980 lines
44 KiB
Django/Jinja
980 lines
44 KiB
Django/Jinja
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: certificaterequests.cert-manager.io
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- JSONPath: .spec.issuerRef.name
|
|
name: Issuer
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
name: Age
|
|
type: date
|
|
group: cert-manager.io
|
|
preserveUnknownFields: false
|
|
conversion:
|
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
|
strategy: Webhook
|
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
|
webhookClientConfig:
|
|
service:
|
|
namespace: '{{ cert_manager_namespace }}'
|
|
name: 'cert-manager-webhook'
|
|
path: /convert
|
|
names:
|
|
kind: CertificateRequest
|
|
listKind: CertificateRequestList
|
|
plural: certificaterequests
|
|
shortNames:
|
|
- cr
|
|
- crs
|
|
singular: certificaterequest
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
versions:
|
|
- name: v1alpha2
|
|
served: true
|
|
storage: true
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: false
|
|
"validation":
|
|
"openAPIV3Schema":
|
|
description: CertificateRequest is a type to represent a Certificate Signing
|
|
Request
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: CertificateRequestSpec defines the desired state of CertificateRequest
|
|
type: object
|
|
required:
|
|
- csr
|
|
- issuerRef
|
|
properties:
|
|
csr:
|
|
description: Byte slice containing the PEM encoded CertificateSigningRequest
|
|
type: string
|
|
format: byte
|
|
duration:
|
|
description: Requested certificate default Duration
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark the resulting certificate as valid for signing.
|
|
This implies that the 'cert sign' usage is set
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
|
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the CertificateRequest
|
|
will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times. The group field refers to the API group
|
|
of the issuer which defaults to 'cert-manager.io' if empty.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 actions that are enabled for
|
|
a given key. Defaults are ('digital signature', 'key encipherment')
|
|
if empty
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys. See:
|
|
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: CertificateStatus defines the observed state of CertificateRequest
|
|
and resulting signed certificate.
|
|
type: object
|
|
properties:
|
|
ca:
|
|
description: Byte slice containing the PEM encoded certificate authority
|
|
of the signed certificate.
|
|
type: string
|
|
format: byte
|
|
certificate:
|
|
description: Byte slice containing a PEM encoded signed certificate
|
|
resulting from the given certificate signing request.
|
|
type: string
|
|
format: byte
|
|
conditions:
|
|
type: array
|
|
items:
|
|
description: CertificateRequestCondition contains condition information
|
|
for a CertificateRequest.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the details
|
|
of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation for
|
|
the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, currently ('Ready', 'InvalidRequest').
|
|
type: string
|
|
failureTime:
|
|
description: FailureTime stores the time that this CertificateRequest
|
|
failed. This is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: certificates.cert-manager.io
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- JSONPath: .spec.secretName
|
|
name: Secret
|
|
type: string
|
|
- JSONPath: .spec.issuerRef.name
|
|
name: Issuer
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
name: Age
|
|
type: date
|
|
group: cert-manager.io
|
|
preserveUnknownFields: false
|
|
conversion:
|
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
|
strategy: Webhook
|
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
|
webhookClientConfig:
|
|
service:
|
|
namespace: '{{ cert_manager_namespace }}'
|
|
name: 'cert-manager-webhook'
|
|
path: /convert
|
|
names:
|
|
kind: Certificate
|
|
listKind: CertificateList
|
|
plural: certificates
|
|
shortNames:
|
|
- cert
|
|
- certs
|
|
singular: certificate
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
versions:
|
|
- name: v1alpha2
|
|
served: true
|
|
storage: true
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: Certificate is a type to represent a Certificate from ACME
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: CertificateSpec defines the desired state of Certificate.
|
|
A valid Certificate requires at least one of a CommonName, DNSName,
|
|
or URISAN to be valid.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- secretName
|
|
properties:
|
|
commonName:
|
|
description: 'CommonName is a common name to be used on the Certificate.
|
|
The CommonName should have a length of 64 characters or fewer to
|
|
avoid generating invalid CSRs. This value is ignored by TLS clients
|
|
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of subject alt names to be used on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
duration:
|
|
description: Certificate default Duration
|
|
type: string
|
|
emailSANs:
|
|
description: EmailSANs is a list of Email Subject Alternative Names
|
|
to be set on this Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
ipAddresses:
|
|
description: IPAddresses is a list of IP addresses to be used on the
|
|
Certificate
|
|
type: array
|
|
items:
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark this Certificate as valid for signing.
|
|
This implies that the 'cert sign' usage is set
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this certificate.
|
|
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the Certificate will
|
|
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
keyAlgorithm:
|
|
description: KeyAlgorithm is the private key algorithm of the corresponding
|
|
private key for this certificate. If provided, allowed values are
|
|
either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
|
|
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
|
and key size of 2048 will be used for "rsa" key algorithm.
|
|
type: string
|
|
enum:
|
|
- rsa
|
|
- ecdsa
|
|
keyEncoding:
|
|
description: KeyEncoding is the private key cryptography standards
|
|
(PKCS) for this certificate's private key to be encoded in. If provided,
|
|
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
|
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
|
be used by default.
|
|
type: string
|
|
enum:
|
|
- pkcs1
|
|
- pkcs8
|
|
keySize:
|
|
description: KeySize is the key bit size of the corresponding private
|
|
key for this certificate. If provided, value must be between 2048
|
|
and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
|
|
and value must be one of (256, 384, 521) when KeyAlgorithm is set
|
|
to "ecdsa".
|
|
type: integer
|
|
maximum: 8192
|
|
minimum: 0
|
|
keystores:
|
|
description: Keystores configures additional keystore output formats
|
|
stored in the `secretName` Secret resource.
|
|
type: object
|
|
properties:
|
|
jks:
|
|
description: JKS configures options for storing a JKS keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables JKS keystore creation for the
|
|
Certificate. If true, a file named `keystore.jks` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the JKS keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
pkcs12:
|
|
description: PKCS12 configures options for storing a PKCS12 keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables PKCS12 keystore creation for the
|
|
Certificate. If true, a file named `keystore.p12` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the PKCS12 keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
organization:
|
|
description: Organization is the organization to be used on the Certificate
|
|
type: array
|
|
items:
|
|
type: string
|
|
privateKey:
|
|
description: Options to control private keys used for the Certificate.
|
|
type: object
|
|
properties:
|
|
rotationPolicy:
|
|
description: RotationPolicy controls how private keys should be
|
|
regenerated when a re-issuance is being processed. If set to
|
|
Never, a private key will only be generated if one does not
|
|
already exist in the target `spec.secretName`. If one does exists
|
|
but it does not have the correct algorithm or size, a warning
|
|
will be raised to await user intervention. If set to Always,
|
|
a private key matching the specified requirements will be generated
|
|
whenever a re-issuance occurs. Default is 'Never' for backward
|
|
compatibility.
|
|
type: string
|
|
renewBefore:
|
|
description: Certificate renew before expiration duration
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of the secret resource to store
|
|
this secret in
|
|
type: string
|
|
subject:
|
|
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
type: object
|
|
properties:
|
|
countries:
|
|
description: Countries to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
localities:
|
|
description: Cities to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizationalUnits:
|
|
description: Organizational Units to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
postalCodes:
|
|
description: Postal codes to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
provinces:
|
|
description: State/Provinces to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
serialNumber:
|
|
description: Serial number to be used on the Certificate.
|
|
type: string
|
|
streetAddresses:
|
|
description: Street addresses to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
uriSANs:
|
|
description: URISANs is a list of URI Subject Alternative Names to
|
|
be set on this Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 actions that are enabled for
|
|
a given key. Defaults are ('digital signature', 'key encipherment')
|
|
if empty
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: CertificateStatus defines the observed state of Certificate
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
type: array
|
|
items:
|
|
description: CertificateCondition contains condition information
|
|
for an Certificate.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, currently ('Ready').
|
|
type: string
|
|
lastFailureTime:
|
|
type: string
|
|
format: date-time
|
|
nextPrivateKeySecretName:
|
|
description: The name of the Secret resource containing the private
|
|
key to be used for the next certificate iteration. The keymanager
|
|
controller will automatically set this field if the `Issuing` condition
|
|
is set to `True`. It will automatically unset this field when the
|
|
Issuing condition is not set or False.
|
|
type: string
|
|
notAfter:
|
|
description: The expiration time of the certificate stored in the
|
|
secret named by this resource in spec.secretName.
|
|
type: string
|
|
format: date-time
|
|
revision:
|
|
description: "The current 'revision' of the certificate as issued.
|
|
\n When a CertificateRequest resource is created, it will have the
|
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|
current value of this field. \n Upon issuance, this field will be
|
|
set to the value of the annotation on the CertificateRequest resource
|
|
used to issue the certificate. \n Persisting the value on the CertificateRequest
|
|
resource allows the certificates controller to know whether a request
|
|
is part of an old issuance or if it is part of the ongoing revision's
|
|
issuance by checking if the revision value in the annotation is
|
|
greater than this field."
|
|
type: integer
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: Certificate is a type to represent a Certificate from ACME
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: CertificateSpec defines the desired state of Certificate.
|
|
A valid Certificate requires at least one of a CommonName, DNSName,
|
|
or URISAN to be valid.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- secretName
|
|
properties:
|
|
commonName:
|
|
description: 'CommonName is a common name to be used on the Certificate.
|
|
The CommonName should have a length of 64 characters or fewer to
|
|
avoid generating invalid CSRs. This value is ignored by TLS clients
|
|
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of subject alt names to be used on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
duration:
|
|
description: Certificate default Duration
|
|
type: string
|
|
emailSANs:
|
|
description: EmailSANs is a list of Email Subject Alternative Names
|
|
to be set on this Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
ipAddresses:
|
|
description: IPAddresses is a list of IP addresses to be used on the
|
|
Certificate
|
|
type: array
|
|
items:
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark this Certificate as valid for signing.
|
|
This implies that the 'cert sign' usage is set
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this certificate.
|
|
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the Certificate will
|
|
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
name:
|
|
type: string
|
|
keyAlgorithm:
|
|
description: KeyAlgorithm is the private key algorithm of the corresponding
|
|
private key for this certificate. If provided, allowed values are
|
|
either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
|
|
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
|
and key size of 2048 will be used for "rsa" key algorithm.
|
|
type: string
|
|
enum:
|
|
- rsa
|
|
- ecdsa
|
|
keyEncoding:
|
|
description: KeyEncoding is the private key cryptography standards
|
|
(PKCS) for this certificate's private key to be encoded in. If provided,
|
|
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
|
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
|
be used by default.
|
|
type: string
|
|
enum:
|
|
- pkcs1
|
|
- pkcs8
|
|
keySize:
|
|
description: KeySize is the key bit size of the corresponding private
|
|
key for this certificate. If provided, value must be between 2048
|
|
and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
|
|
and value must be one of (256, 384, 521) when KeyAlgorithm is set
|
|
to "ecdsa".
|
|
type: integer
|
|
maximum: 8192
|
|
minimum: 0
|
|
keystores:
|
|
description: Keystores configures additional keystore output formats
|
|
stored in the `secretName` Secret resource.
|
|
type: object
|
|
properties:
|
|
jks:
|
|
description: JKS configures options for storing a JKS keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables JKS keystore creation for the
|
|
Certificate. If true, a file named `keystore.jks` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the JKS keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
pkcs12:
|
|
description: PKCS12 configures options for storing a PKCS12 keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables PKCS12 keystore creation for the
|
|
Certificate. If true, a file named `keystore.p12` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the PKCS12 keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
privateKey:
|
|
description: Options to control private keys used for the Certificate.
|
|
type: object
|
|
properties:
|
|
rotationPolicy:
|
|
description: RotationPolicy controls how private keys should be
|
|
regenerated when a re-issuance is being processed. If set to
|
|
Never, a private key will only be generated if one does not
|
|
already exist in the target `spec.secretName`. If one does exists
|
|
but it does not have the correct algorithm or size, a warning
|
|
will be raised to await user intervention. If set to Always,
|
|
a private key matching the specified requirements will be generated
|
|
whenever a re-issuance occurs. Default is 'Never' for backward
|
|
compatibility.
|
|
type: string
|
|
renewBefore:
|
|
description: Certificate renew before expiration duration
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of the secret resource to store
|
|
this secret in
|
|
type: string
|
|
subject:
|
|
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
type: object
|
|
properties:
|
|
countries:
|
|
description: Countries to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
localities:
|
|
description: Cities to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizationalUnits:
|
|
description: Organizational Units to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizations:
|
|
description: Organizations to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
postalCodes:
|
|
description: Postal codes to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
provinces:
|
|
description: State/Provinces to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
serialNumber:
|
|
description: Serial number to be used on the Certificate.
|
|
type: string
|
|
streetAddresses:
|
|
description: Street addresses to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
uriSANs:
|
|
description: URISANs is a list of URI Subject Alternative Names to
|
|
be set on this Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 actions that are enabled for
|
|
a given key. Defaults are ('digital signature', 'key encipherment')
|
|
if empty
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: CertificateStatus defines the observed state of Certificate
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
type: array
|
|
items:
|
|
description: CertificateCondition contains condition information
|
|
for an Certificate.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, currently ('Ready').
|
|
type: string
|
|
lastFailureTime:
|
|
type: string
|
|
format: date-time
|
|
nextPrivateKeySecretName:
|
|
description: The name of the Secret resource containing the private
|
|
key to be used for the next certificate iteration. The keymanager
|
|
controller will automatically set this field if the `Issuing` condition
|
|
is set to `True`. It will automatically unset this field when the
|
|
Issuing condition is not set or False.
|
|
type: string
|
|
notAfter:
|
|
description: The expiration time of the certificate stored in the
|
|
secret named by this resource in spec.secretName.
|
|
type: string
|
|
format: date-time
|
|
revision:
|
|
description: "The current 'revision' of the certificate as issued.
|
|
\n When a CertificateRequest resource is created, it will have the
|
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|
current value of this field. \n Upon issuance, this field will be
|
|
set to the value of the annotation on the CertificateRequest resource
|
|
used to issue the certificate. \n Persisting the value on the CertificateRequest
|
|
resource allows the certificates controller to know whether a request
|
|
is part of an old issuance or if it is part of the ongoing revision's
|
|
issuance by checking if the revision value in the annotation is
|
|
greater than this field."
|
|
type: integer
|