v1

package
v1.16.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 7 Imported by: 318

Documentation

Overview

Package v1 is the v1 version of the API. +k8s:deepcopy-gen=package,register +groupName=cert-manager.io +groupGoName=Certmanager

Index

Constants

View Source
const (
	// minimum permitted certificate duration by cert-manager
	MinimumCertificateDuration = time.Hour

	// default certificate duration if Issuer.spec.duration is not set
	DefaultCertificateDuration = time.Hour * 24 * 90

	// minimum certificate duration before certificate expiration
	MinimumRenewBefore = time.Minute * 5

	// Deprecated: the default is now 2/3 of Certificate's duration
	DefaultRenewBefore = time.Hour * 24 * 30
)
View Source
const (
	// Default index key for the Secret reference for Token authentication
	DefaultVaultTokenAuthSecretKey = "token"

	// Default mount path location for Kubernetes ServiceAccount authentication
	// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
	// left as the default, `/v1/auth/kubernetes/login` will be called.
	DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes"

	// Default mount path location for client certificate authentication
	// (/v1/auth/cert). The endpoint will then be called at `/login`, so
	// left as the default, `/v1/auth/cert/login` will be called.
	DefaultVaultClientCertificateAuthMountPath = "/v1/auth/cert"
)
View Source
const (

	// Common label keys added to resources
	// Label key that indicates that a resource is of interest to
	// cert-manager controller By default this is set on
	// certificate.spec.secretName secret as well as on the temporary
	// private key Secret. If using SecretsFilteredCaching feature, you
	// might want to set this (with a value of 'true') to any other Secrets
	// that cert-manager controller needs to read, such as issuer
	// credentials Secrets.
	// fao = 'for attention of'
	// See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md#risks-and-mitigations
	PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao"

	// Annotation key for DNS subjectAltNames.
	AltNamesAnnotationKey = "cert-manager.io/alt-names"

	// Annotation key for IP subjectAltNames.
	IPSANAnnotationKey = "cert-manager.io/ip-sans"

	// Annotation key for URI subjectAltNames.
	URISANAnnotationKey = "cert-manager.io/uri-sans"

	// Annotation key for certificate common name.
	CommonNameAnnotationKey = "cert-manager.io/common-name"

	// Duration key for certificate duration.
	DurationAnnotationKey = "cert-manager.io/duration"

	// Annotation key for certificate renewBefore.
	RenewBeforeAnnotationKey = "cert-manager.io/renew-before"

	// Annotation key for certificate renewBeforePercentage.
	RenewBeforePercentageAnnotationKey = "cert-manager.io/renew-before-percentage"

	// Annotation key for emails subjectAltNames.
	EmailsAnnotationKey = "cert-manager.io/email-sans"

	// Annotation key for subject organization.
	SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations"

	// Annotation key for subject organizational units.
	SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits"

	// Annotation key for subject organizational units.
	SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries"

	// Annotation key for subject provinces.
	SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces"

	// Annotation key for subject localities.
	SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities"

	// Annotation key for subject provinces.
	SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses"

	// Annotation key for subject postal codes.
	SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes"

	// Annotation key for subject serial number.
	SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber"

	// Annotation key for certificate key usages.
	UsagesAnnotationKey = "cert-manager.io/usages"

	// Annotation key the 'name' of the Issuer resource.
	IssuerNameAnnotationKey = "cert-manager.io/issuer-name"

	// Annotation key for the 'kind' of the Issuer resource.
	IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"

	// Annotation key for the 'group' of the Issuer resource.
	IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"

	// Annotation key for the name of the certificate that a resource is related to.
	CertificateNameKey = "cert-manager.io/certificate-name"

	// Annotation key used to denote whether a Secret is named on a Certificate
	// as a 'next private key' Secret resource.
	IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"

	// Annotation key used to limit the number of CertificateRequests to be kept for a Certificate.
	// Minimum value is 1.
	// If unset all CertificateRequests will be kept.
	RevisionHistoryLimitAnnotationKey = "cert-manager.io/revision-history-limit"

	// Annotation key used to set the PrivateKeyAlgorithm for a Certificate.
	// If PrivateKeyAlgorithm is specified and `size` is not provided,
	// key size of 256 will be used for `ECDSA` key algorithm and
	// key size of 2048 will be used for `RSA` key algorithm.
	// key size is ignored when using the `Ed25519` key algorithm.
	// If unset an algorithm `RSA` will be used.
	PrivateKeyAlgorithmAnnotationKey = "cert-manager.io/private-key-algorithm"

	// Annotation key used to set the PrivateKeyEncoding for a Certificate.
	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
	// and PKCS#8, respectively.
	// If unset an encoding `PKCS1` will be used.
	PrivateKeyEncodingAnnotationKey = "cert-manager.io/private-key-encoding"

	// Annotation key used to set the size of the private key for a Certificate.
	// If PrivateKeyAlgorithm is set to `RSA`, valid values are `2048`, `4096` or `8192`,
	// and will default to `2048` if not specified.
	// If PrivateKeyAlgorithm is set to `ECDSA`, valid values are `256`, `384` or `521`,
	// and will default to `256` if not specified.
	// If PrivateKeyAlgorithm is set to `Ed25519`, Size is ignored.
	// No other values are allowed.
	PrivateKeySizeAnnotationKey = "cert-manager.io/private-key-size"

	// Annotation key used to set the PrivateKeyRotationPolicy for a Certificate.
	// If unset a policy `Never` will be used.
	PrivateKeyRotationPolicyAnnotationKey = "cert-manager.io/private-key-rotation-policy"
)
View Source
const (
	// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be
	// used to override the issuer specified on the created Certificate resource.
	IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
	// IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which
	// can be used to override the issuer specified on the created Certificate resource. The Certificate
	// will reference the specified *ClusterIssuer* instead of normal issuer.
	IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
	// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value
	// which can be used to override the http01 ingressClass if the challenge type is set to http01
	IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"

	// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
	// controller only processes Ingresses with this annotation either unset, or
	// set to either the configured value or the empty string.
	IngressClassAnnotationKey = "kubernetes.io/ingress.class"

	// IngressSecretTemplate can be used to set the secretTemplate field in the generated Certificate.
	// The value is a JSON representation of secretTemplate and must not have any unknown fields.
	IngressSecretTemplate = "cert-manager.io/secret-template"
)
View Source
const (
	// Annotation added to CertificateRequest resources to denote the name of
	// a Secret resource containing the private key used to sign the CSR stored
	// on the resource.
	// This annotation *may* not be present, and is used by the 'self signing'
	// issuer type to self-sign certificates.
	CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"

	// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
	CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)

Annotation names for CertificateRequests

View Source
const (
	ClusterIssuerKind      = "ClusterIssuer"
	IssuerKind             = "Issuer"
	CertificateKind        = "Certificate"
	CertificateRequestKind = "CertificateRequest"
)

Common/known resource kinds.

View Source
const (
	// WantInjectAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a certificate
	// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
	WantInjectAnnotation = "cert-manager.io/inject-ca-from"

	// WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector
	// inject the CA certificate for the Kubernetes apiserver into the resource.
	// It discovers the apiserver's CA by inspecting the service account credentials
	// mounted into the cainjector pod.
	WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"

	// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a Secret
	// as namespace/name.
	WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"

	// AllowsInjectionFromSecretAnnotation is an annotation that must be added
	// to Secret resource that want to denote that they can be directly
	// injected into injectables that have a `inject-ca-from-secret` annotation.
	// If an injectable references a Secret that does NOT have this annotation,
	// the cainjector will refuse to inject the secret.
	AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
View Source
const (
	// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
	// This will only work with Venafi TPP v19.3 and higher
	// The value is an array with objects containing the name and value keys
	// for example: `[{"name": "custom-field", "value": "custom-value"}]`
	VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"

	// VenafiPickupIDAnnotationKey is the annotation key used to record the
	// Venafi Pickup ID of a certificate signing request that has been submitted
	// to the Venafi API for collection later.
	VenafiPickupIDAnnotationKey = "venafi.cert-manager.io/pickup-id"
)

Issuer specific Annotations

View Source
const (
	// PKCS12SecretKey is the name of the data entry in the Secret resource
	// used to store the p12 file.
	PKCS12SecretKey = "keystore.p12"
	// Data Entry Name in the Secret resource for PKCS12 containing Certificate Authority
	PKCS12TruststoreKey = "truststore.p12"

	// JKSSecretKey is the name of the data entry in the Secret resource
	// used to store the jks file.
	JKSSecretKey = "keystore.jks"
	// Data Entry Name in the Secret resource for JKS containing Certificate Authority
	JKSTruststoreKey = "truststore.jks"
)

Keystore specific secret keys

View Source
const (
	// CertificateOutputFormatDERKey is the name of the data entry in the Secret
	// resource used to store the DER formatted private key.
	CertificateOutputFormatDERKey string = "key.der"

	// CertificateOutputFormatDER  writes the Certificate's private key in DER
	// binary format to the `key.der` target Secret Data key.
	CertificateOutputFormatDER CertificateOutputFormatType = "DER"

	// CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret
	// resource used to store the combined PEM (key + signed certificate).
	CertificateOutputFormatCombinedPEMKey string = "tls-combined.pem"

	// CertificateOutputFormatCombinedPEM  writes the Certificate's signed
	// certificate chain and private key, in PEM format, to the
	// `tls-combined.pem` target Secret Data key. The value at this key will
	// include the private key PEM document, followed by at least one new line
	// character, followed by the chain of signed certificate PEM documents
	// (`<private key> + \n + <signed certificate chain>`).
	CertificateOutputFormatCombinedPEM CertificateOutputFormatType = "CombinedPEM"
)
View Source
const (
	// Pending indicates that a CertificateRequest is still in progress.
	CertificateRequestReasonPending = "Pending"

	// Failed indicates that a CertificateRequest has failed permanently,
	// either due to timing out or some other critical failure.
	// The `status.failureTime` field should be set in this case.
	CertificateRequestReasonFailed = "Failed"

	// Issued indicates that a CertificateRequest has been completed, and that
	// the `status.certificate` field is set.
	CertificateRequestReasonIssued = "Issued"

	// Denied is a Ready condition reason that indicates that a
	// CertificateRequest has been denied, and the CertificateRequest will never
	// be issued.
	// The `status.failureTime` field should be set in this case.
	CertificateRequestReasonDenied = "Denied"
)
View Source
const (
	// IssueTemporaryCertificateAnnotation is an annotation that can be added to
	// Certificate resources.
	// If it is present, a temporary internally signed certificate will be
	// stored in the target Secret resource whilst the real Issuer is processing
	// the certificate request.
	IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
)

Variables

View Source
var (
	SchemeBuilder runtime.SchemeBuilder

	AddToScheme = localSchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: "v1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type CAIssuer

type CAIssuer struct {
	// SecretName is the name of the secret used to sign Certificates issued
	// by this Issuer.
	SecretName string `json:"secretName"`

	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set, certificates will be issued without distribution points set.
	// +optional
	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`

	// The OCSP server list is an X.509 v3 extension that defines a list of
	// URLs of OCSP responders. The OCSP responders can be queried for the
	// revocation status of an issued certificate. If not set, the
	// certificate will be issued with no OCSP servers set. For example, an
	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
	// +optional
	OCSPServers []string `json:"ocspServers,omitempty"`

	// IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
	// it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
	// As an example, such a URL might be "http://ca.domain.com/ca.crt".
	// +optional
	IssuingCertificateURLs []string `json:"issuingCertificateURLs,omitempty"`
}

func (*CAIssuer) DeepCopy

func (in *CAIssuer) DeepCopy() *CAIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.

func (*CAIssuer) DeepCopyInto

func (in *CAIssuer) DeepCopyInto(out *CAIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Certificate

type Certificate struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired state of the Certificate resource.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	// +optional
	Spec CertificateSpec `json:"spec"`

	// Status of the Certificate.
	// This is set and managed automatically.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	// +optional
	Status CertificateStatus `json:"status"`
}

A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.

The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).

func (*Certificate) DeepCopy

func (in *Certificate) DeepCopy() *Certificate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.

func (*Certificate) DeepCopyInto

func (in *Certificate) DeepCopyInto(out *Certificate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Certificate) DeepCopyObject

func (in *Certificate) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateAdditionalOutputFormat

type CertificateAdditionalOutputFormat struct {
	// Type is the name of the format type that should be written to the
	// Certificate's target Secret.
	Type CertificateOutputFormatType `json:"type"`
}

CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.

func (*CertificateAdditionalOutputFormat) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAdditionalOutputFormat.

func (*CertificateAdditionalOutputFormat) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateCondition

type CertificateCondition struct {
	// Type of the condition, known values are (`Ready`, `Issuing`).
	Type CertificateConditionType `json:"type"`

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	// +optional
	Message string `json:"message,omitempty"`

	// If set, this represents the .metadata.generation that the condition was
	// set based upon.
	// For instance, if .metadata.generation is currently 12, but the
	// .status.condition[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the Certificate.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

CertificateCondition contains condition information for a Certificate.

func (*CertificateCondition) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.

func (*CertificateCondition) DeepCopyInto

func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateConditionType

type CertificateConditionType string

CertificateConditionType represents a Certificate condition value.

const (
	// CertificateConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target secret exists
	// - The target secret contains a certificate that has not expired
	// - The target secret contains a private key valid for the certificate
	// - The commonName and dnsNames attributes match those specified on the Certificate
	CertificateConditionReady CertificateConditionType = "Ready"

	// A condition added to Certificate resources when an issuance is required.
	// This condition will be automatically added and set to true if:
	//   * No keypair data exists in the target Secret
	//   * The data stored in the Secret cannot be decoded
	//   * The private key and certificate do not have matching public keys
	//   * If a CertificateRequest for the current revision exists and the
	//     certificate data stored in the Secret does not match the
	//    `status.certificate` on the CertificateRequest.
	//   * If no CertificateRequest resource exists for the current revision,
	//     the options on the Certificate resource are compared against the
	//     X.509 data in the Secret, similar to what's done in earlier versions.
	//     If there is a mismatch, an issuance is triggered.
	// This condition may also be added by external API consumers to trigger
	// a re-issuance manually for any other reason.
	//
	// It will be removed by the 'issuing' controller upon completing issuance.
	CertificateConditionIssuing CertificateConditionType = "Issuing"
)

type CertificateKeystores

type CertificateKeystores struct {
	// JKS configures options for storing a JKS keystore in the
	// `spec.secretName` Secret resource.
	// +optional
	JKS *JKSKeystore `json:"jks,omitempty"`

	// PKCS12 configures options for storing a PKCS12 keystore in the
	// `spec.secretName` Secret resource.
	// +optional
	PKCS12 *PKCS12Keystore `json:"pkcs12,omitempty"`
}

CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.

func (*CertificateKeystores) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.

func (*CertificateKeystores) DeepCopyInto

func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateList

type CertificateList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`

	// List of Certificates
	Items []Certificate `json:"items"`
}

CertificateList is a list of Certificates.

func (*CertificateList) DeepCopy

func (in *CertificateList) DeepCopy() *CertificateList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.

func (*CertificateList) DeepCopyInto

func (in *CertificateList) DeepCopyInto(out *CertificateList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateList) DeepCopyObject

func (in *CertificateList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateOutputFormatType

type CertificateOutputFormatType string

CertificateOutputFormatType specifies which additional output formats should be written to the Certificate's target Secret. Allowed values are `DER` or `CombinedPEM`. When Type is set to `DER` an additional entry `key.der` will be written to the Secret, containing the binary format of the private key. When Type is set to `CombinedPEM` an additional entry `tls-combined.pem` will be written to the Secret, containing the PEM formatted private key and signed certificate chain (tls.key + tls.crt concatenated). +kubebuilder:validation:Enum=DER;CombinedPEM

type CertificatePrivateKey

type CertificatePrivateKey struct {
	// RotationPolicy controls how private keys should be regenerated when a
	// re-issuance is being processed.
	//
	// If set to `Never`, a private key will only be generated if one does not
	// already exist in the target `spec.secretName`. If one does exist but it
	// does not have the correct algorithm or size, a warning will be raised
	// to await user intervention.
	// If set to `Always`, a private key matching the specified requirements
	// will be generated whenever a re-issuance occurs.
	// Default is `Never` for backward compatibility.
	// +optional
	RotationPolicy PrivateKeyRotationPolicy `json:"rotationPolicy,omitempty"`

	// The private key cryptography standards (PKCS) encoding for this
	// certificate's private key to be encoded in.
	//
	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
	// and PKCS#8, respectively.
	// Defaults to `PKCS1` if not specified.
	// +optional
	Encoding PrivateKeyEncoding `json:"encoding,omitempty"`

	// Algorithm is the private key algorithm of the corresponding private key
	// for this certificate.
	//
	// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
	// If `algorithm` is specified and `size` is not provided,
	// key size of 2048 will be used for `RSA` key algorithm and
	// key size of 256 will be used for `ECDSA` key algorithm.
	// key size is ignored when using the `Ed25519` key algorithm.
	// +optional
	Algorithm PrivateKeyAlgorithm `json:"algorithm,omitempty"`

	// Size is the key bit size of the corresponding private key for this certificate.
	//
	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
	// and will default to `2048` if not specified.
	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
	// and will default to `256` if not specified.
	// If `algorithm` is set to `Ed25519`, Size is ignored.
	// No other values are allowed.
	// +optional
	Size int `json:"size,omitempty"`
}

CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. These include the key algorithm and size, the used encoding and the rotation policy.

func (*CertificatePrivateKey) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.

func (*CertificatePrivateKey) DeepCopyInto

func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequest

type CertificateRequest struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired state of the CertificateRequest resource.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	// +optional
	Spec CertificateRequestSpec `json:"spec"`

	// Status of the CertificateRequest.
	// This is set and managed automatically.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	// +optional
	Status CertificateRequestStatus `json:"status"`
}

A CertificateRequest is used to request a signed certificate from one of the configured issuers.

All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field.

A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used. +k8s:openapi-gen=true

func (*CertificateRequest) DeepCopy

func (in *CertificateRequest) DeepCopy() *CertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.

func (*CertificateRequest) DeepCopyInto

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequest) DeepCopyObject

func (in *CertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestCondition

type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
	// `Approved`, `Denied`).
	Type CertificateRequestConditionType `json:"type"`

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	// +optional
	Message string `json:"message,omitempty"`
}

CertificateRequestCondition contains condition information for a CertificateRequest.

func (*CertificateRequestCondition) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.

func (*CertificateRequestCondition) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestConditionType

type CertificateRequestConditionType string

CertificateRequestConditionType represents a Certificate condition value.

const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"

	// CertificateRequestConditionApproved indicates that a certificate request
	// is approved and ready for signing. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Denied`.
	CertificateRequestConditionApproved CertificateRequestConditionType = "Approved"

	// CertificateRequestConditionDenied indicates that a certificate request is
	// denied, and must never be signed. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Approved`.
	CertificateRequestConditionDenied CertificateRequestConditionType = "Denied"
)

type CertificateRequestList

type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`

	// List of CertificateRequests
	Items []CertificateRequest `json:"items"`
}

CertificateRequestList is a list of CertificateRequests.

func (*CertificateRequestList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.

func (*CertificateRequestList) DeepCopyInto

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequestList) DeepCopyObject

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestSpec

type CertificateRequestSpec struct {
	// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
	// issuer may choose to ignore the requested duration, just like any other
	// requested attribute.
	// +optional
	Duration *metav1.Duration `json:"duration,omitempty"`

	// Reference to the issuer responsible for issuing the certificate.
	// If the issuer is namespace-scoped, it must be in the same namespace
	// as the Certificate. If the issuer is cluster-scoped, it can be used
	// from any namespace.
	//
	// The `name` field of the reference must always be specified.
	IssuerRef cmmeta.ObjectReference `json:"issuerRef"`

	// The PEM-encoded X.509 certificate signing request to be submitted to the
	// issuer for signing.
	//
	// If the CSR has a BasicConstraints extension, its isCA attribute must
	// match the `isCA` value of this CertificateRequest.
	// If the CSR has a KeyUsage extension, its key usages must match the
	// key usages in the `usages` field of this CertificateRequest.
	// If the CSR has a ExtKeyUsage extension, its extended key usages
	// must match the extended key usages in the `usages` field of this
	// CertificateRequest.
	Request []byte `json:"request"`

	// Requested basic constraints isCA value. Note that the issuer may choose
	// to ignore the requested isCA value, just like any other requested attribute.
	//
	// NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
	// it must have the same isCA value as specified here.
	//
	// If true, this will automatically add the `cert sign` usage to the list
	// of requested `usages`.
	// +optional
	IsCA bool `json:"isCA,omitempty"`

	// Requested key usages and extended key usages.
	//
	// NOTE: If the CSR in the `Request` field has uses the KeyUsage or
	// ExtKeyUsage extension, these extensions must have the same values
	// as specified here without any additional values.
	//
	// If unset, defaults to `digital signature` and `key encipherment`.
	// +optional
	Usages []KeyUsage `json:"usages,omitempty"`

	// Username contains the name of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	Username string `json:"username,omitempty"`
	// UID contains the uid of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	UID string `json:"uid,omitempty"`
	// Groups contains group membership of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +listType=atomic
	// +optional
	Groups []string `json:"groups,omitempty"`
	// Extra contains extra attributes of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	// +optional
	Extra map[string][]string `json:"extra,omitempty"`
}

CertificateRequestSpec defines the desired state of CertificateRequest

NOTE: It is important to note that the issuer can choose to ignore or change any of the requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.

func (*CertificateRequestSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.

func (*CertificateRequestSpec) DeepCopyInto

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestStatus

type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []CertificateRequestCondition `json:"conditions,omitempty"`

	// The PEM encoded X.509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	// +optional
	Certificate []byte `json:"certificate,omitempty"`

	// The PEM encoded X.509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	// +optional
	CA []byte `json:"ca,omitempty"`

	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	// +optional
	FailureTime *metav1.Time `json:"failureTime,omitempty"`
}

CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.

func (*CertificateRequestStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.

func (*CertificateRequestStatus) DeepCopyInto

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSecretTemplate

type CertificateSecretTemplate struct {
	// Annotations is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

CertificateSecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.

func (*CertificateSecretTemplate) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSecretTemplate.

func (*CertificateSecretTemplate) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSpec

type CertificateSpec struct {
	// Requested set of X509 certificate subject attributes.
	// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
	//
	// The common name attribute is specified separately in the `commonName` field.
	// Cannot be set if the `literalSubject` field is set.
	// +optional
	Subject *X509Subject `json:"subject,omitempty"`

	// Requested X.509 certificate subject, represented using the LDAP "String
	// Representation of a Distinguished Name" [1].
	// Important: the LDAP string format also specifies the order of the attributes
	// in the subject, this is important when issuing certs for LDAP authentication.
	// Example: `CN=foo,DC=corp,DC=example,DC=com`
	// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
	// More info: https://github.com/cert-manager/cert-manager/issues/3203
	// More info: https://github.com/cert-manager/cert-manager/issues/4424
	//
	// Cannot be set if the `subject` or `commonName` field is set.
	// +optional
	LiteralSubject string `json:"literalSubject,omitempty"`

	// Requested common name X509 certificate subject attribute.
	// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
	// NOTE: TLS clients will ignore this value when any subject alternative name is
	// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
	//
	// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
	// Cannot be set if the `literalSubject` field is set.
	// +optional
	CommonName string `json:"commonName,omitempty"`

	// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
	// issuer may choose to ignore the requested duration, just like any other
	// requested attribute.
	//
	// If unset, this defaults to 90 days.
	// Minimum accepted duration is 1 hour.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	// +optional
	Duration *metav1.Duration `json:"duration,omitempty"`

	// How long before the currently issued certificate's expiry cert-manager should
	// renew the certificate. For example, if a certificate is valid for 60 minutes,
	// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
	// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
	// the certificate is no longer valid).
	//
	// NOTE: The actual lifetime of the issued certificate is used to determine the
	// renewal time. If an issuer returns a certificate with a different lifetime than
	// the one requested, cert-manager will use the lifetime of the issued certificate.
	//
	// If unset, this defaults to 1/3 of the issued certificate's lifetime.
	// Minimum accepted value is 5 minutes.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	// Cannot be set if the `renewBeforePercentage` field is set.
	// +optional
	RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`

	// `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
	// rather than an absolute duration. For example, if a certificate is valid for 60
	// minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
	// renew the certificate 45 minutes after it was issued (i.e. when there are 15
	// minutes (25%) remaining until the certificate is no longer valid).
	//
	// NOTE: The actual lifetime of the issued certificate is used to determine the
	// renewal time. If an issuer returns a certificate with a different lifetime than
	// the one requested, cert-manager will use the lifetime of the issued certificate.
	//
	// Value must be an integer in the range (0,100). The minimum effective
	// `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
	// minutes.
	// Cannot be set if the `renewBefore` field is set.
	// +optional
	RenewBeforePercentage *int32 `json:"renewBeforePercentage,omitempty"`

	// Requested DNS subject alternative names.
	// +optional
	DNSNames []string `json:"dnsNames,omitempty"`

	// Requested IP address subject alternative names.
	// +optional
	IPAddresses []string `json:"ipAddresses,omitempty"`

	// Requested URI subject alternative names.
	// +optional
	URIs []string `json:"uris,omitempty"`

	// `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
	// Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
	// Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
	// You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
	// +optional
	OtherNames []OtherName `json:"otherNames,omitempty"`

	// Requested email subject alternative names.
	// +optional
	EmailAddresses []string `json:"emailAddresses,omitempty"`

	// Name of the Secret resource that will be automatically created and
	// managed by this Certificate resource. It will be populated with a
	// private key and certificate, signed by the denoted issuer. The Secret
	// resource lives in the same namespace as the Certificate resource.
	SecretName string `json:"secretName"`

	// Defines annotations and labels to be copied to the Certificate's Secret.
	// Labels and annotations on the Secret will be changed as they appear on the
	// SecretTemplate when added or removed. SecretTemplate annotations are added
	// in conjunction with, and cannot overwrite, the base set of annotations
	// cert-manager sets on the Certificate's Secret.
	// +optional
	SecretTemplate *CertificateSecretTemplate `json:"secretTemplate,omitempty"`

	// Additional keystore output formats to be stored in the Certificate's Secret.
	// +optional
	Keystores *CertificateKeystores `json:"keystores,omitempty"`

	// Reference to the issuer responsible for issuing the certificate.
	// If the issuer is namespace-scoped, it must be in the same namespace
	// as the Certificate. If the issuer is cluster-scoped, it can be used
	// from any namespace.
	//
	// The `name` field of the reference must always be specified.
	IssuerRef cmmeta.ObjectReference `json:"issuerRef"`

	// Requested basic constraints isCA value.
	// The isCA value is used to set the `isCA` field on the created CertificateRequest
	// resources. Note that the issuer may choose to ignore the requested isCA value, just
	// like any other requested attribute.
	//
	// If true, this will automatically add the `cert sign` usage to the list
	// of requested `usages`.
	// +optional
	IsCA bool `json:"isCA,omitempty"`

	// Requested key usages and extended key usages.
	// These usages are used to set the `usages` field on the created CertificateRequest
	// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
	// will additionally be encoded in the `request` field which contains the CSR blob.
	//
	// If unset, defaults to `digital signature` and `key encipherment`.
	// +optional
	Usages []KeyUsage `json:"usages,omitempty"`

	// Private key options. These include the key algorithm and size, the used
	// encoding and the rotation policy.
	// +optional
	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`

	// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
	//
	// This option defaults to true, and should only be disabled if the target
	// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
	// +optional
	EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`

	// The maximum number of CertificateRequest revisions that are maintained in
	// the Certificate's history. Each revision represents a single `CertificateRequest`
	// created by this Certificate, either when it was created, renewed, or Spec
	// was changed. Revisions will be removed by oldest first if the number of
	// revisions exceeds this number.
	//
	// If set, revisionHistoryLimit must be a value of `1` or greater.
	// If unset (`nil`), revisions will not be garbage collected.
	// Default value is `nil`.
	// +optional
	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`

	// Defines extra output formats of the private key and signed certificate chain
	// to be written to this Certificate's target Secret.
	//
	// This is a Beta Feature enabled by default. It can be disabled with the
	// `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
	// the controller and webhook components.
	// +optional
	AdditionalOutputFormats []CertificateAdditionalOutputFormat `json:"additionalOutputFormats,omitempty"`

	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
	//
	// This is an Alpha Feature and is only enabled with the
	// `--feature-gates=NameConstraints=true` option set on both
	// the controller and webhook components.
	// +optional
	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
}

CertificateSpec defines the desired state of Certificate.

NOTE: The specification contains a lot of "requested" certificate attributes, it is important to note that the issuer can choose to ignore or change any of these requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.

A valid Certificate requires at least one of a CommonName, LiteralSubject, DNSName, or URI to be valid.

func (*CertificateSpec) DeepCopy

func (in *CertificateSpec) DeepCopy() *CertificateSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.

func (*CertificateSpec) DeepCopyInto

func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateStatus

type CertificateStatus struct {
	// List of status conditions to indicate the status of certificates.
	// Known condition types are `Ready` and `Issuing`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []CertificateCondition `json:"conditions,omitempty"`

	// LastFailureTime is set only if the latest issuance for this
	// Certificate failed and contains the time of the failure. If an
	// issuance has failed, the delay till the next issuance will be
	// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
	// 1). If the latest issuance has succeeded this field will be unset.
	// +optional
	LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`

	// The time after which the certificate stored in the secret named
	// by this resource in `spec.secretName` is valid.
	// +optional
	NotBefore *metav1.Time `json:"notBefore,omitempty"`

	// The expiration time of the certificate stored in the secret named
	// by this resource in `spec.secretName`.
	// +optional
	NotAfter *metav1.Time `json:"notAfter,omitempty"`

	// RenewalTime is the time at which the certificate will be next
	// renewed.
	// If not set, no upcoming renewal is scheduled.
	// +optional
	RenewalTime *metav1.Time `json:"renewalTime,omitempty"`

	// The current 'revision' of the certificate as issued.
	//
	// When a CertificateRequest resource is created, it will have the
	// `cert-manager.io/certificate-revision` set to one greater than the
	// current value of this field.
	//
	// Upon issuance, this field will be set to the value of the annotation
	// on the CertificateRequest resource used to issue the certificate.
	//
	// Persisting the value on the CertificateRequest resource allows the
	// certificates controller to know whether a request is part of an old
	// issuance or if it is part of the ongoing revision's issuance by
	// checking if the revision value in the annotation is greater than this
	// field.
	// +optional
	Revision *int `json:"revision,omitempty"`

	// The name of the Secret resource containing the private key to be used
	// for the next certificate iteration.
	// The keymanager controller will automatically set this field if the
	// `Issuing` condition is set to `True`.
	// It will automatically unset this field when the Issuing condition is
	// not set or False.
	// +optional
	NextPrivateKeySecretName *string `json:"nextPrivateKeySecretName,omitempty"`

	// The number of continuous failed issuance attempts up till now. This
	// field gets removed (if set) on a successful issuance and gets set to
	// 1 if unset and an issuance has failed. If an issuance has failed, the
	// delay till the next issuance will be calculated using formula
	// time.Hour * 2 ^ (failedIssuanceAttempts - 1).
	// +optional
	FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}

CertificateStatus defines the observed state of Certificate

func (*CertificateStatus) DeepCopy

func (in *CertificateStatus) DeepCopy() *CertificateStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.

func (*CertificateStatus) DeepCopyInto

func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterIssuer

type ClusterIssuer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Desired state of the ClusterIssuer resource.
	Spec IssuerSpec `json:"spec"`

	// Status of the ClusterIssuer. This is set and managed automatically.
	// +optional
	Status IssuerStatus `json:"status"`
}

A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.

func (*ClusterIssuer) Copy

func (c *ClusterIssuer) Copy() GenericIssuer

func (*ClusterIssuer) DeepCopy

func (in *ClusterIssuer) DeepCopy() *ClusterIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.

func (*ClusterIssuer) DeepCopyInto

func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuer) DeepCopyObject

func (in *ClusterIssuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterIssuer) GetObjectMeta

func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta

func (*ClusterIssuer) GetSpec

func (c *ClusterIssuer) GetSpec() *IssuerSpec

func (*ClusterIssuer) GetStatus

func (c *ClusterIssuer) GetStatus() *IssuerStatus

func (*ClusterIssuer) SetSpec

func (c *ClusterIssuer) SetSpec(spec IssuerSpec)

func (*ClusterIssuer) SetStatus

func (c *ClusterIssuer) SetStatus(status IssuerStatus)

type ClusterIssuerList

type ClusterIssuerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ClusterIssuer `json:"items"`
}

ClusterIssuerList is a list of Issuers

func (*ClusterIssuerList) DeepCopy

func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.

func (*ClusterIssuerList) DeepCopyInto

func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuerList) DeepCopyObject

func (in *ClusterIssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GenericIssuer

type GenericIssuer interface {
	runtime.Object
	metav1.Object

	GetObjectMeta() *metav1.ObjectMeta
	GetSpec() *IssuerSpec
	GetStatus() *IssuerStatus
}

type Issuer

type Issuer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Desired state of the Issuer resource.
	Spec IssuerSpec `json:"spec"`

	// Status of the Issuer. This is set and managed automatically.
	// +optional
	Status IssuerStatus `json:"status"`
}

An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.

func (*Issuer) Copy

func (c *Issuer) Copy() GenericIssuer

func (*Issuer) DeepCopy

func (in *Issuer) DeepCopy() *Issuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

func (*Issuer) DeepCopyInto

func (in *Issuer) DeepCopyInto(out *Issuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Issuer) DeepCopyObject

func (in *Issuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Issuer) GetObjectMeta

func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta

func (*Issuer) GetSpec

func (c *Issuer) GetSpec() *IssuerSpec

func (*Issuer) GetStatus

func (c *Issuer) GetStatus() *IssuerStatus

func (*Issuer) SetSpec

func (c *Issuer) SetSpec(spec IssuerSpec)

func (*Issuer) SetStatus

func (c *Issuer) SetStatus(status IssuerStatus)

type IssuerCondition

type IssuerCondition struct {
	// Type of the condition, known values are (`Ready`).
	Type IssuerConditionType `json:"type"`

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	// +optional
	Message string `json:"message,omitempty"`

	// If set, this represents the .metadata.generation that the condition was
	// set based upon.
	// For instance, if .metadata.generation is currently 12, but the
	// .status.condition[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the Issuer.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

IssuerCondition contains condition information for an Issuer.

func (*IssuerCondition) DeepCopy

func (in *IssuerCondition) DeepCopy() *IssuerCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.

func (*IssuerCondition) DeepCopyInto

func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerConditionType

type IssuerConditionType string

IssuerConditionType represents an Issuer condition value.

const (
	// IssuerConditionReady represents the fact that a given Issuer condition
	// is in ready state and able to issue certificates.
	// If the `status` of this condition is `False`, CertificateRequest controllers
	// should prevent attempts to sign certificates.
	IssuerConditionReady IssuerConditionType = "Ready"
)

type IssuerConfig

type IssuerConfig struct {
	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
	// to obtain signed x509 certificates.
	// +optional
	ACME *cmacme.ACMEIssuer `json:"acme,omitempty"`

	// CA configures this issuer to sign certificates using a signing CA keypair
	// stored in a Secret resource.
	// This is used to build internal PKIs that are managed by cert-manager.
	// +optional
	CA *CAIssuer `json:"ca,omitempty"`

	// Vault configures this issuer to sign certificates using a HashiCorp Vault
	// PKI backend.
	// +optional
	Vault *VaultIssuer `json:"vault,omitempty"`

	// SelfSigned configures this issuer to 'self sign' certificates using the
	// private key used to create the CertificateRequest object.
	// +optional
	SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"`

	// Venafi configures this issuer to sign certificates using a Venafi TPP
	// or Venafi Cloud policy zone.
	// +optional
	Venafi *VenafiIssuer `json:"venafi,omitempty"`
}

The configuration for the issuer. Only one of these can be set.

func (*IssuerConfig) DeepCopy

func (in *IssuerConfig) DeepCopy() *IssuerConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.

func (*IssuerConfig) DeepCopyInto

func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerList

type IssuerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []Issuer `json:"items"`
}

IssuerList is a list of Issuers

func (*IssuerList) DeepCopy

func (in *IssuerList) DeepCopy() *IssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.

func (*IssuerList) DeepCopyInto

func (in *IssuerList) DeepCopyInto(out *IssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IssuerList) DeepCopyObject

func (in *IssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type IssuerSpec

type IssuerSpec struct {
	IssuerConfig `json:",inline"`
}

IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.

func (*IssuerSpec) DeepCopy

func (in *IssuerSpec) DeepCopy() *IssuerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.

func (*IssuerSpec) DeepCopyInto

func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerStatus

type IssuerStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []IssuerCondition `json:"conditions,omitempty"`

	// ACME specific status options.
	// This field should only be set if the Issuer is configured to use an ACME
	// server to issue certificates.
	// +optional
	ACME *cmacme.ACMEIssuerStatus `json:"acme,omitempty"`
}

IssuerStatus contains status information about an Issuer

func (*IssuerStatus) ACMEStatus

func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus

TODO: refactor these functions away

func (*IssuerStatus) DeepCopy

func (in *IssuerStatus) DeepCopy() *IssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.

func (*IssuerStatus) DeepCopyInto

func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JKSKeystore

type JKSKeystore struct {
	// Create enables JKS keystore creation for the Certificate.
	// If true, a file named `keystore.jks` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will be updated immediately.
	// If the issuer provided a CA certificate, a file named `truststore.jks`
	// will also be created in the target Secret resource, encrypted using the
	// password stored in `passwordSecretRef`
	// containing the issuing Certificate Authority
	Create bool `json:"create"`

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the JKS keystore.
	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`

	// Alias specifies the alias of the key in the keystore, required by the JKS format.
	// If not provided, the default alias `certificate` will be used.
	// +optional
	Alias *string `json:"alias,omitempty"`
}

JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.

func (*JKSKeystore) DeepCopy

func (in *JKSKeystore) DeepCopy() *JKSKeystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.

func (*JKSKeystore) DeepCopyInto

func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KeyUsage

type KeyUsage string

KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12

Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"

const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)

func DefaultKeyUsages

func DefaultKeyUsages() []KeyUsage

DefaultKeyUsages contains the default list of key usages

type NameConstraintItem added in v1.14.0

type NameConstraintItem struct {
	// DNSDomains is a list of DNS domains that are permitted or excluded.
	//
	// +optional
	DNSDomains []string `json:"dnsDomains,omitempty"`
	// IPRanges is a list of IP Ranges that are permitted or excluded.
	// This should be a valid CIDR notation.
	//
	// +optional
	IPRanges []string `json:"ipRanges,omitempty"`
	// EmailAddresses is a list of Email Addresses that are permitted or excluded.
	//
	// +optional
	EmailAddresses []string `json:"emailAddresses,omitempty"`
	// URIDomains is a list of URI domains that are permitted or excluded.
	//
	// +optional
	URIDomains []string `json:"uriDomains,omitempty"`
}

func (*NameConstraintItem) DeepCopy added in v1.14.0

func (in *NameConstraintItem) DeepCopy() *NameConstraintItem

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraintItem.

func (*NameConstraintItem) DeepCopyInto added in v1.14.0

func (in *NameConstraintItem) DeepCopyInto(out *NameConstraintItem)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NameConstraints added in v1.14.0

type NameConstraints struct {
	// if true then the name constraints are marked critical.
	//
	// +optional
	Critical bool `json:"critical,omitempty"`
	// Permitted contains the constraints in which the names must be located.
	//
	// +optional
	Permitted *NameConstraintItem `json:"permitted,omitempty"`
	// Excluded contains the constraints which must be disallowed. Any name matching a
	// restriction in the excluded field is invalid regardless
	// of information appearing in the permitted
	//
	// +optional
	Excluded *NameConstraintItem `json:"excluded,omitempty"`
}

NameConstraints is a type to represent x509 NameConstraints

func (*NameConstraints) DeepCopy added in v1.14.0

func (in *NameConstraints) DeepCopy() *NameConstraints

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraints.

func (*NameConstraints) DeepCopyInto added in v1.14.0

func (in *NameConstraints) DeepCopyInto(out *NameConstraints)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OtherName added in v1.14.0

type OtherName struct {
	// OID is the object identifier for the otherName SAN.
	// The object identifier must be expressed as a dotted string, for
	// example, "1.2.840.113556.1.4.221".
	OID string `json:"oid,omitempty"`

	// utf8Value is the string value of the otherName SAN.
	// The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
	UTF8Value string `json:"utf8Value,omitempty"`
}

func (*OtherName) DeepCopy added in v1.14.0

func (in *OtherName) DeepCopy() *OtherName

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName.

func (*OtherName) DeepCopyInto added in v1.14.0

func (in *OtherName) DeepCopyInto(out *OtherName)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PKCS12Keystore

type PKCS12Keystore struct {
	// Create enables PKCS12 keystore creation for the Certificate.
	// If true, a file named `keystore.p12` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will be updated immediately.
	// If the issuer provided a CA certificate, a file named `truststore.p12` will
	// also be created in the target Secret resource, encrypted using the
	// password stored in `passwordSecretRef` containing the issuing Certificate
	// Authority
	Create bool `json:"create"`

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the PKCS12 keystore.
	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`

	// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
	//
	// If provided, allowed values are:
	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
	// `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
	// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
	// (eg. because of company policy). Please note that the security of the algorithm is not that important
	// in reality, because the unencrypted certificate and private key are also stored in the Secret.
	// +optional
	Profile PKCS12Profile `json:"profile,omitempty"`
}

PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.

func (*PKCS12Keystore) DeepCopy

func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.

func (*PKCS12Keystore) DeepCopyInto

func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PKCS12Profile added in v1.14.0

type PKCS12Profile string

+kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023

const (
	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
	LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"

	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
	LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"

	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
	Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)

type PrivateKeyAlgorithm

type PrivateKeyAlgorithm string

+kubebuilder:validation:Enum=RSA;ECDSA;Ed25519

const (
	// RSA private key algorithm.
	RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA"

	// ECDSA private key algorithm.
	ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA"

	// Ed25519 private key algorithm.
	Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519"
)

type PrivateKeyEncoding

type PrivateKeyEncoding string

+kubebuilder:validation:Enum=PKCS1;PKCS8

const (
	// PKCS1 private key encoding.
	// PKCS1 produces a PEM block that contains the private key algorithm
	// in the header and the private key in the body. A key that uses this
	// can be recognised by its `BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY` header.
	// NOTE: This encoding is not supported for Ed25519 keys. Attempting to use
	// this encoding with an Ed25519 key will be ignored and default to PKCS8.
	PKCS1 PrivateKeyEncoding = "PKCS1"

	// PKCS8 private key encoding.
	// PKCS8 produces a PEM block with a static header and both the private
	// key algorithm and the private key in the body. A key that uses this
	// encoding can be recognised by its `BEGIN PRIVATE KEY` header.
	PKCS8 PrivateKeyEncoding = "PKCS8"
)

type PrivateKeyRotationPolicy

type PrivateKeyRotationPolicy string

Denotes how private keys should be generated or sourced when a Certificate is being issued. +kubebuilder:validation:Enum=Never;Always

var (
	// RotationPolicyNever means a private key will only be generated if one
	// does not already exist in the target `spec.secretName`.
	// If one does exist but it does not have the correct algorithm or size,
	// a warning will be raised to await user intervention.
	RotationPolicyNever PrivateKeyRotationPolicy = "Never"

	// RotationPolicyAlways means a private key matching the specified
	// requirements will be generated whenever a re-issuance occurs.
	RotationPolicyAlways PrivateKeyRotationPolicy = "Always"
)

type SelfSignedIssuer

type SelfSignedIssuer struct {
	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set certificate will be issued without CDP. Values are strings.
	// +optional
	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
}

Configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.

func (*SelfSignedIssuer) DeepCopy

func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.

func (*SelfSignedIssuer) DeepCopyInto

func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ServiceAccountRef added in v1.12.0

type ServiceAccountRef struct {
	// Name of the ServiceAccount used to request a token.
	Name string `json:"name"`
	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
	// consisting of the issuer's namespace and name is always included.
	// +optional
	TokenAudiences []string `json:"audiences,omitempty"`
}

ServiceAccountRef is a service account used by cert-manager to request a token. Default audience is generated by cert-manager and takes the form `vault://namespace-name/issuer-name` for an Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.

func (*ServiceAccountRef) DeepCopy added in v1.12.0

func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.

func (*ServiceAccountRef) DeepCopyInto added in v1.12.0

func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAppRole

type VaultAppRole struct {
	// Path where the App Role authentication backend is mounted in Vault, e.g:
	// "approle"
	Path string `json:"path"`

	// RoleID configured in the App Role authentication backend when setting
	// up the authentication backend in Vault.
	RoleId string `json:"roleId"`

	// Reference to a key in a Secret that contains the App Role secret used
	// to authenticate with Vault.
	// The `key` field must be specified and denotes which entry within the Secret
	// resource is used as the app role secret.
	SecretRef cmmeta.SecretKeySelector `json:"secretRef"`
}

VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

func (*VaultAppRole) DeepCopy

func (in *VaultAppRole) DeepCopy() *VaultAppRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.

func (*VaultAppRole) DeepCopyInto

func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth

type VaultAuth struct {
	// TokenSecretRef authenticates with Vault by presenting a token.
	// +optional
	TokenSecretRef *cmmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`

	// AppRole authenticates with Vault using the App Role auth mechanism,
	// with the role and secret stored in a Kubernetes Secret resource.
	// +optional
	AppRole *VaultAppRole `json:"appRole,omitempty"`

	// ClientCertificate authenticates with Vault by presenting a client
	// certificate during the request's TLS handshake.
	// Works only when using HTTPS protocol.
	// +optional
	ClientCertificate *VaultClientCertificateAuth `json:"clientCertificate,omitempty"`

	// Kubernetes authenticates with Vault by passing the ServiceAccount
	// token stored in the named Secret resource to the Vault server.
	// +optional
	Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
}

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [`tokenSecretRef`, `appRole`, `clientCertificate` or `kubernetes`].

func (*VaultAuth) DeepCopy

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultClientCertificateAuth added in v1.16.0

type VaultClientCertificateAuth struct {
	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/cert" will be used.
	// +optional
	Path string `json:"mountPath,omitempty"`

	// Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
	// tls.crt and tls.key) used to authenticate to Vault using TLS client
	// authentication.
	// +optional
	SecretName string `json:"secretName,omitempty"`

	// Name of the certificate role to authenticate against.
	// If not set, matching any certificate role, if available.
	// +optional
	Name string `json:"name,omitempty"`
}

VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret.

func (*VaultClientCertificateAuth) DeepCopy added in v1.16.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultClientCertificateAuth.

func (*VaultClientCertificateAuth) DeepCopyInto added in v1.16.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultIssuer

type VaultIssuer struct {
	// Auth configures how cert-manager authenticates with the Vault server.
	Auth VaultAuth `json:"auth"`

	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
	Server string `json:"server"`

	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
	// "my_pki_mount/sign/my-role-name".
	Path string `json:"path"`

	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
	// +optional
	Namespace string `json:"namespace,omitempty"`

	// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
	// chain presented by Vault. Only used if using HTTPS to connect to Vault and
	// ignored for HTTP connections.
	// Mutually exclusive with CABundleSecretRef.
	// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	// +optional
	CABundle []byte `json:"caBundle,omitempty"`

	// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
	// verifying the certificate chain presented by Vault when using HTTPS.
	// Mutually exclusive with CABundle.
	// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
	// +optional
	CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`

	// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
	// Vault server requires mTLS.
	// +optional
	ClientCertSecretRef *cmmeta.SecretKeySelector `json:"clientCertSecretRef,omitempty"`

	// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
	// Vault server requires mTLS.
	// +optional
	ClientKeySecretRef *cmmeta.SecretKeySelector `json:"clientKeySecretRef,omitempty"`
}

Configures an issuer to sign certificates using a HashiCorp Vault PKI backend.

func (*VaultIssuer) DeepCopy

func (in *VaultIssuer) DeepCopy() *VaultIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.

func (*VaultIssuer) DeepCopyInto

func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultKubernetesAuth

type VaultKubernetesAuth struct {
	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/kubernetes" will be used.
	// +optional
	Path string `json:"mountPath,omitempty"`

	// The required Secret field containing a Kubernetes ServiceAccount JWT used
	// for authenticating with Vault. Use of 'ambient credentials' is not
	// supported.
	// +optional
	SecretRef cmmeta.SecretKeySelector `json:"secretRef,omitempty"`

	// A reference to a service account that will be used to request a bound
	// token (also known as "projected token"). Compared to using "secretRef",
	// using this field means that you don't rely on statically bound tokens. To
	// use this field, you must configure an RBAC rule to let cert-manager
	// request a token.
	// +optional
	ServiceAccountRef *ServiceAccountRef `json:"serviceAccountRef,omitempty"`

	// A required field containing the Vault Role to assume. A Role binds a
	// Kubernetes ServiceAccount with a set of Vault policies.
	Role string `json:"role"`
}

Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.

func (*VaultKubernetesAuth) DeepCopy

func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.

func (*VaultKubernetesAuth) DeepCopyInto

func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiCloud

type VenafiCloud struct {
	// URL is the base URL for Venafi Cloud.
	// Defaults to "https://api.venafi.cloud/v1".
	// +optional
	URL string `json:"url,omitempty"`

	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
	APITokenSecretRef cmmeta.SecretKeySelector `json:"apiTokenSecretRef"`
}

VenafiCloud defines connection configuration details for Venafi Cloud

func (*VenafiCloud) DeepCopy

func (in *VenafiCloud) DeepCopy() *VenafiCloud

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.

func (*VenafiCloud) DeepCopyInto

func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiIssuer

type VenafiIssuer struct {
	// Zone is the Venafi Policy Zone to use for this issuer.
	// All requests made to the Venafi platform will be restricted by the named
	// zone policy.
	// This field is required.
	Zone string `json:"zone"`

	// TPP specifies Trust Protection Platform configuration settings.
	// Only one of TPP or Cloud may be specified.
	// +optional
	TPP *VenafiTPP `json:"tpp,omitempty"`

	// Cloud specifies the Venafi cloud configuration settings.
	// Only one of TPP or Cloud may be specified.
	// +optional
	Cloud *VenafiCloud `json:"cloud,omitempty"`
}

Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.

func (*VenafiIssuer) DeepCopy

func (in *VenafiIssuer) DeepCopy() *VenafiIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.

func (*VenafiIssuer) DeepCopyInto

func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiTPP

type VenafiTPP struct {
	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
	// for example: "https://tpp.example.com/vedsdk".
	URL string `json:"url"`

	// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
	// The secret must contain the key 'access-token' for the Access Token Authentication,
	// or two keys, 'username' and 'password' for the API Keys Authentication.
	CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`

	// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
	// chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
	// If undefined, the certificate bundle in the cert-manager controller container
	// is used to validate the chain.
	// +optional
	CABundle []byte `json:"caBundle,omitempty"`

	// Reference to a Secret containing a base64-encoded bundle of PEM CAs
	// which will be used to validate the certificate chain presented by the TPP server.
	// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
	// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	// +optional
	CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
}

VenafiTPP defines connection configuration details for a Venafi TPP instance

func (*VenafiTPP) DeepCopy

func (in *VenafiTPP) DeepCopy() *VenafiTPP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.

func (*VenafiTPP) DeepCopyInto

func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type X509Subject

type X509Subject struct {
	// Organizations to be used on the Certificate.
	// +optional
	Organizations []string `json:"organizations,omitempty"`
	// Countries to be used on the Certificate.
	// +optional
	Countries []string `json:"countries,omitempty"`
	// Organizational Units to be used on the Certificate.
	// +optional
	OrganizationalUnits []string `json:"organizationalUnits,omitempty"`
	// Cities to be used on the Certificate.
	// +optional
	Localities []string `json:"localities,omitempty"`
	// State/Provinces to be used on the Certificate.
	// +optional
	Provinces []string `json:"provinces,omitempty"`
	// Street addresses to be used on the Certificate.
	// +optional
	StreetAddresses []string `json:"streetAddresses,omitempty"`
	// Postal codes to be used on the Certificate.
	// +optional
	PostalCodes []string `json:"postalCodes,omitempty"`
	// Serial number to be used on the Certificate.
	// +optional
	SerialNumber string `json:"serialNumber,omitempty"`
}

X509Subject Full X509 name specification

func (*X509Subject) DeepCopy

func (in *X509Subject) DeepCopy() *X509Subject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.

func (*X509Subject) DeepCopyInto

func (in *X509Subject) DeepCopyInto(out *X509Subject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL