Overview ¶
+kubebuilder:object:generate=true
Constants ¶
// Common annotation keys added to resources.
//
// NOTE(review): these keys carry certificate metadata (names, duration,
// issuer reference); anything making a trust decision should derive it from
// the issued certificate itself rather than from annotation values — confirm
// against the consumers of these keys.
const (
	// Annotation key for DNS subjectAltNames.
	AltNamesAnnotationKey = "cert-manager.io/alt-names"
	// Annotation key for IP subjectAltNames.
	IPSANAnnotationKey = "cert-manager.io/ip-sans"
	// Annotation key for URI subjectAltNames.
	URISANAnnotationKey = "cert-manager.io/uri-sans"
	// Annotation key for certificate common name.
	CommonNameAnnotationKey = "cert-manager.io/common-name"
	// Annotation key for certificate duration.
	DurationAnnotationKey = "cert-manager.io/duration"
	// Annotation key for certificate renewBefore.
	RenewBeforeAnnotationKey = "cert-manager.io/renew-before"
	// Annotation key for certificate key usages.
	UsagesAnnotationKey = "cert-manager.io/usages"
	// Annotation key for the 'name' of the Issuer resource.
	IssuerNameAnnotationKey = "cert-manager.io/issuer-name"
	// Annotation key for the 'kind' of the Issuer resource.
	IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"
	// Annotation key for the 'group' of the Issuer resource.
	IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"
	// Annotation key for the name of the certificate that a resource is related to.
	CertificateNameKey = "cert-manager.io/certificate-name"
	// Annotation key used to denote whether a Secret is named on a Certificate
	// as a 'next private key' Secret resource.
	// (The identifier says "LabelKey"; whether the value is applied as a label
	// or an annotation is not visible here — confirm against the controller.)
	IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"
)
Common annotation keys added to resources.
// Annotation keys recognised on Ingress resources.
const (
	// IngressIssuerNameAnnotationKey can be used to override the issuer specified on the
	// created Certificate resource.
	IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
	// IngressClusterIssuerNameAnnotationKey can be used to override the issuer specified on the
	// created Certificate resource. The Certificate will reference the
	// specified *ClusterIssuer* instead of a normal issuer.
	IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
	// IngressACMEIssuerHTTP01IngressClassAnnotationKey can be used to override the http01 ingressClass
	// if the challenge type is set to http01.
	IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"
	// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
	// controller only processes Ingresses with this annotation either unset, or
	// set to either the configured value or the empty string.
	IngressClassAnnotationKey = "kubernetes.io/ingress.class"
)
// Annotation names for CertificateRequests.
const (
	// Annotation added to CertificateRequest resources to denote the name of
	// a Secret resource containing the private key used to sign the CSR stored
	// on the resource.
	// This annotation *may* not be present, and is used by the 'self signing'
	// issuer type to self-sign certificates.
	// NOTE(review): the value names a Secret holding a signing key, so the
	// permissions required to set this annotation deserve the same scrutiny as
	// access to that Secret — confirm how the issuer resolves and authorises it.
	CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"
	// Annotation to declare the CertificateRequest "revision", belonging to a Certificate resource.
	CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)
Annotation names for CertificateRequests
// Common/known resource kinds.

// ClusterIssuerKind is the Kind value identifying a ClusterIssuer resource.
const ClusterIssuerKind = "ClusterIssuer"

// IssuerKind is the Kind value identifying an Issuer resource.
const IssuerKind = "Issuer"

// CertificateKind is the Kind value identifying a Certificate resource.
const CertificateKind = "Certificate"

// CertificateRequestKind is the Kind value identifying a CertificateRequest resource.
const CertificateRequestKind = "CertificateRequest"
Common/known resource kinds.
// Annotation keys understood by the cainjector.
const (
	// WantInjectAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs. It takes the form of a reference to a certificate
	// as namespace/name. The certificate is expected to have the is-serving-for annotations.
	WantInjectAnnotation = "cert-manager.io/inject-ca-from"
	// WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector
	// inject the CA certificate for the Kubernetes apiserver into the resource.
	// It discovers the apiserver's CA by inspecting the service account credentials
	// mounted into the cainjector pod.
	WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"
	// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs. It takes the form of a reference to a Secret
	// as namespace/name.
	WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"
	// AllowsInjectionFromSecretAnnotation is an annotation that must be added
	// to Secret resources that want to denote that they can be directly
	// injected into injectables that have an `inject-ca-from-secret` annotation.
	// If an injectable references a Secret that does NOT have this annotation,
	// the cainjector will refuse to inject the secret. This is the Secret
	// owner's opt-in: a reference alone is not sufficient for injection.
	AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
// Issuer-specific annotations (Venafi).
const (
	// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer.
	// This will only work with Venafi TPP v19.3 and higher.
	// The value is an array with objects containing the name and value keys,
	// for example: `[{"name": "custom-field", "value": "custom-value"}]`
	VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"
	// VenafiPickupIDAnnotationKey is the annotation key used to record the
	// Venafi Pickup ID of a certificate signing request that has been submitted
	// to the Venafi API for collection later.
	VenafiPickupIDAnnotationKey = "venafi.cert-manager.io/pickup-id"
)
Issuer-specific annotations
// Reason values used on CertificateRequest conditions.

// CertificateRequestReasonPending indicates that a CertificateRequest is still in progress.
const CertificateRequestReasonPending = "Pending"

// CertificateRequestReasonFailed indicates that a CertificateRequest has failed,
// either due to timing out or some other critical failure.
const CertificateRequestReasonFailed = "Failed"

// CertificateRequestReasonIssued indicates that a CertificateRequest has been
// completed, and that the `status.certificate` field is set.
const CertificateRequestReasonIssued = "Issued"

// CertificateRequestReasonDenied is a Ready condition reason that indicates that a
// CertificateRequest has been denied, and the CertificateRequest will never
// be issued.
const CertificateRequestReasonDenied = "Denied"
// IssueTemporaryCertificateAnnotation is an annotation that can be added to
// Certificate resources.
// If it is present, a temporary internally signed certificate will be
// stored in the target Secret resource whilst the real Issuer is processing
// the certificate request.
const IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
Variables ¶
// Scheme registration for the cert-manager.io/v1 API group.
var (
	// SchemeGroupVersion is the group version used to register these objects.
	SchemeGroupVersion = schema.GroupVersion{Group: "cert-manager.io", Version: "v1"}
	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Types ¶
type CertificateRequest ¶
// A CertificateRequest is used to request a signed certificate from one of the
// configured issuers.
//
// All fields within the CertificateRequest's `spec` are immutable after creation.
// The outcome of the request is reported through Status.Conditions (see
// CertificateRequestCondition); on success Status.Certificate holds the result.
//
// A CertificateRequest is a one-shot resource, meaning it represents a single
// point in time request for a certificate and cannot be re-used.
// +k8s:openapi-gen=true
type CertificateRequest struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Desired state of the CertificateRequest resource.
	Spec CertificateRequestSpec `json:"spec"`

	// Status of the CertificateRequest. This is set and managed automatically.
	// +optional
	Status CertificateRequestStatus `json:"status"`
}
A CertificateRequest is used to request a signed certificate from one of the configured issuers.
All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.
A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used. +k8s:openapi-gen=true
func (*CertificateRequest) DeepCopy ¶
func (in *CertificateRequest) DeepCopy() *CertificateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.
func (*CertificateRequest) DeepCopyInto ¶
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequest) DeepCopyObject ¶
func (in *CertificateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestCondition ¶
// CertificateRequestCondition contains condition information for a CertificateRequest.
type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
	// `Approved`, `Denied`).
	Type CertificateRequestConditionType `json:"type"`

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status metav1.ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	// +optional
	Message string `json:"message,omitempty"`
}
CertificateRequestCondition contains condition information for a CertificateRequest.
func (*CertificateRequestCondition) DeepCopy ¶
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.
func (*CertificateRequestCondition) DeepCopyInto ¶
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestConditionType ¶
// CertificateRequestConditionType represents a CertificateRequest condition value
// (the `type` of a CertificateRequestCondition).
type CertificateRequestConditionType string
CertificateRequestConditionType represents a Certificate condition value.
// Known CertificateRequestConditionType values.
const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"

	// CertificateRequestConditionApproved indicates that a certificate request
	// is approved and ready for signing. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Denied`.
	CertificateRequestConditionApproved CertificateRequestConditionType = "Approved"

	// CertificateRequestConditionDenied indicates that a certificate request is
	// denied, and must never be signed. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Approved`.
	CertificateRequestConditionDenied CertificateRequestConditionType = "Denied"
)
type CertificateRequestList ¶
// CertificateRequestList is a list of CertificateRequest objects.
type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	// Items holds the CertificateRequest resources in this list.
	Items []CertificateRequest `json:"items"`
}
CertificateRequestList is a list of Certificates
func (*CertificateRequestList) DeepCopy ¶
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.
func (*CertificateRequestList) DeepCopyInto ¶
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequestList) DeepCopyObject ¶
func (in *CertificateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestSpec ¶
// CertificateRequestSpec defines the desired state of CertificateRequest.
type CertificateRequestSpec struct {
	// The requested 'duration' (i.e. lifetime) of the Certificate.
	// This option may be ignored/overridden by some issuer types.
	// +optional
	Duration *metav1.Duration `json:"duration,omitempty"`

	// IssuerRef is a reference to the issuer for this CertificateRequest. If
	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
	// the given name in the same namespace as the CertificateRequest will be
	// used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
	// the provided name will be used. The `name` field in this stanza is
	// required at all times. The group field refers to the API group of the
	// issuer which defaults to `cert-manager.io` if empty.
	IssuerRef corev1.ObjectReference `json:"issuerRef"`

	// The PEM-encoded x509 certificate signing request to be submitted to the
	// CA for signing.
	Request []byte `json:"request"`

	// IsCA will request to mark the certificate as valid for certificate signing
	// when submitting to the issuer.
	// This will automatically add the `cert sign` usage to the list of `usages`.
	// +optional
	IsCA bool `json:"isCA,omitempty"`

	// Usages is the set of x509 usages that are requested for the certificate.
	// If usages are set they SHOULD be encoded inside the CSR spec.
	// Defaults to `digital signature` and `key encipherment` if not specified.
	// +optional
	Usages []KeyUsage `json:"usages,omitempty"`

	// The following identity fields (Username, UID, Groups, Extra) record who
	// created the request. They are documented as populated by the cert-manager
	// webhook and immutable; NOTE(review): their trustworthiness therefore
	// depends on that webhook actually being enforced on the cluster — confirm
	// before relying on them for approval decisions.

	// Username contains the name of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	Username string `json:"username,omitempty"`

	// UID contains the uid of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	UID string `json:"uid,omitempty"`

	// Groups contains group membership of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +listType=atomic
	// +optional
	Groups []string `json:"groups,omitempty"`

	// Extra contains extra attributes of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	Extra map[string][]string `json:"extra,omitempty"`
}
CertificateRequestSpec defines the desired state of CertificateRequest
func (*CertificateRequestSpec) DeepCopy ¶
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.
func (*CertificateRequestSpec) DeepCopyInto ¶
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestStatus ¶
// CertificateRequestStatus defines the observed state of CertificateRequest and
// the resulting signed certificate.
type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`
	// (see CertificateRequestConditionType).
	// +optional
	Conditions []CertificateRequestCondition `json:"conditions,omitempty"`

	// The PEM encoded x509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	// +optional
	Certificate []byte `json:"certificate,omitempty"`

	// The PEM encoded x509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	// +optional
	CA []byte `json:"ca,omitempty"`

	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	// +optional
	FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.
func (*CertificateRequestStatus) DeepCopy ¶
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.
func (*CertificateRequestStatus) DeepCopyInto ¶
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeyUsage ¶
// KeyUsage specifies valid usage contexts for keys. See:
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
//
// The accepted string values are listed in the Usage* constants below.
type KeyUsage string
KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
// KeyUsage names matching the RFC 5280 §4.2.1.3 key usage bits.
const (
	UsageDigitalSignature KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
)

// KeyUsage names matching the RFC 5280 §4.2.1.12 extended key usage purposes.
const (
	UsageAny             KeyUsage = "any"
	UsageServerAuth      KeyUsage = "server auth"
	UsageClientAuth      KeyUsage = "client auth"
	UsageCodeSigning     KeyUsage = "code signing"
	UsageEmailProtection KeyUsage = "email protection"
	UsageTimestamping    KeyUsage = "timestamping"
	UsageOCSPSigning     KeyUsage = "ocsp signing"
)

// Further accepted KeyUsage names. How each maps onto x509 extensions is not
// defined in this file.
const (
	UsageSigning        KeyUsage = "signing"
	UsageSMIME          KeyUsage = "s/mime"
	UsageIPsecEndSystem KeyUsage = "ipsec end system"
	UsageIPsecTunnel    KeyUsage = "ipsec tunnel"
	UsageIPsecUser      KeyUsage = "ipsec user"
	UsageMicrosoftSGC   KeyUsage = "microsoft sgc"
	UsageNetscapeSGC    KeyUsage = "netscape sgc"
)
func DefaultKeyUsages ¶
func DefaultKeyUsages() []KeyUsage
DefaultKeyUsages returns the default list of key usages.