Unverified Commit 1fe288ec authored by k8s-ci-robot's avatar k8s-ci-robot Committed by GitHub

Merge pull request #70138 from liggitt/optional-ca-bundle

Correct optional/omitempty indicator on webhook cabundle
parents 101d26c6 fbd5597e
...@@ -77370,12 +77370,9 @@ ...@@ -77370,12 +77370,9 @@
}, },
"io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig": { "io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig": {
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook", "description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"required": [
"caBundle"
],
"properties": { "properties": {
"caBundle": { "caBundle": {
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.", "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string", "type": "string",
"format": "byte" "format": "byte"
}, },
...@@ -79979,7 +79976,7 @@ ...@@ -79979,7 +79976,7 @@
"description": "WebhookClientConfig contains the information to make a connection with the webhook", "description": "WebhookClientConfig contains the information to make a connection with the webhook",
"properties": { "properties": {
"caBundle": { "caBundle": {
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type", "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string", "type": "string",
"format": "byte" "format": "byte"
}, },
...@@ -93505,7 +93502,7 @@ ...@@ -93505,7 +93502,7 @@
], ],
"properties": { "properties": {
"caBundle": { "caBundle": {
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.", "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string", "type": "string",
"format": "byte" "format": "byte"
}, },
...@@ -93664,7 +93661,7 @@ ...@@ -93664,7 +93661,7 @@
], ],
"properties": { "properties": {
"caBundle": { "caBundle": {
"description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.", "description": "CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.",
"type": "string", "type": "string",
"format": "byte" "format": "byte"
}, },
...@@ -1860,10 +1860,6 @@ ...@@ -1860,10 +1860,6 @@
"v1beta1.WebhookClientConfig": { "v1beta1.WebhookClientConfig": {
"id": "v1beta1.WebhookClientConfig", "id": "v1beta1.WebhookClientConfig",
"description": "WebhookClientConfig contains the information to make a TLS connection with the webhook", "description": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"required": [
"service",
"caBundle"
],
"properties": { "properties": {
"url": { "url": {
"type": "string", "type": "string",
...@@ -1875,7 +1871,7 @@ ...@@ -1875,7 +1871,7 @@
}, },
"caBundle": { "caBundle": {
"type": "string", "type": "string",
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required." "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
} }
} }
}, },
......
...@@ -1155,10 +1155,6 @@ ...@@ -1155,10 +1155,6 @@
"v1alpha1.WebhookClientConfig": { "v1alpha1.WebhookClientConfig": {
"id": "v1alpha1.WebhookClientConfig", "id": "v1alpha1.WebhookClientConfig",
"description": "WebhookClientConfig contains the information to make a connection with the webhook", "description": "WebhookClientConfig contains the information to make a connection with the webhook",
"required": [
"service",
"caBundle"
],
"properties": { "properties": {
"url": { "url": {
"type": "string", "type": "string",
...@@ -1170,7 +1166,7 @@ ...@@ -1170,7 +1166,7 @@
}, },
"caBundle": { "caBundle": {
"type": "string", "type": "string",
"description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type" "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used."
} }
} }
}, },
......
...@@ -1613,14 +1613,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra ...@@ -1613,14 +1613,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
If the webhook is running within the cluster, then you should use <code>service</code>.<br> If the webhook is running within the cluster, then you should use <code>service</code>.<br>
<br> <br>
Port 443 will be used if it is open, otherwise it is an error.</p></td> Port 443 will be used if it is open, otherwise it is an error.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_servicereference">v1beta1.ServiceReference</a></p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_servicereference">v1beta1.ServiceReference</a></p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. Required.</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. If unspecified, system trust roots on the apiserver are used.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
......
...@@ -525,14 +525,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra ...@@ -525,14 +525,14 @@ Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fra
If the webhook is running within the cluster, then you should use <code>service</code>.<br> If the webhook is running within the cluster, then you should use <code>service</code>.<br>
<br> <br>
Port 443 will be used if it is open, otherwise it is an error.</p></td> Port 443 will be used if it is open, otherwise it is an error.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_servicereference">v1alpha1.ServiceReference</a></p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_servicereference">v1alpha1.ServiceReference</a></p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">caBundle</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. defaults to the apiservers CA bundle for the endpoint type</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock"><code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook&#8217;s server certificate. If unspecified, system trust roots on the apiserver are used.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
......
...@@ -328,9 +328,9 @@ type WebhookClientConfig struct { ...@@ -328,9 +328,9 @@ type WebhookClientConfig struct {
// +optional // +optional
Service *ServiceReference Service *ServiceReference
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// Required. // +optional
CABundle []byte CABundle []byte
} }
......
...@@ -173,9 +173,8 @@ type WebhookClientConfig struct { ...@@ -173,9 +173,8 @@ type WebhookClientConfig struct {
// +optional // +optional
Service *ServiceReference Service *ServiceReference
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// defaults to the apiservers CA bundle for the endpoint type
// +optional // +optional
CABundle []byte CABundle []byte
} }
......
...@@ -261,9 +261,9 @@ message WebhookClientConfig { ...@@ -261,9 +261,9 @@ message WebhookClientConfig {
// +optional // +optional
optional ServiceReference service = 1; optional ServiceReference service = 1;
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// Required. // +optional
optional bytes caBundle = 2; optional bytes caBundle = 2;
} }
...@@ -282,12 +282,12 @@ type WebhookClientConfig struct { ...@@ -282,12 +282,12 @@ type WebhookClientConfig struct {
// Port 443 will be used if it is open, otherwise it is an error. // Port 443 will be used if it is open, otherwise it is an error.
// //
// +optional // +optional
Service *ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"` Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,1,opt,name=service"`
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// Required. // +optional
CABundle []byte `json:"caBundle" protobuf:"bytes,2,opt,name=caBundle"` CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,2,opt,name=caBundle"`
} }
// ServiceReference holds a reference to Service.legacy.k8s.io // ServiceReference holds a reference to Service.legacy.k8s.io
......
...@@ -116,7 +116,7 @@ var map_WebhookClientConfig = map[string]string{ ...@@ -116,7 +116,7 @@ var map_WebhookClientConfig = map[string]string{
"": "WebhookClientConfig contains the information to make a TLS connection with the webhook", "": "WebhookClientConfig contains the information to make a TLS connection with the webhook",
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.", "url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.", "service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. Required.", "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
} }
func (WebhookClientConfig) SwaggerDoc() map[string]string { func (WebhookClientConfig) SwaggerDoc() map[string]string {
......
...@@ -137,9 +137,8 @@ message WebhookClientConfig { ...@@ -137,9 +137,8 @@ message WebhookClientConfig {
// +optional // +optional
optional ServiceReference service = 2; optional ServiceReference service = 2;
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// defaults to the apiservers CA bundle for the endpoint type
// +optional // +optional
optional bytes caBundle = 3; optional bytes caBundle = 3;
} }
......
...@@ -169,13 +169,12 @@ type WebhookClientConfig struct { ...@@ -169,13 +169,12 @@ type WebhookClientConfig struct {
// Port 443 will be used if it is open, otherwise it is an error. // Port 443 will be used if it is open, otherwise it is an error.
// //
// +optional // +optional
Service *ServiceReference `json:"service" protobuf:"bytes,2,opt,name=service"` Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,2,opt,name=service"`
// `caBundle` is a PEM encoded CA bundle which will be used to validate // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
// the webhook's server certificate. // If unspecified, system trust roots on the apiserver are used.
// defaults to the apiservers CA bundle for the endpoint type
// +optional // +optional
CABundle []byte `json:"caBundle" protobuf:"bytes,3,opt,name=caBundle"` CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,3,opt,name=caBundle"`
} }
// ServiceReference holds a reference to Service.legacy.k8s.io // ServiceReference holds a reference to Service.legacy.k8s.io
......
...@@ -90,7 +90,7 @@ var map_WebhookClientConfig = map[string]string{ ...@@ -90,7 +90,7 @@ var map_WebhookClientConfig = map[string]string{
"": "WebhookClientConfig contains the information to make a connection with the webhook", "": "WebhookClientConfig contains the information to make a connection with the webhook",
"url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.", "url": "`url` gives the location of the webhook, in standard URL form (`[scheme://]host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.",
"service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.", "service": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.\n\nPort 443 will be used if it is open, otherwise it is an error.",
"caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. defaults to the apiservers CA bundle for the endpoint type", "caBundle": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.",
} }
func (WebhookClientConfig) SwaggerDoc() map[string]string { func (WebhookClientConfig) SwaggerDoc() map[string]string {
......
...@@ -93,20 +93,32 @@ stR0Yiw0buV6DL/moUO0HIM9Bjh96HJp+LxiIS6UCdIhMPp5HoQa ...@@ -93,20 +93,32 @@ stR0Yiw0buV6DL/moUO0HIM9Bjh96HJp+LxiIS6UCdIhMPp5HoQa
func TestNew(t *testing.T) { func TestNew(t *testing.T) {
testCases := map[string]struct { testCases := map[string]struct {
Config *Config Config *Config
Err bool Err bool
TLS bool TLS bool
TLSCert bool TLSCert bool
TLSErr bool TLSErr bool
Default bool Default bool
Insecure bool
DefaultRoots bool
}{ }{
"default transport": { "default transport": {
Default: true, Default: true,
Config: &Config{}, Config: &Config{},
}, },
"insecure": {
TLS: true,
Insecure: true,
DefaultRoots: true,
Config: &Config{TLS: TLSConfig{
Insecure: true,
}},
},
"server name": { "server name": {
TLS: true, TLS: true,
DefaultRoots: true,
Config: &Config{TLS: TLSConfig{ Config: &Config{TLS: TLSConfig{
ServerName: "foo", ServerName: "foo",
}}, }},
...@@ -267,6 +279,18 @@ func TestNew(t *testing.T) { ...@@ -267,6 +279,18 @@ func TestNew(t *testing.T) {
} }
switch { switch {
case testCase.DefaultRoots && transport.TLSClientConfig.RootCAs != nil:
t.Fatalf("got %#v, expected nil root CAs", transport.TLSClientConfig.RootCAs)
case !testCase.DefaultRoots && transport.TLSClientConfig.RootCAs == nil:
t.Fatalf("got %#v, expected non-nil root CAs", transport.TLSClientConfig.RootCAs)
}
switch {
case testCase.Insecure != transport.TLSClientConfig.InsecureSkipVerify:
t.Fatalf("got %#v, expected %#v", transport.TLSClientConfig.InsecureSkipVerify, testCase.Insecure)
}
switch {
case testCase.TLSCert && transport.TLSClientConfig.GetClientCertificate == nil: case testCase.TLSCert && transport.TLSClientConfig.GetClientCertificate == nil:
t.Fatalf("got %#v, expected TLSClientConfig.GetClientCertificate", transport.TLSClientConfig) t.Fatalf("got %#v, expected TLSClientConfig.GetClientCertificate", transport.TLSClientConfig)
case !testCase.TLSCert && transport.TLSClientConfig.GetClientCertificate != nil: case !testCase.TLSCert && transport.TLSClientConfig.GetClientCertificate != nil:
......
...@@ -53,6 +53,7 @@ type APIServiceSpec struct { ...@@ -53,6 +53,7 @@ type APIServiceSpec struct {
// This is strongly discouraged. You should use the CABundle instead. // This is strongly discouraged. You should use the CABundle instead.
InsecureSkipTLSVerify bool InsecureSkipTLSVerify bool
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. // CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional // +optional
CABundle []byte CABundle []byte
......
...@@ -88,6 +88,7 @@ message APIServiceSpec { ...@@ -88,6 +88,7 @@ message APIServiceSpec {
optional bool insecureSkipTLSVerify = 4; optional bool insecureSkipTLSVerify = 4;
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. // CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional // +optional
optional bytes caBundle = 5; optional bytes caBundle = 5;
......
...@@ -53,6 +53,7 @@ type APIServiceSpec struct { ...@@ -53,6 +53,7 @@ type APIServiceSpec struct {
// This is strongly discouraged. You should use the CABundle instead. // This is strongly discouraged. You should use the CABundle instead.
InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"` InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"`
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. // CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional // +optional
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"` CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"`
......
...@@ -88,6 +88,7 @@ message APIServiceSpec { ...@@ -88,6 +88,7 @@ message APIServiceSpec {
optional bool insecureSkipTLSVerify = 4; optional bool insecureSkipTLSVerify = 4;
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. // CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional // +optional
optional bytes caBundle = 5; optional bytes caBundle = 5;
......
...@@ -53,6 +53,7 @@ type APIServiceSpec struct { ...@@ -53,6 +53,7 @@ type APIServiceSpec struct {
// This is strongly discouraged. You should use the CABundle instead. // This is strongly discouraged. You should use the CABundle instead.
InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"` InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty" protobuf:"varint,4,opt,name=insecureSkipTLSVerify"`
// CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. // CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate.
// If unspecified, system trust roots on the apiserver are used.
// +optional // +optional
CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"` CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,5,opt,name=caBundle"`
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment