mirror of https://github.com/k3s-io/k3s
Merge pull request #70138 from liggitt/optional-ca-bundle
Correct optional/omitempty indicator on webhook cabundlepull/58/head
commit
1fe288ec02
|
@ -77370,12 +77370,9 @@
|
|||
},
|
||||
"io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig": {
|
||||
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
|
||||
"required": [
|
||||
"caBundle"
|
||||
],
|
||||
"properties": {
|
||||
"caBundle": {
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
"type": "string",
|
||||
"format": "byte"
|
||||
},
|
||||
|
@ -79979,7 +79976,7 @@
|
|||
"description": "WebhookClientConfig contains the information to make a connection with the webhook",
|
||||
"properties": {
|
||||
"caBundle": {
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type",
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
"type": "string",
|
||||
"format": "byte"
|
||||
},
|
||||
|
@ -93505,7 +93502,7 @@
|
|||
],
|
||||
"properties": {
|
||||
"caBundle": {
|
||||
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.",
|
||||
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
"type": "string",
|
||||
"format": "byte"
|
||||
},
|
||||
|
@ -93664,7 +93661,7 @@
|
|||
],
|
||||
"properties": {
|
||||
"caBundle": {
|
||||
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.",
|
||||
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
"type": "string",
|
||||
"format": "byte"
|
||||
},
|
||||
|
|
|
@ -1860,10 +1860,6 @@
|
|||
"v1beta1.WebhookClientConfig": {
|
||||
"id": "v1beta1.WebhookClientConfig",
|
||||
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
|
||||
"required": [
|
||||
"service",
|
||||
"caBundle"
|
||||
],
|
||||
"properties": {
|
||||
"url": {
|
||||
"type": "string",
|
||||
|
@ -1875,7 +1871,7 @@
|
|||
},
|
||||
"caBundle": {
|
||||
"type": "string",
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required."
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -1155,10 +1155,6 @@
|
|||
"v1alpha1.WebhookClientConfig": {
|
||||
"id": "v1alpha1.WebhookClientConfig",
|
||||
"description": "WebhookClientConfig contains the information to make a connection with the webhook",
|
||||
"required": [
|
||||
"service",
|
||||
"caBundle"
|
||||
],
|
||||
"properties": {
|
||||
"url": {
|
||||
"type": "string",
|
||||
|
@ -1170,7 +1166,7 @@
|
|||
},
|
||||
"caBundle": {
|
||||
"type": "string",
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type"
|
||||
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -1613,14 +1613,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
|
|||
If the webhook is running within the cluster, then you should use <code>service</code>.<br>
|
||||
<br>
|
||||
Port 443 will be used if it is open, otherwise it is an error.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_servicereference">v1beta1.ServiceReference</a></p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. Required.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
|
|
|
@ -525,14 +525,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
|
|||
If the webhook is running within the cluster, then you should use <code>service</code>.<br>
|
||||
<br>
|
||||
Port 443 will be used if it is open, otherwise it is an error.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_servicereference">v1alpha1.ServiceReference</a></p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. defaults to the apiservers CA bundle for the endpoint type</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook’s server certificate. If unspecified, system trust roots on the apiserver are used.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
|
||||
<td class="tableblock halign-left valign-top"></td>
|
||||
</tr>
|
||||
|
|
|
@ -328,9 +328,9 @@ type WebhookClientConfig struct {
|
|||
// +optional
|
||||
Service *ServiceReference
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// Required.
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte
|
||||
}
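Review bot: The rewritten `CABundle` comment states the fallback but not what it does to the trust decision: with the field empty, the webhook's serving certificate is accepted when it chains to any CA in the apiserver host's trust store rather than to a CA chosen for this webhook. I would add a line before `// +optional`, for example `// Leaving this empty trusts every CA in the apiserver's system roots; set it to restrict trust to the webhook's issuing CA.` The same two comment lines recur in the other WebhookClientConfig hunks on this page (the second internal struct, both tagged structs and both proto messages), so the wording should be changed once in the hand-written types and regenerated. Whether validation still rejects an empty bundle is not visible here and is worth confirming alongside the `+optional` marker. WebhookClientConfig begins outside this hunk.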
|
||||
|
||||
|
|
|
@ -173,9 +173,8 @@ type WebhookClientConfig struct {
|
|||
// +optional
|
||||
Service *ServiceReference
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// defaults to the apiservers CA bundle for the endpoint type
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte
|
||||
}
|
||||
|
|
|
@ -261,9 +261,9 @@ message WebhookClientConfig {
|
|||
// +optional
|
||||
optional ServiceReference service = 1;
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// Required.
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
optional bytes caBundle = 2;
|
||||
}
|
||||
|
||||
|
|
|
@ -282,12 +282,12 @@ type WebhookClientConfig struct {
|
|||
// Port 443 will be used if it is open, otherwise it is an error.
|
||||
//
|
||||
// +optional
|
||||
Service *ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
|
||||
Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,1,opt,name=service"`
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// Required.
|
||||
CABundle []byte `json:"caBundle" protobuf:"bytes,2,opt,name=caBundle"`
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
|
||||
}
|
||||
|
||||
// ServiceReference holds a reference to Service.legacy.k8s.io
|
||||
|
|
|
@ -116,7 +116,7 @@ var map_WebhookClientConfig = map[string]string{
|
|||
"": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
|
||||
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
|
||||
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
|
||||
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.",
|
||||
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
}
|
||||
|
||||
func (WebhookClientConfig) SwaggerDoc() map[string]string {
|
||||
|
|
|
@ -137,9 +137,8 @@ message WebhookClientConfig {
|
|||
// +optional
|
||||
optional ServiceReference service = 2;
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// defaults to the apiservers CA bundle for the endpoint type
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
optional bytes caBundle = 3;
|
||||
}
|
||||
|
|
|
@ -169,13 +169,12 @@ type WebhookClientConfig struct {
|
|||
// Port 443 will be used if it is open, otherwise it is an error.
|
||||
//
|
||||
// +optional
|
||||
Service *ServiceReference `json:"service" protobuf:"bytes,2,opt,name=service"`
|
||||
Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,2,opt,name=service"`
|
||||
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate
|
||||
// the webhook's server certificate.
|
||||
// defaults to the apiservers CA bundle for the endpoint type
|
||||
// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte `json:"caBundle" protobuf:"bytes,3,opt,name=caBundle"`
|
||||
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,3,opt,name=caBundle"`
|
||||
}
|
||||
|
||||
// ServiceReference holds a reference to Service.legacy.k8s.io
|
||||
|
|
|
@ -90,7 +90,7 @@ var map_WebhookClientConfig = map[string]string{
|
|||
"": "WebhookClientConfig contains the information to make a connection with the webhook",
|
||||
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
|
||||
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
|
||||
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type",
|
||||
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
|
||||
}
|
||||
|
||||
func (WebhookClientConfig) SwaggerDoc() map[string]string {
|
||||
|
|
|
@ -99,14 +99,26 @@ func TestNew(t *testing.T) {
|
|||
TLSCert bool
|
||||
TLSErr bool
|
||||
Default bool
|
||||
Insecure bool
|
||||
DefaultRoots bool
|
||||
}{
|
||||
"default transport": {
|
||||
Default: true,
|
||||
Config: &Config{},
|
||||
},
|
||||
|
||||
"insecure": {
|
||||
TLS: true,
|
||||
Insecure: true,
|
||||
DefaultRoots: true,
|
||||
Config: &Config{TLS: TLSConfig{
|
||||
Insecure: true,
|
||||
}},
|
||||
},
|
||||
|
||||
"server name": {
|
||||
TLS: true,
|
||||
DefaultRoots: true,
|
||||
Config: &Config{TLS: TLSConfig{
|
||||
ServerName: "foo",
|
||||
}},
|
||||
|
@ -266,6 +278,18 @@ func TestNew(t *testing.T) {
|
|||
return
|
||||
}
|
||||
|
||||
switch {
|
||||
case testCase.DefaultRoots && transport.TLSClientConfig.RootCAs != nil:
|
||||
t.Fatalf("got %#v, expected nil root CAs", transport.TLSClientConfig.RootCAs)
|
||||
case !testCase.DefaultRoots && transport.TLSClientConfig.RootCAs == nil:
|
||||
t.Fatalf("got %#v, expected non-nil root CAs", transport.TLSClientConfig.RootCAs)
|
||||
}
|
||||
|
||||
switch {
|
||||
case testCase.Insecure != transport.TLSClientConfig.InsecureSkipVerify:
|
||||
t.Fatalf("got %#v, expected %#v", transport.TLSClientConfig.InsecureSkipVerify, testCase.Insecure)
|
||||
}
|
||||
|
||||
switch {
|
||||
case testCase.TLSCert && transport.TLSClientConfig.GetClientCertificate == nil:
|
||||
t.Fatalf("got %#v, expected TLSClientConfig.GetClientCertificate", transport.TLSClientConfig)
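Review bot: The new `RootCAs` assertion only distinguishes nil from non-nil, so a case that configures CA data would still pass if the transport ended up with an empty pool, which is the outcome that matters for certificate validation. Adding a third case after the nil check, `case !testCase.DefaultRoots && len(transport.TLSClientConfig.RootCAs.Subjects()) == 0:` with a matching `t.Fatalf("expected configured root CAs, got empty pool")`, would catch that. The cases that set CA data are outside these hunks, so this assumes at least one of them leaves `DefaultRoots` false. As a style point, the single-case `switch` around the `InsecureSkipVerify` comparison reads more directly as an `if`. TestNew starts and ends outside the hunk.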
|
||||
|
|
|
@ -53,6 +53,7 @@ type APIServiceSpec struct {
|
|||
// This is strongly discouraged. You should use the CABundle instead.
|
||||
InsecureSkipTLSVerify bool
|
||||
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte
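Review bot: The `CABundle` comment sits directly under `InsecureSkipTLSVerify` but does not say how the two fields interact, so these lines alone do not tell a reader what a set bundle means when verification is skipped. A line stating the rule would close that gap, for example `// Has no effect when InsecureSkipTLSVerify is true.` if that is what the code does; the validation is not visible here, so confirm the wording against it before adding. The same comment appears in the two tagged APIServiceSpec hunks further down the page and should carry the same line. APIServiceSpec begins and ends outside this hunk.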
|
||||
|
||||
|
|
|
@ -88,6 +88,7 @@ message APIServiceSpec {
|
|||
optional bool insecureSkipTLSVerify = 4;
|
||||
|
||||
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
optional bytes caBundle = 5;
|
||||
|
||||
|
|
|
@ -53,6 +53,7 @@ type APIServiceSpec struct {
|
|||
// This is strongly discouraged. You should use the CABundle instead.
|
||||
InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"`
|
||||
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"`
|
||||
|
||||
|
|
|
@ -88,6 +88,7 @@ message APIServiceSpec {
|
|||
optional bool insecureSkipTLSVerify = 4;
|
||||
|
||||
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
optional bytes caBundle = 5;
|
||||
|
||||
|
|
|
@ -53,6 +53,7 @@ type APIServiceSpec struct {
|
|||
// This is strongly discouraged. You should use the CABundle instead.
|
||||
InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"`
|
||||
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
|
||||
// If unspecified, system trust roots on the apiserver are used.
|
||||
// +optional
|
||||
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"`
|
||||
|
||||
|
|