// It can be optionally associated with a particular assigner, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
message ClusterTrustBundle {
  // metadata contains the object metadata.

  //
  // Certificate signers may not honor this field for various reasons:
  //
  //   1. Old signer that is unaware of the field (such as the in-tree
  //      implementations prior to v1.22)
  //   2. Signer whose configured maximum is shorter than the requested duration
  //   3. Signer whose configured minimum is longer than the requested duration
  //

MIT License
===========

Copyright (C) 2018-2020  Florian Lehner <******@****.***>

// the token is generated by kubectl under the workload group's namespace and service account
// TODO: Make the following accurate when using the Kubernetes certificate signer
func createCertsTokens(kubeClient kube.CLIClient, wg *clientv1alpha3.WorkloadGroup, dir string, out io.Writer) error {

  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,
  // indicating the request was denied and should not be issued by the signer.
  //
  // A "Failed" condition is added via the /status subresource,
  // indicating the signer failed to issue the certificate.
  //
  // Approved and Denied conditions are mutually exclusive.