Documentation ¶
Constants ¶
const (
	// Pending indicates that a CertificateRequest is still in progress.
	CertificateRequestReasonPending = "Pending"
	// Failed indicates that a CertificateRequest has failed, either due to
	// timing out or some other critical failure.
	CertificateRequestReasonFailed = "Failed"
	// Issued indicates that a CertificateRequest has been completed, and that
	// the `status.certificate` field is set.
	CertificateRequestReasonIssued = "Issued"
	// Denied is a Ready condition reason that indicates that a
	// CertificateRequest has been denied, and the CertificateRequest will never
	// be issued.
	CertificateRequestReasonDenied = "Denied"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CertificateRequest ¶
type CertificateRequest struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Desired state of the CertificateRequest resource.
	Spec CertificateRequestSpec `json:"spec"`
	// Status of the CertificateRequest. This is set and managed automatically.
	Status CertificateRequestStatus `json:"status"`
}
A CertificateRequest is used to request a signed certificate from one of the configured issuers.
All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.
A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used.
func (*CertificateRequest) DeepCopy ¶
func (in *CertificateRequest) DeepCopy() *CertificateRequest
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.
func (*CertificateRequest) DeepCopyInto ¶
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequest) DeepCopyObject ¶
func (in *CertificateRequest) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestCondition ¶
type CertificateRequestCondition struct {
	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
	// `Approved`, `Denied`).
	Type CertificateRequestConditionType `json:"type"`
	// Status of the condition, one of (`True`, `False`, `Unknown`).
	Status ConditionStatus `json:"status"`
	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	Reason string `json:"reason,omitempty"`
	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	Message string `json:"message,omitempty"`
}
CertificateRequestCondition contains condition information for a CertificateRequest.
func (*CertificateRequestCondition) DeepCopy ¶
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.
func (*CertificateRequestCondition) DeepCopyInto ¶
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestConditionType ¶
type CertificateRequestConditionType string
CertificateRequestConditionType represents a Certificate condition value.
const (
	// CertificateRequestConditionReady indicates that a certificate is ready for use.
	// This is defined as:
	// - The target certificate exists in CertificateRequest.Status
	CertificateRequestConditionReady CertificateRequestConditionType = "Ready"
	// CertificateRequestConditionInvalidRequest indicates that a certificate
	// signer has refused to sign the request due to at least one of the input
	// parameters being invalid. Additional information about why the request
	// was rejected can be found in the `reason` and `message` fields.
	CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"
	// CertificateRequestConditionApproved indicates that a certificate request
	// is approved and ready for signing. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Denied`.
	CertificateRequestConditionApproved CertificateRequestConditionType = "Approved"
	// CertificateRequestConditionDenied indicates that a certificate request is
	// denied, and must never be signed. Condition must never have a status of
	// `False`, and cannot be modified once set. Cannot be set alongside
	// `Approved`.
	CertificateRequestConditionDenied CertificateRequestConditionType = "Denied"
)
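The `Approved` and `Denied` rules documented above (never `False`, never modified once set, never set together) can be checked on a status update as follows. This is an added example, not cert-manager's own code: `Condition`, `find` and `ValidateApproval` are hypothetical local names, and `Condition` mirrors only three of the fields shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Condition is a local, reduced mirror of CertificateRequestCondition
// (assumption: only Type, Status and Reason are compared here).
type Condition struct{ Type, Status, Reason string }

// find returns the condition of the given type, or nil if it is absent.
func find(cs []Condition, t string) *Condition {
	for i := range cs {
		if cs[i].Type == t {
			return &cs[i]
		}
	}
	return nil
}

// ValidateApproval checks an update from oldConds to newConds against the
// documented Approved/Denied invariants and returns the first violation.
func ValidateApproval(oldConds, newConds []Condition) error {
	if find(newConds, "Approved") != nil && find(newConds, "Denied") != nil {
		return errors.New("both Approved and Denied are set")
	}
	for _, t := range []string{"Approved", "Denied"} {
		was, now := find(oldConds, t), find(newConds, t)
		if now != nil && now.Status == "False" {
			return fmt.Errorf("%s condition must never have status False", t)
		}
		// Once set, the condition may be neither removed nor changed.
		if was != nil && (now == nil || *now != *was) {
			return fmt.Errorf("%s condition cannot be modified once set", t)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a denied request that an update tries to approve.
	old := []Condition{{Type: "Denied", Status: "True", Reason: "policy"}}
	upd := []Condition{{Type: "Approved", Status: "True", Reason: "manual"}}
	fmt.Println(ValidateApproval(old, upd))
}
```

A signer that only acts on requests passing this check cannot be steered into signing a request that was denied earlier and then re-labelled as approved.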
type CertificateRequestList ¶
type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items []CertificateRequest `json:"items"`
}
CertificateRequestList is a list of Certificates
func (*CertificateRequestList) DeepCopy ¶
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.
func (*CertificateRequestList) DeepCopyInto ¶
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CertificateRequestList) DeepCopyObject ¶
func (in *CertificateRequestList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CertificateRequestSpec ¶
type CertificateRequestSpec struct {
	// The requested 'duration' (i.e. lifetime) of the Certificate.
	// This option may be ignored/overridden by some issuer types.
	Duration *metav1.Duration `json:"duration,omitempty"`
	// IssuerRef is a reference to the issuer for this CertificateRequest. If
	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
	// the given name in the same namespace as the CertificateRequest will be
	// used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
	// the provided name will be used. The `name` field in this stanza is
	// required at all times. The group field refers to the API group of the
	// issuer which defaults to `cert-manager.io` if empty.
	IssuerRef ObjectReference `json:"issuerRef"`
	// The PEM-encoded x509 certificate signing request to be submitted to the
	// CA for signing.
	Request []byte `json:"request"`
	// IsCA will request to mark the certificate as valid for certificate signing
	// when submitting to the issuer.
	// This will automatically add the `cert sign` usage to the list of `usages`.
	IsCA bool `json:"isCA,omitempty"`
	// Usages is the set of x509 usages that are requested for the certificate.
	// If usages are set they SHOULD be encoded inside the CSR spec
	// Defaults to `digital signature` and `key encipherment` if not specified.
	Usages []KeyUsage `json:"usages,omitempty"`
	// Username contains the name of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Username string `json:"username,omitempty"`
	// UID contains the uid of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	UID string `json:"uid,omitempty"`
	// Groups contains group membership of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Groups []string `json:"groups,omitempty"`
	// Extra contains extra attributes of the user that created the CertificateRequest.
	// Populated by the cert-manager webhook on creation and immutable.
	Extra map[string][]string `json:"extra,omitempty"`
}
CertificateRequestSpec defines the desired state of CertificateRequest
func (*CertificateRequestSpec) DeepCopy ¶
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.
func (*CertificateRequestSpec) DeepCopyInto ¶
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CertificateRequestStatus ¶
type CertificateRequestStatus struct {
	// List of status conditions to indicate the status of a CertificateRequest.
	// Known condition types are `Ready` and `InvalidRequest`.
	Conditions []CertificateRequestCondition `json:"conditions,omitempty"`
	// The PEM encoded x509 certificate resulting from the certificate
	// signing request.
	// If not set, the CertificateRequest has either not been completed or has
	// failed. More information on failure can be found by checking the
	// `conditions` field.
	Certificate []byte `json:"certificate,omitempty"`
	// The PEM encoded x509 certificate of the signer, also known as the CA
	// (Certificate Authority).
	// This is set on a best-effort basis by different issuers.
	// If not set, the CA is assumed to be unknown/not available.
	CA []byte `json:"ca,omitempty"`
	// FailureTime stores the time that this CertificateRequest failed. This is
	// used to influence garbage collection and back-off.
	FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.
func (*CertificateRequestStatus) DeepCopy ¶
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.
func (*CertificateRequestStatus) DeepCopyInto ¶
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionStatus ¶
type ConditionStatus string
ConditionStatus represents a condition's status.
const (
	// ConditionTrue represents the fact that a given condition is true
	ConditionTrue ConditionStatus = "True"
	// ConditionFalse represents the fact that a given condition is false
	ConditionFalse ConditionStatus = "False"
	// ConditionUnknown represents the fact that a given condition is unknown
	ConditionUnknown ConditionStatus = "Unknown"
)
These are valid condition statuses. "ConditionTrue" means a resource is in the condition; "ConditionFalse" means a resource is not in the condition; "ConditionUnknown" means Kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.
type KeyUsage ¶
type KeyUsage string
KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 and https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)
type ObjectReference ¶
type ObjectReference struct {
	// Name of the resource being referred to.
	Name string `json:"name"`
	// Kind of the resource being referred to.
	Kind string `json:"kind,omitempty"`
	// Group of the resource being referred to.
	Group string `json:"group,omitempty"`
}
ObjectReference is a reference to an object with a given name, kind and group.