description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- csr
- issuerRef
properties:
csr:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
description: Status of the CertificateRequest. This is set and managed
automatically.
type: object
properties:
ca:
description: The PEM encoded x509 certificate of the signer, also
known as the CA (Certificate Authority). This is set on a best-effort
basis by different issuers. If not set, the CA is assumed to be
unknown/not available.
type: string
format: byte
certificate:
description: The PEM encoded x509 certificate resulting from the certificate
signing request. If not set, the CertificateRequest has either not
been completed or has failed. More information on failure can be
found by checking the `conditions` field.
type: string
format: byte
conditions:
description: List of status conditions to indicate the status of a
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
type: array
items:
description: CertificateRequestCondition contains condition information
for a CertificateRequest.
type: object
required:
- status
- type
properties:
lastTransitionTime:
description: LastTransitionTime is the timestamp corresponding
to the last status change of this condition.
type: string
format: date-time
message:
description: Message is a human readable description of the
details of the last transition, complementing reason.
type: string
reason:
description: Reason is a brief machine readable explanation
for the condition's last transition.
type: string
status:
description: Status of the condition, one of ('True', 'False',
'Unknown').
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: Type of the condition, known values are ('Ready',
'InvalidRequest').
type: string
failureTime:
description: FailureTime stores the time that this CertificateRequest
failed. This is used to influence garbage collection and back-off.
type: string
format: date-time
- name: v1beta1
served: true
storage: false
"schema":
"openAPIV3Schema":
description: "A CertificateRequest is used to request a signed certificate
from one of the configured issuers. \n All fields within the CertificateRequest's
`spec` are immutable after creation. A CertificateRequest will either succeed
or fail, as denoted by its `status.state` field. \n A CertificateRequest
is a 'one-shot' resource, meaning it represents a single point in time request
for a certificate and cannot be re-used."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the CertificateRequest resource.
type: object
required:
- issuerRef
- request
properties:
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types.
type: string
isCA:
description: IsCA will request to mark the certificate as valid for
certificate signing when submitting to the issuer. This will automatically
add the `cert sign` usage to the list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the CertificateRequest
will be used. If the 'kind' field is set to 'ClusterIssuer', a
ClusterIssuer with the provided name will be used. The 'name' field
in this stanza is required at all times. The group field refers
to the API group of the issuer which defaults to 'cert-manager.io'
if empty.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
request:
description: The PEM-encoded x509 certificate signing request to be
submitted to the CA for signing.
type: string
format: byte
usages:
description: Usages is the set of x509 usages that are requested for
the certificate. Defaults to `digital signature` and `key encipherment`
if not specified.
type: array
items:
description: 'KeyUsage specifies valid usage contexts for keys.
description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC.
name: Age
type: date
group: cert-manager.io
preserveUnknownFields: false
conversion:
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: '{{ cert_manager_namespace }}'
name: 'cert-manager-webhook'
path: /convert
names:
kind: Certificate
listKind: CertificateList
plural: certificates
shortNames:
- cert
- certs
singular: certificate
scope: Namespaced
subresources:
status: {}
versions:
- name: v1alpha2
served: true
storage: true
"schema":
"openAPIV3Schema":
description: "A Certificate resource should be created to ensure an up to
date and signed x509 certificate is stored in the Kubernetes Secret resource
named in `spec.secretName`. \n The stored certificate will be renewed before
it expires (as configured by `spec.renewBefore`)."
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Desired state of the Certificate resource.
type: object
required:
- issuerRef
- secretName
properties:
commonName:
description: 'CommonName is a common name to be used on the Certificate.
The CommonName should have a length of 64 characters or fewer to
avoid generating invalid CSRs. This value is ignored by TLS clients
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
type: string
dnsNames:
description: DNSNames is a list of DNS subjectAltNames to be set on
the Certificate.
type: array
items:
type: string
duration:
description: The requested 'duration' (i.e. lifetime) of the Certificate.
This option may be ignored/overridden by some issuer types. If overridden
and `renewBefore` is greater than the actual certificate duration,
the certificate will be automatically renewed 2/3rds of the way
through the certificate's duration.
type: string
emailSANs:
description: EmailSANs is a list of email subjectAltNames to be set
on the Certificate.
type: array
items:
type: string
ipAddresses:
description: IPAddresses is a list of IP address subjectAltNames to
be set on the Certificate.
type: array
items:
type: string
isCA:
description: IsCA will mark this Certificate as valid for certificate
signing. This will automatically add the `cert sign` usage to the
list of `usages`.
type: boolean
issuerRef:
description: IssuerRef is a reference to the issuer for this certificate.
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
with the given name in the same namespace as the Certificate will
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
with the provided name will be used. The 'name' field in this stanza
is required at all times.
type: object
required:
- name
properties:
group:
description: Group of the resource being referred to.
type: string
kind:
description: Kind of the resource being referred to.
type: string
name:
description: Name of the resource being referred to.
type: string
keyAlgorithm:
description: KeyAlgorithm is the private key algorithm of the corresponding
private key for this certificate. If provided, allowed values are
either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
is not provided, key size of 256 will be used for "ecdsa" key algorithm
and key size of 2048 will be used for "rsa" key algorithm.
type: string
enum:
- rsa
- ecdsa
keyEncoding:
description: KeyEncoding is the private key cryptography standards
(PKCS) for this certificate's private key to be encoded in. If provided,
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
respectively. If KeyEncoding is not specified, then PKCS#1 will
be used by default.
type: string
enum:
- pkcs1
- pkcs8
keySize:
description: KeySize is the key bit size of the corresponding private
key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
values are `2048`, `4096` or `8192`, and will default to `2048`
if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
are `256`, `384` or `521`, and will default to `256` if not specified.
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
