Package io.fabric8.kubernetes.api.model

Class PodCertificateProjection

    • Constructor Detail

      • PodCertificateProjection

        public PodCertificateProjection()
        No args constructor for use in serialization

    • Method Detail

      • getCertificateChainPath

        public String getCertificateChainPath()
        Write the certificate chain at this path in the projected volume.


        Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.

      • setCertificateChainPath

        public void setCertificateChainPath​(String certificateChainPath)
        Write the certificate chain at this path in the projected volume.


        Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.

      • getCredentialBundlePath

        public String getCredentialBundlePath()
        Write the credential bundle at this path in the projected volume.


        The credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.


        The remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).


        Using credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain. If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.

      • setCredentialBundlePath

        public void setCredentialBundlePath​(String credentialBundlePath)
        Write the credential bundle at this path in the projected volume.


        The credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.


        The remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).


        Using credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain. If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.

      • getKeyPath

        public String getKeyPath()
        Write the key at this path in the projected volume.


        Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.

      • setKeyPath

        public void setKeyPath​(String keyPath)
        Write the key at this path in the projected volume.


        Most applications should use credentialBundlePath. When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.

      • getKeyType

        public String getKeyType()
        The type of keypair Kubelet will generate for the pod.


        Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", and "ED25519".

      • setKeyType

        public void setKeyType​(String keyType)
        The type of keypair Kubelet will generate for the pod.


        Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", and "ED25519".

      • getMaxExpirationSeconds

        public Integer getMaxExpirationSeconds()
        maxExpirationSeconds is the maximum lifetime permitted for the certificate.


        Kubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.


        If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).


        The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.

      • setMaxExpirationSeconds

        public void setMaxExpirationSeconds​(Integer maxExpirationSeconds)
        maxExpirationSeconds is the maximum lifetime permitted for the certificate.


        Kubelet copies this value verbatim into the PodCertificateRequests it generates for this projection.


        If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour). The maximum allowable value is 7862400 (91 days).


        The signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour). This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.

      • getSignerName

        public String getSignerName()
        Kubelet's generated CSRs will be addressed to this signer.

      • setSignerName

        public void setSignerName​(String signerName)
        Kubelet's generated CSRs will be addressed to this signer.

      • getUserAnnotations

        public Map<String,​String> getUserAnnotations()
        userAnnotations allow pod authors to pass additional information to the signer implementation. Kubernetes does not restrict or validate this metadata in any way.


        These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.


        Entries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.


        Signers should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.

      • setUserAnnotations

        public void setUserAnnotations​(Map<String,​String> userAnnotations)
        userAnnotations allow pod authors to pass additional information to the signer implementation. Kubernetes does not restrict or validate this metadata in any way.


        These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.


        Entries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.


        Signers should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.

      • getAdditionalProperties

        public Map<String,​Object> getAdditionalProperties()

      • setAdditionalProperty

        public void setAdditionalProperty​(String name,
                                  Object value)

      • setAdditionalProperties

        public void setAdditionalProperties​(Map<String,​Object> additionalProperties)