acme

package
v0.0.0-...-5756e46 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 3, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package acme is the internal version of the API. +groupName=acme.cert-manager.io

Index

Constants

View Source
const (
	// NoneStrategy indicates that no CNAME resolution strategy should be used
	// when determining which DNS zone to update during DNS01 challenges.
	NoneStrategy = "None"

	// FollowStrategy will cause cert-manager to recurse through CNAMEs in
	// order to determine which DNS zone to update during DNS01 challenges.
	// This is useful if you do not want to grant cert-manager access to your
	// root DNS zone, and instead delegate the _acme-challenge.example.com
	// subdomain to some other, less privileged domain.
	FollowStrategy = "Follow"
)

Variables

View Source
var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: acme.GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type ACMEAuthorization

type ACMEAuthorization struct {
	// URL is the URL of the Authorization that must be completed
	URL string

	// Identifier is the DNS name to be validated as part of this authorization
	Identifier string

	// Wildcard will be true if this authorization is for a wildcard DNS name.
	// If this is true, the identifier will be the *non-wildcard* version of
	// the DNS name.
	// For example, if '*.example.com' is the DNS name being validated, this
	// field will be 'true' and the 'identifier' field will be 'example.com'.
	Wildcard *bool

	// InitialState is the initial state of the ACME authorization when first
	// fetched from the ACME server.
	// If an Authorization is already 'valid', the Order controller will not
	// create a Challenge resource for the authorization. This will occur when
	// working with an ACME server that enables 'authz reuse' (such as Let's
	// Encrypt's production endpoint).
	// If not set and 'identifier' is set, the state is assumed to be pending
	// and a Challenge will be created.
	// +optional
	InitialState State

	// Challenges specifies the challenge types offered by the ACME server.
	// One of these challenge types will be selected when validating the DNS
	// name and an appropriate Challenge resource will be created to perform
	// the ACME challenge process.
	Challenges []ACMEChallenge
}

ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource.

func (*ACMEAuthorization) DeepCopy

func (in *ACMEAuthorization) DeepCopy() *ACMEAuthorization

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEAuthorization.

func (*ACMEAuthorization) DeepCopyInto

func (in *ACMEAuthorization) DeepCopyInto(out *ACMEAuthorization)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallenge

type ACMEChallenge struct {
	// URL is the URL of this challenge. It can be used to retrieve additional
	// metadata about the Challenge from the ACME server.
	URL string

	// Token is the token that must be presented for this challenge.
	// This is used to compute the 'key' that must also be presented.
	Token string

	// Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
	// 'tls-sni-01', etc.
	// This is the raw value retrieved from the ACME server.
	// Only 'http-01' and 'dns-01' are supported by cert-manager, other values
	// will be ignored.
	Type string
}

Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process.

func (*ACMEChallenge) DeepCopy

func (in *ACMEChallenge) DeepCopy() *ACMEChallenge

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallenge.

func (*ACMEChallenge) DeepCopyInto

func (in *ACMEChallenge) DeepCopyInto(out *ACMEChallenge)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolver

type ACMEChallengeSolver struct {
	// Selector selects a set of DNSNames on the Certificate resource that
	// should be solved using this challenge solver.
	// If not specified, the solver will be treated as the 'default' solver
	// with the lowest priority, i.e. if any other solver has a more specific
	// match, it will be used instead.
	Selector *CertificateDNSNameSelector

	// Configures cert-manager to attempt to complete authorizations by
	// performing the HTTP01 challenge flow.
	// It is not possible to obtain certificates for wildcard domain names
	// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
	HTTP01 *ACMEChallengeSolverHTTP01

	// Configures cert-manager to attempt to complete authorizations by
	// performing the DNS01 challenge flow.
	DNS01 *ACMEChallengeSolverDNS01
}

Configures an issuer to solve challenges using the specified options. Only one of HTTP01 or DNS01 may be provided.

func (*ACMEChallengeSolver) DeepCopy

func (in *ACMEChallengeSolver) DeepCopy() *ACMEChallengeSolver

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolver.

func (*ACMEChallengeSolver) DeepCopyInto

func (in *ACMEChallengeSolver) DeepCopyInto(out *ACMEChallengeSolver)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverDNS01

type ACMEChallengeSolverDNS01 struct {
	// CNAMEStrategy configures how the DNS01 provider should handle CNAME
	// records when found in DNS zones.
	CNAMEStrategy CNAMEStrategy

	// Use the Akamai DNS zone management API to manage DNS01 challenge records.
	Akamai *ACMEIssuerDNS01ProviderAkamai

	// Use the Google Cloud DNS API to manage DNS01 challenge records.
	CloudDNS *ACMEIssuerDNS01ProviderCloudDNS

	// Use the Cloudflare API to manage DNS01 challenge records.
	Cloudflare *ACMEIssuerDNS01ProviderCloudflare

	// Use the AWS Route53 API to manage DNS01 challenge records.
	Route53 *ACMEIssuerDNS01ProviderRoute53

	// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
	AzureDNS *ACMEIssuerDNS01ProviderAzureDNS

	// Use the DigitalOcean DNS API to manage DNS01 challenge records.
	DigitalOcean *ACMEIssuerDNS01ProviderDigitalOcean

	// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
	// DNS01 challenge records.
	AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNS

	// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
	// to manage DNS01 challenge records.
	RFC2136 *ACMEIssuerDNS01ProviderRFC2136

	// Configure an external webhook based DNS01 challenge solver to manage
	// DNS01 challenge records.
	Webhook *ACMEIssuerDNS01ProviderWebhook
}

Used to configure a DNS01 challenge provider to be used when solving DNS01 challenges. Only one DNS provider may be configured per solver.

func (*ACMEChallengeSolverDNS01) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverDNS01.

func (*ACMEChallengeSolverDNS01) DeepCopyInto

func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01

type ACMEChallengeSolverHTTP01 struct {
	// The ingress based HTTP01 challenge solver will solve challenges by
	// creating or modifying Ingress resources in order to route requests for
	// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
	// provisioned by cert-manager for each Challenge to be completed.
	Ingress *ACMEChallengeSolverHTTP01Ingress

	// The Gateway API is a sig-network community API that models service networking
	// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
	// create HTTPRoutes with the specified labels in the same namespace as the challenge.
	// This solver is experimental, and fields / behaviour may change in the future.
	// +optional
	GatewayHTTPRoute *ACMEChallengeSolverHTTP01GatewayHTTPRoute
}

ACMEChallengeSolverHTTP01 contains configuration detailing how to solve HTTP01 challenges within a Kubernetes cluster. Typically this is accomplished through creating 'routes' of some description that configure ingress controllers to direct traffic to 'solver pods', which are responsible for responding to the ACME server's HTTP requests.

func (*ACMEChallengeSolverHTTP01) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01.

func (*ACMEChallengeSolverHTTP01) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01GatewayHTTPRoute

type ACMEChallengeSolverHTTP01GatewayHTTPRoute struct {
	// Optional service type for Kubernetes solver service. Supported values
	// are NodePort or ClusterIP. If unset, defaults to NodePort.
	// +optional
	ServiceType corev1.ServiceType

	// Custom labels that will be applied to HTTPRoutes created by cert-manager
	// while solving HTTP-01 challenges.
	// +optional
	Labels map[string]string

	// When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
	// cert-manager needs to know which parentRefs should be used when creating
	// the HTTPRoute. Usually, the parentRef references a Gateway. See:
	// https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways
	ParentRefs []gwapi.ParentReference

	// Optional pod template used to configure the ACME challenge solver pods
	// used for HTTP01 challenges
	PodTemplate *ACMEChallengeSolverHTTP01IngressPodTemplate
}

func (*ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01GatewayHTTPRoute.

func (*ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01Ingress

type ACMEChallengeSolverHTTP01Ingress struct {
	// Optional service type for Kubernetes solver service. Supported values
	// are NodePort or ClusterIP. If unset, defaults to NodePort.
	// +optional
	ServiceType corev1.ServiceType

	// This field configures the `ingressClassName` when creating Ingress
	// resources to solve ACME challenges that use this challenge solver. This
	// is the recommended way of configuring the ingress class. Only one of
	// `class`, `name` or `ingressClassName` may be specified.
	IngressClassName *string

	// This field configures the annotation `kubernetes.io/ingress.class` when
	// creating Ingress resources to solve ACME challenges that use this
	// challenge solver. Only one of `class`, `name` or `ingressClassName` may
	// be specified.
	Class *string

	// The name of the ingress resource that should have ACME challenge solving
	// routes inserted into it in order to solve HTTP01 challenges.
	// This is typically used in conjunction with ingress controllers like
	// ingress-gce, which maintains a 1:1 mapping between external IPs and
	// ingress resources. Only one of `class`, `name` or `ingressClassName` may
	// be specified.
	Name string

	// Optional pod template used to configure the ACME challenge solver pods
	// used for HTTP01 challenges
	PodTemplate *ACMEChallengeSolverHTTP01IngressPodTemplate

	// Optional ingress template used to configure the ACME challenge solver
	// ingress used for HTTP01 challenges
	IngressTemplate *ACMEChallengeSolverHTTP01IngressTemplate
}

func (*ACMEChallengeSolverHTTP01Ingress) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01Ingress.

func (*ACMEChallengeSolverHTTP01Ingress) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressObjectMeta

type ACMEChallengeSolverHTTP01IngressObjectMeta struct {
	// Annotations that should be added to the created ACME HTTP01 solver ingress.
	Annotations map[string]string

	// Labels that should be added to the created ACME HTTP01 solver ingress.
	Labels map[string]string
}

func (*ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressObjectMeta.

func (*ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressPodObjectMeta

type ACMEChallengeSolverHTTP01IngressPodObjectMeta struct {
	// Annotations that should be added to the created ACME HTTP01 solver pods.
	Annotations map[string]string

	// Labels that should be added to the created ACME HTTP01 solver pods.
	Labels map[string]string
}

func (*ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodObjectMeta.

func (*ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressPodSecurityContext

type ACMEChallengeSolverHTTP01IngressPodSecurityContext struct {
	// The SELinux context to be applied to all containers.
	// If unspecified, the container runtime will allocate a random SELinux context for each
	// container.  May also be set in SecurityContext.  If set in
	// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
	// takes precedence for that container.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty"`
	// The UID to run the entrypoint of the container process.
	// Defaults to user specified in image metadata if unspecified.
	// May also be set in SecurityContext.  If set in both SecurityContext and
	// PodSecurityContext, the value specified in SecurityContext takes precedence
	// for that container.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	RunAsUser *int64 `json:"runAsUser,omitempty"`
	// The GID to run the entrypoint of the container process.
	// Uses runtime default if unset.
	// May also be set in SecurityContext.  If set in both SecurityContext and
	// PodSecurityContext, the value specified in SecurityContext takes precedence
	// for that container.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
	// Indicates that the container must run as a non-root user.
	// If true, the Kubelet will validate the image at runtime to ensure that it
	// does not run as UID 0 (root) and fail to start the container if it does.
	// If unset or false, no such validation will be performed.
	// May also be set in SecurityContext.  If set in both SecurityContext and
	// PodSecurityContext, the value specified in SecurityContext takes precedence.
	// +optional
	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
	// A list of groups applied to the first process run in each container, in addition
	// to the container's primary GID, the fsGroup (if specified), and group memberships
	// defined in the container image for the uid of the container process. If unspecified,
	// no additional groups are added to any container. Note that group memberships
	// defined in the container image for the uid of the container process are still effective,
	// even if they are not included in this list.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
	// A special supplemental group that applies to all containers in a pod.
	// Some volume types allow the Kubelet to change the ownership of that volume
	// to be owned by the pod:
	//
	// 1. The owning GID will be the FSGroup
	// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
	// 3. The permission bits are OR'd with rw-rw----
	//
	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	FSGroup *int64 `json:"fsGroup,omitempty"`
	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
	// sysctls (by the container runtime) might fail to launch.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	Sysctls []corev1.Sysctl `json:"sysctls,omitempty"`
	// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
	// before being exposed inside Pod. This field will only apply to
	// volume types which support fsGroup based ownership(and permissions).
	// It will have no effect on ephemeral volume types such as: secret, configmaps
	// and emptydir.
	// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	FSGroupChangePolicy *corev1.PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty"`
	// The seccomp options to use by the containers in this pod.
	// Note that this field cannot be set when spec.os.name is windows.
	// +optional
	SeccompProfile *corev1.SeccompProfile `json:"seccompProfile,omitempty"`
}

func (*ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSecurityContext.

func (*ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressPodSpec

type ACMEChallengeSolverHTTP01IngressPodSpec struct {
	// NodeSelector is a selector which must be true for the pod to fit on a node.
	// Selector which must match a node's labels for the pod to be scheduled on that node.
	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
	NodeSelector map[string]string

	// If specified, the pod's scheduling constraints
	Affinity *corev1.Affinity

	// If specified, the pod's tolerations.
	Tolerations []corev1.Toleration

	// If specified, the pod's priorityClassName.
	PriorityClassName string

	// If specified, the pod's service account
	// +optional
	ServiceAccountName string

	// If specified, the pod's imagePullSecrets
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty" patchMergeKey:"name" patchStrategy:"merge"`

	// If specified, the pod's security context
	// +optional
	SecurityContext *ACMEChallengeSolverHTTP01IngressPodSecurityContext `json:"securityContext,omitempty"`
}

func (*ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSpec.

func (*ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressPodTemplate

type ACMEChallengeSolverHTTP01IngressPodTemplate struct {
	// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
	// Only the 'labels' and 'annotations' fields may be set.
	// If labels or §annotations overlap with in-built values, the values here
	// will override the in-built values.
	ACMEChallengeSolverHTTP01IngressPodObjectMeta

	// PodSpec defines overrides for the HTTP01 challenge solver pod.
	// Only the 'priorityClassName', 'nodeSelector', 'affinity',
	// 'serviceAccountName' and 'tolerations' fields are supported currently.
	// All other fields will be ignored.
	// +optional
	Spec ACMEChallengeSolverHTTP01IngressPodSpec
}

func (*ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodTemplate.

func (*ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeSolverHTTP01IngressTemplate

type ACMEChallengeSolverHTTP01IngressTemplate struct {
	// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
	// Only the 'labels' and 'annotations' fields may be set.
	// If labels or annotations overlap with in-built values, the values here
	// will override the in-built values.
	ACMEChallengeSolverHTTP01IngressObjectMeta
}

func (*ACMEChallengeSolverHTTP01IngressTemplate) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressTemplate.

func (*ACMEChallengeSolverHTTP01IngressTemplate) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEChallengeType

type ACMEChallengeType string

The type of ACME challenge. Only HTTP-01 and DNS-01 are supported.

const (
	// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
	// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
	ACMEChallengeTypeHTTP01 ACMEChallengeType = "HTTP-01"

	// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
	// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
	ACMEChallengeTypeDNS01 ACMEChallengeType = "DNS-01"
)

type ACMEExternalAccountBinding

type ACMEExternalAccountBinding struct {
	// keyID is the ID of the CA key that the External Account is bound to.
	KeyID string

	// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
	// Secret which holds the symmetric MAC key of the External Account Binding.
	// The `key` is the index string that is paired with the key data in the
	// Secret and should not be confused with the key data itself, or indeed with
	// the External Account Binding keyID above.
	// The secret key stored in the Secret **must** be un-padded, base64 URL
	// encoded data.
	Key cmmeta.SecretKeySelector

	// Deprecated: keyAlgorithm exists for historical compatibility reasons and
	// should not be used. golang/x/crypto/acme hardcodes the algorithm to HS256
	// so setting this field will have no effect.
	// See https://github.com/nholuongut/cert-manager/issues/3220#issuecomment-809438314
	KeyAlgorithm HMACKeyAlgorithm
}

ACMEExternalAccountBinding is a reference to a CA external account of the ACME server.

func (*ACMEExternalAccountBinding) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEExternalAccountBinding.

func (*ACMEExternalAccountBinding) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuer

type ACMEIssuer struct {
	// Email is the email address to be associated with the ACME account.
	// This field is optional, but it is strongly recommended to be set.
	// It will be used to contact you in case of issues with your account or
	// certificates, including expiry notification emails.
	// This field may be updated after the account is initially registered.
	Email string

	// Server is the URL used to access the ACME server's 'directory' endpoint.
	// For example, for Let's Encrypt's staging endpoint, you would use:
	// "https://acme-staging-v02.api.letsencrypt.org/directory".
	// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
	Server string

	// PreferredChain is the chain to use if the ACME server outputs multiple.
	// PreferredChain is no guarantee that this one gets delivered by the ACME
	// endpoint.
	// For example, for Let's Encrypt's DST crosssign you would use:
	// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
	PreferredChain string

	// Base64-encoded bundle of PEM CAs which can be used to validate the certificate
	// chain presented by the ACME server.
	// Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
	// kinds of security vulnerabilities.
	// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
	// the container is used to validate the TLS connection.
	CABundle []byte

	// INSECURE: Enables or disables validation of the ACME server TLS certificate.
	// If true, requests to the ACME server will not have the TLS certificate chain
	// validated.
	// Mutually exclusive with CABundle; prefer using CABundle to prevent various
	// kinds of security vulnerabilities.
	// Only enable this option in development environments.
	// If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
	// the container is used to validate the TLS connection.
	// Defaults to false.
	SkipTLSVerify bool

	// ExternalAccountBinding is a reference to a CA external account of the ACME
	// server.
	// If set, upon registration cert-manager will attempt to associate the given
	// external account credentials with the registered ACME account.
	ExternalAccountBinding *ACMEExternalAccountBinding

	// PrivateKey is the name of a Kubernetes Secret resource that will be used to
	// store the automatically generated ACME account private key.
	// Optionally, a `key` may be specified to select a specific entry within
	// the named Secret resource.
	// If `key` is not specified, a default of `tls.key` will be used.
	PrivateKey cmmeta.SecretKeySelector

	// Solvers is a list of challenge solvers that will be used to solve
	// ACME challenges for the matching domains.
	// Solver configurations must be provided in order to obtain certificates
	// from an ACME server.
	// For more information, see: https://cert-manager.io/docs/configuration/acme/
	Solvers []ACMEChallengeSolver

	// Enables or disables generating a new ACME account key.
	// If true, the Issuer resource will *not* request a new account but will expect
	// the account key to be supplied via an existing secret.
	// If false, the cert-manager system will generate a new ACME account key
	// for the Issuer.
	// Defaults to false.
	DisableAccountKeyGeneration bool

	// Enables requesting a Not After date on certificates that matches the
	// duration of the certificate. This is not supported by all ACME servers
	// like Let's Encrypt. If set to true when the ACME server does not support
	// it, it will create an error on the Order.
	// Defaults to false.
	EnableDurationFeature bool
}

ACMEIssuer contains the specification for an ACME issuer. This uses the RFC8555 specification to obtain certificates by completing 'challenges' to prove ownership of domain identifiers. Earlier draft versions of the ACME specification are not supported.

func (*ACMEIssuer) DeepCopy

func (in *ACMEIssuer) DeepCopy() *ACMEIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuer.

func (*ACMEIssuer) DeepCopyInto

func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderAcmeDNS

type ACMEIssuerDNS01ProviderAcmeDNS struct {
	Host string

	AccountSecret cmmeta.SecretKeySelector
}

ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the configuration for ACME-DNS servers

func (*ACMEIssuerDNS01ProviderAcmeDNS) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAcmeDNS.

func (*ACMEIssuerDNS01ProviderAcmeDNS) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderAkamai

type ACMEIssuerDNS01ProviderAkamai struct {
	ServiceConsumerDomain string
	ClientToken           cmmeta.SecretKeySelector
	ClientSecret          cmmeta.SecretKeySelector
	AccessToken           cmmeta.SecretKeySelector
}

ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS configuration for Akamai DNS—Zone Record Management API

func (*ACMEIssuerDNS01ProviderAkamai) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAkamai.

func (*ACMEIssuerDNS01ProviderAkamai) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderAzureDNS

type ACMEIssuerDNS01ProviderAzureDNS struct {
	// if both this and ClientSecret are left unset MSI will be used
	ClientID string

	// if both this and ClientID are left unset MSI will be used
	ClientSecret *cmmeta.SecretKeySelector

	SubscriptionID string

	// when specifying ClientID and ClientSecret then this field is also needed
	TenantID string

	ResourceGroupName string

	HostedZoneName string

	Environment AzureDNSEnvironment

	ManagedIdentity *AzureManagedIdentity
}

ACMEIssuerDNS01ProviderAzureDNS is a structure containing the configuration for Azure DNS

func (*ACMEIssuerDNS01ProviderAzureDNS) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAzureDNS.

func (*ACMEIssuerDNS01ProviderAzureDNS) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderCloudDNS

type ACMEIssuerDNS01ProviderCloudDNS struct {
	ServiceAccount *cmmeta.SecretKeySelector
	Project        string
	HostedZoneName string
}

ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS configuration for Google Cloud DNS

func (*ACMEIssuerDNS01ProviderCloudDNS) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudDNS.

func (*ACMEIssuerDNS01ProviderCloudDNS) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderCloudflare

type ACMEIssuerDNS01ProviderCloudflare struct {
	// Email of the account, only required when using API key based authentication.
	Email string

	// API key to use to authenticate with Cloudflare.
	// Note: using an API token to authenticate is now the recommended method
	// as it allows greater control of permissions.
	APIKey *cmmeta.SecretKeySelector

	// API token used to authenticate with Cloudflare.
	APIToken *cmmeta.SecretKeySelector
}

ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS configuration for Cloudflare. One of `apiKeySecretRef` or `apiTokenSecretRef` must be provided.

func (*ACMEIssuerDNS01ProviderCloudflare) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudflare.

func (*ACMEIssuerDNS01ProviderCloudflare) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderDigitalOcean

type ACMEIssuerDNS01ProviderDigitalOcean struct {
	Token cmmeta.SecretKeySelector
}

ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS configuration for DigitalOcean Domains

func (*ACMEIssuerDNS01ProviderDigitalOcean) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderDigitalOcean.

func (*ACMEIssuerDNS01ProviderDigitalOcean) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderRFC2136

type ACMEIssuerDNS01ProviderRFC2136 struct {
	// The IP address or hostname of an authoritative DNS server supporting
	// RFC2136 in the form host:port. If the host is an IPv6 address it must be
	// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
	// This field is required.
	Nameserver string

	// The name of the secret containing the TSIG value.
	// If “tsigKeyName“ is defined, this field is required.
	TSIGSecret cmmeta.SecretKeySelector

	// The TSIG Key name configured in the DNS.
	// If “tsigSecretSecretRef“ is defined, this field is required.
	TSIGKeyName string

	// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
	// when “tsigSecretSecretRef“ and “tsigKeyName“ are defined.
	// Supported values are (case-insensitive): “HMACMD5“ (default),
	// “HMACSHA1“, “HMACSHA256“ or “HMACSHA512“.
	TSIGAlgorithm string
}

ACMEIssuerDNS01ProviderRFC2136 is a structure containing the configuration for RFC2136 DNS

func (*ACMEIssuerDNS01ProviderRFC2136) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderRFC2136.

func (*ACMEIssuerDNS01ProviderRFC2136) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderRoute53

type ACMEIssuerDNS01ProviderRoute53 struct {
	// Auth configures how cert-manager authenticates.
	Auth *Route53Auth

	// The AccessKeyID is used for authentication.
	// Cannot be set when SecretAccessKeyID is set.
	// If neither the Access Key nor Key ID are set, we fall-back to using env
	// vars, shared credentials file or AWS Instance metadata,
	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
	AccessKeyID string

	// The SecretAccessKey is used for authentication. If set, pull the AWS
	// access key ID from a key within a Kubernetes Secret.
	// Cannot be set when AccessKeyID is set.
	// If neither the Access Key nor Key ID are set, we fall-back to using env
	// vars, shared credentials file or AWS Instance metadata,
	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
	SecretAccessKeyID *cmmeta.SecretKeySelector

	// The SecretAccessKey is used for authentication.
	// If neither the Access Key nor Key ID are set, we fall-back to using env
	// vars, shared credentials file or AWS Instance metadata,
	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
	SecretAccessKey cmmeta.SecretKeySelector

	// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
	// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
	Role string

	// If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
	HostedZoneID string

	// Always set the region when using AccessKeyID and SecretAccessKey
	Region string
}

ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 configuration for AWS

func (*ACMEIssuerDNS01ProviderRoute53) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderRoute53.

func (*ACMEIssuerDNS01ProviderRoute53) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerDNS01ProviderWebhook

type ACMEIssuerDNS01ProviderWebhook struct {
	// The API group name that should be used when POSTing ChallengePayload
	// resources to the webhook apiserver.
	// This should be the same as the GroupName specified in the webhook
	// provider implementation.
	GroupName string

	// The name of the solver to use, as defined in the webhook provider
	// implementation.
	// This will typically be the name of the provider, e.g. 'cloudflare'.
	SolverName string

	// Additional configuration that should be passed to the webhook apiserver
	// when challenges are processed.
	// This can contain arbitrary JSON data.
	// Secret values should not be specified in this stanza.
	// If secret values are needed (e.g. credentials for a DNS service), you
	// should use a SecretKeySelector to reference a Secret resource.
	// For details on the schema of this field, consult the webhook provider
	// implementation's documentation.
	Config *apiextensionsv1.JSON
}

ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01 provider, including where to POST ChallengePayload resources.

func (*ACMEIssuerDNS01ProviderWebhook) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderWebhook.

func (*ACMEIssuerDNS01ProviderWebhook) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ACMEIssuerStatus

type ACMEIssuerStatus struct {
	// URI is the unique account identifier, which can also be used to retrieve
	// account details from the CA
	URI string

	// LastRegisteredEmail is the email associated with the latest registered
	// ACME account, in order to track changes made to registered account
	// associated with the  Issuer
	LastRegisteredEmail string

	// LastPrivateKeyHash is a hash of the private key associated with the latest
	// registered ACME account, in order to track changes made to registered account
	// associated with the Issuer
	LastPrivateKeyHash string
}

func (*ACMEIssuerStatus) DeepCopy

func (in *ACMEIssuerStatus) DeepCopy() *ACMEIssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerStatus.

func (*ACMEIssuerStatus) DeepCopyInto

func (in *ACMEIssuerStatus) DeepCopyInto(out *ACMEIssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureDNSEnvironment

type AzureDNSEnvironment string
const (
	AzurePublicCloud       AzureDNSEnvironment = "AzurePublicCloud"
	AzureChinaCloud        AzureDNSEnvironment = "AzureChinaCloud"
	AzureGermanCloud       AzureDNSEnvironment = "AzureGermanCloud"
	AzureUSGovernmentCloud AzureDNSEnvironment = "AzureUSGovernmentCloud"
)

type AzureManagedIdentity

type AzureManagedIdentity struct {
	ClientID string

	ResourceID string

	TenantID string
}

func (*AzureManagedIdentity) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureManagedIdentity.

func (*AzureManagedIdentity) DeepCopyInto

func (in *AzureManagedIdentity) DeepCopyInto(out *AzureManagedIdentity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CNAMEStrategy

type CNAMEStrategy string

CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. By default, the None strategy will be applied (i.e. do not follow CNAMEs).

type CertificateDNSNameSelector

type CertificateDNSNameSelector struct {
	// A label selector that is used to refine the set of certificate's that
	// this challenge solver will apply to.
	MatchLabels map[string]string

	// List of DNSNames that this solver will be used to solve.
	// If specified and a match is found, a dnsNames selector will take
	// precedence over a dnsZones selector.
	// If multiple solvers match with the same dnsNames value, the solver
	// with the most matching labels in matchLabels will be selected.
	// If neither has more matches, the solver defined earlier in the list
	// will be selected.
	DNSNames []string

	// List of DNSZones that this solver will be used to solve.
	// The most specific DNS zone match specified here will take precedence
	// over other DNS zone matches, so a solver specifying sys.example.com
	// will be selected over one specifying example.com for the domain
	// www.sys.example.com.
	// If multiple solvers match with the same dnsZones value, the solver
	// with the most matching labels in matchLabels will be selected.
	// If neither has more matches, the solver defined earlier in the list
	// will be selected.
	DNSZones []string
}

CertificateDomainSelector selects certificates using a label selector, and can optionally select individual DNS names within those certificates. If both MatchLabels and DNSNames are empty, this selector will match all certificates and DNS names within them.

func (*CertificateDNSNameSelector) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateDNSNameSelector.

func (*CertificateDNSNameSelector) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Challenge

type Challenge struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	Spec   ChallengeSpec
	Status ChallengeStatus
}

Challenge is a type to represent a Challenge request with an ACME server

func (*Challenge) DeepCopy

func (in *Challenge) DeepCopy() *Challenge

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Challenge.

func (*Challenge) DeepCopyInto

func (in *Challenge) DeepCopyInto(out *Challenge)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Challenge) DeepCopyObject

func (in *Challenge) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ChallengeList

type ChallengeList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []Challenge
}

ChallengeList is a list of Challenges

func (*ChallengeList) DeepCopy

func (in *ChallengeList) DeepCopy() *ChallengeList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeList.

func (*ChallengeList) DeepCopyInto

func (in *ChallengeList) DeepCopyInto(out *ChallengeList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ChallengeList) DeepCopyObject

func (in *ChallengeList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ChallengeSpec

type ChallengeSpec struct {
	// The URL of the ACME Challenge resource for this challenge.
	// This can be used to lookup details about the status of this challenge.
	URL string

	// The URL to the ACME Authorization resource that this
	// challenge is a part of.
	AuthorizationURL string

	// dnsName is the identifier that this challenge is for, e.g. example.com.
	// If the requested DNSName is a 'wildcard', this field MUST be set to the
	// non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
	DNSName string

	// wildcard will be true if this challenge is for a wildcard identifier,
	// for example '*.example.com'.
	Wildcard bool

	// The type of ACME challenge this resource represents.
	// One of "HTTP-01" or "DNS-01".
	Type ACMEChallengeType

	// The ACME challenge token for this challenge.
	// This is the raw value returned from the ACME server.
	Token string

	// The ACME challenge key for this challenge
	// For HTTP01 challenges, this is the value that must be responded with to
	// complete the HTTP01 challenge in the format:
	// `<private key JWK thumbprint>.<key from acme server for challenge>`.
	// For DNS01 challenges, this is the base64 encoded SHA256 sum of the
	// `<private key JWK thumbprint>.<key from acme server for challenge>`
	// text that must be set as the TXT record content.
	Key string

	// Contains the domain solving configuration that should be used to
	// solve this challenge resource.
	Solver ACMEChallengeSolver

	// References a properly configured ACME-type Issuer which should
	// be used to create this Challenge.
	// If the Issuer does not exist, processing will be retried.
	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
	// Challenge will be marked as failed.
	IssuerRef cmmeta.ObjectReference
}

func (*ChallengeSpec) DeepCopy

func (in *ChallengeSpec) DeepCopy() *ChallengeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeSpec.

func (*ChallengeSpec) DeepCopyInto

func (in *ChallengeSpec) DeepCopyInto(out *ChallengeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ChallengeStatus

type ChallengeStatus struct {
	// Processing is used to denote whether this challenge should be processed
	// or not.
	// This field will only be set to true by the 'scheduling' component.
	// It will only be set to false by the 'challenges' controller, after the
	// challenge has reached a final state or timed out.
	// If this field is set to false, the challenge controller will not take
	// any more action.
	Processing bool

	// Presented will be set to true if the challenge values for this challenge
	// are currently 'presented'.
	// This *does not* imply the self check is passing. Only that the values
	// have been 'submitted' for the appropriate challenge mechanism (i.e. the
	// DNS01 TXT record has been presented, or the HTTP01 configuration has been
	// configured).
	Presented bool

	// Reason contains human readable information on why the Challenge is in the
	// current state.
	Reason string

	// State contains the current 'state' of the challenge.
	// If not set, the state of the challenge is unknown.
	State State
}

func (*ChallengeStatus) DeepCopy

func (in *ChallengeStatus) DeepCopy() *ChallengeStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeStatus.

func (*ChallengeStatus) DeepCopyInto

func (in *ChallengeStatus) DeepCopyInto(out *ChallengeStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type HMACKeyAlgorithm

type HMACKeyAlgorithm string

HMACKeyAlgorithm is the name of a key algorithm used for HMAC encryption

const (
	HS256 HMACKeyAlgorithm = "HS256"
	HS384 HMACKeyAlgorithm = "HS384"
	HS512 HMACKeyAlgorithm = "HS512"
)

type Order

type Order struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	Spec   OrderSpec
	Status OrderStatus
}

Order is a type to represent an Order with an ACME server

func (*Order) DeepCopy

func (in *Order) DeepCopy() *Order

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Order.

func (*Order) DeepCopyInto

func (in *Order) DeepCopyInto(out *Order)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Order) DeepCopyObject

func (in *Order) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type OrderList

type OrderList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []Order
}

OrderList is a list of Orders

func (*OrderList) DeepCopy

func (in *OrderList) DeepCopy() *OrderList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderList.

func (*OrderList) DeepCopyInto

func (in *OrderList) DeepCopyInto(out *OrderList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*OrderList) DeepCopyObject

func (in *OrderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type OrderSpec

type OrderSpec struct {
	// Certificate signing request bytes in DER encoding.
	// This will be used when finalizing the order.
	// This field must be set on the order.
	Request []byte

	// IssuerRef references a properly configured ACME-type Issuer which should
	// be used to create this Order.
	// If the Issuer does not exist, processing will be retried.
	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
	// Order will be marked as failed.
	IssuerRef cmmeta.ObjectReference

	// CommonName is the common name as specified on the DER encoded CSR.
	// If specified, this value must also be present in `dnsNames` or `ipAddresses`.
	// This field must match the corresponding field on the DER encoded CSR.
	CommonName string

	// DNSNames is a list of DNS names that should be included as part of the Order
	// validation process.
	// This field must match the corresponding field on the DER encoded CSR.
	DNSNames []string

	// IPAddresses is a list of IP addresses that should be included as part of the Order
	// validation process.
	// This field must match the corresponding field on the DER encoded CSR.
	IPAddresses []string

	// Duration is the duration for the not after date for the requested certificate.
	// this is set on order creation as pe the ACME spec.
	Duration *metav1.Duration
}

func (*OrderSpec) DeepCopy

func (in *OrderSpec) DeepCopy() *OrderSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderSpec.

func (*OrderSpec) DeepCopyInto

func (in *OrderSpec) DeepCopyInto(out *OrderSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OrderStatus

type OrderStatus struct {
	// URL of the Order.
	// This will initially be empty when the resource is first created.
	// The Order controller will populate this field when the Order is first processed.
	// This field will be immutable after it is initially set.
	URL string

	// FinalizeURL of the Order.
	// This is used to obtain certificates for this order once it has been completed.
	FinalizeURL string

	// Certificate is a copy of the PEM encoded certificate for this Order.
	// This field will be populated after the order has been successfully
	// finalized with the ACME server, and the order has transitioned to the
	// 'valid' state.
	Certificate []byte

	// State contains the current state of this Order resource.
	// States 'success' and 'expired' are 'final'
	State State

	// Reason optionally provides more information about a why the order is in
	// the current state.
	Reason string

	// Authorizations contains data returned from the ACME server on what
	// authorizations must be completed in order to validate the DNS names
	// specified on the Order.
	Authorizations []ACMEAuthorization

	// FailureTime stores the time that this order failed.
	// This is used to influence garbage collection and back-off.
	FailureTime *metav1.Time
}

func (*OrderStatus) DeepCopy

func (in *OrderStatus) DeepCopy() *OrderStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderStatus.

func (*OrderStatus) DeepCopyInto

func (in *OrderStatus) DeepCopyInto(out *OrderStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Route53Auth

type Route53Auth struct {
	// Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
	// by passing a bound ServiceAccount token.
	Kubernetes *Route53KubernetesAuth
}

Route53Auth is configuration used to authenticate with a Route53.

func (*Route53Auth) DeepCopy

func (in *Route53Auth) DeepCopy() *Route53Auth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Route53Auth.

func (*Route53Auth) DeepCopyInto

func (in *Route53Auth) DeepCopyInto(out *Route53Auth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Route53KubernetesAuth

type Route53KubernetesAuth struct {
	// A reference to a service account that will be used to request a bound
	// token (also known as "projected token"). To use this field, you must
	// configure an RBAC rule to let cert-manager request a token.
	ServiceAccountRef *ServiceAccountRef
}

Route53KubernetesAuth is a configuration to authenticate against Route53 using a bound Kubernetes ServiceAccount token.

func (*Route53KubernetesAuth) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Route53KubernetesAuth.

func (*Route53KubernetesAuth) DeepCopyInto

func (in *Route53KubernetesAuth) DeepCopyInto(out *Route53KubernetesAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ServiceAccountRef

type ServiceAccountRef struct {
	// Name of the ServiceAccount used to request a token.
	Name string

	// TokenAudiences is an optional list of audiences to include in the
	// token passed to AWS. The default token consisting of the issuer's namespace
	// and name is always included.
	// If unset the audience defaults to `sts.amazonaws.com`.
	TokenAudiences []string
}

ServiceAccountRef is a service account used by cert-manager to request a token. The expiration of the token is also set by cert-manager to 10 minutes.

func (*ServiceAccountRef) DeepCopy

func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountRef.

func (*ServiceAccountRef) DeepCopyInto

func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type State

type State string

State represents the state of an ACME resource, such as an Order. The possible options here map to the corresponding values in the ACME specification. Full details of these values can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-7.1.6 Clients utilising this type must also gracefully handle unknown values, as the contents of this enumeration may be added to over time.

const (
	// Unknown is not a real state as part of the ACME spec.
	// It is used to represent an unrecognised value.
	Unknown State = ""

	// Valid signifies that an ACME resource is in a valid state.
	// If an order is 'valid', it has been finalized with the ACME server and
	// the certificate can be retrieved from the ACME server using the
	// certificate URL stored in the Order's status subresource.
	// This is a final state.
	Valid State = "valid"

	// Ready signifies that an ACME resource is in a ready state.
	// If an order is 'ready', all of its challenges have been completed
	// successfully and the order is ready to be finalized.
	// Once finalized, it will transition to the Valid state.
	// This is a transient state.
	Ready State = "ready"

	// Pending signifies that an ACME resource is still pending and is not yet ready.
	// If an Order is marked 'Pending', the validations for that Order are still in progress.
	// This is a transient state.
	Pending State = "pending"

	// Processing signifies that an ACME resource is being processed by the server.
	// If an Order is marked 'Processing', the validations for that Order are currently being processed.
	// This is a transient state.
	Processing State = "processing"

	// Invalid signifies that an ACME resource is invalid for some reason.
	// If an Order is marked 'invalid', one of its validations must be invalid for some reason.
	// This is a final state.
	Invalid State = "invalid"

	// Expired signifies that an ACME resource has expired.
	// If an Order is marked 'Expired', one of its validations may have expired or the Order itself.
	// This is a final state.
	Expired State = "expired"

	// Errored signifies that the ACME resource has errored for some reason.
	// This is a catch-all state, and is used for marking internal cert-manager
	// errors such as validation failures.
	// This is a final state.
	Errored State = "errored"
)

Directories

Path Synopsis
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the API group, making it available as an option to all of the API encoding/decoding machinery.
+groupName=acme.cert-manager.io
+groupName=acme.cert-manager.io

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL