CSR `.spec.usages` - add definition table for valid values

[brsolomon-deloitte]

This is a Feature Request

What would you like to be added

It would be useful to see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/ do one or possibly two things:

• Display a 2-column table that gives the valid values of csr.spec.usages and a short definition of each in the second column
• A more prominent link to https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 as defining some of the usages. (Though notedly is does not define all; for example "ipsec end system" doesn't seem to be described directly there.) This doc links to that RFC but not in referneces to csr.spec.usages.

Why is this needed

The page referenced above does not show a clear mapping of each usage type to its definition/usage. Similarly, kubectl explain csr.spec.usages shows a list of valid values, but does not explain what any are, besides alluding to which are used in TLS client versus server certs. Many of these such as "content commitment" are not inherently obvious from name only.

Comments

For example:

Usage	Definition
"signing"	xxx
"email protection"	xxx

[sftim]

/sig auth
/language en

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/triage accepted
/remove-lifecycle stale

@brsolomon-deloitte care to open a PR 😄 ?

[brsolomon-deloitte]

@enj I have since discovered https://pkg.go.dev/k8s.io/api/certificates/v1beta1#KeyUsage which serves to enumerate the possible values, but I myself am not well-versed in what each of these is used for. (The "Description" field.) Is there an external source(s) that contains these definitions?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten