certmanager

package
v1.2.0-alpha.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 5, 2021 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation ¶

Overview ¶

Package certmanager is the internal version of the API. +groupName=cert-manager.io

Index ¶

Constants ¶

View Source
const (
	// Annotation key for DNS subjectAltNames.
	AltNamesAnnotationKey = "cert-manager.io/alt-names"

	// Annotation key for IP subjectAltNames.
	IPSANAnnotationKey = "cert-manager.io/ip-sans"

	// Annotation key for URI subjectAltNames.
	URISANAnnotationKey = "cert-manager.io/uri-sans"

	// Annotation key for certificate common name.
	CommonNameAnnotationKey = "cert-manager.io/common-name"

	// Annotation key the 'name' of the Issuer resource.
	IssuerNameAnnotationKey = "cert-manager.io/issuer-name"

	// Annotation key for the 'kind' of the Issuer resource.
	IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"

	// Annotation key for the 'group' of the Issuer resource.
	IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"

	// Annotation key for the name of the certificate that a resource is related to.
	CertificateNameKey = "cert-manager.io/certificate-name"

	// Annotation key used to denote whether a Secret is named on a Certificate
	// as a 'next private key' Secret resource.
	IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"
)

Common annotation keys added to resources.

View Source
const (
	// issuerNameAnnotation can be used to override the issuer specified on the
	// created Certificate resource.
	IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
	// clusterIssuerNameAnnotation can be used to override the issuer specified on the
	// created Certificate resource. The Certificate will reference the
	// specified *ClusterIssuer* instead of normal issuer.
	IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
	// acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass
	// if the challenge type is set to http01
	IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"

	// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
	// controller only processes Ingresses with this annotation either unset, or
	// set to either the configured value or the empty string.
	IngressClassAnnotationKey = "kubernetes.io/ingress.class"
)
View Source
const (
	// Annotation added to CertificateRequest resources to denote the name of
	// a Secret resource containing the private key used to sign the CSR stored
	// on the resource.
	// This annotation *may* not be present, and is used by the 'self signing'
	// issuer type to self-sign certificates.
	CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"

	// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
	CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)

Annotation names for CertificateRequests

View Source
const (
	ClusterIssuerKind      = "ClusterIssuer"
	IssuerKind             = "Issuer"
	CertificateKind        = "Certificate"
	CertificateRequestKind = "CertificateRequest"
)

Common/known resource kinds.

View Source
const (
	// WantInjectAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a certificate
	// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
	WantInjectAnnotation = "cert-manager.io/inject-ca-from"

	// WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector
	// inject the CA certificate for the Kubernetes apiserver into the resource.
	// It discovers the apiserver's CA by inspecting the service account credentials
	// mounted into the cainjector pod.
	WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"

	// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs.  It takes the form of a reference to a Secret
	// as namespace/name.
	WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"

	// AllowsInjectionFromSecretAnnotation is an annotation that must be added
	// to Secret resource that want to denote that they can be directly
	// injected into injectables that have a `inject-ca-from-secret` annotation.
	// If an injectable references a Secret that does NOT have this annotation,
	// the cainjector will refuse to inject the secret.
	AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
View Source
const (
	// Pending indicates that a CertificateRequest is still in progress.
	CertificateRequestReasonPending = "Pending"

	// Failed indicates that a CertificateRequest has failed, either due to
	// timing out or some other critical failure.
	CertificateRequestReasonFailed = "Failed"

	// Issued indicates that a CertificateRequest has been completed, and that
	// the `status.certificate` field is set.
	CertificateRequestReasonIssued = "Issued"
)
View Source
const (
	// IssueTemporaryCertificateAnnotation is an annotation that can be added to
	// Certificate resources.
	// If it is present, a temporary internally signed certificate will be
	// stored in the target Secret resource whilst the real Issuer is processing
	// the certificate request.
	IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
)
View Source
const (
	// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
	// This will only work with Venafi TPP v19.3 and higher
	// The value is an array with objects containing the name and value keys
	// for example: `[{"name": "custom-field", "value": "custom-value"}]`
	VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"
)

Issuer specific Annotations

Variables ¶

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions ¶

func Resource ¶

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types ¶

type CAIssuer ¶

type CAIssuer struct {
	// SecretName is the name of the secret used to sign Certificates issued
	// by this Issuer.
	SecretName string

	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set, certificates will be issued without distribution points set.
	CRLDistributionPoints []string

	// The OCSP server list is an X.509 v3 extension that defines a list of
	// URLs of OCSP responders. The OCSP responders can be queried for the
	// revocation status of an issued certificate. If not set, the
	// certificate wil be issued with no OCSP servers set. For example, an
	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
	OCSPServers []string
}

func (*CAIssuer) DeepCopy ¶

func (in *CAIssuer) DeepCopy() *CAIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.

func (*CAIssuer) DeepCopyInto ¶

func (in *CAIssuer) DeepCopyInto(out *CAIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Certificate ¶

type Certificate struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the Certificate resource.
	Spec CertificateSpec

	// Status of the Certificate. This is set and managed automatically.
	Status CertificateStatus
}

A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.

The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).

func (*Certificate) DeepCopy ¶

func (in *Certificate) DeepCopy() *Certificate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.

func (*Certificate) DeepCopyInto ¶

func (in *Certificate) DeepCopyInto(out *Certificate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Certificate) DeepCopyObject ¶

func (in *Certificate) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateCondition ¶

type CertificateCondition struct {
	// Type of the condition, known values are (`Ready`, `Issuing`).
	Type CertificateConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string
}

CertificateCondition contains condition information for an Certificate.

func (*CertificateCondition) DeepCopy ¶

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.

func (*CertificateCondition) DeepCopyInto ¶

func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateConditionType ¶

type CertificateConditionType string

CertificateConditionType represents an Certificate condition value.

const (
	// CertificateConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target secret exists
	// - The target secret contains a certificate that has not expired
	// - The target secret contains a private key valid for the certificate
	// - The commonName and dnsNames attributes match those specified on the Certificate
	CertificateConditionReady CertificateConditionType = "Ready"

	// A condition added to Certificate resources when an issuance is required.
	// This condition will be automatically added and set to true if:
	//   * No keypair data exists in the target Secret
	//   * The data stored in the Secret cannot be decoded
	//   * The private key and certificate do not have matching public keys
	//   * If a CertificateRequest for the current revision exists and the
	//     certificate data stored in the Secret does not match the
	//    `status.certificate` on the CertificateRequest.
	//   * If no CertificateRequest resource exists for the current revision,
	//     the options on the Certificate resource are compared against the
	//     x509 data in the Secret, similar to what's done in earlier versions.
	//     If there is a mismatch, an issuance is triggered.
	// This condition may also be added by external API consumers to trigger
	// a re-issuance manually for any other reason.
	//
	// It will be removed by the 'issuing' controller upon completing issuance.
	CertificateConditionIssuing CertificateConditionType = "Issuing"
)

type CertificateKeystores ¶ added in v0.15.0

type CertificateKeystores struct {
	// JKS configures options for storing a JKS keystore in the
	// `spec.secretName` Secret resource.
	JKS *JKSKeystore

	// PKCS12 configures options for storing a PKCS12 keystore in the
	// `spec.secretName` Secret resource.
	PKCS12 *PKCS12Keystore
}

CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.

func (*CertificateKeystores) DeepCopy ¶ added in v0.15.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.

func (*CertificateKeystores) DeepCopyInto ¶ added in v0.15.0

func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateList ¶

type CertificateList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []Certificate
}

CertificateList is a list of Certificates

func (*CertificateList) DeepCopy ¶

func (in *CertificateList) DeepCopy() *CertificateList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.

func (*CertificateList) DeepCopyInto ¶

func (in *CertificateList) DeepCopyInto(out *CertificateList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateList) DeepCopyObject ¶

func (in *CertificateList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificatePrivateKey ¶ added in v0.15.0

type CertificatePrivateKey struct {
	// RotationPolicy controls how private keys should be regenerated when a
	// re-issuance is being processed.
	// If set to `Never`, a private key will only be generated if one does not
	// already exist in the target `spec.secretName`. If one does exists but it
	// does not have the correct algorithm or size, a warning will be raised
	// to await user intervention.
	// If set to `Always`, a private key matching the specified requirements
	// will be generated whenever a re-issuance occurs.
	// Default is `Never` for backward compatibility.
	RotationPolicy PrivateKeyRotationPolicy

	// The private key cryptography standards (PKCS) encoding for this
	// certificate's private key to be encoded in.
	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
	// and PKCS#8, respectively.
	// Defaults to `PKCS1` if not specified.
	Encoding PrivateKeyEncoding

	// Algorithm is the private key algorithm of the corresponding private key
	// for this certificate. If provided, allowed values are either `RSA` or `ECDSA`
	// If `algorithm` is specified and `size` is not provided,
	// key size of `256` will be used for `ECDSA` key algorithm and
	// key size of `2048` will be used for `RSA` key algorithm.
	Algorithm PrivateKeyAlgorithm

	// Size is the key bit size of the corresponding private key for this certificate.
	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
	// and will default to `2048` if not specified.
	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
	// and will default to `256` if not specified.
	// No other values are allowed.
	Size int
}

CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. This allows control of how private keys are rotated.

func (*CertificatePrivateKey) DeepCopy ¶ added in v0.15.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.

func (*CertificatePrivateKey) DeepCopyInto ¶ added in v0.15.0

func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequest ¶

type CertificateRequest struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the CertificateRequest resource.
	Spec CertificateRequestSpec

	// Status of the CertificateRequest. This is set and managed automatically.
	Status CertificateRequestStatus
}

A CertificateRequest is used to request a signed certificate from one of the configured issuers.

All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.

A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.

func (*CertificateRequest) DeepCopy ¶

func (in *CertificateRequest) DeepCopy() *CertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.

func (*CertificateRequest) DeepCopyInto ¶

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequest) DeepCopyObject ¶

func (in *CertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestCondition ¶

type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`).
	Type CertificateRequestConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string
}

CertificateRequestCondition contains condition information for a CertificateRequest.

func (*CertificateRequestCondition) DeepCopy ¶

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.

func (*CertificateRequestCondition) DeepCopyInto ¶

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestConditionType ¶

type CertificateRequestConditionType string

CertificateRequestConditionType represents an Certificate condition value.

const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"
)

type CertificateRequestList ¶

type CertificateRequestList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []CertificateRequest
}

CertificateRequestList is a list of Certificates

func (*CertificateRequestList) DeepCopy ¶

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.

func (*CertificateRequestList) DeepCopyInto ¶

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequestList) DeepCopyObject ¶

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestSpec ¶

type CertificateRequestSpec struct {
	// The requested 'duration' (i.e. lifetime) of the Certificate.
	// This option may be ignored/overridden by some issuer types.
	Duration *metav1.Duration

	// IssuerRef is a reference to the issuer for this CertificateRequest.  If
	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
	// the given name in the same namespace as the CertificateRequest will be
	// used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
	// the provided name will be used. The `name` field in this stanza is
	// required at all times. The group field refers to the API group of the
	// issuer which defaults to `cert-manager.io` if empty.
	IssuerRef cmmeta.ObjectReference

	// The PEM-encoded x509 certificate signing request to be submitted to the
	// CA for signing.
	Request []byte

	// IsCA will request to mark the certificate as valid for certificate signing
	// when submitting to the issuer.
	// This will automatically add the `cert sign` usage to the list of `usages`.
	IsCA bool

	// Usages is the set of x509 usages that are requested for the certificate.
	// Defaults to `digital signature` and `key encipherment` if not specified.
	Usages []KeyUsage
}

CertificateRequestSpec defines the desired state of CertificateRequest

func (*CertificateRequestSpec) DeepCopy ¶

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.

func (*CertificateRequestSpec) DeepCopyInto ¶

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestStatus ¶

type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready` and `InvalidRequest`.
	Conditions []CertificateRequestCondition

	// The PEM encoded x509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	Certificate []byte

	// The PEM encoded x509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	CA []byte

	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	FailureTime *metav1.Time
}

CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.

func (*CertificateRequestStatus) DeepCopy ¶

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.

func (*CertificateRequestStatus) DeepCopyInto ¶

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSpec ¶

type CertificateSpec struct {
	// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
	Subject *X509Subject

	// CommonName is a common name to be used on the Certificate.
	// The CommonName should have a length of 64 characters or fewer to avoid
	// generating invalid CSRs.
	// This value is ignored by TLS clients when any subject alt name is set.
	// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
	CommonName string

	// The requested 'duration' (i.e. lifetime) of the Certificate.
	// This option may be ignored/overridden by some issuer types.
	// If overridden and `renewBefore` is greater than the actual certificate
	// duration, the certificate will be automatically renewed 2/3rds of the
	// way through the certificate's duration.
	Duration *metav1.Duration

	// The amount of time before the currently issued certificate's `notAfter`
	// time that cert-manager will begin to attempt to renew the certificate.
	// If this value is greater than the total duration of the certificate
	// (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of
	// the way through the certificate's duration.
	RenewBefore *metav1.Duration

	// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
	DNSNames []string

	// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
	IPAddresses []string

	// URISANs is a list of URI subjectAltNames to be set on the Certificate.
	URISANs []string

	// EmailSANs is a list of email subjectAltNames to be set on the Certificate.
	EmailSANs []string

	// SecretName is the name of the secret resource that will be automatically
	// created and managed by this Certificate resource.
	// It will be populated with a private key and certificate, signed by the
	// denoted issuer.
	SecretName string

	// Keystores configures additional keystore output formats stored in the
	// `secretName` Secret resource.
	Keystores *CertificateKeystores

	// IssuerRef is a reference to the issuer for this certificate.
	// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
	// with the given name in the same namespace as the Certificate will be used.
	// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
	// provided name will be used.
	// The `name` field in this stanza is required at all times.
	IssuerRef cmmeta.ObjectReference

	// IsCA will mark this Certificate as valid for certificate signing.
	// This will automatically add the `cert sign` usage to the list of `usages`.
	IsCA bool

	// Usages is the set of x509 usages that are requested for the certificate.
	// Defaults to `digital signature` and `key encipherment` if not specified.
	Usages []KeyUsage

	// Options to control private keys used for the Certificate.
	PrivateKey *CertificatePrivateKey

	// EncodeUsagesInRequest controls whether key usages should be present
	// in the CertificateRequest
	EncodeUsagesInRequest *bool
}

CertificateSpec defines the desired state of Certificate. A valid Certificate requires at least one of a CommonName, DNSName, or URISAN to be valid.

func (*CertificateSpec) DeepCopy ¶

func (in *CertificateSpec) DeepCopy() *CertificateSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.

func (*CertificateSpec) DeepCopyInto ¶

func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateStatus ¶

type CertificateStatus struct {
	// List of status conditions to indicate the status of certificates.
	// Known condition types are `Ready` and `Issuing`.
	Conditions []CertificateCondition

	// LastFailureTime is the time as recorded by the Certificate controller
	// of the most recent failure to complete a CertificateRequest for this
	// Certificate resource.
	// If set, cert-manager will not re-request another Certificate until
	// 1 hour has elapsed from this time.
	LastFailureTime *metav1.Time

	// The time after which the certificate stored in the secret named
	// by this resource in spec.secretName is valid.
	NotBefore *metav1.Time

	// The expiration time of the certificate stored in the secret named
	// by this resource in `spec.secretName`.
	NotAfter *metav1.Time

	// RenewalTime is the time at which the certificate will be next
	// renewed.
	// If not set, no upcoming renewal is scheduled.
	RenewalTime *metav1.Time

	// The current 'revision' of the certificate as issued.
	//
	// When a CertificateRequest resource is created, it will have the
	// `cert-manager.io/certificate-revision` set to one greater than the
	// current value of this field.
	//
	// Upon issuance, this field will be set to the value of the annotation
	// on the CertificateRequest resource used to issue the certificate.
	//
	// Persisting the value on the CertificateRequest resource allows the
	// certificates controller to know whether a request is part of an old
	// issuance or if it is part of the ongoing revision's issuance by
	// checking if the revision value in the annotation is greater than this
	// field.
	Revision *int

	// The name of the Secret resource containing the private key to be used
	// for the next certificate iteration.
	// The keymanager controller will automatically set this field if the
	// `Issuing` condition is set to `True`.
	// It will automatically unset this field when the Issuing condition is
	// not set or False.
	NextPrivateKeySecretName *string
}

CertificateStatus defines the observed state of Certificate

func (*CertificateStatus) DeepCopy ¶

func (in *CertificateStatus) DeepCopy() *CertificateStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.

func (*CertificateStatus) DeepCopyInto ¶

func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterIssuer ¶

type ClusterIssuer struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the ClusterIssuer resource.
	Spec IssuerSpec

	// Status of the ClusterIssuer. This is set and managed automatically.
	Status IssuerStatus
}

A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.

func (*ClusterIssuer) Copy ¶ added in v0.13.0

func (c *ClusterIssuer) Copy() GenericIssuer

func (*ClusterIssuer) DeepCopy ¶

func (in *ClusterIssuer) DeepCopy() *ClusterIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.

func (*ClusterIssuer) DeepCopyInto ¶

func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuer) DeepCopyObject ¶

func (in *ClusterIssuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterIssuer) GetObjectMeta ¶ added in v0.13.0

func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta

func (*ClusterIssuer) GetSpec ¶ added in v0.13.0

func (c *ClusterIssuer) GetSpec() *IssuerSpec

func (*ClusterIssuer) GetStatus ¶ added in v0.13.0

func (c *ClusterIssuer) GetStatus() *IssuerStatus

func (*ClusterIssuer) SetSpec ¶ added in v0.13.0

func (c *ClusterIssuer) SetSpec(spec IssuerSpec)

func (*ClusterIssuer) SetStatus ¶ added in v0.13.0

func (c *ClusterIssuer) SetStatus(status IssuerStatus)

type ClusterIssuerList ¶

type ClusterIssuerList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []ClusterIssuer
}

ClusterIssuerList is a list of Issuers

func (*ClusterIssuerList) DeepCopy ¶

func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.

func (*ClusterIssuerList) DeepCopyInto ¶

func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuerList) DeepCopyObject ¶

func (in *ClusterIssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GenericIssuer ¶ added in v0.13.0

type GenericIssuer interface {
	runtime.Object
	metav1.Object

	GetObjectMeta() *metav1.ObjectMeta
	GetSpec() *IssuerSpec
	GetStatus() *IssuerStatus
}

type Issuer ¶

type Issuer struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Desired state of the Issuer resource.
	Spec IssuerSpec

	// Status of the Issuer. This is set and managed automatically.
	Status IssuerStatus
}

An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.

func (*Issuer) Copy ¶ added in v0.13.0

func (c *Issuer) Copy() GenericIssuer

func (*Issuer) DeepCopy ¶

func (in *Issuer) DeepCopy() *Issuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

func (*Issuer) DeepCopyInto ¶

func (in *Issuer) DeepCopyInto(out *Issuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Issuer) DeepCopyObject ¶

func (in *Issuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Issuer) GetObjectMeta ¶ added in v0.13.0

func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta

func (*Issuer) GetSpec ¶ added in v0.13.0

func (c *Issuer) GetSpec() *IssuerSpec

func (*Issuer) GetStatus ¶ added in v0.13.0

func (c *Issuer) GetStatus() *IssuerStatus

func (*Issuer) SetSpec ¶ added in v0.13.0

func (c *Issuer) SetSpec(spec IssuerSpec)

func (*Issuer) SetStatus ¶ added in v0.13.0

func (c *Issuer) SetStatus(status IssuerStatus)

type IssuerCondition ¶

type IssuerCondition struct {
	// Type of the condition, known values are (`Ready`).
	Type IssuerConditionType

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status cmmeta.ConditionStatus

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string
}

IssuerCondition contains condition information for an Issuer.

func (*IssuerCondition) DeepCopy ¶

func (in *IssuerCondition) DeepCopy() *IssuerCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.

func (*IssuerCondition) DeepCopyInto ¶

func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerConditionType ¶

type IssuerConditionType string

IssuerConditionType represents an Issuer condition value.

const (
	// IssuerConditionReady represents the fact that a given Issuer condition
	// is in ready state and able to issue certificates.
	// If the `status` of this condition is `False`, CertificateRequest controllers
	// should prevent attempts to sign certificates.
	IssuerConditionReady IssuerConditionType = "Ready"
)

type IssuerConfig ¶

type IssuerConfig struct {
	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
	// to obtain signed x509 certificates.
	ACME *cmacme.ACMEIssuer

	// CA configures this issuer to sign certificates using a signing CA keypair
	// stored in a Secret resource.
	// This is used to build internal PKIs that are managed by cert-manager.
	CA *CAIssuer

	// Vault configures this issuer to sign certificates using a HashiCorp Vault
	// PKI backend.
	Vault *VaultIssuer

	// SelfSigned configures this issuer to 'self sign' certificates using the
	// private key used to create the CertificateRequest object.
	SelfSigned *SelfSignedIssuer

	// Venafi configures this issuer to sign certificates using a Venafi TPP
	// or Venafi Cloud policy zone.
	Venafi *VenafiIssuer
}

func (*IssuerConfig) DeepCopy ¶

func (in *IssuerConfig) DeepCopy() *IssuerConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.

func (*IssuerConfig) DeepCopyInto ¶

func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerList ¶

type IssuerList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []Issuer
}

IssuerList is a list of Issuers

func (*IssuerList) DeepCopy ¶

func (in *IssuerList) DeepCopy() *IssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.

func (*IssuerList) DeepCopyInto ¶

func (in *IssuerList) DeepCopyInto(out *IssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IssuerList) DeepCopyObject ¶

func (in *IssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type IssuerSpec ¶

type IssuerSpec struct {
	IssuerConfig
}

IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.

func (*IssuerSpec) DeepCopy ¶

func (in *IssuerSpec) DeepCopy() *IssuerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.

func (*IssuerSpec) DeepCopyInto ¶

func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerStatus ¶

type IssuerStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready`.
	Conditions []IssuerCondition

	// ACME specific status options.
	// This field should only be set if the Issuer is configured to use an ACME
	// server to issue certificates.
	ACME *cmacme.ACMEIssuerStatus
}

IssuerStatus contains status information about an Issuer

func (*IssuerStatus) ACMEStatus ¶ added in v0.13.0

func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus

TODO: refactor these functions away

func (*IssuerStatus) DeepCopy ¶

func (in *IssuerStatus) DeepCopy() *IssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.

func (*IssuerStatus) DeepCopyInto ¶

func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JKSKeystore ¶ added in v0.15.0

type JKSKeystore struct {
	// Create enables JKS keystore creation for the Certificate.
	// If true, a file named `keystore.jks` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will only be updated upon re-issuance.
	Create bool

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the JKS keystore.
	PasswordSecretRef cmmeta.SecretKeySelector
}

JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.

func (*JKSKeystore) DeepCopy ¶ added in v0.15.0

func (in *JKSKeystore) DeepCopy() *JKSKeystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.

func (*JKSKeystore) DeepCopyInto ¶ added in v0.15.0

func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KeyUsage ¶

type KeyUsage string

KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

https://tools.ietf.org/html/rfc5280#section-4.2.1.12

Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"

const (
	UsageSigning            KeyUsage = "signing"
	UsageDigitalSignature   KeyUsage = "digital signature"
	UsageContentCommittment KeyUsage = "content commitment"
	UsageKeyEncipherment    KeyUsage = "key encipherment"
	UsageKeyAgreement       KeyUsage = "key agreement"
	UsageDataEncipherment   KeyUsage = "data encipherment"
	UsageCertSign           KeyUsage = "cert sign"
	UsageCRLSign            KeyUsage = "crl sign"
	UsageEncipherOnly       KeyUsage = "encipher only"
	UsageDecipherOnly       KeyUsage = "decipher only"
	UsageAny                KeyUsage = "any"
	UsageServerAuth         KeyUsage = "server auth"
	UsageClientAuth         KeyUsage = "client auth"
	UsageCodeSigning        KeyUsage = "code signing"
	UsageEmailProtection    KeyUsage = "email protection"
	UsageSMIME              KeyUsage = "s/mime"
	UsageIPsecEndSystem     KeyUsage = "ipsec end system"
	UsageIPsecTunnel        KeyUsage = "ipsec tunnel"
	UsageIPsecUser          KeyUsage = "ipsec user"
	UsageTimestamping       KeyUsage = "timestamping"
	UsageOCSPSigning        KeyUsage = "ocsp signing"
	UsageMicrosoftSGC       KeyUsage = "microsoft sgc"
	UsageNetscapeSGC        KeyUsage = "netscape sgc"
)

type PKCS12Keystore ¶ added in v0.15.0

type PKCS12Keystore struct {
	// Create enables PKCS12 keystore creation for the Certificate.
	// If true, a file named `keystore.p12` will be created in the target
	// Secret resource, encrypted using the password stored in
	// `passwordSecretRef`.
	// The keystore file will only be updated upon re-issuance.
	Create bool

	// PasswordSecretRef is a reference to a key in a Secret resource
	// containing the password used to encrypt the PKCS12 keystore.
	PasswordSecretRef cmmeta.SecretKeySelector
}

PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.

func (*PKCS12Keystore) DeepCopy ¶ added in v0.15.0

func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.

func (*PKCS12Keystore) DeepCopyInto ¶ added in v0.15.0

func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivateKeyAlgorithm ¶ added in v0.16.0

type PrivateKeyAlgorithm string
const (
	// Denotes the RSA private key type.
	RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA"

	// Denotes the ECDSA private key type.
	ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA"
)

type PrivateKeyEncoding ¶ added in v0.16.0

type PrivateKeyEncoding string
const (
	// PKCS1 key encoding will produce PEM files that include the type of
	// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
	// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
	// that use the `BEGIN EC PRIVATE KEY` header.
	PKCS1 PrivateKeyEncoding = "PKCS1"

	// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
	// header. It encodes the keyAlgorithm of the private key as part of the
	// DER encoded PEM block.
	PKCS8 PrivateKeyEncoding = "PKCS8"
)

type PrivateKeyRotationPolicy ¶ added in v0.15.0

type PrivateKeyRotationPolicy string

Denotes how private keys should be generated or sourced when a Certificate is being issued.

var (
	// RotationPolicyNever means a private key will only be generated if one
	// does not already exist in the target `spec.secretName`.
	// If one does exists but it does not have the correct algorithm or size,
	// a warning will be raised to await user intervention.
	RotationPolicyNever PrivateKeyRotationPolicy = "Never"

	// RotationPolicyAlways means a private key matching the specified
	// requirements will be generated whenever a re-issuance occurs.
	RotationPolicyAlways PrivateKeyRotationPolicy = "Always"
)

type SelfSignedIssuer ¶

type SelfSignedIssuer struct {
	// The CRL distribution points is an X.509 v3 certificate extension which identifies
	// the location of the CRL from which the revocation of this certificate can be checked.
	// If not set certificate will be issued without CDP. Values are strings.
	CRLDistributionPoints []string
}

Configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.

func (*SelfSignedIssuer) DeepCopy ¶

func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.

func (*SelfSignedIssuer) DeepCopyInto ¶

func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAppRole ¶

type VaultAppRole struct {
	// Path where the App Role authentication backend is mounted in Vault, e.g:
	// "approle"
	Path string

	// RoleID configured in the App Role authentication backend when setting
	// up the authentication backend in Vault.
	RoleId string

	// Reference to a key in a Secret that contains the App Role secret used
	// to authenticate with Vault.
	// The `key` field must be specified and denotes which entry within the Secret
	// resource is used as the app role secret.
	SecretRef cmmeta.SecretKeySelector
}

VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

func (*VaultAppRole) DeepCopy ¶

func (in *VaultAppRole) DeepCopy() *VaultAppRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.

func (*VaultAppRole) DeepCopyInto ¶

func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth ¶

type VaultAuth struct {
	// TokenSecretRef authenticates with Vault by presenting a token.
	TokenSecretRef *cmmeta.SecretKeySelector

	// AppRole authenticates with Vault using the App Role auth mechanism,
	// with the role and secret stored in a Kubernetes Secret resource.
	AppRole *VaultAppRole

	// Kubernetes authenticates with Vault by passing the ServiceAccount
	// token stored in the named Secret resource to the Vault server.
	Kubernetes *VaultKubernetesAuth
}

Configuration used to authenticate with a Vault server. Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.

func (*VaultAuth) DeepCopy ¶

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto ¶

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultIssuer ¶

type VaultIssuer struct {
	// Auth configures how cert-manager authenticates with the Vault server.
	Auth VaultAuth

	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
	Server string

	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
	// "my_pki_mount/sign/my-role-name".
	Path string

	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
	Namespace string

	// PEM encoded CA bundle used to validate Vault server certificate. Only used
	// if the Server URL is using HTTPS protocol. This parameter is ignored for
	// plain HTTP protocol connection. If not set the system root certificates
	// are used to validate the TLS connection.
	CABundle []byte
}

Configures an issuer to sign certificates using a HashiCorp Vault PKI backend.

func (*VaultIssuer) DeepCopy ¶

func (in *VaultIssuer) DeepCopy() *VaultIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.

func (*VaultIssuer) DeepCopyInto ¶

func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultKubernetesAuth ¶ added in v0.11.0

type VaultKubernetesAuth struct {
	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/kubernetes" will be used.
	Path string

	// The required Secret field containing a Kubernetes ServiceAccount JWT used
	// for authenticating with Vault. Use of 'ambient credentials' is not
	// supported.
	SecretRef cmmeta.SecretKeySelector

	// A required field containing the Vault Role to assume. A Role binds a
	// Kubernetes ServiceAccount with a set of Vault policies.
	Role string
}

Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.

func (*VaultKubernetesAuth) DeepCopy ¶ added in v0.11.0

func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.

func (*VaultKubernetesAuth) DeepCopyInto ¶ added in v0.11.0

func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiCloud ¶

type VenafiCloud struct {
	// URL is the base URL for Venafi Cloud.
	// Defaults to "https://api.venafi.cloud/v1".
	URL string

	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
	APITokenSecretRef cmmeta.SecretKeySelector
}

VenafiCloud defines connection configuration details for Venafi Cloud

func (*VenafiCloud) DeepCopy ¶

func (in *VenafiCloud) DeepCopy() *VenafiCloud

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.

func (*VenafiCloud) DeepCopyInto ¶

func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiIssuer ¶

type VenafiIssuer struct {
	// Zone is the Venafi Policy Zone to use for this issuer.
	// All requests made to the Venafi platform will be restricted by the named
	// zone policy.
	// This field is required.
	Zone string

	// TPP specifies Trust Protection Platform configuration settings.
	// Only one of TPP or Cloud may be specified.
	TPP *VenafiTPP

	// Cloud specifies the Venafi cloud configuration settings.
	// Only one of TPP or Cloud may be specified.
	Cloud *VenafiCloud
}

Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.

func (*VenafiIssuer) DeepCopy ¶

func (in *VenafiIssuer) DeepCopy() *VenafiIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.

func (*VenafiIssuer) DeepCopyInto ¶

func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiTPP ¶

type VenafiTPP struct {
	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
	// for example: "https://tpp.example.com/vedsdk".
	URL string

	// CredentialsRef is a reference to a Secret containing the username and
	// password for the TPP server.
	// The secret must contain two keys, 'username' and 'password'.
	CredentialsRef cmmeta.LocalObjectReference

	// CABundle is a PEM encoded TLS certificate to use to verify connections to
	// the TPP instance.
	// If specified, system roots will not be used and the issuing CA for the
	// TPP instance must be verifiable using the provided root.
	// If not specified, the connection will be verified using the cert-manager
	// system root certificates.
	CABundle []byte
}

VenafiTPP defines connection configuration details for a Venafi TPP instance

func (*VenafiTPP) DeepCopy ¶

func (in *VenafiTPP) DeepCopy() *VenafiTPP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.

func (*VenafiTPP) DeepCopyInto ¶

func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type X509Subject ¶ added in v0.13.0

type X509Subject struct {
	// Organizations to be used on the Certificate.
	Organizations []string
	// Countries to be used on the Certificate.
	Countries []string
	// Organizational Units to be used on the Certificate.
	OrganizationalUnits []string
	// Cities to be used on the Certificate.
	Localities []string
	// State/Provinces to be used on the Certificate.
	Provinces []string
	// Street addresses to be used on the Certificate.
	StreetAddresses []string
	// Postal codes to be used on the Certificate.
	PostalCodes []string
	// Serial number to be used on the Certificate.
	SerialNumber string
}

X509Subject Full X509 name specification

func (*X509Subject) DeepCopy ¶ added in v0.13.0

func (in *X509Subject) DeepCopy() *X509Subject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.

func (*X509Subject) DeepCopyInto ¶ added in v0.13.0

func (in *X509Subject) DeepCopyInto(out *X509Subject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Directories ¶

Path Synopsis
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io
+groupName=cert-manager.io

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL