certmanager

package
v1.16.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 12, 2025 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package certmanager is the internal version of the API. +groupName=cert-manager.io

Index

Constants

View Source 
const (
	// Annotation key for DNS subjectAltNames.
	AltNamesAnnotationKey = "cert-manager.io/alt-names"

	// Annotation key for IP subjectAltNames.
	IPSANAnnotationKey = "cert-manager.io/ip-sans"

	// Annotation key for URI subjectAltNames.
	URISANAnnotationKey = "cert-manager.io/uri-sans"

	// Annotation key for certificate common name.
	CommonNameAnnotationKey = "cert-manager.io/common-name"

	// Annotation key for emails subjectAltNames.
	EmailsAnnotationKey = "cert-manager.io/email-sans"

	// Annotation key for subject organization.
	SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations"

	// Annotation key for subject organizational units.
	SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits"

	// Annotation key for subject organizational units.
	SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries"

	// Annotation key for subject provinces.
	SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces"

	// Annotation key for subject localities.
	SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities"

	// Annotation key for subject provinces.
	SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses"

	// Annotation key for subject postal codes.
	SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes"

	// Annotation key for subject serial number.
	SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber"

	// Annotation key the 'name' of the Issuer resource.
	IssuerNameAnnotationKey = "cert-manager.io/issuer-name"

	// Annotation key for the 'kind' of the Issuer resource.
	IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"

	// Annotation key for the 'group' of the Issuer resource.
	IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"

	// Annotation key for the name of the certificate that a resource is related to.
	CertificateNameKey = "cert-manager.io/certificate-name"

	// Annotation key used to denote whether a Secret is named on a Certificate
	// as a 'next private key' Secret resource.
	IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"
)

Common annotation keys added to resources.

View Source 
const (
	// issuerNameAnnotation can be used to override the issuer specified on the
	// created Certificate resource.
	IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
	// clusterIssuerNameAnnotation can be used to override the issuer specified on the
	// created Certificate resource. The Certificate will reference the
	// specified *ClusterIssuer* instead of normal issuer.
	IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
	// acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass
	// if the challenge type is set to http01
	IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"

	// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
	// controller only processes Ingresses with this annotation either unset, or
	// set to either the configured value or the empty string.
	IngressClassAnnotationKey = "kubernetes.io/ingress.class"
)
View Source 
const (
	// Annotation added to CertificateRequest resources to denote the name of
	// a Secret resource containing the private key used to sign the CSR stored
	// on the resource.
	// This annotation *may* not be present, and is used by the 'self signing'
	// issuer type to self-sign certificates.
	CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"

	// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
	CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)

Annotation names for CertificateRequests

View Source 
const (
	ClusterIssuerKind      = "ClusterIssuer"
	IssuerKind             = "Issuer"
	CertificateKind        = "Certificate"
	CertificateRequestKind = "CertificateRequest"
)

Common/known resource kinds.

View Source 
const (
	// WantInjectAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a certificate
	// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
	WantInjectAnnotation = "cert-manager.io/inject-ca-from"

	// WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector
	// inject the CA certificate for the Kubernetes apiserver into the resource.
	// It discovers the apiserver's CA by inspecting the service account credentials
	// mounted into the cainjector pod.
	WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"

	// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a Secret
	// as namespace/name.
	WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"

	// AllowsInjectionFromSecretAnnotation is an annotation that must be added
	// to Secret resource that want to denote that they can be directly
	// injected into injectables that have a `inject-ca-from-secret` annotation.
	// If an injectable references a Secret that does NOT have this annotation,
	// the cainjector will refuse to inject the secret.
	AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
View Source 
const (
	// Pending indicates that a CertificateRequest is still in progress.
	CertificateRequestReasonPending = "Pending"

	// Failed indicates that a CertificateRequest has failed permanently,
	// either due to timing out or some other critical failure.
	// The `status.failureTime` field should be set in this case.
	CertificateRequestReasonFailed = "Failed"

	// Issued indicates that a CertificateRequest has been completed, and that
	// the `status.certificate` field is set.
	CertificateRequestReasonIssued = "Issued"

	// Denied is a Ready condition reason that indicates that a
	// CertificateRequest has been denied, and the CertificateRequest will never
	// be issued.
	// The `status.failureTime` field should be set in this case.
	CertificateRequestReasonDenied = "Denied"
)
View Source 
const (
	// IssueTemporaryCertificateAnnotation is an annotation that can be added to
	// Certificate resources.
	// If it is present, a temporary internally signed certificate will be
	// stored in the target Secret resource whilst the real Issuer is processing
	// the certificate request.
	IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
)
View Source 
const (
	// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
	// This will only work with Venafi TPP v19.3 and higher
	// The value is an array with objects containing the name and value keys
	// for example: `[{"name": "custom-field", "value": "custom-value"}]`
	VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"
)

Issuer specific Annotations

Variables

View Source 
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type CAIssuer 

type CAIssuer struct {
	// SecretName is the name of the secret used to sign Certificates issued
	// by this Issuer.
	SecretName string

	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set, certificates will be issued without distribution points set.
	CRLDistributionPoints []string

	// The OCSP server list is an X.509 v3 extension that defines a list of
	// URLs of OCSP responders. The OCSP responders can be queried for the
	// revocation status of an issued certificate. If not set, the
	// certificate will be issued with no OCSP servers set. For example, an
	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
	OCSPServers []string

	// IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
	// it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
	// As an example, such a URL might be "http://ca.domain.com/ca.crt".
	// +optional
	IssuingCertificateURLs []string `json:"issuingCertificateURLs,omitempty"`
}

CAIssuer configures an issuer that can issue certificates from its provided CA certificate. It contains the name of the private key to sign certificates, holds the location for Certificate Revocation Lists (CRL) distribution points and list of URLs of Online Certificate Status Protocol (OCSP) responders.

func (*CAIssuer) DeepCopy 

func (in *CAIssuer) DeepCopy() *CAIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.

func (*CAIssuer) DeepCopyInto 

func (in *CAIssuer) DeepCopyInto(out *CAIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Certificate 

type Certificate struct {
	metav1.TypeMeta
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta

	// Specification of the desired state of the Certificate resource.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Spec CertificateSpec

	// Status of the Certificate.
	// This is set and managed automatically.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Status CertificateStatus
}

A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.

The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).

func (*Certificate) DeepCopy 

func (in *Certificate) DeepCopy() *Certificate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.

func (*Certificate) DeepCopyInto 

func (in *Certificate) DeepCopyInto(out *Certificate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Certificate) DeepCopyObject 

func (in *Certificate) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateAdditionalOutputFormat 

type CertificateAdditionalOutputFormat struct {
	// Type is the name of the format type that should be written to the
	// Certificate's target Secret.
	Type CertificateOutputFormatType
}

CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.

func (*CertificateAdditionalOutputFormat) DeepCopy 

func (in *CertificateAdditionalOutputFormat) DeepCopy() *CertificateAdditionalOutputFormat

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAdditionalOutputFormat.

func (*CertificateAdditionalOutputFormat) DeepCopyInto 

func (in *CertificateAdditionalOutputFormat) DeepCopyInto(out *CertificateAdditionalOutputFormat)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateCondition 

type CertificateCondition struct {
	// Type of the condition, known values are (`Ready`, `Issuing`).
	Type CertificateConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string

	// If set, this represents the .metadata.generation that the condition was
	// set based upon.
	// For instance, if .metadata.generation is currently 12, but the
	// .status.condition[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the Certificate.
	ObservedGeneration int64
}

CertificateCondition contains condition information for a Certificate.

func (*CertificateCondition) DeepCopy 

func (in *CertificateCondition) DeepCopy() *CertificateCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.

func (*CertificateCondition) DeepCopyInto 

func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateConditionType 

type CertificateConditionType string

CertificateConditionType represents a Certificate condition value. 

const (
	// CertificateConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target secret exists
	// - The target secret contains a certificate that has not expired
	// - The target secret contains a private key valid for the certificate
	// - The commonName and dnsNames attributes match those specified on the Certificate
	CertificateConditionReady CertificateConditionType = "Ready"

	// A condition added to Certificate resources when an issuance is required.
	// This condition will be automatically added and set to true if:
	//   * No keypair data exists in the target Secret
	//   * The data stored in the Secret cannot be decoded
	//   * The private key and certificate do not have matching public keys
	//   * If a CertificateRequest for the current revision exists and the
	//     certificate data stored in the Secret does not match the
	//    `status.certificate` on the CertificateRequest.
	//   * If no CertificateRequest resource exists for the current revision,
	//     the options on the Certificate resource are compared against the
	//     X.509 data in the Secret, similar to what's done in earlier versions.
	//     If there is a mismatch, an issuance is triggered.
	// This condition may also be added by external API consumers to trigger
	// a re-issuance manually for any other reason.
	//
	// It will be removed by the 'issuing' controller upon completing issuance.
	CertificateConditionIssuing CertificateConditionType = "Issuing"
)

type CertificateKeystores 

type CertificateKeystores struct {
	// JKS configures options for storing a JKS keystore in the
	// `spec.secretName` Secret resource.
	JKS *JKSKeystore

	// PKCS12 configures options for storing a PKCS12 keystore in the
	// `spec.secretName` Secret resource.
	PKCS12 *PKCS12Keystore
}

CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.

func (*CertificateKeystores) DeepCopy 

func (in *CertificateKeystores) DeepCopy() *CertificateKeystores

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.

func (*CertificateKeystores) DeepCopyInto 

func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateList 

type CertificateList struct {
	metav1.TypeMeta
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	metav1.ListMeta

	// List of Certificates
	Items []Certificate
}

CertificateList is a list of Certificates.

func (*CertificateList) DeepCopy 

func (in *CertificateList) DeepCopy() *CertificateList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.

func (*CertificateList) DeepCopyInto 

func (in *CertificateList) DeepCopyInto(out *CertificateList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateList) DeepCopyObject 

func (in *CertificateList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateOutputFormatType 

type CertificateOutputFormatType string

CertificateOutputFormatType specifies which additional output formats should be written to the Certificate's target Secret. Allowed values are `DER` or `CombinedPEM`. When Type is set to `DER` an additional entry `key.der` will be written to the Secret, containing the binary format of the private key. When Type is set to `CombinedPEM` an additional entry `tls-combined.pem` will be written to the Secret, containing the PEM formatted private key and signed certificate chain (tls.key + tls.crt concatenated). 

const (
	// CertificateOutputFormatDER  writes the Certificate's private key in DER
	// binary format to the `key.der` target Secret Data key.
	CertificateOutputFormatDER CertificateOutputFormatType = "DER"

	// CertificateOutputFormatCombinedPEM  writes the Certificate's signed
	// certificate chain and private key, in PEM format, to the
	// `tls-combined.pem` target Secret Data key. The value at this key will
	// include the private key PEM document, followed by at least one new line
	// character, followed by the chain of signed certificate PEM documents
	// (`<private key> + \n + <signed certificate chain>`).
	CertificateOutputFormatCombinedPEM CertificateOutputFormatType = "CombinedPEM"
)

type CertificatePrivateKey 

type CertificatePrivateKey struct {
	// RotationPolicy controls how private keys should be regenerated when a
	// re-issuance is being processed.
	//
	// If set to `Never`, a private key will only be generated if one does not
	// already exist in the target `spec.secretName`. If one does exist but it
	// does not have the correct algorithm or size, a warning will be raised
	// to await user intervention.
	// If set to `Always`, a private key matching the specified requirements
	// will be generated whenever a re-issuance occurs.
	// Default is `Never` for backward compatibility.
	RotationPolicy PrivateKeyRotationPolicy

	// The private key cryptography standards (PKCS) encoding for this
	// certificate's private key to be encoded in.
	//
	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
	// and PKCS#8, respectively.
	// Defaults to `PKCS1` if not specified.
	Encoding PrivateKeyEncoding

	// Algorithm is the private key algorithm of the corresponding private key
	// for this certificate.
	//
	// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
	// If `algorithm` is specified and `size` is not provided,
	// key size of 2048 will be used for `RSA` key algorithm and
	// key size of 256 will be used for `ECDSA` key algorithm.
	// key size is ignored when using the `Ed25519` key algorithm.
	Algorithm PrivateKeyAlgorithm

	// Size is the key bit size of the corresponding private key for this certificate.
	//
	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
	// and will default to `2048` if not specified.
	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
	// and will default to `256` if not specified.
	// If `algorithm` is set to `Ed25519`, Size is ignored.
	// No other values are allowed.
	Size int
}

CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. These include the key algorithm and size, the used encoding and the rotation policy.

func (*CertificatePrivateKey) DeepCopy 

func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.

func (*CertificatePrivateKey) DeepCopyInto 

func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequest 

type CertificateRequest struct {
	metav1.TypeMeta
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta

	// Specification of the desired state of the CertificateRequest resource.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Spec CertificateRequestSpec

	// Status of the CertificateRequest.
	// This is set and managed automatically.
	// Read-only.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Status CertificateRequestStatus
}

A CertificateRequest is used to request a signed certificate from one of the configured issuers.

All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field.

A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.

func (*CertificateRequest) DeepCopy 

func (in *CertificateRequest) DeepCopy() *CertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.

func (*CertificateRequest) DeepCopyInto 

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequest) DeepCopyObject 

func (in *CertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestCondition 

type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
	// `Approved`, `Denied`).
	Type CertificateRequestConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string
}

CertificateRequestCondition contains condition information for a CertificateRequest.

func (*CertificateRequestCondition) DeepCopy 

func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.

func (*CertificateRequestCondition) DeepCopyInto 

func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestConditionType 

type CertificateRequestConditionType string

CertificateRequestConditionType represents a Certificate condition value. 

const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"

	// CertificateRequestConditionApproved indicates that a certificate request
	// is approved and ready for signing. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Denied`.
	CertificateRequestConditionApproved CertificateRequestConditionType = "Approved"

	// CertificateRequestConditionDenied indicates that a certificate request is
	// denied, and must never be signed. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Approved`.
	CertificateRequestConditionDenied CertificateRequestConditionType = "Denied"
)

type CertificateRequestList 

type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	metav1.ListMeta

	// List of CertificateRequests
	Items []CertificateRequest
}

CertificateRequestList is a list of CertificateRequests.

func (*CertificateRequestList) DeepCopy 

func (in *CertificateRequestList) DeepCopy() *CertificateRequestList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.

func (*CertificateRequestList) DeepCopyInto 

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequestList) DeepCopyObject 

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestSpec 

type CertificateRequestSpec struct {
	// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
	// issuer may choose to ignore the requested duration, just like any other
	// requested attribute.
	Duration *metav1.Duration

	// Reference to the issuer responsible for issuing the certificate.
	// If the issuer is namespace-scoped, it must be in the same namespace
	// as the Certificate. If the issuer is cluster-scoped, it can be used
	// from any namespace.
	//
	// The `name` field of the reference must always be specified.
	IssuerRef cmmeta.ObjectReference

	// The PEM-encoded X.509 certificate signing request to be submitted to the
	// issuer for signing.
	//
	// If the CSR has a BasicConstraints extension, its isCA attribute must
	// match the `isCA` value of this CertificateRequest.
	// If the CSR has a KeyUsage extension, its key usages must match the
	// key usages in the `usages` field of this CertificateRequest.
	// If the CSR has a ExtKeyUsage extension, its extended key usages
	// must match the extended key usages in the `usages` field of this
	// CertificateRequest.
	Request []byte

	// Requested basic constraints isCA value. Note that the issuer may choose
	// to ignore the requested isCA value, just like any other requested attribute.
	//
	// NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
	// it must have the same isCA value as specified here.
	//
	// If true, this will automatically add the `cert sign` usage to the list
	// of requested `usages`.
	IsCA bool

	// Requested key usages and extended key usages.
	//
	// NOTE: If the CSR in the `Request` field has uses the KeyUsage or
	// ExtKeyUsage extension, these extensions must have the same values
	// as specified here without any additional values.
	//
	// If unset, defaults to `digital signature` and `key encipherment`.
	Usages []KeyUsage

	// Username contains the name of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Username string
	// UID contains the uid of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	UID string
	// Groups contains group membership of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Groups []string
	// Extra contains extra attributes of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Extra map[string][]string
}

CertificateRequestSpec defines the desired state of CertificateRequest

NOTE: It is important to note that the issuer can choose to ignore or change any of the requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.

func (*CertificateRequestSpec) DeepCopy 

func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.

func (*CertificateRequestSpec) DeepCopyInto 

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestStatus 

type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
	Conditions []CertificateRequestCondition

	// The PEM encoded X.509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	Certificate []byte

	// The PEM encoded X.509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	CA []byte

	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	FailureTime *metav1.Time
}

CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.

func (*CertificateRequestStatus) DeepCopy 

func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.

func (*CertificateRequestStatus) DeepCopyInto 

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSecretTemplate 

type CertificateSecretTemplate struct {
	// Annotations is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Annotations map[string]string

	// Labels is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Labels map[string]string
}

CertificateSecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.

func (*CertificateSecretTemplate) DeepCopy 

func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSecretTemplate.

func (*CertificateSecretTemplate) DeepCopyInto 

func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSpec 

type CertificateSpec struct {
	// Requested set of X509 certificate subject attributes.
	// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
	//
	// The common name attribute is specified separately in the `commonName` field.
	// Cannot be set if the `literalSubject` field is set.
	Subject *X509Subject

	// Requested X.509 certificate subject, represented using the LDAP "String
	// Representation of a Distinguished Name" [1].
	// Important: the LDAP string format also specifies the order of the attributes
	// in the subject, this is important when issuing certs for LDAP authentication.
	// Example: `CN=foo,DC=corp,DC=example,DC=com`
	// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
	// More info: https://github.com/cert-manager/cert-manager/issues/3203
	// More info: https://github.com/cert-manager/cert-manager/issues/4424
	//
	// Cannot be set if the `subject` or `commonName` field is set.
	LiteralSubject string

	// Requested common name X509 certificate subject attribute.
	// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
	// NOTE: TLS clients will ignore this value when any subject alternative name is
	// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
	//
	// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
	// Cannot be set if the `literalSubject` field is set.
	CommonName string

	// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
	// issuer may choose to ignore the requested duration, just like any other
	// requested attribute.
	//
	// If unset, this defaults to 90 days.
	// Minimum accepted duration is 1 hour.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	Duration *metav1.Duration

	// How long before the currently issued certificate's expiry cert-manager should
	// renew the certificate. For example, if a certificate is valid for 60 minutes,
	// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
	// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
	// the certificate is no longer valid).
	//
	// NOTE: The actual lifetime of the issued certificate is used to determine the
	// renewal time. If an issuer returns a certificate with a different lifetime than
	// the one requested, cert-manager will use the lifetime of the issued certificate.
	//
	// If unset, this defaults to 1/3 of the issued certificate's lifetime.
	// Minimum accepted value is 5 minutes.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	// Cannot be set if the `renewBeforePercentage` field is set.
	// +optional
	RenewBefore *metav1.Duration

	// `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
	// rather than an absolute duration. For example, if a certificate is valid for 60
	// minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
	// renew the certificate 45 minutes after it was issued (i.e. when there are 15
	// minutes (25%) remaining until the certificate is no longer valid).
	//
	// NOTE: The actual lifetime of the issued certificate is used to determine the
	// renewal time. If an issuer returns a certificate with a different lifetime than
	// the one requested, cert-manager will use the lifetime of the issued certificate.
	//
	// Value must be an integer in the range (0,100). The minimum effective
	// `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
	// minutes.
	// Cannot be set if the `renewBefore` field is set.
	// +optional
	RenewBeforePercentage *int32

	// Requested DNS subject alternative names.
	DNSNames []string

	// Requested IP address subject alternative names.
	IPAddresses []string

	// Requested URI subject alternative names.
	URIs []string

	// Requested email subject alternative names.
	EmailAddresses []string

	// `otherNames` is an escape hatch for subject alternative names (SANs) which allows any string-like
	// otherName as specified in RFC 5280 (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6).
	// All `otherName`s must include an OID and a UTF-8 string value. For example, the OID for the UPN
	// `otherName` is "1.3.6.1.4.1.311.20.2.3".
	// No validation is performed on the given UTF-8 string, so users must ensure that the value is correct before use
	// +optional
	OtherNames []OtherName `json:"otherNames,omitempty"`

	// Name of the Secret resource that will be automatically created and
	// managed by this Certificate resource. It will be populated with a
	// private key and certificate, signed by the denoted issuer. The Secret
	// resource lives in the same namespace as the Certificate resource.
	SecretName string

	// Defines annotations and labels to be copied to the Certificate's Secret.
	// Labels and annotations on the Secret will be changed as they appear on the
	// SecretTemplate when added or removed. SecretTemplate annotations are added
	// in conjunction with, and cannot overwrite, the base set of annotations
	// cert-manager sets on the Certificate's Secret.
	SecretTemplate *CertificateSecretTemplate

	// Additional keystore output formats to be stored in the Certificate's Secret.
	Keystores *CertificateKeystores

	// Reference to the issuer responsible for issuing the certificate.
	// If the issuer is namespace-scoped, it must be in the same namespace
	// as the Certificate. If the issuer is cluster-scoped, it can be used
	// from any namespace.
	//
	// The `name` field of the reference must always be specified.
	IssuerRef cmmeta.ObjectReference

	// Requested basic constraints isCA value.
	// The isCA value is used to set the `isCA` field on the created CertificateRequest
	// resources. Note that the issuer may choose to ignore the requested isCA value, just
	// like any other requested attribute.
	//
	// If true, this will automatically add the `cert sign` usage to the list
	// of requested `usages`.
	IsCA bool

	// Requested key usages and extended key usages.
	// These usages are used to set the `usages` field on the created CertificateRequest
	// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
	// will additionally be encoded in the `request` field which contains the CSR blob.
	//
	// If unset, defaults to `digital signature` and `key encipherment`.
	Usages []KeyUsage

	// Private key options. These include the key algorithm and size, the used
	// encoding and the rotation policy.
	PrivateKey *CertificatePrivateKey

	// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
	//
	// This option defaults to true, and should only be disabled if the target
	// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
	EncodeUsagesInRequest *bool

	// The maximum number of CertificateRequest revisions that are maintained in
	// the Certificate's history. Each revision represents a single `CertificateRequest`
	// created by this Certificate, either when it was created, renewed, or Spec
	// was changed. Revisions will be removed by oldest first if the number of
	// revisions exceeds this number.
	//
	// If set, revisionHistoryLimit must be a value of `1` or greater.
	// If unset (`nil`), revisions will not be garbage collected.
	// Default value is `nil`.
	RevisionHistoryLimit *int32

	// Defines extra output formats of the private key and signed certificate chain
	// to be written to this Certificate's target Secret.
	//
	// This is a Beta Feature enabled by default. It can be disabled with the
	// `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
	// the controller and webhook components.
	AdditionalOutputFormats []CertificateAdditionalOutputFormat

	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
	//
	// This is an Alpha Feature and is only enabled with the
	// `--feature-gates=NameConstraints=true` option set on both
	// the controller and webhook components.
	// +optional
	NameConstraints *NameConstraints
}

CertificateSpec defines the desired state of Certificate.

NOTE: The specification contains a lot of "requested" certificate attributes, it is important to note that the issuer can choose to ignore or change any of these requested attributes. How the issuer maps a certificate request to a signed certificate is the full responsibility of the issuer itself. For example, as an edge case, an issuer that inverts the isCA value is free to do so.

A valid Certificate requires at least one of a CommonName, LiteralSubject, DNSName, or URI to be valid.

func (*CertificateSpec) DeepCopy 

func (in *CertificateSpec) DeepCopy() *CertificateSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.

func (*CertificateSpec) DeepCopyInto 

func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateStatus 

type CertificateStatus struct {
	// List of status conditions to indicate the status of certificates.
	// Known condition types are `Ready` and `Issuing`.
	Conditions []CertificateCondition

	// LastFailureTime is set only if the latest issuance for this
	// Certificate failed and contains the time of the failure. If an
	// issuance has failed, the delay till the next issuance will be
	// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
	// 1). If the latest issuance has succeeded this field will be unset.
	LastFailureTime *metav1.Time

	// The time after which the certificate stored in the secret named
	// by this resource in `spec.secretName` is valid.
	NotBefore *metav1.Time

	// The expiration time of the certificate stored in the secret named
	// by this resource in `spec.secretName`.
	NotAfter *metav1.Time

	// RenewalTime is the time at which the certificate will be next
	// renewed.
	// If not set, no upcoming renewal is scheduled.
	RenewalTime *metav1.Time

	// The current 'revision' of the certificate as issued.
	//
	// When a CertificateRequest resource is created, it will have the
	// `cert-manager.io/certificate-revision` set to one greater than the
	// current value of this field.
	//
	// Upon issuance, this field will be set to the value of the annotation
	// on the CertificateRequest resource used to issue the certificate.
	//
	// Persisting the value on the CertificateRequest resource allows the
	// certificates controller to know whether a request is part of an old
	// issuance or if it is part of the ongoing revision's issuance by
	// checking if the revision value in the annotation is greater than this
	// field.
	Revision *int

	// The name of the Secret resource containing the private key to be used
	// for the next certificate iteration.
	// The keymanager controller will automatically set this field if the
	// `Issuing` condition is set to `True`.
	// It will automatically unset this field when the Issuing condition is
	// not set or False.
	NextPrivateKeySecretName *string

	// The number of continuous failed issuance attempts up till now. This
	// field gets removed (if set) on a successful issuance and gets set to
	// 1 if unset and an issuance has failed. If an issuance has failed, the
	// delay till the next issuance will be calculated using formula
	// time.Hour * 2 ^ (failedIssuanceAttempts - 1).
	FailedIssuanceAttempts *int
}

CertificateStatus defines the observed state of Certificate

func (*CertificateStatus) DeepCopy 

func (in *CertificateStatus) DeepCopy() *CertificateStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.

func (*CertificateStatus) DeepCopyInto 

func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterIssuer 

type ClusterIssuer struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the ClusterIssuer resource.
	Spec IssuerSpec

	// Status of the ClusterIssuer. This is set and managed automatically.
	Status IssuerStatus
}

A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.

func (*ClusterIssuer) Copy 

func (c *ClusterIssuer) Copy() GenericIssuer

func (*ClusterIssuer) DeepCopy 

func (in *ClusterIssuer) DeepCopy() *ClusterIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.

func (*ClusterIssuer) DeepCopyInto 

func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuer) DeepCopyObject 

func (in *ClusterIssuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterIssuer) GetObjectMeta 

func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta

func (*ClusterIssuer) GetSpec 

func (c *ClusterIssuer) GetSpec() *IssuerSpec

func (*ClusterIssuer) GetStatus 

func (c *ClusterIssuer) GetStatus() *IssuerStatus

func (*ClusterIssuer) SetSpec 

func (c *ClusterIssuer) SetSpec(spec IssuerSpec)

func (*ClusterIssuer) SetStatus 

func (c *ClusterIssuer) SetStatus(status IssuerStatus)

type ClusterIssuerList 

type ClusterIssuerList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []ClusterIssuer
}

ClusterIssuerList is a list of Issuers

func (*ClusterIssuerList) DeepCopy 

func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.

func (*ClusterIssuerList) DeepCopyInto 

func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuerList) DeepCopyObject 

func (in *ClusterIssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GenericIssuer 

type GenericIssuer interface {
	runtime.Object
	metav1.Object

	GetObjectMeta() *metav1.ObjectMeta
	GetSpec() *IssuerSpec
	GetStatus() *IssuerStatus
}

type Issuer 

type Issuer struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the Issuer resource.
	Spec IssuerSpec

	// Status of the Issuer. This is set and managed automatically.
	Status IssuerStatus
}

An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.

func (*Issuer) Copy 

func (c *Issuer) Copy() GenericIssuer

func (*Issuer) DeepCopy 

func (in *Issuer) DeepCopy() *Issuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

func (*Issuer) DeepCopyInto 

func (in *Issuer) DeepCopyInto(out *Issuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Issuer) DeepCopyObject 

func (in *Issuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Issuer) GetObjectMeta 

func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta

func (*Issuer) GetSpec 

func (c *Issuer) GetSpec() *IssuerSpec

func (*Issuer) GetStatus 

func (c *Issuer) GetStatus() *IssuerStatus

func (*Issuer) SetSpec 

func (c *Issuer) SetSpec(spec IssuerSpec)

func (*Issuer) SetStatus 

func (c *Issuer) SetStatus(status IssuerStatus)

type IssuerCondition 

type IssuerCondition struct {
	// Type of the condition, known values are (`Ready`).
	Type IssuerConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string

	// If set, this represents the .metadata.generation that the condition was
	// set based upon.
	// For instance, if .metadata.generation is currently 12, but the
	// .status.condition[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the Issuer.
	ObservedGeneration int64
}

IssuerCondition contains condition information for an Issuer.

func (*IssuerCondition) DeepCopy 

func (in *IssuerCondition) DeepCopy() *IssuerCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.

func (*IssuerCondition) DeepCopyInto 

func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerConditionType 

type IssuerConditionType string

IssuerConditionType represents an Issuer condition value. 

const (
	// IssuerConditionReady represents the fact that a given Issuer condition
	// is in ready state and able to issue certificates.
	// If the `status` of this condition is `False`, CertificateRequest controllers
	// should prevent attempts to sign certificates.
	IssuerConditionReady IssuerConditionType = "Ready"
)

type IssuerConfig 

type IssuerConfig struct {
	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
	// to obtain signed x509 certificates.
	ACME *cmacme.ACMEIssuer

	// CA configures this issuer to sign certificates using a signing CA keypair
	// stored in a Secret resource.
	// This is used to build internal PKIs that are managed by cert-manager.
	CA *CAIssuer

	// Vault configures this issuer to sign certificates using a HashiCorp Vault
	// PKI backend.
	Vault *VaultIssuer

	// SelfSigned configures this issuer to 'self sign' certificates using the
	// private key used to create the CertificateRequest object.
	SelfSigned *SelfSignedIssuer

	// Venafi configures this issuer to sign certificates using a Venafi TPP
	// or Venafi Cloud policy zone.
	Venafi *VenafiIssuer
}

IssuerConfig is a generic wrapper around custom issuer types

func (*IssuerConfig) DeepCopy 

func (in *IssuerConfig) DeepCopy() *IssuerConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.

func (*IssuerConfig) DeepCopyInto 

func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerList 

type IssuerList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []Issuer
}

IssuerList is a list of Issuers

func (*IssuerList) DeepCopy 

func (in *IssuerList) DeepCopy() *IssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.

func (*IssuerList) DeepCopyInto 

func (in *IssuerList) DeepCopyInto(out *IssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IssuerList) DeepCopyObject 

func (in *IssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type IssuerSpec 

type IssuerSpec struct {
	IssuerConfig
}

IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.

func (*IssuerSpec) DeepCopy 

func (in *IssuerSpec) DeepCopy() *IssuerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.

func (*IssuerSpec) DeepCopyInto 

func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerStatus 

type IssuerStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`.
	Conditions []IssuerCondition

	// ACME specific status options.
	// This field should only be set if the Issuer is configured to use an ACME
	// server to issue certificates.
	ACME *cmacme.ACMEIssuerStatus
}

IssuerStatus contains status information about an Issuer

func (*IssuerStatus) ACMEStatus 

func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus

TODO: refactor these functions away

func (*IssuerStatus) DeepCopy 

func (in *IssuerStatus) DeepCopy() *IssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.

func (*IssuerStatus) DeepCopyInto 

func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JKSKeystore 

type JKSKeystore struct {
	// Create enables JKS keystore creation for the Certificate.
	// If true, a file named `keystore.jks` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will be updated immediately.
	// If the issuer provided a CA certificate, a file named `truststore.jks`
	// will also be created in the target Secret resource, encrypted using the
	// password stored in `passwordSecretRef`
	// containing the issuing Certificate Authority
	Create bool

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the JKS keystore.
	PasswordSecretRef cmmeta.SecretKeySelector

	// Alias specifies the alias of the key in the keystore, required by the JKS format.
	// If not provided, the default alias `certificate` will be used.
	// +optional
	Alias *string `json:"alias,omitempty"`
}

JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.

func (*JKSKeystore) DeepCopy 

func (in *JKSKeystore) DeepCopy() *JKSKeystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.

func (*JKSKeystore) DeepCopyInto 

func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KeyUsage 

type KeyUsage string

KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12

Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" 

const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)

type NameConstraintItem added in v1.14.0 

type NameConstraintItem struct {
	// DNSDomains is a list of DNS domains that are permitted or excluded.
	//
	// +optional
	DNSDomains []string
	// IPRanges is a list of IP Ranges that are permitted or excluded.
	// This should be a valid CIDR notation.
	//
	// +optional
	IPRanges []string
	// EmailAddresses is a list of Email Addresses that are permitted or excluded.
	//
	// +optional
	EmailAddresses []string
	// URIDomains is a list of URI domains that are permitted or excluded.
	//
	// +optional
	URIDomains []string
}

func (*NameConstraintItem) DeepCopy added in v1.14.0 

func (in *NameConstraintItem) DeepCopy() *NameConstraintItem

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraintItem.

func (*NameConstraintItem) DeepCopyInto added in v1.14.0 

func (in *NameConstraintItem) DeepCopyInto(out *NameConstraintItem)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NameConstraints added in v1.14.0 

type NameConstraints struct {
	// if true then the name constraints are marked critical.
	//
	// +optional
	Critical bool
	// Permitted contains the constraints in which the names must be located.
	//
	// +optional
	Permitted *NameConstraintItem
	// Excluded contains the constraints which must be disallowed. Any name matching a
	// restriction in the excluded field is invalid regardless
	// of information appearing in the permitted
	//
	// +optional
	Excluded *NameConstraintItem
}

NameConstraints is a type to represent x509 NameConstraints

func (*NameConstraints) DeepCopy added in v1.14.0 

func (in *NameConstraints) DeepCopy() *NameConstraints

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameConstraints.

func (*NameConstraints) DeepCopyInto added in v1.14.0 

func (in *NameConstraints) DeepCopyInto(out *NameConstraints)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OtherName added in v1.14.0 

type OtherName struct {
	// OID is the object identifier for the otherName SAN.
	// The object identifier must be expressed as a dotted string, for
	// example, "1.2.840.113556.1.4.221".
	OID string `json:"oid,omitempty"`

	// utf8Value is the string value of the otherName SAN. Any UTF-8 string can be used, but no
	// validation is performed.
	UTF8Value string `json:"utf8Value,omitempty"`
}

func (*OtherName) DeepCopy added in v1.14.0 

func (in *OtherName) DeepCopy() *OtherName

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName.

func (*OtherName) DeepCopyInto added in v1.14.0 

func (in *OtherName) DeepCopyInto(out *OtherName)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PKCS12Keystore 

type PKCS12Keystore struct {
	// Create enables PKCS12 keystore creation for the Certificate.
	// If true, a file named `keystore.p12` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will be updated immediately.
	// If the issuer provided a CA certificate, a file named `truststore.p12` will
	// also be created in the target Secret resource, encrypted using the
	// password stored in `passwordSecretRef` containing the issuing Certificate
	// Authority
	Create bool

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the PKCS12 keystore.
	PasswordSecretRef cmmeta.SecretKeySelector

	// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
	//
	// If provided, allowed values are:
	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
	// `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
	// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
	// (eg. because of company policy). Please note that the security of the algorithm is not that important
	// in reality, because the unencrypted certificate and private key are also stored in the Secret.
	Profile PKCS12Profile
}

PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.

func (*PKCS12Keystore) DeepCopy 

func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.

func (*PKCS12Keystore) DeepCopyInto 

func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PKCS12Profile added in v1.14.0 

type PKCS12Profile string
const (
	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
	LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2"

	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
	LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES"

	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
	Modern2023PKCS12Profile PKCS12Profile = "Modern2023"
)

type PrivateKeyAlgorithm 

type PrivateKeyAlgorithm string
const (
	// RSA private key algorithm.
	RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA"

	// ECDSA private key algorithm.
	ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA"

	// Ed25519 private key algorithm.
	Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519"
)

type PrivateKeyEncoding 

type PrivateKeyEncoding string
const (
	// PKCS1 private key encoding.
	// PKCS1 produces a PEM block that contains the private key algorithm
	// in the header and the private key in the body. A key that uses this
	// can be recognised by its `BEGIN RSA PRIVATE KEY` or `BEGIN EC PRIVATE KEY` header.
	// NOTE: This encoding is not supported for Ed25519 keys. Attempting to use
	// this encoding with an Ed25519 key will be ignored and default to PKCS8.
	PKCS1 PrivateKeyEncoding = "PKCS1"

	// PKCS8 private key encoding.
	// PKCS8 produces a PEM block with a static header and both the private
	// key algorithm and the private key in the body. A key that uses this
	// encoding can be recognised by its `BEGIN PRIVATE KEY` header.
	PKCS8 PrivateKeyEncoding = "PKCS8"
)

type PrivateKeyRotationPolicy 

type PrivateKeyRotationPolicy string

Denotes how private keys should be generated or sourced when a Certificate is being issued. 

var (
	// RotationPolicyNever means a private key will only be generated if one
	// does not already exist in the target `spec.secretName`.
	// If one does exist but it does not have the correct algorithm or size,
	// a warning will be raised to await user intervention.
	RotationPolicyNever PrivateKeyRotationPolicy = "Never"

	// RotationPolicyAlways means a private key matching the specified
	// requirements will be generated whenever a re-issuance occurs.
	RotationPolicyAlways PrivateKeyRotationPolicy = "Always"
)

type SelfSignedIssuer 

type SelfSignedIssuer struct {
	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set certificate will be issued without CDP. Values are strings.
	CRLDistributionPoints []string
}

SelfSignedIssuer configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.

func (*SelfSignedIssuer) DeepCopy 

func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.

func (*SelfSignedIssuer) DeepCopyInto 

func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ServiceAccountRef added in v1.12.0 

type ServiceAccountRef struct {
	// Name of the ServiceAccount used to request a token.
	Name string

	// TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
	// consisting of the issuer's namespace and name is always included.
	// +optional
	TokenAudiences []string
}

ServiceAccountRef is a service account used by cert-manager to request a token. The audience cannot be configured. The audience is generated by cert-manager and takes the form `vault://namespace-name/issuer-name` for an Issuer and `vault://issuer-name` for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.

func (*ServiceAccountRef) DeepCopy added in v1.12.0 

func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.

func (*ServiceAccountRef) DeepCopyInto added in v1.12.0 

func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAppRole 

type VaultAppRole struct {
	// Path where the App Role authentication backend is mounted in Vault, e.g:
	// "approle"
	Path string

	// RoleID configured in the App Role authentication backend when setting
	// up the authentication backend in Vault.
	RoleId string

	// Reference to a key in a Secret that contains the App Role secret used
	// to authenticate with Vault.
	// The `key` field must be specified and denotes which entry within the Secret
	// resource is used as the app role secret.
	SecretRef cmmeta.SecretKeySelector
}

VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

func (*VaultAppRole) DeepCopy 

func (in *VaultAppRole) DeepCopy() *VaultAppRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.

func (*VaultAppRole) DeepCopyInto 

func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth 

type VaultAuth struct {
	// TokenSecretRef authenticates with Vault by presenting a token.
	TokenSecretRef *cmmeta.SecretKeySelector

	// AppRole authenticates with Vault using the App Role auth mechanism,
	// with the role and secret stored in a Kubernetes Secret resource.
	AppRole *VaultAppRole

	// ClientCertificate authenticates with Vault by presenting a client
	// certificate during the request's TLS handshake.
	// Works only when using HTTPS protocol.
	// +optional
	ClientCertificate *VaultClientCertificateAuth

	// Kubernetes authenticates with Vault by passing the ServiceAccount
	// token stored in the named Secret resource to the Vault server.
	Kubernetes *VaultKubernetesAuth
}

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [`tokenSecretRef`, `appRole`, `clientCertificate` or `kubernetes`].

func (*VaultAuth) DeepCopy 

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto 

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultClientCertificateAuth added in v1.16.0 

type VaultClientCertificateAuth struct {
	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/cert" will be used.
	// +optional
	Path string

	// Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
	// tls.crt and tls.key) used to authenticate to Vault using TLS client
	// authentication.
	// +optional
	SecretName string

	// Name of the certificate role to authenticate against.
	// If not set, matching any certificate role, if available.
	// +optional
	Name string
}

VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret.

func (*VaultClientCertificateAuth) DeepCopy added in v1.16.0 

func (in *VaultClientCertificateAuth) DeepCopy() *VaultClientCertificateAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultClientCertificateAuth.

func (*VaultClientCertificateAuth) DeepCopyInto added in v1.16.0 

func (in *VaultClientCertificateAuth) DeepCopyInto(out *VaultClientCertificateAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultIssuer 

type VaultIssuer struct {
	// Auth configures how cert-manager authenticates with the Vault server.
	Auth VaultAuth

	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
	Server string

	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
	// "my_pki_mount/sign/my-role-name".
	Path string

	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
	Namespace string

	// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
	// chain presented by Vault. Only used if using HTTPS to connect to Vault and
	// ignored for HTTP connections.
	// Mutually exclusive with CABundleSecretRef.
	// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	// +optional
	CABundle []byte

	// Reference to a Secret containing a bundle of PEM-encoded CAs to use when
	// verifying the certificate chain presented by Vault when using HTTPS.
	// Mutually exclusive with CABundle.
	// If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	// If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
	// +optional
	CABundleSecretRef *cmmeta.SecretKeySelector

	// Reference to a Secret containing a PEM-encoded Client Certificate to use when the
	// Vault server requires mTLS.
	// +optional
	ClientCertSecretRef *cmmeta.SecretKeySelector

	// Reference to a Secret containing a PEM-encoded Client Private Key to use when the
	// Vault server requires mTLS.
	// +optional
	ClientKeySecretRef *cmmeta.SecretKeySelector
}

VaultIssuer configures an issuer to sign certificates using a HashiCorp Vault PKI backend.

func (*VaultIssuer) DeepCopy 

func (in *VaultIssuer) DeepCopy() *VaultIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.

func (*VaultIssuer) DeepCopyInto 

func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultKubernetesAuth 

type VaultKubernetesAuth struct {
	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/kubernetes" will be used.
	Path string

	// The required Secret field containing a Kubernetes ServiceAccount JWT used
	// for authenticating with Vault. Use of 'ambient credentials' is not
	// supported. This field should not be set if serviceAccountRef is set.
	// +optional
	SecretRef cmmeta.SecretKeySelector

	// A reference to a service account that will be used to request a bound
	// token (also known as "projected token"). Compared to using "secretRef",
	// using this field means that you don't rely on statically bound tokens. To
	// use this field, you must configure an RBAC rule to let cert-manager
	// request a token.
	// +optional
	ServiceAccountRef *ServiceAccountRef

	// A required field containing the Vault Role to assume. A Role binds a
	// Kubernetes ServiceAccount with a set of Vault policies.
	Role string
}

Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.

func (*VaultKubernetesAuth) DeepCopy 

func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.

func (*VaultKubernetesAuth) DeepCopyInto 

func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiCloud 

type VenafiCloud struct {
	// URL is the base URL for Venafi Cloud.
	// Defaults to "https://api.venafi.cloud/v1".
	URL string

	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
	APITokenSecretRef cmmeta.SecretKeySelector
}

VenafiCloud defines connection configuration details for Venafi Cloud

func (*VenafiCloud) DeepCopy 

func (in *VenafiCloud) DeepCopy() *VenafiCloud

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.

func (*VenafiCloud) DeepCopyInto 

func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiIssuer 

type VenafiIssuer struct {
	// Zone is the Venafi Policy Zone to use for this issuer.
	// All requests made to the Venafi platform will be restricted by the named
	// zone policy.
	// This field is required.
	Zone string

	// TPP specifies Trust Protection Platform configuration settings.
	// Only one of TPP or Cloud may be specified.
	TPP *VenafiTPP

	// Cloud specifies the Venafi cloud configuration settings.
	// Only one of TPP or Cloud may be specified.
	Cloud *VenafiCloud
}

VenafiIssuer configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.

func (*VenafiIssuer) DeepCopy 

func (in *VenafiIssuer) DeepCopy() *VenafiIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.

func (*VenafiIssuer) DeepCopyInto 

func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiTPP 

type VenafiTPP struct {
	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
	// for example: "https://tpp.example.com/vedsdk".
	URL string

	// CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
	// The secret must contain the key 'access-token' for the Access Token Authentication,
	// or two keys, 'username' and 'password' for the API Keys Authentication.
	CredentialsRef cmmeta.LocalObjectReference

	// Base64-encoded bundle of PEM CAs which will be used to validate the certificate
	// chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
	// If undefined, the certificate bundle in the cert-manager controller container
	// is used to validate the chain.
	CABundle []byte

	// Reference to a Secret containing a base64-encoded bundle of PEM CAs
	// which will be used to validate the certificate chain presented by the TPP server.
	// Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
	// If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
	// the cert-manager controller container is used to validate the TLS connection.
	CABundleSecretRef *cmmeta.SecretKeySelector `json:"caBundleSecretRef,omitempty"`
}

VenafiTPP defines connection configuration details for a Venafi TPP instance

func (*VenafiTPP) DeepCopy 

func (in *VenafiTPP) DeepCopy() *VenafiTPP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.

func (*VenafiTPP) DeepCopyInto 

func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type X509Subject 

type X509Subject struct {
	// Organizations to be used on the Certificate.
	Organizations []string
	// Countries to be used on the Certificate.
	Countries []string
	// Organizational Units to be used on the Certificate.
	OrganizationalUnits []string
	// Cities to be used on the Certificate.
	Localities []string
	// State/Provinces to be used on the Certificate.
	Provinces []string
	// Street addresses to be used on the Certificate.
	StreetAddresses []string
	// Postal codes to be used on the Certificate.
	PostalCodes []string
	// Serial number to be used on the Certificate.
	SerialNumber string
}

X509Subject Full X509 name specification

func (*X509Subject) DeepCopy 

func (in *X509Subject) DeepCopy() *X509Subject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.

func (*X509Subject) DeepCopyInto 

func (in *X509Subject) DeepCopyInto(out *X509Subject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Source Files

View all Source files

Directories

Path Synopsis
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
 Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
+groupName=cert-manager.io
 +groupName=cert-manager.io
util

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.