Documentation ¶
Overview ¶
Package certmanager is the internal version of the API. +groupName=cert-manager.io
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type CAIssuer
- type Certificate
- type CertificateCondition
- type CertificateConditionType
- type CertificateKeystores
- type CertificateList
- type CertificatePrivateKey
- type CertificateRequest
- type CertificateRequestCondition
- type CertificateRequestConditionType
- type CertificateRequestList
- type CertificateRequestSpec
- type CertificateRequestStatus
- type CertificateSecretTemplate
- type CertificateSpec
- type CertificateStatus
- type ClusterIssuer
- func (c *ClusterIssuer) Copy() GenericIssuer
- func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
- func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
- func (in *ClusterIssuer) DeepCopyObject() runtime.Object
- func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *ClusterIssuer) GetSpec() *IssuerSpec
- func (c *ClusterIssuer) GetStatus() *IssuerStatus
- func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
- func (c *ClusterIssuer) SetStatus(status IssuerStatus)
- type ClusterIssuerList
- type GenericIssuer
- type Issuer
- func (c *Issuer) Copy() GenericIssuer
- func (in *Issuer) DeepCopy() *Issuer
- func (in *Issuer) DeepCopyInto(out *Issuer)
- func (in *Issuer) DeepCopyObject() runtime.Object
- func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
- func (c *Issuer) GetSpec() *IssuerSpec
- func (c *Issuer) GetStatus() *IssuerStatus
- func (c *Issuer) SetSpec(spec IssuerSpec)
- func (c *Issuer) SetStatus(status IssuerStatus)
- type IssuerCondition
- type IssuerConditionType
- type IssuerConfig
- type IssuerList
- type IssuerSpec
- type IssuerStatus
- type JKSKeystore
- type KeyUsage
- type PKCS12Keystore
- type PrivateKeyAlgorithm
- type PrivateKeyEncoding
- type PrivateKeyRotationPolicy
- type SelfSignedIssuer
- type VaultAppRole
- type VaultAuth
- type VaultIssuer
- type VaultKubernetesAuth
- type VenafiCloud
- type VenafiIssuer
- type VenafiTPP
- type X509Subject
Constants ¶
const ( // Annotation key for DNS subjectAltNames. AltNamesAnnotationKey = "cert-manager.io/alt-names" // Annotation key for IP subjectAltNames. IPSANAnnotationKey = "cert-manager.io/ip-sans" // Annotation key for URI subjectAltNames. URISANAnnotationKey = "cert-manager.io/uri-sans" // Annotation key for certificate common name. CommonNameAnnotationKey = "cert-manager.io/common-name" // Annotation key the 'name' of the Issuer resource. IssuerNameAnnotationKey = "cert-manager.io/issuer-name" // Annotation key for the 'kind' of the Issuer resource. IssuerKindAnnotationKey = "cert-manager.io/issuer-kind" // Annotation key for the 'group' of the Issuer resource. IssuerGroupAnnotationKey = "cert-manager.io/issuer-group" // Annotation key for the name of the certificate that a resource is related to. CertificateNameKey = "cert-manager.io/certificate-name" // Annotation key used to denote whether a Secret is named on a Certificate // as a 'next private key' Secret resource. IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key" )
Common annotation keys added to resources.
const ( // issuerNameAnnotation can be used to override the issuer specified on the // created Certificate resource. IngressIssuerNameAnnotationKey = "cert-manager.io/issuer" // clusterIssuerNameAnnotation can be used to override the issuer specified on the // created Certificate resource. The Certificate will reference the // specified *ClusterIssuer* instead of normal issuer. IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer" // acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass // if the challenge type is set to http01 IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class" // IngressClassAnnotationKey picks a specific "class" for the Ingress. The // controller only processes Ingresses with this annotation either unset, or // set to either the configured value or the empty string. IngressClassAnnotationKey = "kubernetes.io/ingress.class" )
const ( // Annotation added to CertificateRequest resources to denote the name of // a Secret resource containing the private key used to sign the CSR stored // on the resource. // This annotation *may* not be present, and is used by the 'self signing' // issuer type to self-sign certificates. CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name" // Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision" )
Annotation names for CertificateRequests
const ( ClusterIssuerKind = "ClusterIssuer" IssuerKind = "Issuer" CertificateKind = "Certificate" CertificateRequestKind = "CertificateRequest" )
Common/known resource kinds.
const ( // WantInjectAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a certificate // as namespace/name. The certificate is expected to have the is-serving-for annotations. WantInjectAnnotation = "cert-manager.io/inject-ca-from" // WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector // inject the CA certificate for the Kubernetes apiserver into the resource. // It discovers the apiserver's CA by inspecting the service account credentials // mounted into the cainjector pod. WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca" // WantInjectFromSecretAnnotation is the annotation that specifies that a particular // object wants injection of CAs. It takes the form of a reference to a Secret // as namespace/name. WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret" // AllowsInjectionFromSecretAnnotation is an annotation that must be added // to Secret resource that want to denote that they can be directly // injected into injectables that have a `inject-ca-from-secret` annotation. // If an injectable references a Secret that does NOT have this annotation, // the cainjector will refuse to inject the secret. AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection" )
const ( // Pending indicates that a CertificateRequest is still in progress. CertificateRequestReasonPending = "Pending" // Failed indicates that a CertificateRequest has failed, either due to // timing out or some other critical failure. CertificateRequestReasonFailed = "Failed" // Issued indicates that a CertificateRequest has been completed, and that // the `status.certificate` field is set. CertificateRequestReasonIssued = "Issued" )
const ( // IssueTemporaryCertificateAnnotation is an annotation that can be added to // Certificate resources. // If it is present, a temporary internally signed certificate will be // stored in the target Secret resource whilst the real Issuer is processing // the certificate request. IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate" )
const ( // VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer // This will only work with Venafi TPP v19.3 and higher // The value is an array with objects containing the name and value keys // for example: `[{"name": "custom-field", "value": "custom-value"}]` VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields" )
Issuer specific Annotations
Variables ¶
var ( SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: runtime.APIVersionInternal}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type CAIssuer ¶
type CAIssuer struct { // SecretName is the name of the secret used to sign Certificates issued // by this Issuer. SecretName string // The CRL distribution points is an X.509 v3 certificate extension which identifies // the location of the CRL from which the revocation of this certificate can be checked. // If not set, certificates will be issued without distribution points set. CRLDistributionPoints []string // The OCSP server list is an X.509 v3 extension that defines a list of // URLs of OCSP responders. The OCSP responders can be queried for the // revocation status of an issued certificate. If not set, the // certificate will be issued with no OCSP servers set. For example, an // OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". OCSPServers []string }
func (*CAIssuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.
func (*CAIssuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Certificate ¶
type Certificate struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the Certificate resource. Spec CertificateSpec // Status of the Certificate. This is set and managed automatically. Status CertificateStatus }
A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
func (*Certificate) DeepCopy ¶
func (in *Certificate) DeepCopy() *Certificate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.
func (*Certificate) DeepCopyInto ¶
func (in *Certificate) DeepCopyInto(out *Certificate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Certificate) DeepCopyObject ¶
func (in *Certificate) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateCondition ¶
type CertificateCondition struct { // Type of the condition, known values are (`Ready`, `Issuing`). Type CertificateConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string // If set, this represents the .metadata.generation that the condition was // set based upon. // For instance, if .metadata.generation is currently 12, but the // .status.condition[x].observedGeneration is 9, the condition is out of date // with respect to the current state of the Certificate. ObservedGeneration int64 }
CertificateCondition contains condition information for an Certificate.
func (*CertificateCondition) DeepCopy ¶
func (in *CertificateCondition) DeepCopy() *CertificateCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.
func (*CertificateCondition) DeepCopyInto ¶
func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateConditionType ¶
type CertificateConditionType string
CertificateConditionType represents an Certificate condition value.
const ( // CertificateConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target secret exists // - The target secret contains a certificate that has not expired // - The target secret contains a private key valid for the certificate // - The commonName and dnsNames attributes match those specified on the Certificate CertificateConditionReady CertificateConditionType = "Ready" // A condition added to Certificate resources when an issuance is required. // This condition will be automatically added and set to true if: // * No keypair data exists in the target Secret // * The data stored in the Secret cannot be decoded // * The private key and certificate do not have matching public keys // * If a CertificateRequest for the current revision exists and the // certificate data stored in the Secret does not match the // `status.certificate` on the CertificateRequest. // * If no CertificateRequest resource exists for the current revision, // the options on the Certificate resource are compared against the // x509 data in the Secret, similar to what's done in earlier versions. // If there is a mismatch, an issuance is triggered. // This condition may also be added by external API consumers to trigger // a re-issuance manually for any other reason. // // It will be removed by the 'issuing' controller upon completing issuance. CertificateConditionIssuing CertificateConditionType = "Issuing" )
type CertificateKeystores ¶ added in v0.15.0
type CertificateKeystores struct { // JKS configures options for storing a JKS keystore in the // `spec.secretName` Secret resource. JKS *JKSKeystore // PKCS12 configures options for storing a PKCS12 keystore in the // `spec.secretName` Secret resource. PKCS12 *PKCS12Keystore }
CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.
func (*CertificateKeystores) DeepCopy ¶ added in v0.15.0
func (in *CertificateKeystores) DeepCopy() *CertificateKeystores
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.
func (*CertificateKeystores) DeepCopyInto ¶ added in v0.15.0
func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateList ¶
type CertificateList struct { metav1.TypeMeta metav1.ListMeta Items []Certificate }
CertificateList is a list of Certificates
func (*CertificateList) DeepCopy ¶
func (in *CertificateList) DeepCopy() *CertificateList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.
func (*CertificateList) DeepCopyInto ¶
func (in *CertificateList) DeepCopyInto(out *CertificateList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateList) DeepCopyObject ¶
func (in *CertificateList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificatePrivateKey ¶ added in v0.15.0
type CertificatePrivateKey struct { // RotationPolicy controls how private keys should be regenerated when a // re-issuance is being processed. // If set to `Never`, a private key will only be generated if one does not // already exist in the target `spec.secretName`. If one does exists but it // does not have the correct algorithm or size, a warning will be raised // to await user intervention. // If set to `Always`, a private key matching the specified requirements // will be generated whenever a re-issuance occurs. // Default is `Never` for backward compatibility. RotationPolicy PrivateKeyRotationPolicy // The private key cryptography standards (PKCS) encoding for this // certificate's private key to be encoded in. // If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 // and PKCS#8, respectively. // Defaults to `PKCS1` if not specified. Encoding PrivateKeyEncoding // Algorithm is the private key algorithm of the corresponding private key // for this certificate. If provided, allowed values are either `RSA` or `ECDSA` // If `algorithm` is specified and `size` is not provided, // key size of `256` will be used for `ECDSA` key algorithm and // key size of `2048` will be used for `RSA` key algorithm. Algorithm PrivateKeyAlgorithm // Size is the key bit size of the corresponding private key for this certificate. // If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, // and will default to `2048` if not specified. // If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, // and will default to `256` if not specified. // No other values are allowed. Size int }
CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. This allows control of how private keys are rotated.
func (*CertificatePrivateKey) DeepCopy ¶ added in v0.15.0
func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.
func (*CertificatePrivateKey) DeepCopyInto ¶ added in v0.15.0
func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequest ¶
type CertificateRequest struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the CertificateRequest resource. Spec CertificateRequestSpec // Status of the CertificateRequest. This is set and managed automatically. Status CertificateRequestStatus }
A CertificateRequest is used to request a signed certificate from one of the configured issuers.
All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.
A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.
func (*CertificateRequest) DeepCopy ¶
func (in *CertificateRequest) DeepCopy() *CertificateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.
func (*CertificateRequest) DeepCopyInto ¶
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequest) DeepCopyObject ¶
func (in *CertificateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestCondition ¶
type CertificateRequestCondition struct { // Type of the condition, known values are (`Ready`, // `InvalidRequest`, `Approved`, `Denied`). Type CertificateRequestConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string }
CertificateRequestCondition contains condition information for a CertificateRequest.
func (*CertificateRequestCondition) DeepCopy ¶
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.
func (*CertificateRequestCondition) DeepCopyInto ¶
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestConditionType ¶
type CertificateRequestConditionType string
CertificateRequestConditionType represents an Certificate condition value.
const ( // CertificateRequestConditionReady indicates that a certificate is ready for use. // This is defined as: // - The target certificate exists in CertificateRequest.Status CertificateRequestConditionReady CertificateRequestConditionType = "Ready" // CertificateRequestConditionInvalidRequest indicates that a certificate // signer has refused to sign the request due to at least one of the input // parameters being invalid. Additional information about why the request // was rejected can be found in the `reason` and `message` fields. CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest" // CertificateRequestConditionApproved indicates that a certificate request // is approved and ready for signing. Condition must never have a status of // `False`, and cannot be modified once set. CertificateRequestConditionApproved CertificateRequestConditionType = "Approved" // CertificateRequestConditionDenied indicates that a certificate request is // denied, and must never be signed. Condition must never have a status of // `False`, and cannot be modified once set. CertificateRequestConditionDenied CertificateRequestConditionType = "Denied" )
type CertificateRequestList ¶
type CertificateRequestList struct { metav1.TypeMeta metav1.ListMeta Items []CertificateRequest }
CertificateRequestList is a list of Certificates
func (*CertificateRequestList) DeepCopy ¶
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.
func (*CertificateRequestList) DeepCopyInto ¶
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequestList) DeepCopyObject ¶
func (in *CertificateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestSpec ¶
type CertificateRequestSpec struct { // The requested 'duration' (i.e. lifetime) of the Certificate. // This option may be ignored/overridden by some issuer types. Duration *metav1.Duration // IssuerRef is a reference to the issuer for this CertificateRequest. If // the `kind` field is not set, or set to `Issuer`, an Issuer resource with // the given name in the same namespace as the CertificateRequest will be // used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with // the provided name will be used. The `name` field in this stanza is // required at all times. The group field refers to the API group of the // issuer which defaults to `cert-manager.io` if empty. IssuerRef cmmeta.ObjectReference // The PEM-encoded x509 certificate signing request to be submitted to the // CA for signing. Request []byte // IsCA will request to mark the certificate as valid for certificate signing // when submitting to the issuer. // This will automatically add the `cert sign` usage to the list of `usages`. IsCA bool // Usages is the set of x509 usages that are requested for the certificate. // Defaults to `digital signature` and `key encipherment` if not specified. Usages []KeyUsage // Username contains the name of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Username string // UID contains the uid of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. UID string // Groups contains group membership of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Groups []string // Extra contains extra attributes of the user that created the CertificateRequest. // Populated by the cert-manager webhook on creation and immutable. Extra map[string][]string }
CertificateRequestSpec defines the desired state of CertificateRequest
func (*CertificateRequestSpec) DeepCopy ¶
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.
func (*CertificateRequestSpec) DeepCopyInto ¶
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestStatus ¶
type CertificateRequestStatus struct { // List of status conditions to indicate the status of a CertificateRequest. // Known condition types are `Ready` and `InvalidRequest`. Conditions []CertificateRequestCondition // The PEM encoded x509 certificate resulting from the certificate // signing request. // If not set, the CertificateRequest has either not been completed or has // failed. More information on failure can be found by checking the // `conditions` field. Certificate []byte // The PEM encoded x509 certificate of the signer, also known as the CA // (Certificate Authority). // This is set on a best-effort basis by different issuers. // If not set, the CA is assumed to be unknown/not available. CA []byte // FailureTime stores the time that this CertificateRequest failed. This is // used to influence garbage collection and back-off. FailureTime *metav1.Time }
CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.
func (*CertificateRequestStatus) DeepCopy ¶
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.
func (*CertificateRequestStatus) DeepCopyInto ¶
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSecretTemplate ¶ added in v1.5.1
type CertificateSecretTemplate struct { // Annotations is a key value map to be copied to the target Kubernetes Secret. // +optional Annotations map[string]string `json:"annotations,omitempty"` // Labels is a key value map to be copied to the target Kubernetes Secret. // +optional Labels map[string]string `json:"labels,omitempty"` }
CertificateSecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
func (*CertificateSecretTemplate) DeepCopy ¶ added in v1.5.1
func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSecretTemplate.
func (*CertificateSecretTemplate) DeepCopyInto ¶ added in v1.5.1
func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateSpec ¶
type CertificateSpec struct { // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). Subject *X509Subject // CommonName is a common name to be used on the Certificate. // The CommonName should have a length of 64 characters or fewer to avoid // generating invalid CSRs. // This value is ignored by TLS clients when any subject alt name is set. // This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4 CommonName string // The requested 'duration' (i.e. lifetime) of the Certificate. // This option may be ignored/overridden by some issuer types. // If overridden and `renewBefore` is greater than the actual certificate // duration, the certificate will be automatically renewed 2/3rds of the // way through the certificate's duration. Duration *metav1.Duration // The amount of time before the currently issued certificate's `notAfter` // time that cert-manager will begin to attempt to renew the certificate. // If this value is greater than the total duration of the certificate // (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of // the way through the certificate's duration. RenewBefore *metav1.Duration // DNSNames is a list of DNS subjectAltNames to be set on the Certificate. DNSNames []string // IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. IPAddresses []string // URISANs is a list of URI subjectAltNames to be set on the Certificate. URISANs []string // EmailSANs is a list of email subjectAltNames to be set on the Certificate. EmailSANs []string // SecretName is the name of the secret resource that will be automatically // created and managed by this Certificate resource. // It will be populated with a private key and certificate, signed by the // denoted issuer. SecretName string // SecretTemplate defines annotations and labels to be propagated // to the Kubernetes Secret when it is created or updated. Once created, // labels and annotations are not yet removed from the Secret when they are // removed from the template. See https://github.com/jetstack/cert-manager/issues/4292 // +optional SecretTemplate *CertificateSecretTemplate `json:"secretTemplate,omitempty"` // Keystores configures additional keystore output formats stored in the // `secretName` Secret resource. Keystores *CertificateKeystores // IssuerRef is a reference to the issuer for this certificate. // If the `kind` field is not set, or set to `Issuer`, an Issuer resource // with the given name in the same namespace as the Certificate will be used. // If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the // provided name will be used. // The `name` field in this stanza is required at all times. IssuerRef cmmeta.ObjectReference // IsCA will mark this Certificate as valid for certificate signing. // This will automatically add the `cert sign` usage to the list of `usages`. IsCA bool // Usages is the set of x509 usages that are requested for the certificate. // Defaults to `digital signature` and `key encipherment` if not specified. Usages []KeyUsage // Options to control private keys used for the Certificate. PrivateKey *CertificatePrivateKey // EncodeUsagesInRequest controls whether key usages should be present // in the CertificateRequest EncodeUsagesInRequest *bool // revisionHistoryLimit is the maximum number of CertificateRequest revisions // that are maintained in the Certificate's history. Each revision represents // a single `CertificateRequest` created by this Certificate, either when it // was created, renewed, or Spec was changed. Revisions will be removed by // oldest first if the number of revisions exceeds this number. If set, // revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), // revisions will not be garbage collected. Default value is `nil`. RevisionHistoryLimit *int32 }
CertificateSpec defines the desired state of Certificate. A valid Certificate requires at least one of a CommonName, DNSName, or URISAN to be valid.
func (*CertificateSpec) DeepCopy ¶
func (in *CertificateSpec) DeepCopy() *CertificateSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.
func (*CertificateSpec) DeepCopyInto ¶
func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateStatus ¶
type CertificateStatus struct { // List of status conditions to indicate the status of certificates. // Known condition types are `Ready` and `Issuing`. Conditions []CertificateCondition // LastFailureTime is the time as recorded by the Certificate controller // of the most recent failure to complete a CertificateRequest for this // Certificate resource. // If set, cert-manager will not re-request another Certificate until // 1 hour has elapsed from this time. LastFailureTime *metav1.Time // The time after which the certificate stored in the secret named // by this resource in spec.secretName is valid. NotBefore *metav1.Time // The expiration time of the certificate stored in the secret named // by this resource in `spec.secretName`. NotAfter *metav1.Time // RenewalTime is the time at which the certificate will be next // renewed. // If not set, no upcoming renewal is scheduled. RenewalTime *metav1.Time // The current 'revision' of the certificate as issued. // // When a CertificateRequest resource is created, it will have the // `cert-manager.io/certificate-revision` set to one greater than the // current value of this field. // // Upon issuance, this field will be set to the value of the annotation // on the CertificateRequest resource used to issue the certificate. // // Persisting the value on the CertificateRequest resource allows the // certificates controller to know whether a request is part of an old // issuance or if it is part of the ongoing revision's issuance by // checking if the revision value in the annotation is greater than this // field. Revision *int // The name of the Secret resource containing the private key to be used // for the next certificate iteration. // The keymanager controller will automatically set this field if the // `Issuing` condition is set to `True`. // It will automatically unset this field when the Issuing condition is // not set or False. NextPrivateKeySecretName *string }
CertificateStatus defines the observed state of Certificate
func (*CertificateStatus) DeepCopy ¶
func (in *CertificateStatus) DeepCopy() *CertificateStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.
func (*CertificateStatus) DeepCopyInto ¶
func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterIssuer ¶
type ClusterIssuer struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the ClusterIssuer resource. Spec IssuerSpec // Status of the ClusterIssuer. This is set and managed automatically. Status IssuerStatus }
A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.
func (*ClusterIssuer) Copy ¶ added in v0.13.0
func (c *ClusterIssuer) Copy() GenericIssuer
func (*ClusterIssuer) DeepCopy ¶
func (in *ClusterIssuer) DeepCopy() *ClusterIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.
func (*ClusterIssuer) DeepCopyInto ¶
func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuer) DeepCopyObject ¶
func (in *ClusterIssuer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterIssuer) GetObjectMeta ¶ added in v0.13.0
func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterIssuer) GetSpec ¶ added in v0.13.0
func (c *ClusterIssuer) GetSpec() *IssuerSpec
func (*ClusterIssuer) GetStatus ¶ added in v0.13.0
func (c *ClusterIssuer) GetStatus() *IssuerStatus
func (*ClusterIssuer) SetSpec ¶ added in v0.13.0
func (c *ClusterIssuer) SetSpec(spec IssuerSpec)
func (*ClusterIssuer) SetStatus ¶ added in v0.13.0
func (c *ClusterIssuer) SetStatus(status IssuerStatus)
type ClusterIssuerList ¶
type ClusterIssuerList struct { metav1.TypeMeta metav1.ListMeta Items []ClusterIssuer }
ClusterIssuerList is a list of Issuers
func (*ClusterIssuerList) DeepCopy ¶
func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.
func (*ClusterIssuerList) DeepCopyInto ¶
func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterIssuerList) DeepCopyObject ¶
func (in *ClusterIssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenericIssuer ¶ added in v0.13.0
type GenericIssuer interface { runtime.Object metav1.Object GetObjectMeta() *metav1.ObjectMeta GetSpec() *IssuerSpec GetStatus() *IssuerStatus }
type Issuer ¶
type Issuer struct { metav1.TypeMeta metav1.ObjectMeta // Desired state of the Issuer resource. Spec IssuerSpec // Status of the Issuer. This is set and managed automatically. Status IssuerStatus }
An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.
func (*Issuer) Copy ¶ added in v0.13.0
func (c *Issuer) Copy() GenericIssuer
func (*Issuer) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.
func (*Issuer) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Issuer) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*Issuer) GetObjectMeta ¶ added in v0.13.0
func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta
func (*Issuer) GetSpec ¶ added in v0.13.0
func (c *Issuer) GetSpec() *IssuerSpec
func (*Issuer) GetStatus ¶ added in v0.13.0
func (c *Issuer) GetStatus() *IssuerStatus
func (*Issuer) SetSpec ¶ added in v0.13.0
func (c *Issuer) SetSpec(spec IssuerSpec)
func (*Issuer) SetStatus ¶ added in v0.13.0
func (c *Issuer) SetStatus(status IssuerStatus)
type IssuerCondition ¶
type IssuerCondition struct { // Type of the condition, known values are (`Ready`). Type IssuerConditionType // Status of the condition, one of (`True`, `False`, `Unknown`). Status cmmeta.ConditionStatus // LastTransitionTime is the timestamp corresponding to the last status // change of this condition. LastTransitionTime *metav1.Time // Reason is a brief machine readable explanation for the condition's last // transition. Reason string // Message is a human readable description of the details of the last // transition, complementing reason. Message string // If set, this represents the .metadata.generation that the condition was // set based upon. // For instance, if .metadata.generation is currently 12, but the // .status.condition[x].observedGeneration is 9, the condition is out of date // with respect to the current state of the Issuer. ObservedGeneration int64 }
IssuerCondition contains condition information for an Issuer.
func (*IssuerCondition) DeepCopy ¶
func (in *IssuerCondition) DeepCopy() *IssuerCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.
func (*IssuerCondition) DeepCopyInto ¶
func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerConditionType ¶
type IssuerConditionType string
IssuerConditionType represents an Issuer condition value.
const ( // IssuerConditionReady represents the fact that a given Issuer condition // is in ready state and able to issue certificates. // If the `status` of this condition is `False`, CertificateRequest controllers // should prevent attempts to sign certificates. IssuerConditionReady IssuerConditionType = "Ready" )
type IssuerConfig ¶
type IssuerConfig struct { // ACME configures this issuer to communicate with a RFC8555 (ACME) server // to obtain signed x509 certificates. ACME *cmacme.ACMEIssuer // CA configures this issuer to sign certificates using a signing CA keypair // stored in a Secret resource. // This is used to build internal PKIs that are managed by cert-manager. CA *CAIssuer // Vault configures this issuer to sign certificates using a HashiCorp Vault // PKI backend. Vault *VaultIssuer // SelfSigned configures this issuer to 'self sign' certificates using the // private key used to create the CertificateRequest object. SelfSigned *SelfSignedIssuer // Venafi configures this issuer to sign certificates using a Venafi TPP // or Venafi Cloud policy zone. Venafi *VenafiIssuer }
func (*IssuerConfig) DeepCopy ¶
func (in *IssuerConfig) DeepCopy() *IssuerConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.
func (*IssuerConfig) DeepCopyInto ¶
func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerList ¶
IssuerList is a list of Issuers
func (*IssuerList) DeepCopy ¶
func (in *IssuerList) DeepCopy() *IssuerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.
func (*IssuerList) DeepCopyInto ¶
func (in *IssuerList) DeepCopyInto(out *IssuerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IssuerList) DeepCopyObject ¶
func (in *IssuerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type IssuerSpec ¶
type IssuerSpec struct {
IssuerConfig
}
IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.
func (*IssuerSpec) DeepCopy ¶
func (in *IssuerSpec) DeepCopy() *IssuerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.
func (*IssuerSpec) DeepCopyInto ¶
func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IssuerStatus ¶
type IssuerStatus struct { // List of status conditions to indicate the status of a CertificateRequest. // Known condition types are `Ready`. Conditions []IssuerCondition // ACME specific status options. // This field should only be set if the Issuer is configured to use an ACME // server to issue certificates. ACME *cmacme.ACMEIssuerStatus }
IssuerStatus contains status information about an Issuer
func (*IssuerStatus) ACMEStatus ¶ added in v0.13.0
func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus
TODO: refactor these functions away
func (*IssuerStatus) DeepCopy ¶
func (in *IssuerStatus) DeepCopy() *IssuerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.
func (*IssuerStatus) DeepCopyInto ¶
func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type JKSKeystore ¶ added in v0.15.0
type JKSKeystore struct { // Create enables JKS keystore creation for the Certificate. // If true, a file named `keystore.jks` will be created in the target // Secret resource, encrypted using the password stored in // `passwordSecretRef`. // The keystore file will only be updated upon re-issuance. Create bool // PasswordSecretRef is a reference to a key in a Secret resource // containing the password used to encrypt the JKS keystore. PasswordSecretRef cmmeta.SecretKeySelector }
JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.
func (*JKSKeystore) DeepCopy ¶ added in v0.15.0
func (in *JKSKeystore) DeepCopy() *JKSKeystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.
func (*JKSKeystore) DeepCopyInto ¶ added in v0.15.0
func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KeyUsage ¶
type KeyUsage string
KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
const ( UsageSigning KeyUsage = "signing" UsageDigitalSignature KeyUsage = "digital signature" UsageContentCommitment KeyUsage = "content commitment" UsageKeyEncipherment KeyUsage = "key encipherment" UsageKeyAgreement KeyUsage = "key agreement" UsageDataEncipherment KeyUsage = "data encipherment" UsageCertSign KeyUsage = "cert sign" UsageCRLSign KeyUsage = "crl sign" UsageEncipherOnly KeyUsage = "encipher only" UsageDecipherOnly KeyUsage = "decipher only" UsageAny KeyUsage = "any" UsageServerAuth KeyUsage = "server auth" UsageClientAuth KeyUsage = "client auth" UsageCodeSigning KeyUsage = "code signing" UsageEmailProtection KeyUsage = "email protection" UsageSMIME KeyUsage = "s/mime" UsageIPsecEndSystem KeyUsage = "ipsec end system" UsageIPsecTunnel KeyUsage = "ipsec tunnel" UsageIPsecUser KeyUsage = "ipsec user" UsageTimestamping KeyUsage = "timestamping" UsageOCSPSigning KeyUsage = "ocsp signing" UsageMicrosoftSGC KeyUsage = "microsoft sgc" UsageNetscapeSGC KeyUsage = "netscape sgc" )
type PKCS12Keystore ¶ added in v0.15.0
type PKCS12Keystore struct { // Create enables PKCS12 keystore creation for the Certificate. // If true, a file named `keystore.p12` will be created in the target // Secret resource, encrypted using the password stored in // `passwordSecretRef`. // The keystore file will only be updated upon re-issuance. Create bool // PasswordSecretRef is a reference to a key in a Secret resource // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector }
PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.
func (*PKCS12Keystore) DeepCopy ¶ added in v0.15.0
func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.
func (*PKCS12Keystore) DeepCopyInto ¶ added in v0.15.0
func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PrivateKeyAlgorithm ¶ added in v0.16.0
type PrivateKeyAlgorithm string
const ( // Denotes the RSA private key type. RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA" // Denotes the ECDSA private key type. ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA" // Denotes the Ed25519 private key type. Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519" )
type PrivateKeyEncoding ¶ added in v0.16.0
type PrivateKeyEncoding string
const ( // PKCS1 key encoding will produce PEM files that include the type of // private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`. // If the keyAlgorithm is set to 'ECDSA', this will produce private keys // that use the `BEGIN EC PRIVATE KEY` header. PKCS1 PrivateKeyEncoding = "PKCS1" // PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY` // header. It encodes the keyAlgorithm of the private key as part of the // DER encoded PEM block. PKCS8 PrivateKeyEncoding = "PKCS8" )
type PrivateKeyRotationPolicy ¶ added in v0.15.0
type PrivateKeyRotationPolicy string
Denotes how private keys should be generated or sourced when a Certificate is being issued.
var ( // RotationPolicyNever means a private key will only be generated if one // does not already exist in the target `spec.secretName`. // If one does exists but it does not have the correct algorithm or size, // a warning will be raised to await user intervention. RotationPolicyNever PrivateKeyRotationPolicy = "Never" // RotationPolicyAlways means a private key matching the specified // requirements will be generated whenever a re-issuance occurs. RotationPolicyAlways PrivateKeyRotationPolicy = "Always" )
type SelfSignedIssuer ¶
type SelfSignedIssuer struct { // The CRL distribution points is an X.509 v3 certificate extension which identifies // the location of the CRL from which the revocation of this certificate can be checked. // If not set certificate will be issued without CDP. Values are strings. CRLDistributionPoints []string }
Configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.
func (*SelfSignedIssuer) DeepCopy ¶
func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.
func (*SelfSignedIssuer) DeepCopyInto ¶
func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAppRole ¶
type VaultAppRole struct { // Path where the App Role authentication backend is mounted in Vault, e.g: // "approle" Path string // RoleID configured in the App Role authentication backend when setting // up the authentication backend in Vault. RoleId string // Reference to a key in a Secret that contains the App Role secret used // to authenticate with Vault. // The `key` field must be specified and denotes which entry within the Secret // resource is used as the app role secret. SecretRef cmmeta.SecretKeySelector }
VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
func (*VaultAppRole) DeepCopy ¶
func (in *VaultAppRole) DeepCopy() *VaultAppRole
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
func (*VaultAppRole) DeepCopyInto ¶
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultAuth ¶
type VaultAuth struct { // TokenSecretRef authenticates with Vault by presenting a token. TokenSecretRef *cmmeta.SecretKeySelector // AppRole authenticates with Vault using the App Role auth mechanism, // with the role and secret stored in a Kubernetes Secret resource. AppRole *VaultAppRole // Kubernetes authenticates with Vault by passing the ServiceAccount // token stored in the named Secret resource to the Vault server. Kubernetes *VaultKubernetesAuth }
Configuration used to authenticate with a Vault server. Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
func (*VaultAuth) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
func (*VaultAuth) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultIssuer ¶
type VaultIssuer struct { // Auth configures how cert-manager authenticates with the Vault server. Auth VaultAuth // Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Server string // Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: // "my_pki_mount/sign/my-role-name". Path string // Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" // More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces Namespace string // PEM-encoded CA bundle (base64-encoded) used to validate Vault server // certificate. Only used if the Server URL is using HTTPS protocol. This // parameter is ignored for plain HTTP protocol connection. If not set the // system root certificates are used to validate the TLS connection. CABundle []byte }
Configures an issuer to sign certificates using a HashiCorp Vault PKI backend.
func (*VaultIssuer) DeepCopy ¶
func (in *VaultIssuer) DeepCopy() *VaultIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.
func (*VaultIssuer) DeepCopyInto ¶
func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultKubernetesAuth ¶ added in v0.11.0
type VaultKubernetesAuth struct { // The Vault mountPath here is the mount path to use when authenticating with // Vault. For example, setting a value to `/v1/auth/foo`, will use the path // `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the // default value "/v1/auth/kubernetes" will be used. Path string // The required Secret field containing a Kubernetes ServiceAccount JWT used // for authenticating with Vault. Use of 'ambient credentials' is not // supported. SecretRef cmmeta.SecretKeySelector // A required field containing the Vault Role to assume. A Role binds a // Kubernetes ServiceAccount with a set of Vault policies. Role string }
Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.
func (*VaultKubernetesAuth) DeepCopy ¶ added in v0.11.0
func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
func (*VaultKubernetesAuth) DeepCopyInto ¶ added in v0.11.0
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiCloud ¶
type VenafiCloud struct { // URL is the base URL for Venafi Cloud. // Defaults to "https://api.venafi.cloud/v1". URL string // APITokenSecretRef is a secret key selector for the Venafi Cloud API token. APITokenSecretRef cmmeta.SecretKeySelector }
VenafiCloud defines connection configuration details for Venafi Cloud
func (*VenafiCloud) DeepCopy ¶
func (in *VenafiCloud) DeepCopy() *VenafiCloud
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.
func (*VenafiCloud) DeepCopyInto ¶
func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiIssuer ¶
type VenafiIssuer struct { // Zone is the Venafi Policy Zone to use for this issuer. // All requests made to the Venafi platform will be restricted by the named // zone policy. // This field is required. Zone string // TPP specifies Trust Protection Platform configuration settings. // Only one of TPP or Cloud may be specified. TPP *VenafiTPP // Cloud specifies the Venafi cloud configuration settings. // Only one of TPP or Cloud may be specified. Cloud *VenafiCloud }
Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.
func (*VenafiIssuer) DeepCopy ¶
func (in *VenafiIssuer) DeepCopy() *VenafiIssuer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.
func (*VenafiIssuer) DeepCopyInto ¶
func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VenafiTPP ¶
type VenafiTPP struct { // URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, // for example: "https://tpp.example.com/vedsdk". URL string // CredentialsRef is a reference to a Secret containing the username and // password for the TPP server. // The secret must contain two keys, 'username' and 'password'. CredentialsRef cmmeta.LocalObjectReference // CABundle is a PEM encoded TLS certificate to use to verify connections to // the TPP instance. // If specified, system roots will not be used and the issuing CA for the // TPP instance must be verifiable using the provided root. // If not specified, the connection will be verified using the cert-manager // system root certificates. CABundle []byte }
VenafiTPP defines connection configuration details for a Venafi TPP instance
func (*VenafiTPP) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.
func (*VenafiTPP) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type X509Subject ¶ added in v0.13.0
type X509Subject struct { // Organizations to be used on the Certificate. Organizations []string // Countries to be used on the Certificate. Countries []string // Organizational Units to be used on the Certificate. OrganizationalUnits []string // Cities to be used on the Certificate. Localities []string // State/Provinces to be used on the Certificate. Provinces []string // Street addresses to be used on the Certificate. StreetAddresses []string // Postal codes to be used on the Certificate. PostalCodes []string // Serial number to be used on the Certificate. SerialNumber string }
X509Subject Full X509 name specification
func (*X509Subject) DeepCopy ¶ added in v0.13.0
func (in *X509Subject) DeepCopy() *X509Subject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.
func (*X509Subject) DeepCopyInto ¶ added in v0.13.0
func (in *X509Subject) DeepCopyInto(out *X509Subject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
certificaterequests
Package certificaterequests populates and enforces identity on CertificateRequest resources.
|
Package certificaterequests populates and enforces identity on CertificateRequest resources. |
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery. |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |
+groupName=cert-manager.io
|
+groupName=cert-manager.io |