Commit

CSR API to GA
liggitt committed Jun 1, 2020
1 parent 2512f76 commit 85f1e0d
Showing 2 changed files with 31 additions and 7 deletions.
Expand Up @@ -10,7 +10,7 @@ weight: 20

{{% capture overview %}}

{{< feature-state for_k8s_version="v1.18" state="beta" >}}
{{< feature-state for_k8s_version="v1.19" state="stable" >}}

The Certificates API enables automation of
[X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning by providing
Expand Down Expand Up @@ -109,6 +109,7 @@ Kubernetes provides built-in signers that each have a well-known `signerName`:

1. `kubernetes.io/legacy-unknown`: has no guarantees for trust at all. Some distributions may honor these as client
certs, but that behavior is not standard Kubernetes behavior.
This signerName can only be requested in CertificateSigningRequests created via the `certificates.k8s.io/v1beta1` API version.
Never auto-approved by {{< glossary_tooltip term_id="kube-controller-manager" >}}.
1. Trust distribution: None. There is no standard trust or distribution for this signer in a Kubernetes cluster.
1. Permitted subjects - any
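Review bot: the added sentence restricts `kubernetes.io/legacy-unknown` to CSRs created through `certificates.k8s.io/v1beta1`, but it does not say what a `certificates.k8s.io/v1` client sees when it requests that signerName; state the outcome explicitly (is the create rejected, or is the object accepted and left unsigned?) so readers do not assume the latter. Since the list item already says this signer carries no trust guarantees and is never auto-approved, one sentence that the v1 API refuses to create such a request would make the security posture unambiguous.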
Expand Down Expand Up @@ -267,12 +268,13 @@ status condition based on the state you determine:
For `Approved` CSRs:

```yaml
apiVersion: certificates.k8s.io/v1beta1
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
...
status:
conditions:
- lastUpdateTime: "2020-02-08T11:37:35Z"
lastTransitionTime: "2020-02-08T11:37:35Z"
message: Approved by my custom approver controller
reason: ApprovedByMyPolicy # You can set this to any string
type: Approved
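Review bot: the condition example now carries `lastTransitionTime` instead of `lastUpdateTime`, but it still shows no `status` value on the condition; if the v1 condition type requires one (the usual `status: "True"` on a Kubernetes condition), please add it here, otherwise a controller that copies this snippet verbatim will produce an object the API rejects. The `...` placeholder between `kind` and `status` is fine, but a comment that `metadata` and `spec` are elided would keep readers from wondering whether the update may drop them.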
Expand All @@ -281,12 +283,13 @@ status:
For `Denied` CSRs:

```yaml
apiVersion: certificates.k8s.io/v1beta1
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
...
status:
conditions:
- lastUpdateTime: "2020-02-08T11:37:35Z"
lastTransitionTime: "2020-02-08T11:37:35Z"
message: Denied by my custom approver controller
reason: DeniedByMyPolicy # You can set this to any string
type: Denied
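Review bot: the comment `# You can set this to any string` on `reason` reads as guidance and is misleading: `reason` is the machine-readable token (short, stable, CamelCase, as `DeniedByMyPolicy` already is) and `message` is where free-form explanation belongs, so suggest rewording the comment to say that, in both the `Approved` and `Denied` examples. The page would also benefit from stating whether a CSR may carry both an `Approved` and a `Denied` condition; if not, say that an approver controller sets exactly one of them and never adds the other afterwards.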
Expand Down Expand Up @@ -315,7 +318,24 @@ Users of the REST API can sign CSRs by submitting an UPDATE request to the `stat
subresource of the CSR to be signed.

As part of this request, the `status.certificate` field should be set to contain the
signed certificate.
signed certificate. This field contains one or more PEM-encoded certificates.

All PEM blocks must have the "CERTIFICATE" label, contain no headers,
and the encoded data must be a BER-encoded ASN.1 Certificate structure
as described in section 4 of RFC5280.

Non-PEM content may appear before or after the CERTIFICATE PEM blocks and is unvalidated,
to allow for explanatory text as described in section 5.2 of RFC7468.

When encoded in JSON or YAML, this field is base-64 encoded:

```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
...
status:
certificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...<one or more base64-encoded CERTIFICATE PEM blocks>..."
```

{{% /capture %}}

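Review bot: the sentence "Non-PEM content may appear before or after the CERTIFICATE PEM blocks and is unvalidated" is the security-relevant part of this hunk and deserves a consumer-side caveat: bytes outside the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` blocks are unvalidated signer output, so clients reading `status.certificate` should extract only the CERTIFICATE blocks (with no encapsulated headers, per the rule above) and ignore everything else rather than hand the whole field to a lenient parser. Two smaller points: "BER-encoded" is more permissive than the DER encoding RFC 5280 uses for signature computation (DER is a strict subset of BER), so if signers are expected to emit DER, say so and present BER as what validators tolerate; and the YAML example would be clearer with a sentence that the value is the base64 of the PEM text as a whole (the `LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t` prefix decodes to `-----BEGIN CERTIFICATE-----`), not base64 of the raw DER, since that is a common mistake when populating the field by hand.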
10 changes: 7 additions & 3 deletions content/en/docs/tasks/tls/managing-tls-in-a-cluster.md
Expand Up @@ -108,12 +108,13 @@ command:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: my-svc.my-namespace
spec:
request: $(cat server.csr | base64 | tr -d '\n')
signerName: kubernetes.io/kubelet-serving
usages:
- digital signature
- key encipherment
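Review bot: the example requests the `kubernetes.io/kubelet-serving` signer for a certificate named `my-svc.my-namespace`; please confirm that this built-in signer accepts a CSR whose subject and SANs describe a service rather than a node, since the signers reference page documents permitted subjects per signer and a built-in signer that only serves node identities would leave this CSR denied or unsigned, in which case the walkthrough should point at a custom or cluster-specific signer instead. Minor: `$(cat server.csr | base64 | tr -d '\n')` can be `$(base64 < server.csr | tr -d '\n')`; the `tr` is the portable way to strip the line wrapping, so keep it rather than switching to `base64 -w0`.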
Expand All @@ -124,10 +125,13 @@ EOF
Notice that the `server.csr` file created in step 1 is base64 encoded
and stashed in the `.spec.request` field. We are also requesting a
certificate with the "digital signature", "key encipherment", and "server
auth" key usages. We support all key usages and extended key usages listed
auth" key usages, signed by the `kubernetes.io/kubelet-serving` signer.
We support all key usages and extended key usages listed
[here](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage)
so you can request client certificates and other certificates using this
same API.
same API. A specific `signerName` must be requested.
View documentation for [supported signer names](/docs/reference/access-authn-authz/certificate-signing-requests/#signers)
for more information.

The CSR should now be visible from the API in a Pending state. You can see
it by running:
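Review bot: the link still points at `https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage` while the surrounding prose and the example above now use `certificates.k8s.io/v1`; update it to the v1 `KeyUsage` type so the list of supported usages matches the API version readers are told to use. The added sentence "A specific `signerName` must be requested." would read better merged with the preceding one, e.g. "same API; with `certificates.k8s.io/v1` a specific `signerName` must be requested.", and "View documentation for [supported signer names](...) for more information." says "documentation" and "for more information" twice over, so "See the list of [supported signer names](...)." suffices.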

0 comments on commit 85f1e0d