Merge pull request #58027 from mikedanese/id-api

Automatic merge from submit-queue (batch tested with PRs 55986, 59375, 59334, 59348, 58027). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. add minimal types for service account TokenRequest API Adds parts of the types in kubernetes/community#1460. ValidityDuration is omitted because we are still discussing how to surface non-expiring tokens but it should be easy to add in a backwards compatibly. #58790 @kubernetes/sig-auth-api-reviews
kubernetes · Feb 6, 2018 · 5aa68f5 · 5aa68f5
2 parents 8fbf21a + ee48da1
commit 5aa68f5
Show file tree

Hide file tree

Showing 23 changed files with 2,734 additions and 118 deletions.
diff --git a/pkg/apis/authentication/BUILD b/pkg/apis/authentication/BUILD
@@ -18,6 +18,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
     ],
 )
 

diff --git a/pkg/apis/authentication/register.go b/pkg/apis/authentication/register.go
@@ -45,6 +45,7 @@ var (
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&TokenReview{},
+		&TokenRequest{},
 	)
 	return nil
 }
diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go
@@ -18,6 +18,7 @@ package authentication
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 const (
@@ -88,3 +89,57 @@ type UserInfo struct {
 
 // ExtraValue masks the value so protobuf can generate
 type ExtraValue []string
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TokenRequest requests a token for a given service account.
+type TokenRequest struct {
+	metav1.TypeMeta
+	// ObjectMeta fulfills the metav1.ObjectMetaAccessor interface so that the stock
+	// REST handler paths work
+	metav1.ObjectMeta
+
+	Spec   TokenRequestSpec
+	Status TokenRequestStatus
+}
+
+// TokenRequestSpec contains client provided parameters of a token request.
+type TokenRequestSpec struct {
+	// Audiences are the intendend audiences of the token. A recipient of a
+	// token must identitfy themself with an identifier in the list of
+	// audiences of the token, and otherwise should reject the token. A
+	// token issued for multiple audiences may be used to authenticate
+	// against any of the audiences listed but implies a high degree of
+	// trust between the target audiences.
+	Audiences []string
+
+	// ExpirationSeconds is the requested duration of validity of the request. The
+	// token issuer may return a token with a different validity duration so a
+	// client needs to check the 'expiration' field in a response.
+	ExpirationSeconds int64
+
+	// BoundObjectRef is a reference to an object that the token will be bound to.
+	// The token will only be valid for as long as the bound objet exists.
+	BoundObjectRef *BoundObjectReference
+}
+
+// TokenRequestStatus is the result of a token request.
+type TokenRequestStatus struct {
+	// Token is the opaque bearer token.
+	Token string
+	// ExpirationTimestamp is the time of expiration of the returned token.
+	ExpirationTimestamp metav1.Time
+}
+
+// BoundObjectReference is a reference to an object that a token is bound to.
+type BoundObjectReference struct {
+	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
+	Kind string
+	// API version of the referent.
+	APIVersion string
+
+	// Name of the referent.
+	Name string
+	// UID of the referent.
+	UID types.UID
+}
diff --git a/pkg/apis/authentication/v1/BUILD b/pkg/apis/authentication/v1/BUILD
@@ -19,9 +19,11 @@ go_library(
     deps = [
         "//pkg/apis/authentication:go_default_library",
         "//vendor/k8s.io/api/authentication/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
     ],
 )
 

diff --git a/pkg/apis/authentication/v1/zz_generated.conversion.go b/pkg/apis/authentication/v1/zz_generated.conversion.go
diff --git a/pkg/apis/authentication/v1beta1/BUILD b/pkg/apis/authentication/v1beta1/BUILD
@@ -19,9 +19,11 @@ go_library(
     deps = [
         "//pkg/apis/authentication:go_default_library",
         "//vendor/k8s.io/api/authentication/v1beta1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
     ],
 )
 

diff --git a/pkg/apis/authentication/v1beta1/zz_generated.conversion.go b/pkg/apis/authentication/v1beta1/zz_generated.conversion.go