kubernetes-sigs · k8s-ci-robot · Sep 30, 2022 · Sep 28, 2022 · ybettan · Sep 28, 2022
diff --git a/api/v1beta1/module_types.go b/api/v1beta1/module_types.go
@@ -81,6 +81,22 @@ type Build struct {
 	KanikoParams *KanikoParams `json:"kanikoParams,omitempty"`
 }
 
+type Sign struct {
+	// +optional
+	// Image to sign, ignored if a Build is present, required otherwise
+	UnsignedImage string `json:"unsignedImage,omitempty"`
+
+	// a secret containing the private key used to sign kernel modules for secureboot
+	KeySecret *v1.LocalObjectReference `json:"keySecret"`
+
+	// a secret containing the public key used to sign kernel modules for secureboot
+	CertSecret *v1.LocalObjectReference `json:"certSecret"`
+
+	// +optional
+	// paths inside the image for the kernel modules to sign (if ommited all kmods are signed)
+	FilesToSign []string `json:"filesToSign,omitempty"`
+}
+
 // KernelMapping pairs kernel versions with a DriverContainer image.
 // Kernel versions can be matched literally or using a regular expression.
 type KernelMapping struct {
@@ -89,6 +105,10 @@ type KernelMapping struct {
 	// Build enables in-cluster builds for this mapping and allows overriding the Module's build settings.
 	Build *Build `json:"build"`
 
+	// +optional
+	// Sign enables in-cluster signing for this mapping
+	Sign *Sign `json:"sign,omitempty"`
+
 	// ContainerImage is the name of the DriverContainer image that should be used to deploy the module.
 	ContainerImage string `json:"containerImage"`
 
@@ -152,6 +172,10 @@ type ModuleLoaderContainerSpec struct {
 	// +optional
 	Build *Build `json:"build,omitempty"`
 
+	// +optional
+	// Sign provides default kmod signing settings
+	Sign *Sign `json:"sign,omitempty"`
+
 	// ContainerImage is a top-level field
 	// +optional
 	ContainerImage string `json:"containerImage,omitempty"`

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go