Documentation ¶
Overview ¶
Package certmanager is the internal version of the API. +groupName=cert-manager.io
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type CAIssuer
- type Certificate
- type CertificateAdditionalOutputFormat
- type CertificateCondition
- type CertificateConditionType
- type CertificateKeystores
- type CertificateList
- type CertificateOutputFormatType
- type CertificatePrivateKey
- type CertificateRequest
- type CertificateRequestCondition
- type CertificateRequestConditionType
- type CertificateRequestList
- type CertificateRequestSpec
- type CertificateRequestStatus
- type CertificateSecretTemplate
- type CertificateSpec
- type CertificateStatus
- type ClusterIssuer
- func (c *ClusterIssuer) Copy() GenericIssuer
- func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
- func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
- func (in *ClusterIssuer) DeepCopyObject() runtime.Object
- func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *ClusterIssuer) GetSpec() *IssuerSpec
- func (c *ClusterIssuer) GetStatus() *IssuerStatus
- func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
- func (c *ClusterIssuer) SetStatus(status IssuerStatus)
- type ClusterIssuerList
- type GenericIssuer
- type Issuer
- func (c *Issuer) Copy() GenericIssuer
- func (in *Issuer) DeepCopy() *Issuer
- func (in *Issuer) DeepCopyInto(out *Issuer)
- func (in *Issuer) DeepCopyObject() runtime.Object
- func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *Issuer) GetSpec() *IssuerSpec
- func (c *Issuer) GetStatus() *IssuerStatus
- func (c *Issuer) SetSpec(spec IssuerSpec)
- func (c *Issuer) SetStatus(status IssuerStatus)
- type IssuerCondition
- type IssuerConditionType
- type IssuerConfig
- type IssuerList
- type IssuerSpec
- type IssuerStatus
- type JKSKeystore
- type KeyUsage
- type PKCS12Keystore
- type PrivateKeyAlgorithm
- type PrivateKeyEncoding
- type PrivateKeyRotationPolicy
- type SelfSignedIssuer
- type VaultAppRole
- type VaultAuth
- type VaultIssuer
- type VaultKubernetesAuth
- type VenafiCloud
- type VenafiIssuer
- type VenafiTPP
- type X509Subject
Constants ¶
const ( // Annotation key for DNS subjectAltNames. AltNamesAnnotationKey = "cert-manager.io/alt-names" // Annotation key for IP subjectAltNames. IPSANAnnotationKey = "cert-manager.io/ip-sans" // Annotation key for URI subjectAltNames. URISANAnnotationKey = "cert-manager.io/uri-sans" // Annotation key for certificate common name. CommonNameAnnotationKey = "cert-manager.io/common-name" // Annotation key the 'name' of the Issuer resource. IssuerNameAnnotationKey = "cert-manager.io/issuer-name" // Annotation key for the 'kind' of the Issuer resource. IssuerKindAnnotationKey = "cert-manager.io/issuer-kind" // Annotation key for the 'group' of the Issuer resource. IssuerGroupAnnotationKey = "cert-manager.io/issuer-group" // Annotation key for the name of the certificate that a resource is related to. CertificateNameKey = "cert-manager.io/certificate-name" // Annotation key used to denote whether a Secret is named on a Certificate // as a 'next private key' Secret resource. IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key" )
Common annotation keys added to resources.
const ( // issuerNameAnnotation can be used to override the issuer specified on the // created Certificate resource. IngressIssuerNameAnnotationKey = "cert-manager.io/issuer" // clusterIssuerNameAnnotation can be used to override the issuer specified on the // created Certificate resource. The Certificate will reference the // specified *ClusterIssuer* instead of normal issuer. IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer" // acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass // if the challenge type is set to http01 IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class" // IngressClassAnnotationKey picks a specific "class" for the Ingress. The // controller only processes Ingresses with this annotation either unset, or // set to either the configured value or the empty string. IngressClassAnnotationKey = "kubernetes.io/ingress.class" )
const ( // Annotation added to CertificateRequest resources to denote the name of // a Secret resource containing the private key used to sign the CSR stored // on the resource. // This annotation *may* not be present, and is used by the 'self signing' // issuer type to self-sign certificates. CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name" // Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision" )
Annotation names for CertificateRequests
const ( ClusterIssuerKind = "ClusterIssuer" IssuerKind = "Issuer" CertificateKind = "Certificate" CertificateRequestKind = "CertificateRequest" )
Common/known resource kinds.
const ( // WantInjectAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a certificate // as namespace/name. The certificate is expected to have the is-serving-for annotations. WantInjectAnnotation = "cert-manager.io/inject-ca-from" // WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector // inject the CA certificate for the Kubernetes apiserver into the resource. // It discovers the apiserver's CA by inspecting the service account credentials // mounted into the cainjector pod. WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca" // WantInjectFromSecretAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a Secret // as namespace/name. WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret" // AllowsInjectionFromSecretAnnotation is an annotation that must be added // to Secret resource that want to denote that they can be directly // injected into injectables that have a `inject-ca-from-secret` annotation. // If an injectable references a Secret that does NOT have this annotation, // the cainjector will refuse to inject the secret. AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection" )
const ( // Pending indicates that a CertificateRequest is still in progress. CertificateRequestReasonPending = "Pending" // Failed indicates that a CertificateRequest has failed, either due to // timing out or some other critical failure. CertificateRequestReasonFailed = "Failed" // Issued indicates that a CertificateRequest has been completed, and that // the `status.certificate` field is set. CertificateRequestReasonIssued = "Issued" )
const ( // IssueTemporaryCertificateAnnotation is an annotation that can be added to // Certificate resources. // If it is present, a temporary internally signed certificate will be // stored in the target Secret resource whilst the real Issuer is processing // the certificate request. IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate" )
const ( // VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer // This will only work with Venafi TPP v19.3 and higher // The value is an array with objects containing the name and value keys // for example: `[{"name": "custom-field", "value": "custom-value"}]` VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields" )
Issuer specific Annotations
Variables ¶
var ( SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: runtime.APIVersionInternal}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type CAIssuer ¶
type CAIssuer struct { // SecretName is the name of the secret used to sign Certificates issued // by this Issuer. SecretName string // The CRL distribution points is an X.509 v3 certificate extension which identifies // the location of the CRL from which the revocation of this certificate can be checked. // If not set, certificates will be issued without distribution points set. CRLDistributionPoints []string // The OCSP server list is an X.509 v3 extension that defines a list of // URLs of OCSP responders. The OCSP responders can be queried for the // revocation status of an issued certificate. If not set, the // certificate will be issued with no OCSP servers set. For example, an // OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". OCSPServers []string }
CAIssuer configures an issuer that can issue certificates from its provided CA certificate. It contains the name of the private key to sign certificates, holds the location for Certificate Revocation Lists (CRL) distribution points and list of URLs of Online Certificate Status Protocol (OCSP) responders.
func (*CAIssuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.
func (*CAIssuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Certificate ¶
type Certificate struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the Certificate resource. Spec CertificateSpec // Status of the Certificate. This is set and managed automatically. Status CertificateStatus }
A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
func (*Certificate) DeepCopy ¶
func (in *Certificate) DeepCopy() *Certificate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.
func (*Certificate) DeepCopyInto ¶
func (in *Certificate) DeepCopyInto(out *Certificate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Certificate) DeepCopyObject ¶
func (in *Certificate) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateAdditionalOutputFormat ¶
type CertificateAdditionalOutputFormat struct { // Type is the name of the format type that should be written to the // Certificate's target Secret. Type CertificateOutputFormatType }
CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key.
func (*CertificateAdditionalOutputFormat) DeepCopy ¶
func (in *CertificateAdditionalOutputFormat) DeepCopy() *CertificateAdditionalOutputFormat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAdditionalOutputFormat.
func (*CertificateAdditionalOutputFormat) DeepCopyInto ¶
func (in *CertificateAdditionalOutputFormat) DeepCopyInto(out *CertificateAdditionalOutputFormat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateCondition ¶
type CertificateCondition struct { // Type of the condition, known values are (`Ready`, `Issuing`). Type CertificateConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string // If set, this represents the .metadata.generation that the condition was // set based upon. // For instance, if .metadata.generation is currently 12, but the // .status.condition[x].observedGeneration is 9, the condition is out of date // with respect to the current state of the Certificate. ObservedGeneration int64 }
CertificateCondition contains condition information for an Certificate.
func (*CertificateCondition) DeepCopy ¶
func (in *CertificateCondition) DeepCopy() *CertificateCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.
func (*CertificateCondition) DeepCopyInto ¶
func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateConditionType ¶
type CertificateConditionType string
CertificateConditionType represents an Certificate condition value.
const ( // CertificateConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target secret exists // - The target secret contains a certificate that has not expired // - The target secret contains a private key valid for the certificate // - The commonName and dnsNames attributes match those specified on the Certificate CertificateConditionReady CertificateConditionType = "Ready" // A condition added to Certificate resources when an issuance is required. // This condition will be automatically added and set to true if: // * No keypair data exists in the target Secret // * The data stored in the Secret cannot be decoded // * The private key and certificate do not have matching public keys // * If a CertificateRequest for the current revision exists and the // certificate data stored in the Secret does not match the // `status.certificate` on the CertificateRequest. // * If no CertificateRequest resource exists for the current revision, // the options on the Certificate resource are compared against the // x509 data in the Secret, similar to what's done in earlier versions. // If there is a mismatch, an issuance is triggered. // This condition may also be added by external API consumers to trigger // a re-issuance manually for any other reason. // // It will be removed by the 'issuing' controller upon completing issuance. CertificateConditionIssuing CertificateConditionType = "Issuing" )
type CertificateKeystores ¶
type CertificateKeystores struct { // JKS configures options for storing a JKS keystore in the // `spec.secretName` Secret resource. JKS *JKSKeystore // PKCS12 configures options for storing a PKCS12 keystore in the // `spec.secretName` Secret resource. PKCS12 *PKCS12Keystore }
CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.
func (*CertificateKeystores) DeepCopy ¶
func (in *CertificateKeystores) DeepCopy() *CertificateKeystores
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.
func (*CertificateKeystores) DeepCopyInto ¶
func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateList ¶
type CertificateList struct { metav1.TypeMeta metav1.ListMeta Items []Certificate }
CertificateList is a list of Certificates
func (*CertificateList) DeepCopy ¶
func (in *CertificateList) DeepCopy() *CertificateList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.
func (*CertificateList) DeepCopyInto ¶
func (in *CertificateList) DeepCopyInto(out *CertificateList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateList) DeepCopyObject ¶
func (in *CertificateList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateOutputFormatType ¶
type CertificateOutputFormatType string
CertificateOutputFormatType specifies which additional output formats should be written to the Certificate's target Secret. Allowed values are `DER` or `CombinedPEM`. When Type is set to `DER` an additional entry `key.der` will be written to the Secret, containing the binary format of the private key. When Type is set to `CombinedPEM` an additional entry `tls-combined.pem` will be written to the Secret, containing the PEM formatted private key and signed certificate chain (tls.key + tls.crt concatenated).
const ( // AdditionalCertificateOutputFormatDER writes the Certificate's private key // in DER binary format to the `key.der` target Secret Data key. AdditionalCertificateOutputFormatDER CertificateOutputFormatType = "DER" // AdditionalCertificateOutputFormatCombinedPEM writes the Certificate's // signed certificate chain and private key, in PEM format, to the // `tls-combined.pem` target Secret Data key. The value at this key will // include the private key PEM document, followed by at least one new line // character, followed by the chain of signed certificate PEM documents // (`<private key> + \n + <signed certificate chain>`). AdditionalCertificateOutputFormatCombinedPEM CertificateOutputFormatType = "CombinedPEM" )
type CertificatePrivateKey ¶
type CertificatePrivateKey struct { // RotationPolicy controls how private keys should be regenerated when a // re-issuance is being processed. // If set to `Never`, a private key will only be generated if one does not // already exist in the target `spec.secretName`. If one does exists but it // does not have the correct algorithm or size, a warning will be raised // to await user intervention. // If set to `Always`, a private key matching the specified requirements // will be generated whenever a re-issuance occurs. // Default is `Never` for backward compatibility. RotationPolicy PrivateKeyRotationPolicy // The private key cryptography standards (PKCS) encoding for this // certificate's private key to be encoded in. // If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 // and PKCS#8, respectively. // Defaults to `PKCS1` if not specified. Encoding PrivateKeyEncoding // Algorithm is the private key algorithm of the corresponding private key // for this certificate. If provided, allowed values are either `RSA` or `ECDSA` // If `algorithm` is specified and `size` is not provided, // key size of `256` will be used for `ECDSA` key algorithm and // key size of `2048` will be used for `RSA` key algorithm. Algorithm PrivateKeyAlgorithm // Size is the key bit size of the corresponding private key for this certificate. // If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, // and will default to `2048` if not specified. // If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, // and will default to `256` if not specified. // No other values are allowed. Size int }
CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. This allows control of how private keys are rotated.
func (*CertificatePrivateKey) DeepCopy ¶
func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.
func (*CertificatePrivateKey) DeepCopyInto ¶
func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequest ¶
type CertificateRequest struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the CertificateRequest resource. Spec CertificateRequestSpec // Status of the CertificateRequest. This is set and managed automatically. Status CertificateRequestStatus }
A CertificateRequest is used to request a signed certificate from one of the configured issuers.
All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.
A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.
func (*CertificateRequest) DeepCopy ¶
func (in *CertificateRequest) DeepCopy() *CertificateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.
func (*CertificateRequest) DeepCopyInto ¶
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequest) DeepCopyObject ¶
func (in *CertificateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestCondition ¶
type CertificateRequestCondition struct { // Type of the condition, known values are (`Ready`, // `InvalidRequest`, `Approved`, `Denied`). Type CertificateRequestConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string }
CertificateRequestCondition contains condition information for a CertificateRequest.
func (*CertificateRequestCondition) DeepCopy ¶
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.
func (*CertificateRequestCondition) DeepCopyInto ¶
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestConditionType ¶
type CertificateRequestConditionType string
CertificateRequestConditionType represents an Certificate condition value.
const ( // CertificateRequestConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target certificate exists in CertificateRequest.Status CertificateRequestConditionReady CertificateRequestConditionType = "Ready" // CertificateRequestConditionInvalidRequest indicates that a certificate // signer has refused to sign the request due to at least one of the input // parameters being invalid. Additional information about why the request // was rejected can be found in the `reason` and `message` fields. CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest" // CertificateRequestConditionApproved indicates that a certificate request // is approved and ready for signing. Condition must never have a status of // `False`, and cannot be modified once set. CertificateRequestConditionApproved CertificateRequestConditionType = "Approved" // CertificateRequestConditionDenied indicates that a certificate request is // denied, and must never be signed. Condition must never have a status of // `False`, and cannot be modified once set. CertificateRequestConditionDenied CertificateRequestConditionType = "Denied" )
type CertificateRequestList ¶
type CertificateRequestList struct { metav1.TypeMeta metav1.ListMeta Items []CertificateRequest }
CertificateRequestList is a list of Certificates
func (*CertificateRequestList) DeepCopy ¶
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.
func (*CertificateRequestList) DeepCopyInto ¶
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequestList) DeepCopyObject ¶
func (in *CertificateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestSpec ¶
type CertificateRequestSpec struct { // The requested 'duration' (i.e. lifetime) of the Certificate. // This option may be ignored/overridden by some issuer types. Duration *metav1.Duration // IssuerRef is a reference to the issuer for this CertificateRequest. If // the `kind` field is not set, or set to `Issuer`, an Issuer resource with // the given name in the same namespace as the CertificateRequest will be // used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with // the provided name will be used. The `name` field in this stanza is // required at all times. The group field refers to the API group of the // issuer which defaults to `cert-manager.io` if empty. IssuerRef cmmeta.ObjectReference // The PEM-encoded x509 certificate signing request to be submitted to the // CA for signing. Request []byte // IsCA will request to mark the certificate as valid for certificate signing // when submitting to the issuer. // This will automatically add the `cert sign` usage to the list of `usages`. IsCA bool // Usages is the set of x509 usages that are requested for the certificate. // Defaults to `digital signature` and `key encipherment` if not specified. Usages []KeyUsage // Username contains the name of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Username string // UID contains the uid of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. UID string // Groups contains group membership of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Groups []string // Extra contains extra attributes of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Extra map[string][]string }
CertificateRequestSpec defines the desired state of CertificateRequest
func (*CertificateRequestSpec) DeepCopy ¶
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.
func (*CertificateRequestSpec) DeepCopyInto ¶
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestStatus ¶
type CertificateRequestStatus struct { // List of status conditions to indicate the status of a CertificateRequest. // Known condition types are `Ready` and `InvalidRequest`. Conditions []CertificateRequestCondition // The PEM encoded x509 certificate resulting from the certificate // signing request. // If not set, the CertificateRequest has either not been completed or has // failed. More information on failure can be found by checking the // `conditions` field. Certificate []byte // The PEM encoded x509 certificate of the signer, also known as the CA // (Certificate Authority). // This is set on a best-effort basis by different issuers. // If not set, the CA is assumed to be unknown/not available. CA []byte // FailureTime stores the time that this CertificateRequest failed. This is // used to influence garbage collection and back-off. FailureTime *metav1.Time }
CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.
func (*CertificateRequestStatus) DeepCopy ¶
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.
func (*CertificateRequestStatus) DeepCopyInto ¶
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSecretTemplate ¶
type CertificateSecretTemplate struct { // Annotations is a key value map to be copied to the target Kubernetes Secret. // +optional Annotations map[string]string // Labels is a key value map to be copied to the target Kubernetes Secret. // +optional Labels map[string]string }
CertificateSecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
func (*CertificateSecretTemplate) DeepCopy ¶
func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSecretTemplate.
func (*CertificateSecretTemplate) DeepCopyInto ¶
func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSpec ¶
type CertificateSpec struct { // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). Subject *X509Subject // CommonName is a common name to be used on the Certificate. // The CommonName should have a length of 64 characters or fewer to avoid // generating invalid CSRs. // This value is ignored by TLS clients when any subject alt name is set. // This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 CommonName string // The requested 'duration' (i.e. lifetime) of the Certificate. // This option may be ignored/overridden by some issuer types. // If overridden and `renewBefore` is greater than the actual certificate // duration, the certificate will be automatically renewed 2/3rds of the // way through the certificate's duration. Duration *metav1.Duration // The amount of time before the currently issued certificate's `notAfter` // time that cert-manager will begin to attempt to renew the certificate. // If this value is greater than the total duration of the certificate // (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of // the way through the certificate's duration. RenewBefore *metav1.Duration // DNSNames is a list of DNS subjectAltNames to be set on the Certificate. DNSNames []string // IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. IPAddresses []string // URISANs is a list of URI subjectAltNames to be set on the Certificate. URISANs []string // EmailSANs is a list of email subjectAltNames to be set on the Certificate. EmailSANs []string // SecretName is the name of the secret resource that will be automatically // created and managed by this Certificate resource. // It will be populated with a private key and certificate, signed by the // denoted issuer. SecretName string // SecretTemplate defines annotations and labels to be copied to the // Certificate's Secret. Labels and annotations on the Secret will be changed // as they appear on the SecretTemplate when added or removed. SecretTemplate // annotations are added in conjunction with, and cannot overwrite, the base // set of annotations cert-manager sets on the Certificate's Secret. SecretTemplate *CertificateSecretTemplate // Keystores configures additional keystore output formats stored in the // `secretName` Secret resource. Keystores *CertificateKeystores // IssuerRef is a reference to the issuer for this certificate. // If the `kind` field is not set, or set to `Issuer`, an Issuer resource // with the given name in the same namespace as the Certificate will be used. // If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the // provided name will be used. // The `name` field in this stanza is required at all times. IssuerRef cmmeta.ObjectReference // IsCA will mark this Certificate as valid for certificate signing. // This will automatically add the `cert sign` usage to the list of `usages`. IsCA bool // Usages is the set of x509 usages that are requested for the certificate. // Defaults to `digital signature` and `key encipherment` if not specified. Usages []KeyUsage // Options to control private keys used for the Certificate. PrivateKey *CertificatePrivateKey // EncodeUsagesInRequest controls whether key usages should be present // in the CertificateRequest EncodeUsagesInRequest *bool // revisionHistoryLimit is the maximum number of CertificateRequest revisions // that are maintained in the Certificate's history. Each revision represents // a single `CertificateRequest` created by this Certificate, either when it // was created, renewed, or Spec was changed. Revisions will be removed by // oldest first if the number of revisions exceeds this number. If set, // revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), // revisions will not be garbage collected. Default value is `nil`. RevisionHistoryLimit *int32 // AdditionalOutputFormats defines extra output formats of the private key // and signed certificate chain to be written to this Certificate's target // Secret. This is an Alpha Feature and is only enabled with the // `--feature-gates=AdditionalCertificateOutputFormats=true` option on both // the controller and webhook components. AdditionalOutputFormats []CertificateAdditionalOutputFormat }
CertificateSpec defines the desired state of Certificate. A valid Certificate requires at least one of a CommonName, DNSName, or URISAN to be valid.
func (*CertificateSpec) DeepCopy ¶
func (in *CertificateSpec) DeepCopy() *CertificateSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.
func (*CertificateSpec) DeepCopyInto ¶
func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateStatus ¶
type CertificateStatus struct { // List of status conditions to indicate the status of certificates. // Known condition types are `Ready` and `Issuing`. Conditions []CertificateCondition // LastFailureTime is the time as recorded by the Certificate controller // of the most recent failure to complete a CertificateRequest for this // Certificate resource. // If set, cert-manager will not re-request another Certificate until // 1 hour has elapsed from this time. LastFailureTime *metav1.Time // The time after which the certificate stored in the secret named // by this resource in spec.secretName is valid. NotBefore *metav1.Time // The expiration time of the certificate stored in the secret named // by this resource in `spec.secretName`. NotAfter *metav1.Time // RenewalTime is the time at which the certificate will be next // renewed. // If not set, no upcoming renewal is scheduled. RenewalTime *metav1.Time // The current 'revision' of the certificate as issued. // // When a CertificateRequest resource is created, it will have the // `cert-manager.io/certificate-revision` set to one greater than the // current value of this field. // // Upon issuance, this field will be set to the value of the annotation // on the CertificateRequest resource used to issue the certificate. // // Persisting the value on the CertificateRequest resource allows the // certificates controller to know whether a request is part of an old // issuance or if it is part of the ongoing revision's issuance by // checking if the revision value in the annotation is greater than this // field. Revision *int // The name of the Secret resource containing the private key to be used // for the next certificate iteration. // The keymanager controller will automatically set this field if the // `Issuing` condition is set to `True`. // It will automatically unset this field when the Issuing condition is // not set or False. NextPrivateKeySecretName *string }
CertificateStatus defines the observed state of Certificate
func (*CertificateStatus) DeepCopy ¶
func (in *CertificateStatus) DeepCopy() *CertificateStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.
func (*CertificateStatus) DeepCopyInto ¶
func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterIssuer ¶
type ClusterIssuer struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the ClusterIssuer resource. Spec IssuerSpec // Status of the ClusterIssuer. This is set and managed automatically. Status IssuerStatus }
A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
func (*ClusterIssuer) Copy ¶
func (c *ClusterIssuer) Copy() GenericIssuer
func (*ClusterIssuer) DeepCopy ¶
func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.
func (*ClusterIssuer) DeepCopyInto ¶
func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuer) DeepCopyObject ¶
func (in *ClusterIssuer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterIssuer) GetObjectMeta ¶
func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterIssuer) GetSpec ¶
func (c *ClusterIssuer) GetSpec() *IssuerSpec
func (*ClusterIssuer) GetStatus ¶
func (c *ClusterIssuer) GetStatus() *IssuerStatus
func (*ClusterIssuer) SetSpec ¶
func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
func (*ClusterIssuer) SetStatus ¶
func (c *ClusterIssuer) SetStatus(status IssuerStatus)
type ClusterIssuerList ¶
type ClusterIssuerList struct { metav1.TypeMeta metav1.ListMeta Items []ClusterIssuer }
ClusterIssuerList is a list of Issuers
func (*ClusterIssuerList) DeepCopy ¶
func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.
func (*ClusterIssuerList) DeepCopyInto ¶
func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuerList) DeepCopyObject ¶
func (in *ClusterIssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenericIssuer ¶
type GenericIssuer interface { runtime.Object metav1.Object GetObjectMeta() *metav1.ObjectMeta GetSpec() *IssuerSpec GetStatus() *IssuerStatus }
type Issuer ¶
type Issuer struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the Issuer resource. Spec IssuerSpec // Status of the Issuer. This is set and managed automatically. Status IssuerStatus }
An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
func (*Issuer) Copy ¶
func (c *Issuer) Copy() GenericIssuer
func (*Issuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.
func (*Issuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Issuer) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Issuer) GetObjectMeta ¶
func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
func (*Issuer) GetSpec ¶
func (c *Issuer) GetSpec() *IssuerSpec
func (*Issuer) GetStatus ¶
func (c *Issuer) GetStatus() *IssuerStatus
func (*Issuer) SetSpec ¶
func (c *Issuer) SetSpec(spec IssuerSpec)
func (*Issuer) SetStatus ¶
func (c *Issuer) SetStatus(status IssuerStatus)
type IssuerCondition ¶
type IssuerCondition struct { // Type of the condition, known values are (`Ready`). Type IssuerConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string // If set, this represents the .metadata.generation that the condition was // set based upon. // For instance, if .metadata.generation is currently 12, but the // .status.condition[x].observedGeneration is 9, the condition is out of date // with respect to the current state of the Issuer. ObservedGeneration int64 }
IssuerCondition contains condition information for an Issuer.
func (*IssuerCondition) DeepCopy ¶
func (in *IssuerCondition) DeepCopy() *IssuerCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.
func (*IssuerCondition) DeepCopyInto ¶
func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerConditionType ¶
type IssuerConditionType string
IssuerConditionType represents an Issuer condition value.
const ( // IssuerConditionReady represents the fact that a given Issuer condition // is in ready state and able to issue certificates. // If the `status` of this condition is `False`, CertificateRequest controllers // should prevent attempts to sign certificates. IssuerConditionReady IssuerConditionType = "Ready" )
type IssuerConfig ¶
type IssuerConfig struct { // ACME configures this issuer to communicate with a RFC8555 (ACME) server // to obtain signed x509 certificates. ACME *cmacme.ACMEIssuer // CA configures this issuer to sign certificates using a signing CA keypair // stored in a Secret resource. // This is used to build internal PKIs that are managed by cert-manager. CA *CAIssuer // Vault configures this issuer to sign certificates using a HashiCorp Vault // PKI backend. Vault *VaultIssuer // SelfSigned configures this issuer to 'self sign' certificates using the // private key used to create the CertificateRequest object. SelfSigned *SelfSignedIssuer // Venafi configures this issuer to sign certificates using a Venafi TPP // or Venafi Cloud policy zone. Venafi *VenafiIssuer }
IssuerConfig is a generic wrapper around custom issuer types
func (*IssuerConfig) DeepCopy ¶
func (in *IssuerConfig) DeepCopy() *IssuerConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.
func (*IssuerConfig) DeepCopyInto ¶
func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerList ¶
IssuerList is a list of Issuers
func (*IssuerList) DeepCopy ¶
func (in *IssuerList) DeepCopy() *IssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.
func (*IssuerList) DeepCopyInto ¶
func (in *IssuerList) DeepCopyInto(out *IssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IssuerList) DeepCopyObject ¶
func (in *IssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type IssuerSpec ¶
type IssuerSpec struct {
IssuerConfig
}
IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.
func (*IssuerSpec) DeepCopy ¶
func (in *IssuerSpec) DeepCopy() *IssuerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.
func (*IssuerSpec) DeepCopyInto ¶
func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerStatus ¶
type IssuerStatus struct { // List of status conditions to indicate the status of a CertificateRequest. // Known condition types are `Ready`. Conditions []IssuerCondition // ACME specific status options. // This field should only be set if the Issuer is configured to use an ACME // server to issue certificates. ACME *cmacme.ACMEIssuerStatus }
IssuerStatus contains status information about an Issuer
func (*IssuerStatus) ACMEStatus ¶
func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus
TODO: refactor these functions away
func (*IssuerStatus) DeepCopy ¶
func (in *IssuerStatus) DeepCopy() *IssuerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.
func (*IssuerStatus) DeepCopyInto ¶
func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JKSKeystore ¶
type JKSKeystore struct { // Create enables JKS keystore creation for the Certificate. // If true, a file named `keystore.jks` will be created in the target // Secret resource, encrypted using the password stored in // `passwordSecretRef`. // The keystore file will only be updated upon re-issuance. Create bool // PasswordSecretRef is a reference to a key in a Secret resource // containing the password used to encrypt the JKS keystore. PasswordSecretRef cmmeta.SecretKeySelector }
JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
func (*JKSKeystore) DeepCopy ¶
func (in *JKSKeystore) DeepCopy() *JKSKeystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.
func (*JKSKeystore) DeepCopyInto ¶
func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeyUsage ¶
type KeyUsage string
KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
const ( UsageSigning KeyUsage = "signing" UsageDigitalSignature KeyUsage = "digital signature" UsageContentCommitment KeyUsage = "content commitment" UsageKeyEncipherment KeyUsage = "key encipherment" UsageKeyAgreement KeyUsage = "key agreement" UsageDataEncipherment KeyUsage = "data encipherment" UsageCertSign KeyUsage = "cert sign" UsageCRLSign KeyUsage = "crl sign" UsageEncipherOnly KeyUsage = "encipher only" UsageDecipherOnly KeyUsage = "decipher only" UsageAny KeyUsage = "any" UsageServerAuth KeyUsage = "server auth" UsageClientAuth KeyUsage = "client auth" UsageCodeSigning KeyUsage = "code signing" UsageEmailProtection KeyUsage = "email protection" UsageSMIME KeyUsage = "s/mime" UsageIPsecEndSystem KeyUsage = "ipsec end system" UsageIPsecTunnel KeyUsage = "ipsec tunnel" UsageIPsecUser KeyUsage = "ipsec user" UsageTimestamping KeyUsage = "timestamping" UsageOCSPSigning KeyUsage = "ocsp signing" UsageMicrosoftSGC KeyUsage = "microsoft sgc" UsageNetscapeSGC KeyUsage = "netscape sgc" )
type PKCS12Keystore ¶
type PKCS12Keystore struct { // Create enables PKCS12 keystore creation for the Certificate. // If true, a file named `keystore.p12` will be created in the target // Secret resource, encrypted using the password stored in // `passwordSecretRef`. // The keystore file will only be updated upon re-issuance. Create bool // PasswordSecretRef is a reference to a key in a Secret resource // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector }
PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
func (*PKCS12Keystore) DeepCopy ¶
func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.
func (*PKCS12Keystore) DeepCopyInto ¶
func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PrivateKeyAlgorithm ¶
type PrivateKeyAlgorithm string
const ( // Denotes the RSA private key type. RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA" // Denotes the ECDSA private key type. ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA" // Denotes the Ed25519 private key type. Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519" )
type PrivateKeyEncoding ¶
type PrivateKeyEncoding string
const ( // PKCS1 key encoding will produce PEM files that include the type of // private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`. // If the keyAlgorithm is set to 'ECDSA', this will produce private keys // that use the `BEGIN EC PRIVATE KEY` header. PKCS1 PrivateKeyEncoding = "PKCS1" // PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY` // header. It encodes the keyAlgorithm of the private key as part of the // DER encoded PEM block. PKCS8 PrivateKeyEncoding = "PKCS8" )
type PrivateKeyRotationPolicy ¶
type PrivateKeyRotationPolicy string
Denotes how private keys should be generated or sourced when a Certificate is being issued.
var ( // RotationPolicyNever means a private key will only be generated if one // does not already exist in the target `spec.secretName`. // If one does exists but it does not have the correct algorithm or size, // a warning will be raised to await user intervention. RotationPolicyNever PrivateKeyRotationPolicy = "Never" // RotationPolicyAlways means a private key matching the specified // requirements will be generated whenever a re-issuance occurs. RotationPolicyAlways PrivateKeyRotationPolicy = "Always" )
type SelfSignedIssuer ¶
type SelfSignedIssuer struct { // The CRL distribution points is an X.509 v3 certificate extension which identifies // the location of the CRL from which the revocation of this certificate can be checked. // If not set certificate will be issued without CDP. Values are strings. CRLDistributionPoints []string }
SelfSignedIssuer configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
func (*SelfSignedIssuer) DeepCopy ¶
func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.
func (*SelfSignedIssuer) DeepCopyInto ¶
func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAppRole ¶
type VaultAppRole struct { // Path where the App Role authentication backend is mounted in Vault, e.g: // "approle" Path string // RoleID configured in the App Role authentication backend when setting // up the authentication backend in Vault. RoleId string // Reference to a key in a Secret that contains the App Role secret used // to authenticate with Vault. // The `key` field must be specified and denotes which entry within the Secret // resource is used as the app role secret. SecretRef cmmeta.SecretKeySelector }
VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
func (*VaultAppRole) DeepCopy ¶
func (in *VaultAppRole) DeepCopy() *VaultAppRole
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
func (*VaultAppRole) DeepCopyInto ¶
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAuth ¶
type VaultAuth struct { // TokenSecretRef authenticates with Vault by presenting a token. TokenSecretRef *cmmeta.SecretKeySelector // AppRole authenticates with Vault using the App Role auth mechanism, // with the role and secret stored in a Kubernetes Secret resource. AppRole *VaultAppRole // Kubernetes authenticates with Vault by passing the ServiceAccount // token stored in the named Secret resource to the Vault server. Kubernetes *VaultKubernetesAuth }
VaultAuth is configuration used to authenticate with a Vault server. Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
func (*VaultAuth) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
func (*VaultAuth) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultIssuer ¶
type VaultIssuer struct { // Auth configures how cert-manager authenticates with the Vault server. Auth VaultAuth // Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Server string // Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: // "my_pki_mount/sign/my-role-name". Path string // Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" // More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces Namespace string // PEM-encoded CA bundle (base64-encoded) used to validate Vault server // certificate. Only used if the Server URL is using HTTPS protocol. This // parameter is ignored for plain HTTP protocol connection. If not set the // system root certificates are used to validate the TLS connection. CABundle []byte }
VaultIssuer configures an issuer to sign certificates using a HashiCorp Vault PKI backend.
func (*VaultIssuer) DeepCopy ¶
func (in *VaultIssuer) DeepCopy() *VaultIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.
func (*VaultIssuer) DeepCopyInto ¶
func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultKubernetesAuth ¶
type VaultKubernetesAuth struct { // The Vault mountPath here is the mount path to use when authenticating with // Vault. For example, setting a value to `/v1/auth/foo`, will use the path // `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the // default value "/v1/auth/kubernetes" will be used. Path string // The required Secret field containing a Kubernetes ServiceAccount JWT used // for authenticating with Vault. Use of 'ambient credentials' is not // supported. SecretRef cmmeta.SecretKeySelector // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string }
VaultKubernetesAuth is used to authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.
func (*VaultKubernetesAuth) DeepCopy ¶
func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
func (*VaultKubernetesAuth) DeepCopyInto ¶
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiCloud ¶
type VenafiCloud struct { // URL is the base URL for Venafi Cloud. // Defaults to "https://api.venafi.cloud/v1". URL string // APITokenSecretRef is a secret key selector for the Venafi Cloud API token. APITokenSecretRef cmmeta.SecretKeySelector }
VenafiCloud defines connection configuration details for Venafi Cloud
func (*VenafiCloud) DeepCopy ¶
func (in *VenafiCloud) DeepCopy() *VenafiCloud
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.
func (*VenafiCloud) DeepCopyInto ¶
func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiIssuer ¶
type VenafiIssuer struct { // Zone is the Venafi Policy Zone to use for this issuer. // All requests made to the Venafi platform will be restricted by the named // zone policy. // This field is required. Zone string // TPP specifies Trust Protection Platform configuration settings. // Only one of TPP or Cloud may be specified. TPP *VenafiTPP // Cloud specifies the Venafi cloud configuration settings. // Only one of TPP or Cloud may be specified. Cloud *VenafiCloud }
VenafiIssuer configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.
func (*VenafiIssuer) DeepCopy ¶
func (in *VenafiIssuer) DeepCopy() *VenafiIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.
func (*VenafiIssuer) DeepCopyInto ¶
func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiTPP ¶
type VenafiTPP struct { // URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, // for example: "https://tpp.example.com/vedsdk". URL string // CredentialsRef is a reference to a Secret containing the username and // password for the TPP server. // The secret must contain two keys, 'username' and 'password'. CredentialsRef cmmeta.LocalObjectReference // CABundle is a PEM encoded TLS certificate to use to verify connections to // the TPP instance. // If specified, system roots will not be used and the issuing CA for the // TPP instance must be verifiable using the provided root. // If not specified, the connection will be verified using the cert-manager // system root certificates. CABundle []byte }
VenafiTPP defines connection configuration details for a Venafi TPP instance
func (*VenafiTPP) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.
func (*VenafiTPP) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type X509Subject ¶
type X509Subject struct { // Organizations to be used on the Certificate. Organizations []string // Countries to be used on the Certificate. Countries []string // Organizational Units to be used on the Certificate. OrganizationalUnits []string // Cities to be used on the Certificate. Localities []string // State/Provinces to be used on the Certificate. Provinces []string // Street addresses to be used on the Certificate. StreetAddresses []string // Postal codes to be used on the Certificate. PostalCodes []string // Serial number to be used on the Certificate. SerialNumber string }
X509Subject Full X509 name specification
func (*X509Subject) DeepCopy ¶
func (in *X509Subject) DeepCopy() *X509Subject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.
func (*X509Subject) DeepCopyInto ¶
func (in *X509Subject) DeepCopyInto(out *X509Subject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |