v1

package
v1.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 13, 2022 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// Pending indicates that a CertificateRequest is still in progress.
	CertificateRequestReasonPending = "Pending"

	// Failed indicates that a CertificateRequest has failed, either due to
	// timing out or some other critical failure.
	CertificateRequestReasonFailed = "Failed"

	// Issued indicates that a CertificateRequest has been completed, and that
	// the `status.certificate` field is set.
	CertificateRequestReasonIssued = "Issued"

	// Denied is a Ready condition reason that indicates that a
	// CertificateRequest has been denied, and the CertificateRequest will never
	// be issued.
	CertificateRequestReasonDenied = "Denied"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CertificateRequest

type CertificateRequest struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Desired state of the CertificateRequest resource.
	Spec CertificateRequestSpec `json:"spec"`

	// Status of the CertificateRequest. This is set and managed automatically.
	Status CertificateRequestStatus `json:"status"`
}

A CertificateRequest is used to request a signed certificate from one of the configured issuers.

All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.

A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.

func (*CertificateRequest) DeepCopy

func (in *CertificateRequest) DeepCopy() *CertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.

func (*CertificateRequest) DeepCopyInto

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequest) DeepCopyObject

func (in *CertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestCondition

type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
	// `Approved`, `Denied`).
	Type CertificateRequestConditionType `json:"type"`

	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string `json:"message,omitempty"`
}

CertificateRequestCondition contains condition information for a CertificateRequest.

func (*CertificateRequestCondition) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.

func (*CertificateRequestCondition) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestConditionType

type CertificateRequestConditionType string

CertificateRequestConditionType represents an Certificate condition value.

const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"

	// CertificateRequestConditionApproved indicates that a certificate request
	// is approved and ready for signing. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Denied`.
	CertificateRequestConditionApproved CertificateRequestConditionType = "Approved"

	// CertificateRequestConditionDenied indicates that a certificate request is
	// denied, and must never be signed. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Approved`.
	CertificateRequestConditionDenied CertificateRequestConditionType = "Denied"
)

type CertificateRequestList

type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []CertificateRequest `json:"items"`
}

CertificateRequestList is a list of Certificates

func (*CertificateRequestList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.

func (*CertificateRequestList) DeepCopyInto

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequestList) DeepCopyObject

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestSpec

type CertificateRequestSpec struct {
	// The requested 'duration' (i.e. lifetime) of the Certificate.
	// This option may be ignored/overridden by some issuer types.
	Duration *metav1.Duration `json:"duration,omitempty"`

	// IssuerRef is a reference to the issuer for this CertificateRequest.  If
	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
	// the given name in the same namespace as the CertificateRequest will be
	// used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
	// the provided name will be used. The `name` field in this stanza is
	// required at all times. The group field refers to the API group of the
	// issuer which defaults to `cert-manager.io` if empty.
	IssuerRef ObjectReference `json:"issuerRef"`

	// The PEM-encoded x509 certificate signing request to be submitted to the
	// CA for signing.
	Request []byte `json:"request"`

	// IsCA will request to mark the certificate as valid for certificate signing
	// when submitting to the issuer.
	// This will automatically add the `cert sign` usage to the list of `usages`.
	IsCA bool `json:"isCA,omitempty"`

	// Usages is the set of x509 usages that are requested for the certificate.
	// If usages are set they SHOULD be encoded inside the CSR spec
	// Defaults to `digital signature` and `key encipherment` if not specified.
	Usages []KeyUsage `json:"usages,omitempty"`

	// Username contains the name of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Username string `json:"username,omitempty"`
	// UID contains the uid of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	UID string `json:"uid,omitempty"`
	// Groups contains group membership of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Groups []string `json:"groups,omitempty"`
	// Extra contains extra attributes of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Extra map[string][]string `json:"extra,omitempty"`
}

CertificateRequestSpec defines the desired state of CertificateRequest

func (*CertificateRequestSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.

func (*CertificateRequestSpec) DeepCopyInto

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestStatus

type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready` and `InvalidRequest`.
	Conditions []CertificateRequestCondition `json:"conditions,omitempty"`

	// The PEM encoded x509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	Certificate []byte `json:"certificate,omitempty"`

	// The PEM encoded x509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	CA []byte `json:"ca,omitempty"`

	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	FailureTime *metav1.Time `json:"failureTime,omitempty"`
}

CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.

func (*CertificateRequestStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.

func (*CertificateRequestStatus) DeepCopyInto

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConditionStatus

type ConditionStatus string

ConditionStatus represents a condition's status.

const (
	// ConditionTrue represents the fact that a given condition is true
	ConditionTrue ConditionStatus = "True"

	// ConditionFalse represents the fact that a given condition is false
	ConditionFalse ConditionStatus = "False"

	// ConditionUnknown represents the fact that a given condition is unknown
	ConditionUnknown ConditionStatus = "Unknown"
)

These are valid condition statuses. "ConditionTrue" means a resource is in the condition; "ConditionFalse" means a resource is not in the condition; "ConditionUnknown" means kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.

type KeyUsage

type KeyUsage string

KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

https://tools.ietf.org/html/rfc5280#section-4.2.1.12

Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"

const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)

type ObjectReference

type ObjectReference struct {
	// Name of the resource being referred to.
	Name string `json:"name"`
	// Kind of the resource being referred to.
	Kind string `json:"kind,omitempty"`
	// Group of the resource being referred to.
	Group string `json:"group,omitempty"`
}

ObjectReference is a reference to an object with a given name, kind and group.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL