apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 creationTimestamp: null name: quoteattestations.tcs.intel.com spec: group: tcs.intel.com names: kind: QuoteAttestation listKind: QuoteAttestationList plural: quoteattestations singular: quoteattestation scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: QuoteAttestation is the Schema for the quoteattestations API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: QuoteAttestationSpec defines the desired state of QuoteAttestation properties: publicKey: description: PublicKey for encrypting the secret, hash is part of the quote data, base-64 encoded. format: byte type: string quote: description: Quote to be verified, base64-encoded. format: byte type: string quoteVersion: description: QuoteVersion used to for generated quote, default is ECDSA quote "3" type: string secretName: description: SecretName is name of the Secret object (in the same namespace) to keep the wrapped on secrets (only needed for KeyProvisioning request type) which is an opaque type. The secret data must contain two map elements `tls.key` and `tls.cert` and the values are the base64 encoded encrypted CA key and base64 encoded x509(PEM encoded) certificate. This must be added only after a successful quote validation and before updating the status condition. type: string serviceId: description: ServiceID holds the unique identifier(name?) that represents service which is requesting for the secret. To be decided whether this should be SPIFFE trust domain! type: string signerName: description: SignerName refers to the Kubernetes CSR signer name used by this request. type: string type: description: Type represents the type of the request, one of "QuoteAttestation", "KeyProvisioning". enum: - QuoteAttestation - KeyProvisioning type: string required: - publicKey - quote - serviceId - signerName - type type: object status: description: QuoteAttestationStatus defines the observed state of QuoteAttestation properties: conditions: description: conditions applied to the request. Known conditions are "QuoteVerified", "CASecretsReady" and "Ready". items: description: QuoteAttestationCondition describes a condition of a QuoteAttestation object properties: lastUpdateTime: description: lastUpdateTime is the time of the last update to this condition format: date-time type: string message: description: message contains a human readable message with details about the request state type: string reason: description: Reason indicates current request state type: string status: description: Status indicates the status of a condition (true, false, or unknown). type: string type: description: type of the condition. One of QuoteVerified, CASecretReady and Ready type: string type: object type: array type: object type: object served: true storage: false subresources: status: {} - name: v1alpha2 schema: openAPIV3Schema: description: QuoteAttestation is the Schema for the quote attestation API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: QuoteAttestationSpec defines the desired state of QuoteAttestation properties: nonce: description: Nonce base64-encoded nonce used for generating the SGX Quote. This is required for verifying the provided SGX quote by the key server(s). format: byte type: string publicKey: description: PublicKey for encrypting the secret, hash is part of the quote data, base-64 encoded. format: byte type: string quote: description: Quote to be verified, base64-encoded. format: byte type: string quoteVersion: description: QuoteVersion used to for generated quote, default is ECDSA quote "3" type: string secretName: description: SecretName is name of the Secret object (in the same namespace) to keep the wrapped on secrets (only needed for KeyProvisioning request type) which is an opaque type. The secret data must contain two map elements `tls.key` and `tls.cert` and the values are the base64 encoded encrypted CA key and base64 encoded x509(PEM encoded) certificate. This must be added only after a successful quote validation and before updating the status condition. type: string serviceId: description: ServiceID holds the unique identifier(name?) that represents service which is requesting for the secret. To be decided whether this should be SPIFFE trust domain! type: string signerName: description: SignerName refers to the Kubernetes CSR signer name used by this request. type: string type: description: Type represents the type of the request, one of "QuoteAttestation", "KeyProvisioning". enum: - QuoteAttestation - KeyProvisioning type: string required: - publicKey - quote - serviceId - signerName - type type: object status: description: QuoteAttestationStatus defines the observed state of QuoteAttestation properties: conditions: description: conditions applied to the request. Known conditions are "QuoteVerified", "CASecretsReady" and "Ready". items: description: QuoteAttestationCondition describes a condition of a QuoteAttestation object properties: lastUpdateTime: description: lastUpdateTime is the time of the last update to this condition format: date-time type: string message: description: message contains a human readable message with details about the request state type: string reason: description: Reason indicates current request state type: string status: description: Status indicates the status of a condition (true, false, or unknown). type: string type: description: type of the condition. One of QuoteVerified, CASecretReady and Ready type: string type: object type: array type: object type: object served: true storage: true subresources: status: {}