Documentation
¶
Overview ¶
Package v1 is the v1 version of the API. +k8s:deepcopy-gen=package,register +groupName=cert-manager.io +groupGoName=Certmanager
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type CAIssuer
- type Certificate
- type CertificateAdditionalOutputFormat
- type CertificateCondition
- type CertificateConditionType
- type CertificateKeystores
- type CertificateList
- type CertificateOutputFormatType
- type CertificatePrivateKey
- type CertificateRequest
- type CertificateRequestCondition
- type CertificateRequestConditionType
- type CertificateRequestList
- type CertificateRequestSpec
- type CertificateRequestStatus
- type CertificateSecretTemplate
- type CertificateSpec
- type CertificateStatus
- type ClusterIssuer
- func (c *ClusterIssuer) Copy() GenericIssuer
- func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
- func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
- func (in *ClusterIssuer) DeepCopyObject() runtime.Object
- func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *ClusterIssuer) GetSpec() *IssuerSpec
- func (c *ClusterIssuer) GetStatus() *IssuerStatus
- func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
- func (c *ClusterIssuer) SetStatus(status IssuerStatus)
- type ClusterIssuerList
- type GenericIssuer
- type Issuer
- func (c *Issuer) Copy() GenericIssuer
- func (in *Issuer) DeepCopy() *Issuer
- func (in *Issuer) DeepCopyInto(out *Issuer)
- func (in *Issuer) DeepCopyObject() runtime.Object
- func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *Issuer) GetSpec() *IssuerSpec
- func (c *Issuer) GetStatus() *IssuerStatus
- func (c *Issuer) SetSpec(spec IssuerSpec)
- func (c *Issuer) SetStatus(status IssuerStatus)
- type IssuerCondition
- type IssuerConditionType
- type IssuerConfig
- type IssuerList
- type IssuerSpec
- type IssuerStatus
- type JKSKeystore
- type KeyUsage
- type NameConstraintItem
- type NameConstraints
- type OtherName
- type PKCS12Keystore
- type PKCS12Profile
- type PrivateKeyAlgorithm
- type PrivateKeyEncoding
- type PrivateKeyRotationPolicy
- type SelfSignedIssuer
- type ServiceAccountRef
- type VaultAppRole
- type VaultAuth
- type VaultIssuer
- type VaultKubernetesAuth
- type VenafiCloud
- type VenafiIssuer
- type VenafiTPP
- type X509Subject
Constants ¶
View Source
const ( // minimum permitted certificate duration by cert-manager MinimumCertificateDuration = time.Hour // default certificate duration if Issuer.spec.duration is not set DefaultCertificateDuration = time.Hour * 24 * 90 // minimum certificate duration before certificate expiration MinimumRenewBefore = time.Minute * 5 // Deprecated: the default is now 2/3 of Certificate's duration DefaultRenewBefore = time.Hour * 24 * 30 )
View Source
const ( // Default index key for the Secret reference for Token authentication DefaultVaultTokenAuthSecretKey = "token" // Default mount path location for Kubernetes ServiceAccount authentication // (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so // left as the default, `/v1/auth/kubernetes/login` will be called. DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes" )
View Source
const ( // Common label keys added to resources // Label key that indicates that a resource is of interest to // cert-manager controller By default this is set on // certificate.spec.secretName secret as well as on the temporary // private key Secret. If using SecretsFilteredCaching feature, you // might want to set this (with a value of 'true') to any other Secrets // that cert-manager controller needs to read, such as issuer // credentials Secrets. // fao = 'for attention of' // See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md#risks-and-mitigations PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao" // Annotation key for DNS subjectAltNames. AltNamesAnnotationKey = "cert-manager.io/alt-names" // Annotation key for IP subjectAltNames. IPSANAnnotationKey = "cert-manager.io/ip-sans" // Annotation key for URI subjectAltNames. URISANAnnotationKey = "cert-manager.io/uri-sans" // Annotation key for certificate common name. CommonNameAnnotationKey = "cert-manager.io/common-name" // Duration key for certificate duration. DurationAnnotationKey = "cert-manager.io/duration" // Annotation key for certificate renewBefore. RenewBeforeAnnotationKey = "cert-manager.io/renew-before" // Annotation key for emails subjectAltNames. EmailsAnnotationKey = "cert-manager.io/email-sans" // Annotation key for subject organization. SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations" // Annotation key for subject organizational units. SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits" // Annotation key for subject organizational units. SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries" // Annotation key for subject provinces. SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces" // Annotation key for subject localities. SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities" // Annotation key for subject provinces. SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses" // Annotation key for subject postal codes. SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes" // Annotation key for subject serial number. SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber" // Annotation key for certificate key usages. UsagesAnnotationKey = "cert-manager.io/usages" // Annotation key the 'name' of the Issuer resource. IssuerNameAnnotationKey = "cert-manager.io/issuer-name" // Annotation key for the 'kind' of the Issuer resource. IssuerKindAnnotationKey = "cert-manager.io/issuer-kind" // Annotation key for the 'group' of the Issuer resource. IssuerGroupAnnotationKey = "cert-manager.io/issuer-group" // Annotation key for the name of the certificate that a resource is related to. CertificateNameKey = "cert-manager.io/certificate-name" // Annotation key used to denote whether a Secret is named on a Certificate // as a 'next private key' Secret resource. IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key" // Annotation key used to limit the number of CertificateRequests to be kept for a Certificate. // Minimum value is 1. // If unset all CertificateRequests will be kept. RevisionHistoryLimitAnnotationKey = "cert-manager.io/revision-history-limit" // Annotation key used to set the PrivateKeyAlgorithm for a Certificate. // If PrivateKeyAlgorithm is specified and `size` is not provided, // key size of 256 will be used for `ECDSA` key algorithm and // key size of 2048 will be used for `RSA` key algorithm. // key size is ignored when using the `Ed25519` key algorithm. // If unset an algorithm `RSA` will be used. PrivateKeyAlgorithmAnnotationKey = "cert-manager.io/private-key-algorithm" // Annotation key used to set the PrivateKeyEncoding for a Certificate. // If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 // and PKCS#8, respectively. // If unset an encoding `PKCS1` will be used. PrivateKeyEncodingAnnotationKey = "cert-manager.io/private-key-encoding" // Annotation key used to set the size of the private key for a Certificate. // If PrivateKeyAlgorithm is set to `RSA`, valid values are `2048`, `4096` or `8192`, // and will default to `2048` if not specified. // If PrivateKeyAlgorithm is set to `ECDSA`, valid values are `256`, `384` or `521`, // and will default to `256` if not specified. // If PrivateKeyAlgorithm is set to `Ed25519`, Size is ignored. // No other values are allowed. PrivateKeySizeAnnotationKey = "cert-manager.io/private-key-size" // Annotation key used to set the PrivateKeyRotationPolicy for a Certificate. // If unset a policy `Never` will be used. PrivateKeyRotationPolicyAnnotationKey = "cert-manager.io/private-key-rotation-policy" )
View Source
const ( // IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be // used to override the issuer specified on the created Certificate resource. IngressIssuerNameAnnotationKey = "cert-manager.io/issuer" // IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which // can be used to override the issuer specified on the created Certificate resource. The Certificate // will reference the specified *ClusterIssuer* instead of normal issuer. IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer" // IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value // which can be used to override the http01 ingressClass if the challenge type is set to http01 IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class" // IngressClassAnnotationKey picks a specific "class" for the Ingress. The // controller only processes Ingresses with this annotation either unset, or // set to either the configured value or the empty string. IngressClassAnnotationKey = "kubernetes.io/ingress.class" )
View Source
const ( // Annotation added to CertificateRequest resources to denote the name of // a Secret resource containing the private key used to sign the CSR stored // on the resource. // This annotation *may* not be present, and is used by the 'self signing' // issuer type to self-sign certificates. CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name" // Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision" )
Annotation names for CertificateRequests
View Source
const ( ClusterIssuerKind = "ClusterIssuer" IssuerKind = "Issuer" CertificateKind = "Certificate" CertificateRequestKind = "CertificateRequest" )
Common/known resource kinds.
View Source
const ( // WantInjectAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a certificate // as namespace/name. The certificate is expected to have the is-serving-for annotations. WantInjectAnnotation = "cert-manager.io/inject-ca-from" // WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector // inject the CA certificate for the Kubernetes apiserver into the resource. // It discovers the apiserver's CA by inspecting the service account credentials // mounted into the cainjector pod. WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca" // WantInjectFromSecretAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a Secret // as namespace/name. WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret" // AllowsInjectionFromSecretAnnotation is an annotation that must be added // to Secret resource that want to denote that they can be directly // injected into injectables that have a `inject-ca-from-secret` annotation. // If an injectable references a Secret that does NOT have this annotation, // the cainjector will refuse to inject the secret. AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection" )
View Source
const ( // VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer // This will only work with Venafi TPP v19.3 and higher // The value is an array with objects containing the name and value keys // for example: `[{"name": "custom-field", "value": "custom-value"}]` VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields" // VenafiPickupIDAnnotationKey is the annotation key used to record the // Venafi Pickup ID of a certificate signing request that has been submitted // to the Venafi API for collection later. VenafiPickupIDAnnotationKey = "venafi.cert-manager.io/pickup-id" )
Issuer specific Annotations
View Source
const ( // PKCS12SecretKey is the name of the data entry in the Secret resource // used to store the p12 file. PKCS12SecretKey = "keystore.p12" // Data Entry Name in the Secret resource for PKCS12 containing Certificate Authority PKCS12TruststoreKey = "truststore.p12" // JKSSecretKey is the name of the data entry in the Secret resource // used to store the jks file. JKSSecretKey = "keystore.jks" // Data Entry Name in the Secret resource for JKS containing Certificate Authority JKSTruststoreKey = "truststore.jks" )
Keystore specific secret keys
View Source
const ( // CertificateOutputFormatDERKey is the name of the data entry in the Secret // resource used to store the DER formatted private key. CertificateOutputFormatDERKey string = "key.der" // CertificateOutputFormatDER writes the Certificate's private key in DER // binary format to the `key.der` target Secret Data key. CertificateOutputFormatDER CertificateOutputFormatType = "DER" // CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret // resource used to store the combined PEM (key + signed certificate). CertificateOutputFormatCombinedPEMKey string = "tls-combined.pem" // CertificateOutputFormatCombinedPEM writes the Certificate's signed // certificate chain and private key, in PEM format, to the // `tls-combined.pem` target Secret Data key. The value at this key will // include the private key PEM document, followed by at least one new line // character, followed by the chain of signed certificate PEM documents // (`<private key> + \n + <signed certificate chain>`). CertificateOutputFormatCombinedPEM CertificateOutputFormatType = "CombinedPEM" )
View Source
const ( // Pending indicates that a CertificateRequest is still in progress. CertificateRequestReasonPending = "Pending" // Failed indicates that a CertificateRequest has failed permanently, // either due to timing out or some other critical failure. // The `status.failureTime` field should be set in this case. CertificateRequestReasonFailed = "Failed" // Issued indicates that a CertificateRequest has been completed, and that // the `status.certificate` field is set. CertificateRequestReasonIssued = "Issued" // Denied is a Ready condition reason that indicates that a // CertificateRequest has been denied, and the CertificateRequest will never // be issued. // The `status.failureTime` field should be set in this case. CertificateRequestReasonDenied = "Denied" )
View Source
const ( // IssueTemporaryCertificateAnnotation is an annotation that can be added to // Certificate resources. // If it is present, a temporary internally signed certificate will be // stored in the target Secret resource whilst the real Issuer is processing // the certificate request. IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate" )
Variables ¶
View Source
var ( SchemeBuilder runtime.SchemeBuilder AddToScheme = localSchemeBuilder.AddToScheme )
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: "v1"}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type CAIssuer ¶
type CAIssuer struct {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
SecretName string `json:"secretName"`
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set, certificates will be issued without distribution points set.
// +optional
CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
// The OCSP server list is an X.509 v3 extension that defines a list of
// URLs of OCSP responders. The OCSP responders can be queried for the
// revocation status of an issued certificate. If not set, the
// certificate will be issued with no OCSP servers set. For example, an
// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
// +optional
OCSPServers []string `json:"ocspServers,omitempty"`
// IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
// it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
// As an example, such a URL might be "http://ca.domain.com/ca.crt".
// +optional
IssuingCertificateURLs []string `json:"issuingCertificateURLs,omitempty"`
}
func (*CAIssuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.
func (*CAIssuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Certificate ¶
type Certificate struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitempty"`
// Specification of the desired state of the Certificate resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
Spec CertificateSpec `json:"spec"`
// Status of the Certificate.
// This is set and managed automatically.
// Read-only.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
Status CertificateStatus `json:"status"`
}
A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
func (*Certificate) DeepCopy ¶
func (in *Certificate) DeepCopy() *Certificate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.
func (*Certificate) DeepCopyInto ¶
func (in *Certificate) DeepCopyInto(out *Certificate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Certificate) DeepCopyObject ¶
func (in *Certificate) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateAdditionalOutputFormat ¶
type CertificateAdditionalOutputFormat struct {
// Type is the name of the format type that should be written to the
// Certificate's target Secret.
Type CertificateOutputFormatType `json:"type"`
}
CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
func (*CertificateAdditionalOutputFormat) DeepCopy ¶
func (in *CertificateAdditionalOutputFormat) DeepCopy() *CertificateAdditionalOutputFormat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAdditionalOutputFormat.
func (*CertificateAdditionalOutputFormat) DeepCopyInto ¶
func (in *CertificateAdditionalOutputFormat) DeepCopyInto(out *CertificateAdditionalOutputFormat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateCondition ¶
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType `json:"type"`
// Status of the condition, one of (`True`, `False`, `Unknown`).
Status cmmeta.ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
Reason string `json:"reason,omitempty"`
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
Message string `json:"message,omitempty"`
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Certificate.
// +optional
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
CertificateCondition contains condition information for an Certificate.
func (*CertificateCondition) DeepCopy ¶
func (in *CertificateCondition) DeepCopy() *CertificateCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.
func (*CertificateCondition) DeepCopyInto ¶
func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateConditionType ¶
type CertificateConditionType string
CertificateConditionType represents an Certificate condition value.
const ( // CertificateConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target secret exists // - The target secret contains a certificate that has not expired // - The target secret contains a private key valid for the certificate // - The commonName and dnsNames attributes match those specified on the Certificate CertificateConditionReady CertificateConditionType = "Ready" // A condition added to Certificate resources when an issuance is required. // This condition will be automatically added and set to true if: // * No keypair data exists in the target Secret // * The data stored in the Secret cannot be decoded // * The private key and certificate do not have matching public keys // * If a CertificateRequest for the current revision exists and the // certificate data stored in the Secret does not match the // `status.certificate` on the CertificateRequest. // * If no CertificateRequest resource exists for the current revision, // the options on the Certificate resource are compared against the // X.509 data in the Secret, similar to what's done in earlier versions. // If there is a mismatch, an issuance is triggered. // This condition may also be added by external API consumers to trigger // a re-issuance manually for any other reason. // // It will be removed by the 'issuing' controller upon completing issuance. CertificateConditionIssuing CertificateConditionType = "Issuing" )
type CertificateKeystores ¶
type CertificateKeystores struct {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
// +optional
JKS *JKSKeystore `json:"jks,omitempty"`
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
// +optional
PKCS12 *PKCS12Keystore `json:"pkcs12,omitempty"`
}
CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.
func (*CertificateKeystores) DeepCopy ¶
func (in *CertificateKeystores) DeepCopy() *CertificateKeystores
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.
func (*CertificateKeystores) DeepCopyInto ¶
func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateList ¶
type CertificateList struct {
metav1.TypeMeta `json:",inline"`
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
// +optional
metav1.ListMeta `json:"metadata,omitempty"`
// List of Certificates
Items []Certificate `json:"items"`
}
CertificateList is a list of Certificates.
func (*CertificateList) DeepCopy ¶
func (in *CertificateList) DeepCopy() *CertificateList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.
func (*CertificateList) DeepCopyInto ¶
func (in *CertificateList) DeepCopyInto(out *CertificateList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateList) DeepCopyObject ¶
func (in *CertificateList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateOutputFormatType ¶
type CertificateOutputFormatType string
CertificateOutputFormatType specifies which additional output formats should be written to the Certificate's target Secret. Allowed values are `DER` or `CombinedPEM`. When Type is set to `DER` an additional entry `key.der` will be written to the Secret, containing the binary format of the private key. When Type is set to `CombinedPEM` an additional entry `tls-combined.pem` will be written to the Secret, containing the PEM formatted private key and signed certificate chain (tls.key + tls.crt concatenated). +kubebuilder:validation:Enum=DER;CombinedPEM
type CertificatePrivateKey ¶
type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
//
// If set to `Never`, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to `Always`, a private key matching the specified requirements
// will be generated whenever a re-issuance occurs.
// Default is `Never` for backward compatibility.
// +optional
RotationPolicy PrivateKeyRotationPolicy `json:"rotationPolicy,omitempty"`
// The private key cryptography standards (PKCS) encoding for this
// certificate's private key to be encoded in.
//
// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
// and PKCS#8, respectively.
// Defaults to `PKCS1` if not specified.
// +optional
Encoding PrivateKeyEncoding `json:"encoding,omitempty"`
// Algorithm is the private key algorithm of the corresponding private key
// for this certificate.
//
// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
// If `algorithm` is specified and `size` is not provided,
// key size of 2048 will be used for `RSA` key algorithm and
// key size of 256 will be used for `ECDSA` key algorithm.
// key size is ignored when using the `Ed25519` key algorithm.
// +optional
Algorithm PrivateKeyAlgorithm `json:"algorithm,omitempty"`
// Size is the key bit size of the corresponding private key for this certificate.
//
// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
// and will default to `2048` if not specified.
// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
// and will default to `256` if not specified.
// If `algorithm` is set to `Ed25519`, Size is ignored.
// No other values are allowed.
// +optional
Size int `json:"size,omitempty"`
}
CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. These include the key algorithm and size, the used encoding and the rotation policy.
func (*CertificatePrivateKey) DeepCopy ¶
func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.
func (*CertificatePrivateKey) DeepCopyInto ¶
func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequest ¶
type CertificateRequest struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitempty"`
// Specification of the desired state of the CertificateRequest resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
Spec CertificateRequestSpec `json:"spec"`
// Status of the CertificateRequest.
// This is set and managed automatically.
// Read-only.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
Status CertificateRequestStatus `json:"status"`
}
A CertificateRequest is used to request a signed certificate from one of the configured issuers.
All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field.
A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used. +k8s:openapi-gen=true
func (*CertificateRequest) DeepCopy ¶
func (in *CertificateRequest) DeepCopy() *CertificateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.
func (*CertificateRequest) DeepCopyInto ¶
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequest) DeepCopyObject ¶
func (in *CertificateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestCondition ¶
type CertificateRequestCondition struct {
// Type of the condition, known values are (`Ready`, `InvalidRequest`,
// `Approved`, `Denied`).
Type CertificateRequestConditionType `json:"type"`
// Status of the condition, one of (`True`, `False`, `Unknown`).
Status cmmeta.ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
Reason string `json:"reason,omitempty"`
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
Message string `json:"message,omitempty"`
}
CertificateRequestCondition contains condition information for a CertificateRequest.
func (*CertificateRequestCondition) DeepCopy ¶
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.
func (*CertificateRequestCondition) DeepCopyInto ¶
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestConditionType ¶
type CertificateRequestConditionType string
CertificateRequestConditionType represents an Certificate condition value.
const ( // CertificateRequestConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target certificate exists in CertificateRequest.Status CertificateRequestConditionReady CertificateRequestConditionType = "Ready" // CertificateRequestConditionInvalidRequest indicates that a certificate // signer has refused to sign the request due to at least one of the input // parameters being invalid. Additional information about why the request // was rejected can be found in the `reason` and `message` fields. CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest" // CertificateRequestConditionApproved indicates that a certificate request // is approved and ready for signing. Condition must never have a status of // `False`, and cannot be modified once set. Cannot be set alongside // `Denied`. CertificateRequestConditionApproved CertificateRequestConditionType = "Approved" // CertificateRequestConditionDenied indicates that a certificate request is // denied, and must never be signed. Condition must never have a status of // `False`, and cannot be modified once set. Cannot be set alongside // `Approved`. CertificateRequestConditionDenied CertificateRequestConditionType = "Denied" )
type CertificateRequestList ¶
type CertificateRequestList struct {
metav1.TypeMeta `json:",inline"`
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
// +optional
metav1.ListMeta `json:"metadata,omitempty"`
// List of CertificateRequests
Items []CertificateRequest `json:"items"`
}
CertificateRequestList is a list of CertificateRequests.
func (*CertificateRequestList) DeepCopy ¶
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.
func (*CertificateRequestList) DeepCopyInto ¶
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequestList) DeepCopyObject ¶
func (in *CertificateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestSpec ¶
type CertificateRequestSpec struct {
// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
// issuer may choose to ignore the requested duration, just like any other
// requested attribute.
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`
// Reference to the issuer responsible for issuing the certificate.
// If the issuer is namespace-scoped, it must be in the same namespace
// as the Certificate. If the issuer is cluster-scoped, it can be used
// from any namespace.
//
// The `name` field of the reference must always be specified.
IssuerRef cmmeta.ObjectReference `json:"issuerRef"`
// The PEM-encoded X.509 certificate signing request to be submitted to the
// issuer for signing.
//
// If the CSR has a BasicConstraints extension, its isCA attribute must
// match the `isCA` value of this CertificateRequest.
// If the CSR has a KeyUsage extension, its key usages must match the
// key usages in the `usages` field of this CertificateRequest.
// If the CSR has a ExtKeyUsage extension, its extended key usages
// must match the extended key usages in the `usages` field of this
// CertificateRequest.
Request []byte `json:"request"`
// Requested basic constraints isCA value. Note that the issuer may choose
// to ignore the requested isCA value, just like any other requested attribute.
//
// NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
// it must have the same isCA value as specified here.
//
// If true, this will automatically add the `cert sign` usage to the list
// of requested `usages`.
// +optional
IsCA bool `json:"isCA,omitempty"`
// Requested key usages and extended key usages.
//
// NOTE: If the CSR in the `Request` field has uses the KeyUsage or
// ExtKeyUsage extension, these extensions must have the same values
// as specified here without any additional values.
//
// If unset, defaults to `digital signature` and `key encipherment`.
// +optional
Usages []KeyUsage `json:"usages,omitempty"`
// Username contains the name of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
Username string `json:"username,omitempty"`
// UID contains the uid of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
UID string `json:"uid,omitempty"`
// Groups contains group membership of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +listType=atomic
// +optional
Groups []string `json:"groups,omitempty"`
// Extra contains extra attributes of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
Extra map[string][]string `json:"extra,omitempty"`
}
CertificateRequestSpec defines the desired state of CertificateRequest
NOTE: It is important to note that the issuer can choose to ignore or change any of the requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.
func (*CertificateRequestSpec) DeepCopy ¶
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.
func (*CertificateRequestSpec) DeepCopyInto ¶
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestStatus ¶
type CertificateRequestStatus struct {
// List of status conditions to indicate the status of a CertificateRequest.
// Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
// +listType=map
// +listMapKey=type
// +optional
Conditions []CertificateRequestCondition `json:"conditions,omitempty"`
// The PEM encoded X.509 certificate resulting from the certificate
// signing request.
// If not set, the CertificateRequest has either not been completed or has
// failed. More information on failure can be found by checking the
// `conditions` field.
// +optional
Certificate []byte `json:"certificate,omitempty"`
// The PEM encoded X.509 certificate of the signer, also known as the CA
// (Certificate Authority).
// This is set on a best-effort basis by different issuers.
// If not set, the CA is assumed to be unknown/not available.
// +optional
CA []byte `json:"ca,omitempty"`
// FailureTime stores the time that this CertificateRequest failed. This is
// used to influence garbage collection and back-off.
// +optional
FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.
func (*CertificateRequestStatus) DeepCopy ¶
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.
func (*CertificateRequestStatus) DeepCopyInto ¶
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSecretTemplate ¶
type CertificateSecretTemplate struct {
// Annotations is a key value map to be copied to the target Kubernetes Secret.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
// Labels is a key value map to be copied to the target Kubernetes Secret.
// +optional
Labels map[string]string `json:"labels,omitempty"`
}
CertificateSecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
func (*CertificateSecretTemplate) DeepCopy ¶
func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSecretTemplate.
func (*CertificateSecretTemplate) DeepCopyInto ¶
func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSpec ¶
type CertificateSpec struct {
// Requested set of X509 certificate subject attributes.
// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
//
// The common name attribute is specified separately in the `commonName` field.
// Cannot be set if the `literalSubject` field is set.
// +optional
Subject *X509Subject `json:"subject,omitempty"`
// Requested X.509 certificate subject, represented using the LDAP "String
// Representation of a Distinguished Name" [1].
// Important: the LDAP string format also specifies the order of the attributes
// in the subject, this is important when issuing certs for LDAP authentication.
// Example: `CN=foo,DC=corp,DC=example,DC=com`
// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
// More info: https://github.com/cert-manager/cert-manager/issues/3203
// More info: https://github.com/cert-manager/cert-manager/issues/4424
//
// Cannot be set if the `subject` or `commonName` field is set.
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=LiteralCertificateSubject=true` option set on both
// the controller and webhook components.
// +optional
LiteralSubject string `json:"literalSubject,omitempty"`
// Requested common name X509 certificate subject attribute.
// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
// NOTE: TLS clients will ignore this value when any subject alternative name is
// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
//
// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
// Cannot be set if the `literalSubject` field is set.
// +optional
CommonName string `json:"commonName,omitempty"`
// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
// issuer may choose to ignore the requested duration, just like any other
// requested attribute.
//
// If unset, this defaults to 90 days.
// Minimum accepted duration is 1 hour.
// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`
// How long before the currently issued certificate's expiry cert-manager should
// renew the certificate. For example, if a certificate is valid for 60 minutes,
// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
// the certificate is no longer valid).
//
// NOTE: The actual lifetime of the issued certificate is used to determine the
// renewal time. If an issuer returns a certificate with a different lifetime than
// the one requested, cert-manager will use the lifetime of the issued certificate.
//
// If unset, this defaults to 1/3 of the issued certificate's lifetime.
// Minimum accepted value is 5 minutes.
// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
// Requested DNS subject alternative names.
// +optional
DNSNames []string `json:"dnsNames,omitempty"`
// Requested IP address subject alternative names.
// +optional
IPAddresses []string `json:"ipAddresses,omitempty"`
// Requested URI subject alternative names.
// +optional
URIs []string `json:"uris,omitempty"`
// `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
// Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
// Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
// You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
// +optional
OtherNames []OtherName `json:"otherNames,omitempty"`
// Requested email subject alternative names.
// +optional
EmailAddresses []string `json:"emailAddresses,omitempty"`
// Name of the Secret resource that will be automatically created and
// managed by this Certificate resource. It will be populated with a
// private key and certificate, signed by the denoted issuer. The Secret
// resource lives in the same namespace as the Certificate resource.
SecretName string `json:"secretName"`
// Defines annotations and labels to be copied to the Certificate's Secret.
// Labels and annotations on the Secret will be changed as they appear on the
// SecretTemplate when added or removed. SecretTemplate annotations are added
// in conjunction with, and cannot overwrite, the base set of annotations
// cert-manager sets on the Certificate's Secret.
// +optional
SecretTemplate *CertificateSecretTemplate `json:"secretTemplate,omitempty"`
// Additional keystore output formats to be stored in the Certificate's Secret.
// +optional
Keystores *CertificateKeystores `json:"keystores,omitempty"`
// Reference to the issuer responsible for issuing the certificate.
// If the issuer is namespace-scoped, it must be in the same namespace
// as the Certificate. If the issuer is cluster-scoped, it can be used
// from any namespace.
//
// The `name` field of the reference must always be specified.
IssuerRef cmmeta.ObjectReference `json:"issuerRef"`
// Requested basic constraints isCA value.
// The isCA value is used to set the `isCA` field on the created CertificateRequest
// resources. Note that the issuer may choose to ignore the requested isCA value, just
// like any other requested attribute.
//
// If true, this will automatically add the `cert sign` usage to the list
// of requested `usages`.
// +optional
IsCA bool `json:"isCA,omitempty"`
// Requested key usages and extended key usages.
// These usages are used to set the `usages` field on the created CertificateRequest
// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
// will additionally be encoded in the `request` field which contains the CSR blob.
//
// If unset, defaults to `digital signature` and `key encipherment`.
// +optional
Usages []KeyUsage `json:"usages,omitempty"`
// Private key options. These include the key algorithm and size, the used
// encoding and the rotation policy.
// +optional
PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
//
// This option defaults to true, and should only be disabled if the target
// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
// +optional
EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
// The maximum number of CertificateRequest revisions that are maintained in
// the Certificate's history. Each revision represents a single `CertificateRequest`
// created by this Certificate, either when it was created, renewed, or Spec
// was changed. Revisions will be removed by oldest first if the number of
// revisions exceeds this number.
//
// If set, revisionHistoryLimit must be a value of `1` or greater.
// If unset (`nil`), revisions will not be garbage collected.
// Default value is `nil`.
// +optional
RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
// Defines extra output formats of the private key and signed certificate chain
// to be written to this Certificate's target Secret.
//
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both
// the controller and webhook components.
// +optional
AdditionalOutputFormats []CertificateAdditionalOutputFormat `json:"additionalOutputFormats,omitempty"`
// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
//
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=NameConstraints=true` option set on both
// the controller and webhook components.
// +optional
NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
}
CertificateSpec defines the desired state of Certificate.
NOTE: The specification contains a lot of "requested" certificate attributes, it is important to note that the issuer can choose to ignore or change any of these requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.
A valid Certificate requires at least one of a CommonName, LiteralSubject, DNSName, or URI to be valid.
func (*CertificateSpec) DeepCopy ¶
func (in *CertificateSpec) DeepCopy() *CertificateSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.
func (*CertificateSpec) DeepCopyInto ¶
func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateStatus ¶
type CertificateStatus struct {
// List of status conditions to indicate the status of certificates.
// Known condition types are `Ready` and `Issuing`.
// +listType=map
// +listMapKey=type
// +optional
Conditions []CertificateCondition `json:"conditions,omitempty"`
// LastFailureTime is set only if the lastest issuance for this
// Certificate failed and contains the time of the failure. If an
// issuance has failed, the delay till the next issuance will be
// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
// 1). If the latest issuance has succeeded this field will be unset.
// +optional
LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`
// The time after which the certificate stored in the secret named
// by this resource in `spec.secretName` is valid.
// +optional
NotBefore *metav1.Time `json:"notBefore,omitempty"`
// The expiration time of the certificate stored in the secret named
// by this resource in `spec.secretName`.
// +optional
NotAfter *metav1.Time `json:"notAfter,omitempty"`
// RenewalTime is the time at which the certificate will be next
// renewed.
// If not set, no upcoming renewal is scheduled.
// +optional
RenewalTime *metav1.Time `json:"renewalTime,omitempty"`
// The current 'revision' of the certificate as issued.
//
// When a CertificateRequest resource is created, it will have the
// `cert-manager.io/certificate-revision` set to one greater than the
// current value of this field.
//
// Upon issuance, this field will be set to the value of the annotation
// on the CertificateRequest resource used to issue the certificate.
//
// Persisting the value on the CertificateRequest resource allows the
// certificates controller to know whether a request is part of an old
// issuance or if it is part of the ongoing revision's issuance by
// checking if the revision value in the annotation is greater than this
// field.
// +optional
Revision *int `json:"revision,omitempty"`
// The name of the Secret resource containing the private key to be used
// for the next certificate iteration.
// The keymanager controller will automatically set this field if the
// `Issuing` condition is set to `True`.
// It will automatically unset this field when the Issuing condition is
// not set or False.
// +optional
NextPrivateKeySecretName *string `json:"nextPrivateKeySecretName,omitempty"`
// The number of continuous failed issuance attempts up till now. This
// field gets removed (if set) on a successful issuance and gets set to
// 1 if unset and an issuance has failed. If an issuance has failed, the
// delay till the next issuance will be calculated using formula
// time.Hour * 2 ^ (failedIssuanceAttempts - 1).
// +optional
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
CertificateStatus defines the observed state of Certificate
func (*CertificateStatus) DeepCopy ¶
func (in *CertificateStatus) DeepCopy() *CertificateStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.
func (*CertificateStatus) DeepCopyInto ¶
func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterIssuer ¶
type ClusterIssuer struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Desired state of the ClusterIssuer resource.
Spec IssuerSpec `json:"spec"`
// Status of the ClusterIssuer. This is set and managed automatically.
// +optional
Status IssuerStatus `json:"status"`
}
A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
func (*ClusterIssuer) Copy ¶
func (c *ClusterIssuer) Copy() GenericIssuer
func (*ClusterIssuer) DeepCopy ¶
func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.
func (*ClusterIssuer) DeepCopyInto ¶
func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuer) DeepCopyObject ¶
func (in *ClusterIssuer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterIssuer) GetObjectMeta ¶
func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterIssuer) GetSpec ¶
func (c *ClusterIssuer) GetSpec() *IssuerSpec
func (*ClusterIssuer) GetStatus ¶
func (c *ClusterIssuer) GetStatus() *IssuerStatus
func (*ClusterIssuer) SetSpec ¶
func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
func (*ClusterIssuer) SetStatus ¶
func (c *ClusterIssuer) SetStatus(status IssuerStatus)
type ClusterIssuerList ¶
type ClusterIssuerList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []ClusterIssuer `json:"items"`
}
ClusterIssuerList is a list of Issuers
func (*ClusterIssuerList) DeepCopy ¶
func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.
func (*ClusterIssuerList) DeepCopyInto ¶
func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuerList) DeepCopyObject ¶
func (in *ClusterIssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenericIssuer ¶
type GenericIssuer interface {
runtime.Object
metav1.Object
GetObjectMeta() *metav1.ObjectMeta
GetSpec() *IssuerSpec
GetStatus() *IssuerStatus
}
type Issuer ¶
type Issuer struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Desired state of the Issuer resource.
Spec IssuerSpec `json:"spec"`
// Status of the Issuer. This is set and managed automatically.
// +optional
Status IssuerStatus `json:"status"`
}
An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
func (*Issuer) Copy ¶
func (c *Issuer) Copy() GenericIssuer
func (*Issuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.
func (*Issuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Issuer) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Issuer) GetObjectMeta ¶
func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
func (*Issuer) GetSpec ¶
func (c *Issuer) GetSpec() *IssuerSpec
func (*Issuer) GetStatus ¶
func (c *Issuer) GetStatus() *IssuerStatus
func (*Issuer) SetSpec ¶
func (c *Issuer) SetSpec(spec IssuerSpec)
func (*Issuer) SetStatus ¶
func (c *Issuer) SetStatus(status IssuerStatus)
type IssuerCondition ¶
type IssuerCondition struct {
// Type of the condition, known values are (`Ready`).
Type IssuerConditionType `json:"type"`
// Status of the condition, one of (`True`, `False`, `Unknown`).
Status cmmeta.ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
Reason string `json:"reason,omitempty"`
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
Message string `json:"message,omitempty"`
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Issuer.
// +optional
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}
IssuerCondition contains condition information for an Issuer.
func (*IssuerCondition) DeepCopy ¶
func (in *IssuerCondition) DeepCopy() *IssuerCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.
func (*IssuerCondition) DeepCopyInto ¶
func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerConditionType ¶
type IssuerConditionType string
IssuerConditionType represents an Issuer condition value.
const ( // IssuerConditionReady represents the fact that a given Issuer condition // is in ready state and able to issue certificates. // If the `status` of this condition is `False`, CertificateRequest controllers // should prevent attempts to sign certificates. IssuerConditionReady IssuerConditionType = "Ready" )
type IssuerConfig ¶
type IssuerConfig struct {
// ACME configures this issuer to communicate with a RFC8555 (ACME) server
// to obtain signed x509 certificates.
// +optional
ACME *cmacme.ACMEIssuer `json:"acme,omitempty"`
// CA configures this issuer to sign certificates using a signing CA keypair
// stored in a Secret resource.
// This is used to build internal PKIs that are managed by cert-manager.
// +optional
CA *CAIssuer `json:"ca,omitempty"`
// Vault configures this issuer to sign certificates using a HashiCorp Vault
// PKI backend.
// +optional
Vault *VaultIssuer `json:"vault,omitempty"`
// SelfSigned configures this issuer to 'self sign' certificates using the
// private key used to create the CertificateRequest object.
// +optional
SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"`
// Venafi configures this issuer to sign certificates using a Venafi TPP
// or Venafi Cloud policy zone.
// +optional
Venafi *VenafiIssuer `json:"venafi,omitempty"`
}
The configuration for the issuer. Only one of these can be set.
func (*IssuerConfig) DeepCopy ¶
func (in *IssuerConfig) DeepCopy() *IssuerConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.
func (*IssuerConfig) DeepCopyInto ¶
func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerList ¶
type IssuerList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []Issuer `json:"items"`
}
IssuerList is a list of Issuers
func (*IssuerList) DeepCopy ¶
func (in *IssuerList) DeepCopy() *IssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.
func (*IssuerList) DeepCopyInto ¶
func (in *IssuerList) DeepCopyInto(out *IssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IssuerList) DeepCopyObject ¶
func (in *IssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type IssuerSpec ¶
type IssuerSpec struct {
IssuerConfig `json:",inline"`
}
IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.
func (*IssuerSpec) DeepCopy ¶
func (in *IssuerSpec) DeepCopy() *IssuerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.
func (*IssuerSpec) DeepCopyInto ¶
func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerStatus ¶
type IssuerStatus struct {
// List of status conditions to indicate the status of a CertificateRequest.
// Known condition types are `Ready`.
// +listType=map
// +listMapKey=type
// +optional
Conditions []IssuerCondition `json:"conditions,omitempty"`
// ACME specific status options.
// This field should only be set if the Issuer is configured to use an ACME
// server to issue certificates.
// +optional
ACME *cmacme.ACMEIssuerStatus `json:"acme,omitempty"`
}
IssuerStatus contains status information about an Issuer
func (*IssuerStatus) ACMEStatus ¶
func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus
TODO: refactor these functions away
func (*IssuerStatus) DeepCopy ¶
func (in *IssuerStatus) DeepCopy() *IssuerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.
func (*IssuerStatus) DeepCopyInto ¶
func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JKSKeystore ¶
type JKSKeystore struct {
// Create enables JKS keystore creation for the Certificate.
// If true, a file named `keystore.jks` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will be updated immediately.
// If the issuer provided a CA certificate, a file named `truststore.jks`
// will also be created in the target Secret resource, encrypted using the
// password stored in `passwordSecretRef`
// containing the issuing Certificate Authority
Create bool `json:"create"`
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
}
JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
func (*JKSKeystore) DeepCopy ¶
func (in *JKSKeystore) DeepCopy() *JKSKeystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.
func (*JKSKeystore) DeepCopyInto ¶
func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeyUsage ¶
type KeyUsage string
KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
const ( UsageSigning KeyUsage = "signing" UsageDigitalSignature KeyUsage = "digital signature" UsageContentCommitment KeyUsage = "content commitment" UsageKeyEncipherment KeyUsage = "key encipherment" UsageKeyAgreement KeyUsage = "key agreement" UsageDataEncipherment KeyUsage = "data encipherment" UsageCertSign KeyUsage = "cert sign" UsageCRLSign KeyUsage = "crl sign" UsageEncipherOnly KeyUsage = "encipher only" UsageDecipherOnly KeyUsage = "decipher only" UsageAny KeyUsage = "any" UsageServerAuth KeyUsage = "server auth" UsageClientAuth KeyUsage = "client auth" UsageCodeSigning KeyUsage = "code signing" UsageEmailProtection KeyUsage = "email protection" UsageSMIME KeyUsage = "s/mime" UsageIPsecEndSystem KeyUsage = "ipsec end system" UsageIPsecTunnel KeyUsage = "ipsec tunnel" UsageIPsecUser KeyUsage = "ipsec user" UsageTimestamping KeyUsage = "timestamping" UsageOCSPSigning KeyUsage = "ocsp signing" UsageMicrosoftSGC KeyUsage = "microsoft sgc" UsageNetscapeSGC KeyUsage = "netscape sgc" )
func DefaultKeyUsages ¶
func DefaultKeyUsages() []KeyUsage
DefaultKeyUsages contains the default list of key usages
type NameConstraintItem ¶ added in v1.14.0
type NameConstraintItem struct {
// DNSDomains is a list of DNS domains that are permitted or excluded.
//
// +optional
DNSDomains []string `json:"dnsDomains,omitempty"`
// IPRanges is a list of IP Ranges that are permitted or excluded.
// This should be a valid CIDR notation.
//
// +optional
IPRanges []string `json:"ipRanges,omitempty"`
// EmailAddresses is a list of Email Addresses that are permitted or excluded.
//
// +optional
EmailAddresses []string `json:"emailAddresses,omitempty"`
// URIDomains is a list of URI domains that are permitted or excluded.
//
// +optional
URIDomains []string `json:"uriDomains,omitempty"`
}
func (*NameConstraintItem) DeepCopy ¶ added in v1.14.0
func (in *NameConstraintItem) DeepCopy() *NameConstraintItem
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraintItem.
func (*NameConstraintItem) DeepCopyInto ¶ added in v1.14.0
func (in *NameConstraintItem) DeepCopyInto(out *NameConstraintItem)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NameConstraints ¶ added in v1.14.0
type NameConstraints struct {
// if true then the name constraints are marked critical.
//
// +optional
Critical bool `json:"critical,omitempty"`
// Permitted contains the constraints in which the names must be located.
//
// +optional
Permitted *NameConstraintItem `json:"permitted,omitempty"`
// Excluded contains the constraints which must be disallowed. Any name matching a
// restriction in the excluded field is invalid regardless
// of information appearing in the permitted
//
// +optional
Excluded *NameConstraintItem `json:"excluded,omitempty"`
}
NameConstraints is a type to represent x509 NameConstraints
func (*NameConstraints) DeepCopy ¶ added in v1.14.0
func (in *NameConstraints) DeepCopy() *NameConstraints
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraints.
func (*NameConstraints) DeepCopyInto ¶ added in v1.14.0
func (in *NameConstraints) DeepCopyInto(out *NameConstraints)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OtherName ¶ added in v1.14.0
type OtherName struct {
// OID is the object identifier for the otherName SAN.
// The object identifier must be expressed as a dotted string, for
// example, "1.2.840.113556.1.4.221".
OID string `json:"oid,omitempty"`
// utf8Value is the string value of the otherName SAN.
// The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
UTF8Value string `json:"utf8Value,omitempty"`
}
func (*OtherName) DeepCopy ¶ added in v1.14.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName.
func (*OtherName) DeepCopyInto ¶ added in v1.14.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKCS12Keystore ¶
type PKCS12Keystore struct {
// Create enables PKCS12 keystore creation for the Certificate.
// If true, a file named `keystore.p12` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will be updated immediately.
// If the issuer provided a CA certificate, a file named `truststore.p12` will
// also be created in the target Secret resource, encrypted using the
// password stored in `passwordSecretRef` containing the issuing Certificate
// Authority
Create bool `json:"create"`
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
//
// If provided, allowed values are:
// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
// `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
// (eg. because of company policy). Please note that the security of the algorithm is not that important
// in reality, because the unencrypted certificate and private key are also stored in the Secret.
// +optional
Profile PKCS12Profile `json:"profile,omitempty"`
}
PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
func (*PKCS12Keystore) DeepCopy ¶
func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.
func (*PKCS12Keystore) DeepCopyInto ¶
func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKCS12Profile ¶ added in v1.14.0
type PKCS12Profile string
+kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 Modern2023PKCS12Profile PKCS12Profile = "Modern2023" )
type PrivateKeyAlgorithm ¶
type PrivateKeyAlgorithm string
+kubebuilder:validation:Enum=RSA;ECDSA;Ed25519
const ( // RSA private key algorithm. RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA" // ECDSA private key algorithm. ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA" // Ed25519 private key algorithm. Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519" )
type PrivateKeyEncoding ¶
type PrivateKeyEncoding string
+kubebuilder:validation:Enum=PKCS1;PKCS8
const ( // PKCS1 private key encoding. // PKCS1 produces a PEM block that contains the private key algorithm // in the header and the private key in the body. A key that uses this // can be recognised by its `BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY` header. // NOTE: This encoding is not supported for Ed25519 keys. Attempting to use // this encoding with an Ed25519 key will be ignored and default to PKCS8. PKCS1 PrivateKeyEncoding = "PKCS1" // PKCS8 private key encoding. // PKCS8 produces a PEM block with a static header and both the private // key algorithm and the private key in the body. A key that uses this // encoding can be recognised by its `BEGIN PRIVATE KEY` header. PKCS8 PrivateKeyEncoding = "PKCS8" )
type PrivateKeyRotationPolicy ¶
type PrivateKeyRotationPolicy string
Denotes how private keys should be generated or sourced when a Certificate is being issued. +kubebuilder:validation:Enum=Never;Always
var ( // RotationPolicyNever means a private key will only be generated if one // does not already exist in the target `spec.secretName`. // If one does exists but it does not have the correct algorithm or size, // a warning will be raised to await user intervention. RotationPolicyNever PrivateKeyRotationPolicy = "Never" // RotationPolicyAlways means a private key matching the specified // requirements will be generated whenever a re-issuance occurs. RotationPolicyAlways PrivateKeyRotationPolicy = "Always" )
type SelfSignedIssuer ¶
type SelfSignedIssuer struct {
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set certificate will be issued without CDP. Values are strings.
// +optional
CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
}
Configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
func (*SelfSignedIssuer) DeepCopy ¶
func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.
func (*SelfSignedIssuer) DeepCopyInto ¶
func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServiceAccountRef ¶ added in v1.12.0
type ServiceAccountRef struct {
// Name of the ServiceAccount used to request a token.
Name string `json:"name"`
}
ServiceAccountRef is a service account used by cert-manager to request a token. The audience cannot be configured. The audience is generated by cert-manager and takes the form `vault://namespace-name/issuer-name` for an Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.
func (*ServiceAccountRef) DeepCopy ¶ added in v1.12.0
func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.
func (*ServiceAccountRef) DeepCopyInto ¶ added in v1.12.0
func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAppRole ¶
type VaultAppRole struct {
// Path where the App Role authentication backend is mounted in Vault, e.g:
// "approle"
Path string `json:"path"`
// RoleID configured in the App Role authentication backend when setting
// up the authentication backend in Vault.
RoleId string `json:"roleId"`
// Reference to a key in a Secret that contains the App Role secret used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role secret.
SecretRef cmmeta.SecretKeySelector `json:"secretRef"`
}
VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
func (*VaultAppRole) DeepCopy ¶
func (in *VaultAppRole) DeepCopy() *VaultAppRole
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
func (*VaultAppRole) DeepCopyInto ¶
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAuth ¶
type VaultAuth struct {
// TokenSecretRef authenticates with Vault by presenting a token.
// +optional
TokenSecretRef *cmmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
// AppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
// +optional
AppRole *VaultAppRole `json:"appRole,omitempty"`
// Kubernetes authenticates with Vault by passing the ServiceAccount
// token stored in the named Secret resource to the Vault server.
// +optional
Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
}
VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [`tokenSecretRef`, `appRole` or `kubernetes`].
func (*VaultAuth) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
func (*VaultAuth) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultIssuer ¶
type VaultIssuer struct {
// Auth configures how cert-manager authenticates with the Vault server.
Auth VaultAuth `json:"auth"`
// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
Server string `json:"server"`
// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
// "my_pki_mount/sign/my-role-name".
Path string `json:"path"`
// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
// +optional
Namespace string `json:"namespace,omitempty"`
// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
// chain presented by Vault. Only used if using HTTPS to connect to Vault and
// ignored for HTTP connections.
// Mutually exclusive with CABundleSecretRef.
// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
// the cert-manager controller container is used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
// verifying the certificate chain presented by Vault when using HTTPS.
// Mutually exclusive with CABundle.
// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
// the cert-manager controller container is used to validate the TLS connection.
// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
// +optional
CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
}
Configures an issuer to sign certificates using a HashiCorp Vault PKI backend.
func (*VaultIssuer) DeepCopy ¶
func (in *VaultIssuer) DeepCopy() *VaultIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.
func (*VaultIssuer) DeepCopyInto ¶
func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultKubernetesAuth ¶
type VaultKubernetesAuth struct {
// The Vault mountPath here is the mount path to use when authenticating with
// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
// default value "/v1/auth/kubernetes" will be used.
// +optional
Path string `json:"mountPath,omitempty"`
// The required Secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
// +optional
SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`
// A reference to a service account that will be used to request a bound
// token (also known as "projected token"). Compared to using "secretRef",
// using this field means that you don't rely on statically bound tokens. To
// use this field, you must configure an RBAC rule to let cert-manager
// request a token.
// +optional
ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string `json:"role"`
}
Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.
func (*VaultKubernetesAuth) DeepCopy ¶
func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
func (*VaultKubernetesAuth) DeepCopyInto ¶
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiCloud ¶
type VenafiCloud struct {
// URL is the base URL for Venafi Cloud.
// Defaults to "https://api.venafi.cloud/v1".
// +optional
URL string `json:"url,omitempty"`
// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
APITokenSecretRef cmmeta.SecretKeySelector `json:"apiTokenSecretRef"`
}
VenafiCloud defines connection configuration details for Venafi Cloud
func (*VenafiCloud) DeepCopy ¶
func (in *VenafiCloud) DeepCopy() *VenafiCloud
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.
func (*VenafiCloud) DeepCopyInto ¶
func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiIssuer ¶
type VenafiIssuer struct {
// Zone is the Venafi Policy Zone to use for this issuer.
// All requests made to the Venafi platform will be restricted by the named
// zone policy.
// This field is required.
Zone string `json:"zone"`
// TPP specifies Trust Protection Platform configuration settings.
// Only one of TPP or Cloud may be specified.
// +optional
TPP *VenafiTPP `json:"tpp,omitempty"`
// Cloud specifies the Venafi cloud configuration settings.
// Only one of TPP or Cloud may be specified.
// +optional
Cloud *VenafiCloud `json:"cloud,omitempty"`
}
Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.
func (*VenafiIssuer) DeepCopy ¶
func (in *VenafiIssuer) DeepCopy() *VenafiIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.
func (*VenafiIssuer) DeepCopyInto ¶
func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiTPP ¶
type VenafiTPP struct {
// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
// for example: "https://tpp.example.com/vedsdk".
URL string `json:"url"`
// CredentialsRef is a reference to a Secret containing the username and
// password for the TPP server.
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`
// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
// chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
// If undefined, the certificate bundle in the cert-manager controller container
// is used to validate the chain.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
VenafiTPP defines connection configuration details for a Venafi TPP instance
func (*VenafiTPP) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.
func (*VenafiTPP) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type X509Subject ¶
type X509Subject struct {
// Organizations to be used on the Certificate.
// +optional
Organizations []string `json:"organizations,omitempty"`
// Countries to be used on the Certificate.
// +optional
Countries []string `json:"countries,omitempty"`
// Organizational Units to be used on the Certificate.
// +optional
OrganizationalUnits []string `json:"organizationalUnits,omitempty"`
// Cities to be used on the Certificate.
// +optional
Localities []string `json:"localities,omitempty"`
// State/Provinces to be used on the Certificate.
// +optional
Provinces []string `json:"provinces,omitempty"`
// Street addresses to be used on the Certificate.
// +optional
StreetAddresses []string `json:"streetAddresses,omitempty"`
// Postal codes to be used on the Certificate.
// +optional
PostalCodes []string `json:"postalCodes,omitempty"`
// Serial number to be used on the Certificate.
// +optional
SerialNumber string `json:"serialNumber,omitempty"`
}
X509Subject Full X509 name specification
func (*X509Subject) DeepCopy ¶
func (in *X509Subject) DeepCopy() *X509Subject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.
func (*X509Subject) DeepCopyInto ¶
func (in *X509Subject) DeepCopyInto(out *X509Subject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files
Click to show internal directories.
Click to hide internal directories.