_ClusterTrustBundle proto.InternalMessageInfo
func (m *ClusterTrustBundleList) Reset() { *m = ClusterTrustBundleList{} }
func (*ClusterTrustBundleList) ProtoMessage() {}
func (*ClusterTrustBundleList) Descriptor() ([]byte, []int) {
return fileDescriptor_8915b0d419f9eda6, []int{1}
}
func (m *ClusterTrustBundleList) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *ClusterTrustBundleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *ClusterTrustBundleList) XXX_Merge(src proto.Message) {
xxx_messageInfo_ClusterTrustBundleList.Merge(m, src)
}
func (m *ClusterTrustBundleList) XXX_Size() int {
return m.Size()
}
func (m *ClusterTrustBundleList) XXX_DiscardUnknown() {
xxx_messageInfo_ClusterTrustBundleList.DiscardUnknown(m)
}
var xxx_messageInfo_ClusterTrustBundleList proto.InternalMessageInfo
func (m *ClusterTrustBundleSpec) Reset() { *m = ClusterTrustBundleSpec{} }
func (*ClusterTrustBundleSpec) ProtoMessage() {}
func (*ClusterTrustBundleSpec) Descriptor() ([]byte, []int) {
return fileDescriptor_8915b0d419f9eda6, []int{2}
}
func (m *ClusterTrustBundleSpec) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *ClusterTrustBundleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *ClusterTrustBundleSpec) XXX_Merge(src proto.Message) {
xxx_messageInfo_ClusterTrustBundleSpec.Merge(m, src)
}
func (m *ClusterTrustBundleSpec) XXX_Size() int {
return m.Size()
}
func (m *ClusterTrustBundleSpec) XXX_DiscardUnknown() {
xxx_messageInfo_ClusterTrustBundleSpec.DiscardUnknown(m)
}
var xxx_messageInfo_ClusterTrustBundleSpec proto.InternalMessageInfo
func init() {
proto.RegisterType((*ClusterTrustBundle)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundle")
proto.RegisterType((*ClusterTrustBundleList)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundleList")
proto.RegisterType((*ClusterTrustBundleSpec)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundleSpec")
}
func init() {
proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/certificates/v1alpha1/generated.proto", fileDescriptor_8915b0d419f9eda6)
}
var fileDescriptor_8915b0d419f9eda6 = []byte{
// 448 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x93, 0xcf, 0x6b, 0x13, 0x41,
0x14, 0xc7, 0x77, 0x6a, 0x0b, 0xed, 0x44, 0x41, 0x56, 0x90, 0x90, 0xc3, 0x34, 0xe4, 0xd4, 0x8b,
0x33, 0x26, 0x54, 0xe9, 0x79, 0x05, 0xa1, 0xe0, 0x0f, 0xd8, 0x7a, 0xb1, 0x78, 0x70, 0x32, 0x79,
0xdd, 0x8c, 0xc9, 0xee, 0x0e, 0x33, 0xb3, 0x01, 0x6f, 0x82, 0xff, 0x80, 0x7f, 0x56, 0x8e, 0xd5,
0x53, 0x4f, 0xc5, 0xac, 0xff, 0x88, 0xcc, 0x64, 0x93, 0x5d, 0x5c, 0x25, 0xd2, 0xdb, 0xbe, 0x1f,
0x9f, 0xef, 0x7b, 0xdf, 0xb7, 0x0c, 0x3e, 0x9f, 0x9d, 0x19, 0x2a, 0x73, 0x36, 0x2b, 0xc6, 0xa0,
0x33, 0xb0, 0x60, 0xd8, 0x02, 0xb2, 0x49, 0xae, 0x59, 0x55, 0xe0, 0x4a, 0x32, 0x01, 0xda, 0xca,
0x2b, 0x29, 0xb8, 0x2f, 0x0f, 0xf9, 0x5c, 0x4d, 0xf9, 0x90, 0x25, 0x90, 0x81, 0xe6, 0x16, 0x26,
0x54, 0xe9, 0xdc, 0xe6, 0x61, 0x7f, 0x4d, 0x50, 0xae, 0x24, 0x6d, 0x12, 0x74, 0x43, 0xf4, 0x9e,
0x24, 0xd2, 0x4e, 0x8b, 0x31, 0x15, 0x79, 0xca, 0x92, 0x3c, 0xc9, 0x99, 0x07, 0xc7, 0xc5, 0x95,
0x8f, 0x7c, 0xe0, 0xbf, 0xd6, 0x82, 0xbd, 0xd3, 0x7a, 0x85, 0x94, 0x8b, 0xa9, 0xcc, 0x40, 0x7f,
0x66, 0x6a, 0x96, 0xb8, 0x84, 0x61, 0x29, 0x58, 0xce, 0x16, 0xad, 0x35, 0x7a, 0xec, 0x5f, 0x94,
0x2e, 0x32, 0x2b, 0x53, 0x68, 0x01, 0xcf, 0x77, 0x01, 0x46, 0x4c, 0x21, 0xe5, 0x7f, 0x72, 0x83,
0x1f, 0x08, 0x87, 0x2f, 0xe6, 0x85, 0xb1, 0xa0, 0xdf, 0xe9, 0xc2, 0xd8, 0xa8, 0xc8, 0x26, 0x73,
0x08, 0x3f, 0xe2, 0x43, 0xb7, 0xda, 0x84, 0x5b, 0xde, 0x45, 0x7d, 0x74, 0xd2, 0x19, 0x3d, 0xa5,
0xf5, 0x65, 0xb6, 0x13, 0xa8, 0x9a, 0x25, 0x2e, 0x61, 0xa8, 0xeb, 0xa6, 0x8b, 0x21, 0x7d, 0x3b,
0xfe, 0x04, 0xc2, 0xbe, 0x06, 0xcb, 0xa3, 0x70, 0x79, 0x7b, 0x1c, 0x94, 0xb7, 0xc7, 0xb8, 0xce,
0xc5, 0x5b, 0xd5, 0xf0, 0x12, 0xef, 0x1b, 0x05, 0xa2, 0xbb, 0xe7, 0xd5, 0xcf, 0xe8, 0xae, 0xbb,
0xd3, 0xf6, 0x96, 0x17, 0x0a, 0x44, 0x74, 0xbf, 0x9a, 0xb2, 0xef, 0xa2, 0xd8, 0x6b, 0x0e, 0xbe,
0x23, 0xfc, 0xb8, 0xdd, 0xfe, 0x4a, 0x1a, 0x1b, 0x7e, 0x68, 0x19, 0xa3, 0xff, 0x67, 0xcc, 0xd1,
0xde, 0xd6, 0xc3, 0x6a, 0xe0, 0xe1, 0x26, 0xd3, 0x30, 0xf5, 0x1e, 0x1f, 0x48, 0x0b, 0xa9, 0xe9,
0xee, 0xf5, 0xef, 0x9d, 0x74, 0x46, 0xa7, 0x77, 0x71, 0x15, 0x3d, 0xa8, 0x06, 0x1c, 0x9c, 0x3b,
0xa9, 0x78, 0xad, 0x38, 0xf8, 0xfa, 0x57, 0x4f, 0xce, 0x74, 0x38, 0xc2, 0xd8, 0xc8, 0x24, 0x03,
0xfd, 0x86, 0xa7, 0xe0, 0x5d, 0x1d, 0xd5, 0xc7, 0xbf, 0xd8, 0x56, 0xe2, 0x46, 0x57, 0xf8, 0x0c,
0x77, 0x6c, 0x2d, 0xe3, 0xff, 0xc2, 0x51, 0xf4, 0xa8, 0x82, 0x3a, 0x8d, 0x09, 0x71, 0xb3, 0x2f,
0x7a, 0xb9, 0x5c, 0x91, 0xe0, 0x7a, 0x45, 0x82, 0x9b, 0x15, 0x09, 0xbe, 0x94, 0x04, 0x2d, 0x4b,
0x82, 0xae, 0x4b, 0x82, 0x6e, 0x4a, 0x82, 0x7e, 0x96, 0x04, 0x7d, 0xfb, 0x45, 0x82, 0xcb, 0xfe,
0xae, 0x67, 0xf7, 0x3b, 0x00, 0x00, 0xff, 0xff, 0x05, 0xe9, 0xaa, 0x07, 0xb2, 0x03, 0x00, 0x00,
}
func (m *ClusterTrustBundle) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *ClusterTrustBundle) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *ClusterTrustBundle) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
{
size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
{
size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func (m *ClusterTrustBundleList) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *ClusterTrustBundleList) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *ClusterTrustBundleList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
if len(m.Items) > 0 {
for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
{
size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
}
}
{
size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func (m *ClusterTrustBundleSpec) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *ClusterTrustBundleSpec) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *ClusterTrustBundleSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
i -= len(m.TrustBundle)
copy(dAtA[i:], m.TrustBundle)
i = encodeVarintGenerated(dAtA, i, uint64(len(m.TrustBundle)))
i--
dAtA[i] = 0x12
i -= len(m.SignerName)
copy(dAtA[i:], m.SignerName)
i = encodeVarintGenerated(dAtA, i, uint64(len(m.SignerName)))
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
offset -= sovGenerated(v)
base := offset
for v >= 1<<7 {
dAtA[offset] = uint8(v&0x7f | 0x80)
v >>= 7
offset++
}
dAtA[offset] = uint8(v)
return base
}
func (m *ClusterTrustBundle) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.ObjectMeta.Size()
n += 1 + l + sovGenerated(uint64(l))
l = m.Spec.Size()
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *ClusterTrustBundleList) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.ListMeta.Size()
n += 1 + l + sovGenerated(uint64(l))
if len(m.Items) > 0 {
for _, e := range m.Items {
l = e.Size()
n += 1 + l + sovGenerated(uint64(l))
}
}
return n
}
func (m *ClusterTrustBundleSpec) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = len(m.SignerName)
n += 1 + l + sovGenerated(uint64(l))
l = len(m.TrustBundle)
n += 1 + l + sovGenerated(uint64(l))
return n
}
func sovGenerated(x uint64) (n int) {
return (math_bits.Len64(x|1) + 6) / 7
}
func sozGenerated(x uint64) (n int) {
return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (this *ClusterTrustBundle) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&ClusterTrustBundle{`,
`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ClusterTrustBundleSpec", "ClusterTrustBundleSpec", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
}
func (this *ClusterTrustBundleList) String() string {
if this == nil {
return "nil"
}
repeatedStringForItems := "[]ClusterTrustBundle{"
for _, f := range this.Items {
repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "ClusterTrustBundle", "ClusterTrustBundle", 1), `&`, ``, 1) + ","
}
repeatedStringForItems += "}"
s := strings.Join([]string{`&ClusterTrustBundleList{`,
`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
`Items:` + repeatedStringForItems + `,`,
`}`,
}, "")
return s
}
func (this *ClusterTrustBundleSpec) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&ClusterTrustBundleSpec{`,
`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
`TrustBundle:` + fmt.Sprintf("%v", this.TrustBundle) + `,`,
`}`,
}, "")
return s
}
func valueToStringGenerated(v interface{}) string {
rv := reflect.ValueOf(v)
if rv.IsNil() {
return "nil"
}
pv := reflect.Indirect(rv).Interface()
return fmt.Sprintf("*%v", pv)
}
func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: ClusterTrustBundle: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: ClusterTrustBundle: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: ClusterTrustBundleList: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: ClusterTrustBundleList: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.Items = append(m.Items, ClusterTrustBundle{})
if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: ClusterTrustBundleSpec: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: ClusterTrustBundleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.SignerName = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field TrustBundle", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.TrustBundle = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func skipGenerated(dAtA []byte) (n int, err error) {
l := len(dAtA)
iNdEx := 0
depth := 0
for iNdEx < l {
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= (uint64(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
wireType := int(wire & 0x7)
switch wireType {
case 0:
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
iNdEx++
if dAtA[iNdEx-1] < 0x80 {
break
}
}
case 1:
iNdEx += 8
case 2:
var length int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return 0, ErrIntOverflowGenerated
}
if iNdEx >= l {
return 0, io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
length |= (int(b) & 0x7F) << shift
if b < 0x80 {
break
}
}
if length < 0 {
return 0, ErrInvalidLengthGenerated
}
iNdEx += length
case 3:
depth++
case 4:
if depth == 0 {
return 0, ErrUnexpectedEndOfGroupGenerated
}
depth--
case 5:
iNdEx += 4
default:
return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
}
if iNdEx < 0 {
return 0, ErrInvalidLengthGenerated
}
if depth == 0 {
return iNdEx, nil
}
}
return 0, io.ErrUnexpectedEOF
}
var (
ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
ErrIntOverflowGenerated = fmt.Errorf("proto: integer overflow")
ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
)

103
staging/src/k8s.io/api/certificates/v1alpha1/generated.proto Normal file
View File

@ -0,0 +1,103 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = "proto2";
package k8s.io.api.certificates.v1alpha1;
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "k8s.io/api/certificates/v1alpha1";
// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster, because they can be mounted by pods using the
// `clusterTrustBundle` projection. All service accounts have read access to
// ClusterTrustBundles by default. Users who only have namespace-level access
// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to.
//
// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
// metadata contains the object metadata.
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// spec contains the signer (if any) and trust anchors.
optional ClusterTrustBundleSpec spec = 2;
}
// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
message ClusterTrustBundleList {
// metadata contains the list metadata.
//
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
// items is a collection of ClusterTrustBundle objects
repeated ClusterTrustBundle items = 2;
}
// ClusterTrustBundleSpec contains the signer and trust anchors.
message ClusterTrustBundleSpec {
// signerName indicates the associated signer, if any.
//
// In order to create or update a ClusterTrustBundle that sets signerName,
// you must have the following cluster-scoped permission:
// group=certificates.k8s.io resource=signers resourceName=<the signer name>
// verb=attest.
//
// If signerName is not empty, then the ClusterTrustBundle object must be
// named with the signer name as a prefix (translating slashes to colons).
// For example, for the signer name `example.com/foo`, valid
// ClusterTrustBundle object names include `example.com:foo:abc` and
// `example.com:foo:v1`.
//
// If signerName is empty, then the ClusterTrustBundle object's name must
// not have such a prefix.
//
// List/watch requests for ClusterTrustBundles can filter on this field
// using a `spec.signerName=NAME` field selector.
//
// +optional
optional string signerName = 1;
// trustBundle contains the individual X.509 trust anchors for this
// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
//
// The data must consist only of PEM certificate blocks that parse as valid
// X.509 certificates. Each certificate must include a basic constraints
// extension with the CA bit set. The API server will reject objects that
// contain duplicate certificates, or that use PEM block headers.
//
// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
// deduplicate certificate blocks in this file according to their own logic,
// as well as to drop PEM block headers and inter-block data.
optional string trustBundle = 2;
}

61
staging/src/k8s.io/api/certificates/v1alpha1/register.go Normal file
View File

@ -0,0 +1,61 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name use in this package
const GroupName = "certificates.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
// Kind takes an unqualified kind and returns a Group qualified GroupKind
func Kind(kind string) schema.GroupKind {
return SchemeGroupVersion.WithKind(kind).GroupKind()
}
// Resource takes an unqualified resource and returns a Group qualified GroupResource
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
var (
// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
localSchemeBuilder = &SchemeBuilder
// AddToScheme is a global function that registers this API group & version to a scheme
AddToScheme = localSchemeBuilder.AddToScheme
)
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&ClusterTrustBundle{},
&ClusterTrustBundleList{},
)
// Add the watch version that applies
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}

106
staging/src/k8s.io/api/certificates/v1alpha1/types.go Normal file
View File

@ -0,0 +1,106 @@
/*
Copyright 2023 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:prerelease-lifecycle-gen:introduced=1.26
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster, because they can be mounted by pods using the
// `clusterTrustBundle` projection. All service accounts have read access to
// ClusterTrustBundles by default. Users who only have namespace-level access
// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to.
//
// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
type ClusterTrustBundle struct {
metav1.TypeMeta `json:",inline"`
// metadata contains the object metadata.
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// spec contains the signer (if any) and trust anchors.
Spec ClusterTrustBundleSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
}
// ClusterTrustBundleSpec contains the signer and trust anchors.
type ClusterTrustBundleSpec struct {
// signerName indicates the associated signer, if any.
//
// In order to create or update a ClusterTrustBundle that sets signerName,
// you must have the following cluster-scoped permission:
// group=certificates.k8s.io resource=signers resourceName=<the signer name>
// verb=attest.
//
// If signerName is not empty, then the ClusterTrustBundle object must be
// named with the signer name as a prefix (translating slashes to colons).
// For example, for the signer name `example.com/foo`, valid
// ClusterTrustBundle object names include `example.com:foo:abc` and
// `example.com:foo:v1`.
//
// If signerName is empty, then the ClusterTrustBundle object's name must
// not have such a prefix.
//
// List/watch requests for ClusterTrustBundles can filter on this field
// using a `spec.signerName=NAME` field selector.
//
// +optional
SignerName string `json:"signerName,omitempty" protobuf:"bytes,1,opt,name=signerName"`
// trustBundle contains the individual X.509 trust anchors for this
// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
//
// The data must consist only of PEM certificate blocks that parse as valid
// X.509 certificates. Each certificate must include a basic constraints
// extension with the CA bit set. The API server will reject objects that
// contain duplicate certificates, or that use PEM block headers.
//
// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
// deduplicate certificate blocks in this file according to their own logic,
// as well as to drop PEM block headers and inter-block data.
TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"`
}
// +k8s:prerelease-lifecycle-gen:introduced=1.26
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterTrustBundleList is a collection of ClusterTrustBundle objects
type ClusterTrustBundleList struct {
metav1.TypeMeta `json:",inline"`
// metadata contains the list metadata.
//
// +optional
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// items is a collection of ClusterTrustBundle objects
Items []ClusterTrustBundle `json:"items" protobuf:"bytes,2,rep,name=items"`
}

60
staging/src/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go generated Normal file
View File

@ -0,0 +1,60 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
// This file contains a collection of methods that can be used from go-restful to
// generate Swagger API documentation for its models. Please read this PR for more
// information on the implementation: https://github.com/emicklei/go-restful/pull/215
//
// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
// they are on one line! For multiple line or blocks that you want to ignore use ---.
// Any context after a --- is ignored.
//
// Those methods can be generated by using hack/update-codegen.sh
// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
var map_ClusterTrustBundle = map[string]string{
"": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.",
"metadata": "metadata contains the object metadata.",
"spec": "spec contains the signer (if any) and trust anchors.",
}
func (ClusterTrustBundle) SwaggerDoc() map[string]string {
return map_ClusterTrustBundle
}
var map_ClusterTrustBundleList = map[string]string{
"": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects",
"metadata": "metadata contains the list metadata.",
"items": "items is a collection of ClusterTrustBundle objects",
}
func (ClusterTrustBundleList) SwaggerDoc() map[string]string {
return map_ClusterTrustBundleList
}
var map_ClusterTrustBundleSpec = map[string]string{
"": "ClusterTrustBundleSpec contains the signer and trust anchors.",
"signerName": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.",
"trustBundle": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.",
}
func (ClusterTrustBundleSpec) SwaggerDoc() map[string]string {
return map_ClusterTrustBundleSpec
}
// AUTO-GENERATED FUNCTIONS END HERE

102
staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,102 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundle) DeepCopyInto(out *ClusterTrustBundle) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundle.
func (in *ClusterTrustBundle) DeepCopy() *ClusterTrustBundle {
if in == nil {
return nil
}
out := new(ClusterTrustBundle)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ClusterTrustBundle) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundleList) DeepCopyInto(out *ClusterTrustBundleList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]ClusterTrustBundle, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleList.
func (in *ClusterTrustBundleList) DeepCopy() *ClusterTrustBundleList {
if in == nil {
return nil
}
out := new(ClusterTrustBundleList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ClusterTrustBundleList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterTrustBundleSpec) DeepCopyInto(out *ClusterTrustBundleSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleSpec.
func (in *ClusterTrustBundleSpec) DeepCopy() *ClusterTrustBundleSpec {
if in == nil {
return nil
}
out := new(ClusterTrustBundleSpec)
in.DeepCopyInto(out)
return out
}

58
staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go generated Normal file
View File

@ -0,0 +1,58 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by prerelease-lifecycle-gen. DO NOT EDIT.
package v1alpha1
// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
func (in *ClusterTrustBundle) APILifecycleIntroduced() (major, minor int) {
return 1, 26
}
// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
func (in *ClusterTrustBundle) APILifecycleDeprecated() (major, minor int) {
return 1, 29
}
// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
func (in *ClusterTrustBundle) APILifecycleRemoved() (major, minor int) {
return 1, 32
}
// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
func (in *ClusterTrustBundleList) APILifecycleIntroduced() (major, minor int) {
return 1, 26
}
// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
func (in *ClusterTrustBundleList) APILifecycleDeprecated() (major, minor int) {
return 1, 29
}
// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
func (in *ClusterTrustBundleList) APILifecycleRemoved() (major, minor int) {
return 1, 32
}

2
staging/src/k8s.io/api/roundtrip_test.go
View File

@ -41,6 +41,7 @@ import (
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1" certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
coordinationv1beta1 "k8s.io/api/coordination/v1beta1" coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
@ -105,6 +106,7 @@ var groups = []runtime.SchemeBuilder{
batchv1.SchemeBuilder, batchv1.SchemeBuilder,
certificatesv1.SchemeBuilder, certificatesv1.SchemeBuilder,
certificatesv1beta1.SchemeBuilder, certificatesv1beta1.SchemeBuilder,
certificatesv1alpha1.SchemeBuilder,
coordinationv1.SchemeBuilder, coordinationv1.SchemeBuilder,
coordinationv1beta1.SchemeBuilder, coordinationv1beta1.SchemeBuilder,
corev1.SchemeBuilder, corev1.SchemeBuilder,

50
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.ClusterTrustBundle.json vendored Normal file
View File

@ -0,0 +1,50 @@
{
"kind": "ClusterTrustBundle",
"apiVersion": "certificates.k8s.io/v1alpha1",
"metadata": {
"name": "nameValue",
"generateName": "generateNameValue",
"namespace": "namespaceValue",
"selfLink": "selfLinkValue",
"uid": "uidValue",
"resourceVersion": "resourceVersionValue",
"generation": 7,
"creationTimestamp": "2008-01-01T01:01:01Z",
"deletionTimestamp": "2009-01-01T01:01:01Z",
"deletionGracePeriodSeconds": 10,
"labels": {
"labelsKey": "labelsValue"
},
"annotations": {
"annotationsKey": "annotationsValue"
},
"ownerReferences": [
{
"apiVersion": "apiVersionValue",
"kind": "kindValue",
"name": "nameValue",
"uid": "uidValue",
"controller": true,
"blockOwnerDeletion": true
}
],
"finalizers": [
"finalizersValue"
],
"managedFields": [
{
"manager": "managerValue",
"operation": "operationValue",
"apiVersion": "apiVersionValue",
"time": "2004-01-01T01:01:01Z",
"fieldsType": "fieldsTypeValue",
"fieldsV1": {},
"subresource": "subresourceValue"
}
]
},
"spec": {
"signerName": "signerNameValue",
"trustBundle": "trustBundleValue"
}
}

BIN
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.ClusterTrustBundle.pb vendored Normal file
View File

Binary file not shown.

37
staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.ClusterTrustBundle.yaml vendored Normal file
View File

@ -0,0 +1,37 @@
apiVersion: certificates.k8s.io/v1alpha1
kind: ClusterTrustBundle
metadata:
annotations:
annotationsKey: annotationsValue
creationTimestamp: "2008-01-01T01:01:01Z"
deletionGracePeriodSeconds: 10
deletionTimestamp: "2009-01-01T01:01:01Z"
finalizers:
- finalizersValue
generateName: generateNameValue
generation: 7
labels:
labelsKey: labelsValue
managedFields:
- apiVersion: apiVersionValue
fieldsType: fieldsTypeValue
fieldsV1: {}
manager: managerValue
operation: operationValue
subresource: subresourceValue
time: "2004-01-01T01:01:01Z"
name: nameValue
namespace: namespaceValue
ownerReferences:
- apiVersion: apiVersionValue
blockOwnerDeletion: true
controller: true
kind: kindValue
name: nameValue
uid: uidValue
resourceVersion: resourceVersionValue
selfLink: selfLinkValue
uid: uidValue
spec:
signerName: signerNameValue
trustBundle: trustBundleValue

247
staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundle.go Normal file
View File

@ -0,0 +1,247 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
import (
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
internal "k8s.io/client-go/applyconfigurations/internal"
v1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// ClusterTrustBundleApplyConfiguration represents an declarative configuration of the ClusterTrustBundle type for use
// with apply.
type ClusterTrustBundleApplyConfiguration struct {
v1.TypeMetaApplyConfiguration `json:",inline"`
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *ClusterTrustBundleSpecApplyConfiguration `json:"spec,omitempty"`
}
// ClusterTrustBundle constructs an declarative configuration of the ClusterTrustBundle type for use with
// apply.
func ClusterTrustBundle(name string) *ClusterTrustBundleApplyConfiguration {
b := &ClusterTrustBundleApplyConfiguration{}
b.WithName(name)
b.WithKind("ClusterTrustBundle")
b.WithAPIVersion("certificates.k8s.io/v1alpha1")
return b
}
// ExtractClusterTrustBundle extracts the applied configuration owned by fieldManager from
// clusterTrustBundle. If no managedFields are found in clusterTrustBundle for fieldManager, a
// ClusterTrustBundleApplyConfiguration is returned with only the Name, Namespace (if applicable),
// APIVersion and Kind populated. It is possible that no managed fields were found for because other
// field managers have taken ownership of all the fields previously owned by fieldManager, or because
// the fieldManager never owned fields any fields.
// clusterTrustBundle must be a unmodified ClusterTrustBundle API object that was retrieved from the Kubernetes API.
// ExtractClusterTrustBundle provides a way to perform a extract/modify-in-place/apply workflow.
// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
// applied if another fieldManager has updated or force applied any of the previously applied fields.
// Experimental!
func ExtractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "")
}
// ExtractClusterTrustBundleStatus is the same as ExtractClusterTrustBundle except
// that it extracts the status subresource applied configuration.
// Experimental!
func ExtractClusterTrustBundleStatus(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "status")
}
func extractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string, subresource string) (*ClusterTrustBundleApplyConfiguration, error) {
b := &ClusterTrustBundleApplyConfiguration{}
err := managedfields.ExtractInto(clusterTrustBundle, internal.Parser().Type("io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"), fieldManager, b, subresource)
if err != nil {
return nil, err
}
b.WithName(clusterTrustBundle.Name)
b.WithKind("ClusterTrustBundle")
b.WithAPIVersion("certificates.k8s.io/v1alpha1")
return b, nil
}
// WithKind sets the Kind field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Kind field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithKind(value string) *ClusterTrustBundleApplyConfiguration {
b.Kind = &value
return b
}
// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the APIVersion field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithAPIVersion(value string) *ClusterTrustBundleApplyConfiguration {
b.APIVersion = &value
return b
}
// WithName sets the Name field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Name field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithName(value string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Name = &value
return b
}
// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the GenerateName field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithGenerateName(value string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.GenerateName = &value
return b
}
// WithNamespace sets the Namespace field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Namespace field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithNamespace(value string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Namespace = &value
return b
}
// WithUID sets the UID field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the UID field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithUID(value types.UID) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.UID = &value
return b
}
// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ResourceVersion field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithResourceVersion(value string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.ResourceVersion = &value
return b
}
// WithGeneration sets the Generation field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Generation field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithGeneration(value int64) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Generation = &value
return b
}
// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CreationTimestamp field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.CreationTimestamp = &value
return b
}
// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.DeletionTimestamp = &value
return b
}
// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.DeletionGracePeriodSeconds = &value
return b
}
// WithLabels puts the entries into the Labels field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, the entries provided by each call will be put on the Labels field,
// overwriting an existing map entries in Labels field with the same key.
func (b *ClusterTrustBundleApplyConfiguration) WithLabels(entries map[string]string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
if b.Labels == nil && len(entries) > 0 {
b.Labels = make(map[string]string, len(entries))
}
for k, v := range entries {
b.Labels[k] = v
}
return b
}
// WithAnnotations puts the entries into the Annotations field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, the entries provided by each call will be put on the Annotations field,
// overwriting an existing map entries in Annotations field with the same key.
func (b *ClusterTrustBundleApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
if b.Annotations == nil && len(entries) > 0 {
b.Annotations = make(map[string]string, len(entries))
}
for k, v := range entries {
b.Annotations[k] = v
}
return b
}
// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
func (b *ClusterTrustBundleApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
for i := range values {
if values[i] == nil {
panic("nil value passed to WithOwnerReferences")
}
b.OwnerReferences = append(b.OwnerReferences, *values[i])
}
return b
}
// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Finalizers field.
func (b *ClusterTrustBundleApplyConfiguration) WithFinalizers(values ...string) *ClusterTrustBundleApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
for i := range values {
b.Finalizers = append(b.Finalizers, values[i])
}
return b
}
func (b *ClusterTrustBundleApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
if b.ObjectMetaApplyConfiguration == nil {
b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
}
}
// WithSpec sets the Spec field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Spec field is set to the value of the last call.
func (b *ClusterTrustBundleApplyConfiguration) WithSpec(value *ClusterTrustBundleSpecApplyConfiguration) *ClusterTrustBundleApplyConfiguration {
b.Spec = value
return b
}

48
staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundlespec.go Normal file
View File

@ -0,0 +1,48 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
// ClusterTrustBundleSpecApplyConfiguration represents an declarative configuration of the ClusterTrustBundleSpec type for use
// with apply.
type ClusterTrustBundleSpecApplyConfiguration struct {
SignerName *string `json:"signerName,omitempty"`
TrustBundle *string `json:"trustBundle,omitempty"`
}
// ClusterTrustBundleSpecApplyConfiguration constructs an declarative configuration of the ClusterTrustBundleSpec type for use with
// apply.
func ClusterTrustBundleSpec() *ClusterTrustBundleSpecApplyConfiguration {
return &ClusterTrustBundleSpecApplyConfiguration{}
}
// WithSignerName sets the SignerName field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SignerName field is set to the value of the last call.
func (b *ClusterTrustBundleSpecApplyConfiguration) WithSignerName(value string) *ClusterTrustBundleSpecApplyConfiguration {
b.SignerName = &value
return b
}
// WithTrustBundle sets the TrustBundle field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the TrustBundle field is set to the value of the last call.
func (b *ClusterTrustBundleSpecApplyConfiguration) WithTrustBundle(value string) *ClusterTrustBundleSpecApplyConfiguration {
b.TrustBundle = &value
return b
}

27
staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
View File

@ -3642,6 +3642,33 @@ var schemaYAML = typed.YAMLObject(`types:
elementRelationship: associative elementRelationship: associative
keys: keys:
- type - type
- name: io.k8s.api.certificates.v1alpha1.ClusterTrustBundle
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec
default: {}
- name: io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec
map:
fields:
- name: signerName
type:
scalar: string
- name: trustBundle
type:
scalar: string
default: ""
- name: io.k8s.api.certificates.v1beta1.CertificateSigningRequest - name: io.k8s.api.certificates.v1beta1.CertificateSigningRequest
map: map:
fields: fields:

8
staging/src/k8s.io/client-go/applyconfigurations/utils.go
View File

@ -33,6 +33,7 @@ import (
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1" certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
coordinationv1beta1 "k8s.io/api/coordination/v1beta1" coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
@ -81,6 +82,7 @@ import (
applyconfigurationsbatchv1 "k8s.io/client-go/applyconfigurations/batch/v1" applyconfigurationsbatchv1 "k8s.io/client-go/applyconfigurations/batch/v1"
applyconfigurationsbatchv1beta1 "k8s.io/client-go/applyconfigurations/batch/v1beta1" applyconfigurationsbatchv1beta1 "k8s.io/client-go/applyconfigurations/batch/v1beta1"
applyconfigurationscertificatesv1 "k8s.io/client-go/applyconfigurations/certificates/v1" applyconfigurationscertificatesv1 "k8s.io/client-go/applyconfigurations/certificates/v1"
applyconfigurationscertificatesv1alpha1 "k8s.io/client-go/applyconfigurations/certificates/v1alpha1"
applyconfigurationscertificatesv1beta1 "k8s.io/client-go/applyconfigurations/certificates/v1beta1" applyconfigurationscertificatesv1beta1 "k8s.io/client-go/applyconfigurations/certificates/v1beta1"
applyconfigurationscoordinationv1 "k8s.io/client-go/applyconfigurations/coordination/v1" applyconfigurationscoordinationv1 "k8s.io/client-go/applyconfigurations/coordination/v1"
applyconfigurationscoordinationv1beta1 "k8s.io/client-go/applyconfigurations/coordination/v1beta1" applyconfigurationscoordinationv1beta1 "k8s.io/client-go/applyconfigurations/coordination/v1beta1"
@ -522,6 +524,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
case certificatesv1.SchemeGroupVersion.WithKind("CertificateSigningRequestStatus"): case certificatesv1.SchemeGroupVersion.WithKind("CertificateSigningRequestStatus"):
return &applyconfigurationscertificatesv1.CertificateSigningRequestStatusApplyConfiguration{} return &applyconfigurationscertificatesv1.CertificateSigningRequestStatusApplyConfiguration{}
// Group=certificates.k8s.io, Version=v1alpha1
case certificatesv1alpha1.SchemeGroupVersion.WithKind("ClusterTrustBundle"):
return &applyconfigurationscertificatesv1alpha1.ClusterTrustBundleApplyConfiguration{}
case certificatesv1alpha1.SchemeGroupVersion.WithKind("ClusterTrustBundleSpec"):
return &applyconfigurationscertificatesv1alpha1.ClusterTrustBundleSpecApplyConfiguration{}
// Group=certificates.k8s.io, Version=v1beta1 // Group=certificates.k8s.io, Version=v1beta1
case certificatesv1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequest"): case certificatesv1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequest"):
return &applyconfigurationscertificatesv1beta1.CertificateSigningRequestApplyConfiguration{} return &applyconfigurationscertificatesv1beta1.CertificateSigningRequestApplyConfiguration{}

8
staging/src/k8s.io/client-go/informers/certificates/interface.go
View File

@ -20,6 +20,7 @@ package certificates
import ( import (
v1 "k8s.io/client-go/informers/certificates/v1" v1 "k8s.io/client-go/informers/certificates/v1"
v1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
v1beta1 "k8s.io/client-go/informers/certificates/v1beta1" v1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
internalinterfaces "k8s.io/client-go/informers/internalinterfaces" internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
) )
@ -28,6 +29,8 @@ import (
type Interface interface { type Interface interface {
// V1 provides access to shared informers for resources in V1. // V1 provides access to shared informers for resources in V1.
V1() v1.Interface V1() v1.Interface
// V1alpha1 provides access to shared informers for resources in V1alpha1.
V1alpha1() v1alpha1.Interface
// V1beta1 provides access to shared informers for resources in V1beta1. // V1beta1 provides access to shared informers for resources in V1beta1.
V1beta1() v1beta1.Interface V1beta1() v1beta1.Interface
} }
@ -48,6 +51,11 @@ func (g *group) V1() v1.Interface {
return v1.New(g.factory, g.namespace, g.tweakListOptions) return v1.New(g.factory, g.namespace, g.tweakListOptions)
} }
// V1alpha1 returns a new v1alpha1.Interface.
func (g *group) V1alpha1() v1alpha1.Interface {
return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
}
// V1beta1 returns a new v1beta1.Interface. // V1beta1 returns a new v1beta1.Interface.
func (g *group) V1beta1() v1beta1.Interface { func (g *group) V1beta1() v1beta1.Interface {
return v1beta1.New(g.factory, g.namespace, g.tweakListOptions) return v1beta1.New(g.factory, g.namespace, g.tweakListOptions)

89
staging/src/k8s.io/client-go/informers/certificates/v1alpha1/clustertrustbundle.go Normal file
View File

@ -0,0 +1,89 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
kubernetes "k8s.io/client-go/kubernetes"
v1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
cache "k8s.io/client-go/tools/cache"
)
// ClusterTrustBundleInformer provides access to a shared informer and lister for
// ClusterTrustBundles.
type ClusterTrustBundleInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.ClusterTrustBundleLister
}
type clusterTrustBundleInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// NewClusterTrustBundleInformer constructs a new informer for ClusterTrustBundle type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredClusterTrustBundleInformer(client, resyncPeriod, indexers, nil)
}
// NewFilteredClusterTrustBundleInformer constructs a new informer for ClusterTrustBundle type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.CertificatesV1alpha1().ClusterTrustBundles().List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.CertificatesV1alpha1().ClusterTrustBundles().Watch(context.TODO(), options)
},
},
&certificatesv1alpha1.ClusterTrustBundle{},
resyncPeriod,
indexers,
)
}
func (f *clusterTrustBundleInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredClusterTrustBundleInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *clusterTrustBundleInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&certificatesv1alpha1.ClusterTrustBundle{}, f.defaultInformer)
}
func (f *clusterTrustBundleInformer) Lister() v1alpha1.ClusterTrustBundleLister {
return v1alpha1.NewClusterTrustBundleLister(f.Informer().GetIndexer())
}

45
staging/src/k8s.io/client-go/informers/certificates/v1alpha1/interface.go Normal file
View File

@ -0,0 +1,45 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
type Interface interface {
// ClusterTrustBundles returns a ClusterTrustBundleInformer.
ClusterTrustBundles() ClusterTrustBundleInformer
}
type version struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// ClusterTrustBundles returns a ClusterTrustBundleInformer.
func (v *version) ClusterTrustBundles() ClusterTrustBundleInformer {
return &clusterTrustBundleInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}

5
staging/src/k8s.io/client-go/informers/generic.go
View File

@ -35,6 +35,7 @@ import (
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1" certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
coordinationv1beta1 "k8s.io/api/coordination/v1beta1" coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
@ -176,6 +177,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
case certificatesv1.SchemeGroupVersion.WithResource("certificatesigningrequests"): case certificatesv1.SchemeGroupVersion.WithResource("certificatesigningrequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1().CertificateSigningRequests().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1().CertificateSigningRequests().Informer()}, nil
// Group=certificates.k8s.io, Version=v1alpha1
case certificatesv1alpha1.SchemeGroupVersion.WithResource("clustertrustbundles"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1alpha1().ClusterTrustBundles().Informer()}, nil
// Group=certificates.k8s.io, Version=v1beta1 // Group=certificates.k8s.io, Version=v1beta1
case certificatesv1beta1.SchemeGroupVersion.WithResource("certificatesigningrequests"): case certificatesv1beta1.SchemeGroupVersion.WithResource("certificatesigningrequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1beta1().CertificateSigningRequests().Informer()}, nil return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1beta1().CertificateSigningRequests().Informer()}, nil

13
staging/src/k8s.io/client-go/kubernetes/clientset.go
View File

@ -42,6 +42,7 @@ import (
batchv1 "k8s.io/client-go/kubernetes/typed/batch/v1" batchv1 "k8s.io/client-go/kubernetes/typed/batch/v1"
batchv1beta1 "k8s.io/client-go/kubernetes/typed/batch/v1beta1" batchv1beta1 "k8s.io/client-go/kubernetes/typed/batch/v1beta1"
certificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1" certificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1"
certificatesv1alpha1 "k8s.io/client-go/kubernetes/typed/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
coordinationv1 "k8s.io/client-go/kubernetes/typed/coordination/v1" coordinationv1 "k8s.io/client-go/kubernetes/typed/coordination/v1"
coordinationv1beta1 "k8s.io/client-go/kubernetes/typed/coordination/v1beta1" coordinationv1beta1 "k8s.io/client-go/kubernetes/typed/coordination/v1beta1"
@ -99,6 +100,7 @@ type Interface interface {
BatchV1beta1() batchv1beta1.BatchV1beta1Interface BatchV1beta1() batchv1beta1.BatchV1beta1Interface
CertificatesV1() certificatesv1.CertificatesV1Interface CertificatesV1() certificatesv1.CertificatesV1Interface
CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta1Interface CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta1Interface
CertificatesV1alpha1() certificatesv1alpha1.CertificatesV1alpha1Interface
CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface
CoordinationV1() coordinationv1.CoordinationV1Interface CoordinationV1() coordinationv1.CoordinationV1Interface
CoreV1() corev1.CoreV1Interface CoreV1() corev1.CoreV1Interface
@ -154,6 +156,7 @@ type Clientset struct {
batchV1beta1 *batchv1beta1.BatchV1beta1Client batchV1beta1 *batchv1beta1.BatchV1beta1Client
certificatesV1 *certificatesv1.CertificatesV1Client certificatesV1 *certificatesv1.CertificatesV1Client
certificatesV1beta1 *certificatesv1beta1.CertificatesV1beta1Client certificatesV1beta1 *certificatesv1beta1.CertificatesV1beta1Client
certificatesV1alpha1 *certificatesv1alpha1.CertificatesV1alpha1Client
coordinationV1beta1 *coordinationv1beta1.CoordinationV1beta1Client coordinationV1beta1 *coordinationv1beta1.CoordinationV1beta1Client
coordinationV1 *coordinationv1.CoordinationV1Client coordinationV1 *coordinationv1.CoordinationV1Client
coreV1 *corev1.CoreV1Client coreV1 *corev1.CoreV1Client
@ -286,6 +289,11 @@ func (c *Clientset) CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta
return c.certificatesV1beta1 return c.certificatesV1beta1
} }
// CertificatesV1alpha1 retrieves the CertificatesV1alpha1Client
func (c *Clientset) CertificatesV1alpha1() certificatesv1alpha1.CertificatesV1alpha1Interface {
return c.certificatesV1alpha1
}
// CoordinationV1beta1 retrieves the CoordinationV1beta1Client // CoordinationV1beta1 retrieves the CoordinationV1beta1Client
func (c *Clientset) CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface { func (c *Clientset) CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface {
return c.coordinationV1beta1 return c.coordinationV1beta1
@ -560,6 +568,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
if err != nil { if err != nil {
return nil, err return nil, err
} }
cs.certificatesV1alpha1, err = certificatesv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil {
return nil, err
}
cs.coordinationV1beta1, err = coordinationv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient) cs.coordinationV1beta1, err = coordinationv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil { if err != nil {
return nil, err return nil, err
@ -721,6 +733,7 @@ func New(c rest.Interface) *Clientset {
cs.batchV1beta1 = batchv1beta1.New(c) cs.batchV1beta1 = batchv1beta1.New(c)
cs.certificatesV1 = certificatesv1.New(c) cs.certificatesV1 = certificatesv1.New(c)
cs.certificatesV1beta1 = certificatesv1beta1.New(c) cs.certificatesV1beta1 = certificatesv1beta1.New(c)
cs.certificatesV1alpha1 = certificatesv1alpha1.New(c)
cs.coordinationV1beta1 = coordinationv1beta1.New(c) cs.coordinationV1beta1 = coordinationv1beta1.New(c)
cs.coordinationV1 = coordinationv1.New(c) cs.coordinationV1 = coordinationv1.New(c)
cs.coreV1 = corev1.New(c) cs.coreV1 = corev1.New(c)

7
staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
View File

@ -62,6 +62,8 @@ import (
fakebatchv1beta1 "k8s.io/client-go/kubernetes/typed/batch/v1beta1/fake" fakebatchv1beta1 "k8s.io/client-go/kubernetes/typed/batch/v1beta1/fake"
certificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1" certificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1"
fakecertificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1/fake" fakecertificatesv1 "k8s.io/client-go/kubernetes/typed/certificates/v1/fake"
certificatesv1alpha1 "k8s.io/client-go/kubernetes/typed/certificates/v1alpha1"
fakecertificatesv1alpha1 "k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake"
certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
fakecertificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake" fakecertificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake"
coordinationv1 "k8s.io/client-go/kubernetes/typed/coordination/v1" coordinationv1 "k8s.io/client-go/kubernetes/typed/coordination/v1"
@ -277,6 +279,11 @@ func (c *Clientset) CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta
return &fakecertificatesv1beta1.FakeCertificatesV1beta1{Fake: &c.Fake} return &fakecertificatesv1beta1.FakeCertificatesV1beta1{Fake: &c.Fake}
} }
// CertificatesV1alpha1 retrieves the CertificatesV1alpha1Client
func (c *Clientset) CertificatesV1alpha1() certificatesv1alpha1.CertificatesV1alpha1Interface {
return &fakecertificatesv1alpha1.FakeCertificatesV1alpha1{Fake: &c.Fake}
}
// CoordinationV1beta1 retrieves the CoordinationV1beta1Client // CoordinationV1beta1 retrieves the CoordinationV1beta1Client
func (c *Clientset) CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface { func (c *Clientset) CoordinationV1beta1() coordinationv1beta1.CoordinationV1beta1Interface {
return &fakecoordinationv1beta1.FakeCoordinationV1beta1{Fake: &c.Fake} return &fakecoordinationv1beta1.FakeCoordinationV1beta1{Fake: &c.Fake}

2
staging/src/k8s.io/client-go/kubernetes/fake/register.go
View File

@ -38,6 +38,7 @@ import (
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1" certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
coordinationv1beta1 "k8s.io/api/coordination/v1beta1" coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
@ -100,6 +101,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
batchv1beta1.AddToScheme, batchv1beta1.AddToScheme,
certificatesv1.AddToScheme, certificatesv1.AddToScheme,
certificatesv1beta1.AddToScheme, certificatesv1beta1.AddToScheme,
certificatesv1alpha1.AddToScheme,
coordinationv1beta1.AddToScheme, coordinationv1beta1.AddToScheme,
coordinationv1.AddToScheme, coordinationv1.AddToScheme,
corev1.AddToScheme, corev1.AddToScheme,

2
staging/src/k8s.io/client-go/kubernetes/scheme/register.go
View File

@ -38,6 +38,7 @@ import (
batchv1 "k8s.io/api/batch/v1" batchv1 "k8s.io/api/batch/v1"
batchv1beta1 "k8s.io/api/batch/v1beta1" batchv1beta1 "k8s.io/api/batch/v1beta1"
certificatesv1 "k8s.io/api/certificates/v1" certificatesv1 "k8s.io/api/certificates/v1"
certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
certificatesv1beta1 "k8s.io/api/certificates/v1beta1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
coordinationv1 "k8s.io/api/coordination/v1" coordinationv1 "k8s.io/api/coordination/v1"
coordinationv1beta1 "k8s.io/api/coordination/v1beta1" coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
@ -100,6 +101,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
batchv1beta1.AddToScheme, batchv1beta1.AddToScheme,
certificatesv1.AddToScheme, certificatesv1.AddToScheme,
certificatesv1beta1.AddToScheme, certificatesv1beta1.AddToScheme,
certificatesv1alpha1.AddToScheme,
coordinationv1beta1.AddToScheme, coordinationv1beta1.AddToScheme,
coordinationv1.AddToScheme, coordinationv1.AddToScheme,
corev1.AddToScheme, corev1.AddToScheme,

107
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/certificates_client.go Normal file
View File

@ -0,0 +1,107 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"net/http"
v1alpha1 "k8s.io/api/certificates/v1alpha1"
"k8s.io/client-go/kubernetes/scheme"
rest "k8s.io/client-go/rest"
)
type CertificatesV1alpha1Interface interface {
RESTClient() rest.Interface
ClusterTrustBundlesGetter
}
// CertificatesV1alpha1Client is used to interact with features provided by the certificates.k8s.io group.
type CertificatesV1alpha1Client struct {
restClient rest.Interface
}
func (c *CertificatesV1alpha1Client) ClusterTrustBundles() ClusterTrustBundleInterface {
return newClusterTrustBundles(c)
}
// NewForConfig creates a new CertificatesV1alpha1Client for the given config.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).
func NewForConfig(c *rest.Config) (*CertificatesV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
httpClient, err := rest.HTTPClientFor(&config)
if err != nil {
return nil, err
}
return NewForConfigAndClient(&config, httpClient)
}
// NewForConfigAndClient creates a new CertificatesV1alpha1Client for the given config and http client.
// Note the http client provided takes precedence over the configured transport values.
func NewForConfigAndClient(c *rest.Config, h *http.Client) (*CertificatesV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
client, err := rest.RESTClientForConfigAndClient(&config, h)
if err != nil {
return nil, err
}
return &CertificatesV1alpha1Client{client}, nil
}
// NewForConfigOrDie creates a new CertificatesV1alpha1Client for the given config and
// panics if there is an error in the config.
func NewForConfigOrDie(c *rest.Config) *CertificatesV1alpha1Client {
client, err := NewForConfig(c)
if err != nil {
panic(err)
}
return client
}
// New creates a new CertificatesV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *CertificatesV1alpha1Client {
return &CertificatesV1alpha1Client{c}
}
func setConfigDefaults(config *rest.Config) error {
gv := v1alpha1.SchemeGroupVersion
config.GroupVersion = &gv
config.APIPath = "/apis"
config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
if config.UserAgent == "" {
config.UserAgent = rest.DefaultKubernetesUserAgent()
}
return nil
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *CertificatesV1alpha1Client) RESTClient() rest.Interface {
if c == nil {
return nil
}
return c.restClient
}

197
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/clustertrustbundle.go Normal file
View File

@ -0,0 +1,197 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
json "encoding/json"
"fmt"
"time"
v1alpha1 "k8s.io/api/certificates/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
certificatesv1alpha1 "k8s.io/client-go/applyconfigurations/certificates/v1alpha1"
scheme "k8s.io/client-go/kubernetes/scheme"
rest "k8s.io/client-go/rest"
)
// ClusterTrustBundlesGetter has a method to return a ClusterTrustBundleInterface.
// A group's client should implement this interface.
type ClusterTrustBundlesGetter interface {
ClusterTrustBundles() ClusterTrustBundleInterface
}
// ClusterTrustBundleInterface has methods to work with ClusterTrustBundle resources.
type ClusterTrustBundleInterface interface {
Create(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.CreateOptions) (*v1alpha1.ClusterTrustBundle, error)
Update(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.UpdateOptions) (*v1alpha1.ClusterTrustBundle, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ClusterTrustBundle, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ClusterTrustBundleList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterTrustBundle, err error)
Apply(ctx context.Context, clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundleApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterTrustBundle, err error)
ClusterTrustBundleExpansion
}
// clusterTrustBundles implements ClusterTrustBundleInterface
type clusterTrustBundles struct {
client rest.Interface
}
// newClusterTrustBundles returns a ClusterTrustBundles
func newClusterTrustBundles(c *CertificatesV1alpha1Client) *clusterTrustBundles {
return &clusterTrustBundles{
client: c.RESTClient(),
}
}
// Get takes name of the clusterTrustBundle, and returns the corresponding clusterTrustBundle object, and an error if there is any.
func (c *clusterTrustBundles) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
result = &v1alpha1.ClusterTrustBundle{}
err = c.client.Get().
Resource("clustertrustbundles").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of ClusterTrustBundles that match those selectors.
func (c *clusterTrustBundles) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterTrustBundleList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.ClusterTrustBundleList{}
err = c.client.Get().
Resource("clustertrustbundles").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested clusterTrustBundles.
func (c *clusterTrustBundles) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Resource("clustertrustbundles").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a clusterTrustBundle and creates it. Returns the server's representation of the clusterTrustBundle, and an error, if there is any.
func (c *clusterTrustBundles) Create(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.CreateOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
result = &v1alpha1.ClusterTrustBundle{}
err = c.client.Post().
Resource("clustertrustbundles").
VersionedParams(&opts, scheme.ParameterCodec).
Body(clusterTrustBundle).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a clusterTrustBundle and updates it. Returns the server's representation of the clusterTrustBundle, and an error, if there is any.
func (c *clusterTrustBundles) Update(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.UpdateOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
result = &v1alpha1.ClusterTrustBundle{}
err = c.client.Put().
Resource("clustertrustbundles").
Name(clusterTrustBundle.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(clusterTrustBundle).
Do(ctx).
Into(result)
return
}
// Delete takes name of the clusterTrustBundle and deletes it. Returns an error if one occurs.
func (c *clusterTrustBundles) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Resource("clustertrustbundles").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *clusterTrustBundles) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Resource("clustertrustbundles").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched clusterTrustBundle.
func (c *clusterTrustBundles) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterTrustBundle, err error) {
result = &v1alpha1.ClusterTrustBundle{}
err = c.client.Patch(pt).
Resource("clustertrustbundles").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}
// Apply takes the given apply declarative configuration, applies it and returns the applied clusterTrustBundle.
func (c *clusterTrustBundles) Apply(ctx context.Context, clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundleApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
if clusterTrustBundle == nil {
return nil, fmt.Errorf("clusterTrustBundle provided to Apply must not be nil")
}
patchOpts := opts.ToPatchOptions()
data, err := json.Marshal(clusterTrustBundle)
if err != nil {
return nil, err
}
name := clusterTrustBundle.Name
if name == nil {
return nil, fmt.Errorf("clusterTrustBundle.Name must be provided to Apply")
}
result = &v1alpha1.ClusterTrustBundle{}
err = c.client.Patch(types.ApplyPatchType).
Resource("clustertrustbundles").
Name(*name).
VersionedParams(&patchOpts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

20
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/doc.go Normal file
View File

@ -0,0 +1,20 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
// This package has the automatically generated typed clients.
package v1alpha1

20
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/doc.go Normal file
View File

@ -0,0 +1,20 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
// Package fake has the automatically generated clients.
package fake

40
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_certificates_client.go Normal file
View File

@ -0,0 +1,40 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "k8s.io/client-go/kubernetes/typed/certificates/v1alpha1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
type FakeCertificatesV1alpha1 struct {
*testing.Fake
}
func (c *FakeCertificatesV1alpha1) ClusterTrustBundles() v1alpha1.ClusterTrustBundleInterface {
return &FakeClusterTrustBundles{c}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakeCertificatesV1alpha1) RESTClient() rest.Interface {
var ret *rest.RESTClient
return ret
}

145
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_clustertrustbundle.go Normal file
View File

@ -0,0 +1,145 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
json "encoding/json"
"fmt"
v1alpha1 "k8s.io/api/certificates/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
certificatesv1alpha1 "k8s.io/client-go/applyconfigurations/certificates/v1alpha1"
testing "k8s.io/client-go/testing"
)
// FakeClusterTrustBundles implements ClusterTrustBundleInterface
type FakeClusterTrustBundles struct {
Fake *FakeCertificatesV1alpha1
}
var clustertrustbundlesResource = v1alpha1.SchemeGroupVersion.WithResource("clustertrustbundles")
var clustertrustbundlesKind = v1alpha1.SchemeGroupVersion.WithKind("ClusterTrustBundle")
// Get takes name of the clusterTrustBundle, and returns the corresponding clusterTrustBundle object, and an error if there is any.
func (c *FakeClusterTrustBundles) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootGetAction(clustertrustbundlesResource, name), &v1alpha1.ClusterTrustBundle{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.ClusterTrustBundle), err
}
// List takes label and field selectors, and returns the list of ClusterTrustBundles that match those selectors.
func (c *FakeClusterTrustBundles) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterTrustBundleList, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootListAction(clustertrustbundlesResource, clustertrustbundlesKind, opts), &v1alpha1.ClusterTrustBundleList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.ClusterTrustBundleList{ListMeta: obj.(*v1alpha1.ClusterTrustBundleList).ListMeta}
for _, item := range obj.(*v1alpha1.ClusterTrustBundleList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested clusterTrustBundles.
func (c *FakeClusterTrustBundles) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewRootWatchAction(clustertrustbundlesResource, opts))
}
// Create takes the representation of a clusterTrustBundle and creates it. Returns the server's representation of the clusterTrustBundle, and an error, if there is any.
func (c *FakeClusterTrustBundles) Create(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.CreateOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootCreateAction(clustertrustbundlesResource, clusterTrustBundle), &v1alpha1.ClusterTrustBundle{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.ClusterTrustBundle), err
}
// Update takes the representation of a clusterTrustBundle and updates it. Returns the server's representation of the clusterTrustBundle, and an error, if there is any.
func (c *FakeClusterTrustBundles) Update(ctx context.Context, clusterTrustBundle *v1alpha1.ClusterTrustBundle, opts v1.UpdateOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootUpdateAction(clustertrustbundlesResource, clusterTrustBundle), &v1alpha1.ClusterTrustBundle{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.ClusterTrustBundle), err
}
// Delete takes name of the clusterTrustBundle and deletes it. Returns an error if one occurs.
func (c *FakeClusterTrustBundles) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewRootDeleteActionWithOptions(clustertrustbundlesResource, name, opts), &v1alpha1.ClusterTrustBundle{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeClusterTrustBundles) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewRootDeleteCollectionAction(clustertrustbundlesResource, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.ClusterTrustBundleList{})
return err
}
// Patch applies the patch and returns the patched clusterTrustBundle.
func (c *FakeClusterTrustBundles) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterTrustBundle, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootPatchSubresourceAction(clustertrustbundlesResource, name, pt, data, subresources...), &v1alpha1.ClusterTrustBundle{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.ClusterTrustBundle), err
}
// Apply takes the given apply declarative configuration, applies it and returns the applied clusterTrustBundle.
func (c *FakeClusterTrustBundles) Apply(ctx context.Context, clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundleApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.ClusterTrustBundle, err error) {
if clusterTrustBundle == nil {
return nil, fmt.Errorf("clusterTrustBundle provided to Apply must not be nil")
}
data, err := json.Marshal(clusterTrustBundle)
if err != nil {
return nil, err
}
name := clusterTrustBundle.Name
if name == nil {
return nil, fmt.Errorf("clusterTrustBundle.Name must be provided to Apply")
}
obj, err := c.Fake.
Invokes(testing.NewRootPatchSubresourceAction(clustertrustbundlesResource, *name, types.ApplyPatchType, data), &v1alpha1.ClusterTrustBundle{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.ClusterTrustBundle), err
}

21
staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/generated_expansion.go Normal file
View File

@ -0,0 +1,21 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
type ClusterTrustBundleExpansion interface{}

68
staging/src/k8s.io/client-go/listers/certificates/v1alpha1/clustertrustbundle.go Normal file
View File

@ -0,0 +1,68 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "k8s.io/api/certificates/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// ClusterTrustBundleLister helps list ClusterTrustBundles.
// All objects returned here must be treated as read-only.
type ClusterTrustBundleLister interface {
// List lists all ClusterTrustBundles in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.ClusterTrustBundle, err error)
// Get retrieves the ClusterTrustBundle from the index for a given name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.ClusterTrustBundle, error)
ClusterTrustBundleListerExpansion
}
// clusterTrustBundleLister implements the ClusterTrustBundleLister interface.
type clusterTrustBundleLister struct {
indexer cache.Indexer
}
// NewClusterTrustBundleLister returns a new ClusterTrustBundleLister.
func NewClusterTrustBundleLister(indexer cache.Indexer) ClusterTrustBundleLister {
return &clusterTrustBundleLister{indexer: indexer}
}
// List lists all ClusterTrustBundles in the indexer.
func (s *clusterTrustBundleLister) List(selector labels.Selector) (ret []*v1alpha1.ClusterTrustBundle, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.ClusterTrustBundle))
})
return ret, err
}
// Get retrieves the ClusterTrustBundle from the index for a given name.
func (s *clusterTrustBundleLister) Get(name string) (*v1alpha1.ClusterTrustBundle, error) {
obj, exists, err := s.indexer.GetByKey(name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("clustertrustbundle"), name)
}
return obj.(*v1alpha1.ClusterTrustBundle), nil
}

23
staging/src/k8s.io/client-go/listers/certificates/v1alpha1/expansion_generated.go Normal file
View File

@ -0,0 +1,23 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
// ClusterTrustBundleListerExpansion allows custom methods to be added to
// ClusterTrustBundleLister.
type ClusterTrustBundleListerExpansion interface{}

170
test/integration/clustertrustbundles/admission_establishtrust_test.go Normal file
View File

@ -0,0 +1,170 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package clustertrustbundles
import (
"context"
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"testing"
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/test/integration/authutil"
"k8s.io/kubernetes/test/integration/framework"
)
// Verifies that the ClusterTrustBundle attest admission plugin correctly
// enforces that a user has "attest" on the affected signer name.
func TestCTBAttestPlugin(t *testing.T) {
testCases := []struct {
description string
trustBundleName string
allowedSignerName string
targetSignerName string
wantError string
}{
{
description: "should admit if the clustertrustbundle doesn't target a signer",
trustBundleName: "foo",
allowedSignerName: "foo.com/bar",
},
{
description: "should admit if the user has attest for the exact signer name",
trustBundleName: "foo.com:bar:abc",
allowedSignerName: "foo.com/bar",
targetSignerName: "foo.com/bar",
},
{
description: "should admit if the user has attest for the wildcard-suffixed signer name",
trustBundleName: "foo.com:bar:abc",
allowedSignerName: "foo.com/*",
targetSignerName: "foo.com/bar",
},
{
description: "should deny if the user does not have permission for the signer name",
trustBundleName: "foo.com:bar:abc",
allowedSignerName: "abc.com/def",
targetSignerName: "foo.com/bar",
wantError: "clustertrustbundles.certificates.k8s.io \"foo.com:bar:abc\" is forbidden: user not permitted to attest for signerName \"foo.com/bar\"",
},
}
for _, tc := range testCases {
t.Run(tc.description, func(t *testing.T) {
ctx := context.Background()
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--authorization-mode=RBAC", "--feature-gates=ClusterTrustBundle=true"}, framework.SharedEtcd())
defer server.TearDownFn()
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
if tc.allowedSignerName != "" {
grantUserPermissionToAttestFor(ctx, t, client, "test-user", tc.allowedSignerName)
}
// Create a second client that impersonates test-user.
testUserConfig := rest.CopyConfig(server.ClientConfig)
testUserConfig.Impersonate = rest.ImpersonationConfig{UserName: "test-user"}
testUserClient := kubernetes.NewForConfigOrDie(testUserConfig)
bundle := &certsv1alpha1.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: tc.trustBundleName,
},
Spec: certsv1alpha1.ClusterTrustBundleSpec{
SignerName: tc.targetSignerName,
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root1",
},
IsCA: true,
BasicConstraintsValid: true,
})),
},
}
_, err := testUserClient.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle, metav1.CreateOptions{})
if err != nil && err.Error() != tc.wantError {
t.Fatalf("Bad error while creating ClusterTrustBundle; got %q want %q", err.Error(), tc.wantError)
} else if err == nil && tc.wantError != "" {
t.Fatalf("Bad error while creating ClusterTrustBundle; got nil want %q", tc.wantError)
}
})
}
}
func grantUserPermissionToAttestFor(ctx context.Context, t *testing.T, client kubernetes.Interface, username string, signerNames ...string) {
resourceName := "signername-" + username
cr := buildApprovalClusterRoleForSigners(resourceName, signerNames...)
crb := buildClusterRoleBindingForUser(resourceName, username, cr.Name)
if _, err := client.RbacV1().ClusterRoles().Create(ctx, cr, metav1.CreateOptions{}); err != nil {
t.Fatalf("unable to create test fixture RBAC rules: %v", err)
}
if _, err := client.RbacV1().ClusterRoleBindings().Create(ctx, crb, metav1.CreateOptions{}); err != nil {
t.Fatalf("unable to create test fixture RBAC rules: %v", err)
}
attestRule := cr.Rules[0]
createRule := cr.Rules[1]
authutil.WaitForNamedAuthorizationUpdate(t, ctx, client.AuthorizationV1(), username, "", attestRule.Verbs[0], attestRule.ResourceNames[0], schema.GroupResource{Group: attestRule.APIGroups[0], Resource: attestRule.Resources[0]}, true)
authutil.WaitForNamedAuthorizationUpdate(t, ctx, client.AuthorizationV1(), username, "", createRule.Verbs[0], "", schema.GroupResource{Group: createRule.APIGroups[0], Resource: createRule.Resources[0]}, true)
}
func buildApprovalClusterRoleForSigners(name string, signerNames ...string) *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Rules: []rbacv1.PolicyRule{
{
Verbs: []string{"attest"},
APIGroups: []string{"certificates.k8s.io"},
Resources: []string{"signers"},
ResourceNames: signerNames,
},
{
Verbs: []string{"create"},
APIGroups: []string{"certificates.k8s.io"},
Resources: []string{"clustertrustbundles"},
},
},
}
}
func buildClusterRoleBindingForUser(name, username, clusterRoleName string) *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.UserKind,
Name: username,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: rbacv1.SchemeGroupVersion.Group,
Kind: "ClusterRole",
Name: clusterRoleName,
},
}
}

135
test/integration/clustertrustbundles/field_selector_test.go Normal file
View File

@ -0,0 +1,135 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package clustertrustbundles
import (
"context"
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"testing"
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/test/integration/framework"
)
func TestCTBSignerNameFieldSelector(t *testing.T) {
ctx := context.Background()
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true"}, framework.SharedEtcd())
defer server.TearDownFn()
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
bundle1 := &certsv1alpha1.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo.com:bar:v1",
},
Spec: certsv1alpha1.ClusterTrustBundleSpec{
SignerName: "foo.com/bar",
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root1",
},
IsCA: true,
BasicConstraintsValid: true,
})),
},
}
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{}); err != nil {
t.Fatalf("Error while creating bundle1: %v", err)
}
bundle2 := &certsv1alpha1.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "foo.com:bar:v2",
},
Spec: certsv1alpha1.ClusterTrustBundleSpec{
SignerName: "foo.com/bar",
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root2",
},
IsCA: true,
BasicConstraintsValid: true,
})),
},
}
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle2, metav1.CreateOptions{}); err != nil {
t.Fatalf("Error while creating bundle2: %v", err)
}
bundle3 := &certsv1alpha1.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: "baz.com:bar:v1",
},
Spec: certsv1alpha1.ClusterTrustBundleSpec{
SignerName: "baz.com/bar",
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root3",
},
IsCA: true,
BasicConstraintsValid: true,
})),
},
}
if _, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle3, metav1.CreateOptions{}); err != nil {
t.Fatalf("Error while creating bundle3: %v", err)
}
fooList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=foo.com/bar"})
if err != nil {
t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=foo.com/bar")
}
if len(fooList.Items) != 2 {
t.Errorf("Wrong number of items in list for foo.com/bar; got %d, want 2", len(fooList.Items))
}
found1 := false
found2 := false
for _, ctb := range fooList.Items {
if ctb.ObjectMeta.Name == "foo.com:bar:v1" {
found1 = true
}
if ctb.ObjectMeta.Name == "foo.com:bar:v2" {
found2 = true
}
}
if !found1 {
t.Errorf("Didn't find foo.com:bar:v1 in the list when listing for foo.com/bar")
}
if !found2 {
t.Errorf("Didn't find foo.com:bar:v2 in the list when listing for foo.com/bar")
}
bazList, err := client.CertificatesV1alpha1().ClusterTrustBundles().List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=baz.com/bar"})
if err != nil {
t.Fatalf("Unable to list ClusterTrustBundles with spec.signerName=baz.com/bar")
}
if len(bazList.Items) != 1 {
t.Fatalf("Wrong number of items in list for baz.com/bar; got %d, want 1", len(bazList.Items))
}
if bazList.Items[0].ObjectMeta.Name != "baz.com:bar:v1" {
t.Errorf("Didn't find baz.com:bar:v1 in the list when listing for baz.com/bar")
}
}

55
test/integration/clustertrustbundles/main_test.go Normal file
View File

@ -0,0 +1,55 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package clustertrustbundles
import (
"crypto/ed25519"
"crypto/x509"
"encoding/pem"
mathrand "math/rand"
"testing"
"k8s.io/kubernetes/test/integration/framework"
)
func TestMain(m *testing.M) {
framework.EtcdMain(m.Run)
}
func mustMakeCertificate(t *testing.T, template *x509.Certificate) []byte {
gen := mathrand.New(mathrand.NewSource(12345))
pub, priv, err := ed25519.GenerateKey(gen)
if err != nil {
t.Fatalf("Error while generating key: %v", err)
}
cert, err := x509.CreateCertificate(gen, template, template, pub, priv)
if err != nil {
t.Fatalf("Error while making certificate: %v", err)
}
return cert
}
func mustMakePEMBlock(blockType string, headers map[string]string, data []byte) string {
return string(pem.EncodeToMemory(&pem.Block{
Type: blockType,
Headers: headers,
Bytes: data,
}))
}

101
test/integration/clustertrustbundles/signer_name_change_forbidden_test.go Normal file
View File

@ -0,0 +1,101 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package clustertrustbundles
import (
"context"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"math/big"
"testing"
certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/test/integration/framework"
)
func TestCTBSignerNameChangeForbidden(t *testing.T) {
testCases := []struct {
objectName string
signer1 string
signer2 string
}{
{
objectName: "foo",
signer1: "",
signer2: "foo.com/bar",
},
{
objectName: "foo.com:bar:abc",
signer1: "foo.com/bar",
signer2: "",
},
{
objectName: "foo.com:bar:abc",
signer1: "foo.com/bar",
signer2: "foo.com/bar2",
},
}
for _, tc := range testCases {
t.Run(fmt.Sprintf("%s -> %s", tc.signer1, tc.signer2), func(t *testing.T) {
ctx := context.Background()
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true"}, framework.SharedEtcd())
defer server.TearDownFn()
client := kubernetes.NewForConfigOrDie(server.ClientConfig)
bundle1 := &certsv1alpha1.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
Name: tc.objectName,
},
Spec: certsv1alpha1.ClusterTrustBundleSpec{
SignerName: tc.signer1,
TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
SerialNumber: big.NewInt(0),
Subject: pkix.Name{
CommonName: "root1",
},
IsCA: true,
BasicConstraintsValid: true,
})),
},
}
bundle1, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
if err != nil {
t.Fatalf("Error while creating bundle1: %v", err)
}
// Pick a new signer name that is still compatible with the admission
// restrictions on object name. That way the admission plugin won't get in
// the way by forbidding the update due to an incompatible name on the
// cluster trust bundle.
bundle1.Spec.SignerName = tc.signer2
_, err = client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
if err == nil {
t.Fatalf("Got nil error from updating bundle foo-com--bar from signerName=foo.com/bar to signerName=foo.com/bar2, but wanted an error")
}
})
}
}

7
test/integration/etcd/data.go
View File

@ -182,6 +182,13 @@ func GetEtcdStorageDataForNamespace(namespace string) map[schema.GroupVersionRes
}, },
// -- // --
// k8s.io/kubernetes/pkg/apis/certificates/v1alpha1
gvr("certificates.k8s.io", "v1alpha1", "clustertrustbundles"): {
Stub: `{"metadata": {"name": "example.com:signer:abc"}, "spec": {"signerName":"example.com/signer", "trustBundle": "-----BEGIN CERTIFICATE-----\nMIIBBDCBt6ADAgECAgEAMAUGAytlcDAQMQ4wDAYDVQQDEwVyb290MTAiGA8wMDAx\nMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAQMQ4wDAYDVQQDEwVyb290MTAq\nMAUGAytlcAMhAF2MoFeGa97gK2NGT1h6p1/a1GlMXAXbcjI/OShyIobPozIwMDAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTWDdK2CNQiHqRjPaAWYPPtIykQgjAF\nBgMrZXADQQCtom9WGl7m2SAa4tXM9Soo/mbInBsRhn187BMoqTAHInHchKup5/3y\nl1tYJSZZsEXnXrCvw2qLCBNif6+2YYgE\n-----END CERTIFICATE-----\n"}}`,
ExpectedEtcdPath: "/registry/clustertrustbundles/example.com:signer:abc",
},
// --
// k8s.io/kubernetes/pkg/apis/coordination/v1 // k8s.io/kubernetes/pkg/apis/coordination/v1
gvr("coordination.k8s.io", "v1", "leases"): { gvr("coordination.k8s.io", "v1", "leases"): {
Stub: `{"metadata": {"name": "leasev1"}, "spec": {"holderIdentity": "holder", "leaseDurationSeconds": 5}}`, Stub: `{"metadata": {"name": "leasev1"}, "spec": {"holderIdentity": "holder", "leaseDurationSeconds": 5}}`,

6
vendor/modules.txt vendored
View File

@ -1234,6 +1234,7 @@ k8s.io/api/autoscaling/v2beta2
k8s.io/api/batch/v1 k8s.io/api/batch/v1
k8s.io/api/batch/v1beta1 k8s.io/api/batch/v1beta1
k8s.io/api/certificates/v1 k8s.io/api/certificates/v1
k8s.io/api/certificates/v1alpha1
k8s.io/api/certificates/v1beta1 k8s.io/api/certificates/v1beta1
k8s.io/api/coordination/v1 k8s.io/api/coordination/v1
k8s.io/api/coordination/v1beta1 k8s.io/api/coordination/v1beta1
@ -1576,6 +1577,7 @@ k8s.io/client-go/applyconfigurations/autoscaling/v2beta2
k8s.io/client-go/applyconfigurations/batch/v1 k8s.io/client-go/applyconfigurations/batch/v1
k8s.io/client-go/applyconfigurations/batch/v1beta1 k8s.io/client-go/applyconfigurations/batch/v1beta1
k8s.io/client-go/applyconfigurations/certificates/v1 k8s.io/client-go/applyconfigurations/certificates/v1
k8s.io/client-go/applyconfigurations/certificates/v1alpha1
k8s.io/client-go/applyconfigurations/certificates/v1beta1 k8s.io/client-go/applyconfigurations/certificates/v1beta1
k8s.io/client-go/applyconfigurations/coordination/v1 k8s.io/client-go/applyconfigurations/coordination/v1
k8s.io/client-go/applyconfigurations/coordination/v1beta1 k8s.io/client-go/applyconfigurations/coordination/v1beta1
@ -1640,6 +1642,7 @@ k8s.io/client-go/informers/batch/v1
k8s.io/client-go/informers/batch/v1beta1 k8s.io/client-go/informers/batch/v1beta1
k8s.io/client-go/informers/certificates k8s.io/client-go/informers/certificates
k8s.io/client-go/informers/certificates/v1 k8s.io/client-go/informers/certificates/v1
k8s.io/client-go/informers/certificates/v1alpha1
k8s.io/client-go/informers/certificates/v1beta1 k8s.io/client-go/informers/certificates/v1beta1
k8s.io/client-go/informers/coordination k8s.io/client-go/informers/coordination
k8s.io/client-go/informers/coordination/v1 k8s.io/client-go/informers/coordination/v1
@ -1726,6 +1729,8 @@ k8s.io/client-go/kubernetes/typed/batch/v1beta1
k8s.io/client-go/kubernetes/typed/batch/v1beta1/fake k8s.io/client-go/kubernetes/typed/batch/v1beta1/fake
k8s.io/client-go/kubernetes/typed/certificates/v1 k8s.io/client-go/kubernetes/typed/certificates/v1
k8s.io/client-go/kubernetes/typed/certificates/v1/fake k8s.io/client-go/kubernetes/typed/certificates/v1/fake
k8s.io/client-go/kubernetes/typed/certificates/v1alpha1
k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake
k8s.io/client-go/kubernetes/typed/certificates/v1beta1 k8s.io/client-go/kubernetes/typed/certificates/v1beta1
k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake
k8s.io/client-go/kubernetes/typed/coordination/v1 k8s.io/client-go/kubernetes/typed/coordination/v1
@ -1802,6 +1807,7 @@ k8s.io/client-go/listers/autoscaling/v2beta2
k8s.io/client-go/listers/batch/v1 k8s.io/client-go/listers/batch/v1
k8s.io/client-go/listers/batch/v1beta1 k8s.io/client-go/listers/batch/v1beta1
k8s.io/client-go/listers/certificates/v1 k8s.io/client-go/listers/certificates/v1
k8s.io/client-go/listers/certificates/v1alpha1
k8s.io/client-go/listers/certificates/v1beta1 k8s.io/client-go/listers/certificates/v1beta1
k8s.io/client-go/listers/coordination/v1 k8s.io/client-go/listers/coordination/v1
k8s.io/client-go/listers/coordination/v1beta1 k8s.io/client-go/listers/coordination/v1beta1