Class PodCertificateRequestSpec

  • All Implemented Interfaces:
    io.fabric8.kubernetes.api.builder.Editable<PodCertificateRequestSpecBuilder>, io.fabric8.kubernetes.api.model.KubernetesResource, Serializable

    @Generated("io.fabric8.kubernetes.schema.generator.model.ModelGenerator")
    public class PodCertificateRequestSpec
    extends Object
    implements io.fabric8.kubernetes.api.builder.Editable<PodCertificateRequestSpecBuilder>, io.fabric8.kubernetes.api.model.KubernetesResource
    PodCertificateRequestSpec describes the certificate request. All fields are immutable after creation.
    See Also:
    Serialized Form
    • Constructor Detail

      • PodCertificateRequestSpec

        public PodCertificateRequestSpec()
        No args constructor for use in serialization
    • Method Detail

      • getMaxExpirationSeconds

        public Integer getMaxExpirationSeconds()
        maxExpirationSeconds is the maximum lifetime permitted for the certificate.


        If omitted, kube-apiserver will set it to 86400 (24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).


        The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.

      • setMaxExpirationSeconds

        public void setMaxExpirationSeconds(Integer maxExpirationSeconds)
        maxExpirationSeconds is the maximum lifetime permitted for the certificate.


        If omitted, kube-apiserver will set it to 86400 (24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).


        The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.

      • getNodeName

        public String getNodeName()
        nodeName is the name of the node the pod is assigned to.
      • setNodeName

        public void setNodeName(String nodeName)
        nodeName is the name of the node the pod is assigned to.
      • getNodeUID

        public String getNodeUID()
        nodeUID is the UID of the node the pod is assigned to.
      • setNodeUID

        public void setNodeUID(String nodeUID)
        nodeUID is the UID of the node the pod is assigned to.
      • getPkixPublicKey

        public String getPkixPublicKey()
        pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.


        The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.


        Signer implementations do not need to support all key types supported by kube-apiserver and kubelet. If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of "Denied" and a reason of "UnsupportedKeyType". It may also suggest a key type that it does support in the message field.

      • setPkixPublicKey

        public void setPkixPublicKey(String pkixPublicKey)
        pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.


        The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.


        Signer implementations do not need to support all key types supported by kube-apiserver and kubelet. If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of "Denied" and a reason of "UnsupportedKeyType". It may also suggest a key type that it does support in the message field.

      • getPodName

        public String getPodName()
        podName is the name of the pod into which the certificate will be mounted.
      • setPodName

        public void setPodName(String podName)
        podName is the name of the pod into which the certificate will be mounted.
      • getPodUID

        public String getPodUID()
        podUID is the UID of the pod into which the certificate will be mounted.
      • setPodUID

        public void setPodUID(String podUID)
        podUID is the UID of the pod into which the certificate will be mounted.
      • getProofOfPossession

        public String getProofOfPossession()
        proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.


        It is constructed by signing the ASCII bytes of the pod's UID with the private key corresponding to `pkixPublicKey`.


        kube-apiserver validates the proof of possession during creation of the PodCertificateRequest.


        If the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).


        If the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1).


        If the key is an ED25519 key, then the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library function crypto/ed25519.Sign).

      • setProofOfPossession

        public void setProofOfPossession(String proofOfPossession)
        proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.


        It is constructed by signing the ASCII bytes of the pod's UID with the private key corresponding to `pkixPublicKey`.


        kube-apiserver validates the proof of possession during creation of the PodCertificateRequest.


        If the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).


        If the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1).


        If the key is an ED25519 key, then the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library function crypto/ed25519.Sign).

      • getServiceAccountName

        public String getServiceAccountName()
        serviceAccountName is the name of the service account the pod is running as.
      • setServiceAccountName

        public void setServiceAccountName(String serviceAccountName)
        serviceAccountName is the name of the service account the pod is running as.
      • getServiceAccountUID

        public String getServiceAccountUID()
        serviceAccountUID is the UID of the service account the pod is running as.
      • setServiceAccountUID

        public void setServiceAccountUID(String serviceAccountUID)
        serviceAccountUID is the UID of the service account the pod is running as.
      • getSignerName

        public String getSignerName()
        signerName indicates the requested signer.


        All signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project. There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver. It is currently unimplemented.

      • setSignerName

        public void setSignerName(String signerName)
        signerName indicates the requested signer.


        All signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project. There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver. It is currently unimplemented.

      • getAdditionalProperties

        public Map<String, Object> getAdditionalProperties()
      • setAdditionalProperty

        public void setAdditionalProperty(String name,
                                          Object value)
      • setAdditionalProperties

        public void setAdditionalProperties(Map<String, Object> additionalProperties)