scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-04 04:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs/proposals: further review comments

Browse Source
This commit is contained in:
George Tankersley
2016-04-25 18:30:40 -07:00
parent 5d479cc971
commit a81beb3bde
1 changed files with 42 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
docs/proposals/kubelet-tls-bootstrap.md
View File

@@ -79,7 +79,7 @@ It will have the following structure:
```go ```go
// Describes a certificate signing request // Describes a certificate signing request
type CertificateSigningRequest struct { type CertificateSigningRequest struct {
api.TypeMeta `json:",inline"` unversioned.TypeMeta `json:",inline"`
api.ObjectMeta `json:"metadata,omitempty"` api.ObjectMeta `json:"metadata,omitempty"`
// The certificate request itself and any additonal information. // The certificate request itself and any additonal information.
@@ -87,18 +87,15 @@ type CertificateSigningRequest struct {
// Derived information about the request. // Derived information about the request.
Status CertificateSigningRequestStatus `json:"status,omitempty"` Status CertificateSigningRequestStatus `json:"status,omitempty"`
// The current approval state of the request.
Approve CertificateSigningRequestApproval `json:"approve,omitempty"`
} }
// This information is immutable after the request is created. // This information is immutable after the request is created.
type CertificateSigningRequestSpec struct { type CertificateSigningRequestSpec struct {
// base64-encoded PKCS#10 CSR data // Base64-encoded PKCS#10 CSR data
CertificateRequest string `json:"request"` Request string `json:"request"`
// Any extra information the node wishes to send with the request. // Any extra information the node wishes to send with the request.
ExtraInfo []string `json:"extra,omitempty"` ExtraInfo []string `json:"extrainfo,omitempty"`
} }
// This information is derived from the request by Kubernetes and cannot be // This information is derived from the request by Kubernetes and cannot be
@@ -116,36 +113,42 @@ type CertificateSigningRequestStatus struct {
Fingerprint string `json:"fingerprint,omitempty"` Fingerprint string `json:"fingerprint,omitempty"`
// Subject fields from the request // Subject fields from the request
Subject pkix.Name `json:"subject,omitempty"` Subject internal.Subject `json:"subject,omitempty"`
// DNS SANs from the request // DNS SANs from the request
Hostnames []string `json:"dns,omitempty"` Hostnames []string `json:"hostnames,omitempty"`
// IP SANs from the request // IP SANs from the request
IPAddresses []string `json:"ip,omitempty"` IPAddresses []string `json:"ipaddresses,omitempty"`
Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty"`
} }
type CertificateSigningRequestApproval struct { type RequestConditionType string
// CSR approval state, one of Submitted, Approved, or Denied
State CertificateRequestState `json:"state"`
// These are the possible states for a certificate request.
const (
Approved RequestConditionType = "Approved"
Denied RequestConditionType = "Denied"
)
type CertificateSigningRequestCondition struct {
// request approval state, currently Approved or Denied.
Type RequestConditionType `json:"type"`
// brief reason for the request state // brief reason for the request state
Reason string `json:"reason,omitempty"` Reason string `json:"reason,omitempty"`
// human readable message with details about the request state // human readable message with details about the request state
Message string `json:"message,omitempty"` Message string `json:"message,omitempty"`
// If request was approved, the controller will place the issued certificate here. // If request was approved, the controller will place the issued certificate here.
Certificate []byte `json:"certificate,omitempty"` Certificate []byte `json:"certificate,omitempty"`
} }
type CertificateRequestState string type CertificateSigningRequestList struct {
unversioned.TypeMeta `json:",inline"`
unversioned.ListMeta `json:"metadata,omitempty"`
// These are the possible states for a certificate request. Items []CertificateSigningRequest `json:"items,omitempty"`
const ( }
RequestSubmitted CertificateRequestState = "Submitted"
RequestApproved CertificateRequestState = "Approved"
RequestDenied CertificateRequestState = "Denied"
)
``` ```
We also introduce CertificateSigningRequestList to allow listing all the CSRs in the cluster: We also introduce CertificateSigningRequestList to allow listing all the CSRs in the cluster:
@@ -181,26 +184,26 @@ The apiserver persists the CertificateSigningRequests and exposes the List of
all CSRs for an administrator to approve or reject. all CSRs for an administrator to approve or reject.
A new certificate controller watches for certificate requests. It must first A new certificate controller watches for certificate requests. It must first
validate the signature on each CSR and set `CertificateRequestState=Denied` on validate the signature on each CSR and add `Condition=Denied` on
any requests with invalid signatures. For valid requests, it will set any requests with invalid signatures (with Reason and Message incidicating
`CertificateRequestState=Submitted`. The controller will derive the information such). For valid requests, the controller will derive the information in
in `CertificateSigningRequestStatus` and update that object. The controller `CertificateSigningRequestStatus` and update that object. The controller should
should watch for updates the approval state of any CertificateSigningRequest. watch for updates to the approval condition of any CertificateSigningRequest.
When a request is approved (signified by CertificateRequestState changing from When a request is approved (signified by Conditions containing only Approved)
Submitted to Approved) the controller should generate and sign a certificate the controller should generate and sign a certificate based on that CSR, then
based on that CSR, then update the approval subresource with the certificate update the condition with the certificate data using the `/approval`
data. subresource.
### Manual CSR approval ### Manual CSR approval
An administrator using `kubectl` or another API client can query the An administrator using `kubectl` or another API client can query the
CertificateSigningRequestList and update the approval state of CertificateSigningRequestList and update the approval condition of
CertificateSigningRequests. The default state is empty, indicating that there CertificateSigningRequests. The default state is empty, indicating that there
has been no decision so far. Once a request has passed basic validation it will has been no decision so far. A state of "Approved" indicates that the admin has
be "Submitted". A state of "Approved" indicates that the admin has approved the approved the request and the certificate controller should issue the
request and the certificate controller should issue the certificate. A state of certificate. A state of "Denied" indicates that admin has denied the
"Denied" indicates that the admin has denied the request. An admin may also request. An admin may also supply Reason and Message fields to explain the
supply Reason and Message fields to explain the rejection. rejection.
## kube-apiserver support ## kube-apiserver support
@@ -222,7 +225,8 @@ interaction will be similar to
[salt-key](https://docs.saltstack.com/en/latest/ref/cli/salt-key.html). [salt-key](https://docs.saltstack.com/en/latest/ref/cli/salt-key.html).
Specifically, the admin will have the ability to retrieve the full list of Specifically, the admin will have the ability to retrieve the full list of
pending CSRs, inspect their contents, and set their states to one of: pending CSRs, inspect their contents, and set their approval conditions to one
of:
1. **Approved** if the controller should issue the cert 1. **Approved** if the controller should issue the cert
2. **Denied** if the controller should not issue the cert 2. **Denied** if the controller should not issue the cert