cert-manager: github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2 Index | Files

package v1alpha2

import "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"

Package v1alpha2 is the v1alpha2 version of the API. +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/jetstack/cert-manager/pkg/apis/certmanager +k8s:openapi-gen=true +k8s:defaulter-gen=TypeMeta +groupName=cert-manager.io +groupGoName=Certmanager

Index

Package Files

const.go doc.go generic_issuer.go register.go types.go types_certificate.go types_certificaterequest.go types_issuer.go zz_generated.deepcopy.go

Constants

const (
    // minimum permitted certificate duration by cert-manager
    MinimumCertificateDuration = time.Hour

    // default certificate duration if Issuer.spec.duration is not set
    DefaultCertificateDuration = time.Hour * 24 * 90

    // minimum certificate duration before certificate expiration
    MinimumRenewBefore = time.Minute * 5

    // Default duration before certificate expiration if  Issuer.spec.renewBefore is not set
    DefaultRenewBefore = time.Hour * 24 * 30
)
const (
    // Default index key for the Secret reference for Token authentication
    DefaultVaultTokenAuthSecretKey = "token"

    // Default mount path location for Kubernetes ServiceAccount authentication
    // (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
    // left as the default, `/v1/auth/kubernetes/login` will be called.
    DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes"
)
const (
    // Annotation key for DNS subjectAltNames.
    AltNamesAnnotationKey = "cert-manager.io/alt-names"

    // Annotation key for IP subjectAltNames.
    IPSANAnnotationKey = "cert-manager.io/ip-sans"

    // Annotation key for URI subjectAltNames.
    URISANAnnotationKey = "cert-manager.io/uri-sans"

    // Annotation key for certificate common name.
    CommonNameAnnotationKey = "cert-manager.io/common-name"

    // Annotation key the 'name' of the Issuer resource.
    IssuerNameAnnotationKey = "cert-manager.io/issuer-name"

    // Annotation key for the 'kind' of the Issuer resource.
    IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"

    // Annotation key for the 'group' of the Issuer resource.
    IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"

    // Annotation key for the name of the certificate that a resource is related to.
    CertificateNameKey = "cert-manager.io/certificate-name"

    // Annotation key used to denote whether a Secret is named on a Certificate
    // as a 'next private key' Secret resource.
    IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"
)

Common annotation keys added to resources.

const (
    DeprecatedIssuerNameAnnotationKey = "certmanager.k8s.io/issuer-name"
    DeprecatedIssuerKindAnnotationKey = "certmanager.k8s.io/issuer-kind"
)

Deprecated annotation names for Secrets These will be removed in a future release.

const (
    // issuerNameAnnotation can be used to override the issuer specified on the
    // created Certificate resource.
    IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
    // clusterIssuerNameAnnotation can be used to override the issuer specified on the
    // created Certificate resource. The Certificate will reference the
    // specified *ClusterIssuer* instead of normal issuer.
    IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
    // acmeIssuerHTTP01IngressClassAnnotation can be used to override the http01 ingressClass
    // if the challenge type is set to http01
    IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"

    // IngressClassAnnotationKey picks a specific "class" for the Ingress. The
    // controller only processes Ingresses with this annotation either unset, or
    // set to either the configured value or the empty string.
    IngressClassAnnotationKey = "kubernetes.io/ingress.class"
)
const (
    // Annotation added to CertificateRequest resources to denote the name of
    // a Secret resource containing the private key used to sign the CSR stored
    // on the resource.
    // This annotation *may* not be present, and is used by the 'self signing'
    // issuer type to self-sign certificates.
    CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"

    // Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
    CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)

Annotation names for CertificateRequests

const (
    ClusterIssuerKind      = "ClusterIssuer"
    IssuerKind             = "Issuer"
    CertificateKind        = "Certificate"
    CertificateRequestKind = "CertificateRequest"
)

Common/known resource kinds.

const (
    // WantInjectAnnotation is the annotation that specifies that a particular
    // object wants injection of CAs.  It takes the form of a reference to a certificate
    // as namespace/name.
    WantInjectAnnotation = "cert-manager.io/inject-ca-from"

    // WantInjectAPIServerCAAnnotation, if set to "true", will make the cainjector
    // inject the CA certificate for the Kubernetes apiserver into the resource.
    // It discovers the apiserver's CA by inspecting the service account credentials
    // mounted into the cainjector pod.
    WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"

    // WantInjectFromSecretAnnotation is the annotation that specifies that a particular
    // object wants injection of CAs. It takes the form of a reference to a Secret
    // as namespace/name.
    WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"

    // AllowsInjectionFromSecretAnnotation is an annotation that must be added
    // to Secret resource that want to denote that they can be directly
    // injected into injectables that have a `inject-ca-from-secret` annotation.
    // If an injectable references a Secret that does NOT have this annotation,
    // the cainjector will refuse to inject the secret.
    AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
const (
    // Pending indicates that a CertificateRequest is still in progress.
    CertificateRequestReasonPending = "Pending"

    // Failed indicates that a CertificateRequest has failed, either due to
    // timing out or some other critical failure.
    CertificateRequestReasonFailed = "Failed"

    // Issued indicates that a CertificateRequest has been completed, and that
    // the `status.certificate` field is set.
    CertificateRequestReasonIssued = "Issued"
)
const (
    // IssueTemporaryCertificateAnnotation is an annotation that can be added to
    // Certificate resources.
    // If it is present, a temporary internally signed certificate will be
    // stored in the target Secret resource whilst the real Issuer is processing
    // the certificate request.
    IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
)
const (
    // VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
    // This will only work with Venafi TPP v19.3 and higher
    // The value is an array with objects containing the name and value keys
    // for example: `[{"name": "custom-field", "value": "custom-value"}]`
    VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"
)

Issuer specific Annotations

Variables

var (
    SchemeBuilder runtime.SchemeBuilder

    AddToScheme = localSchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: "v1alpha2"}

SchemeGroupVersion is group version used to register these objects

func Resource Uses

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

type CAIssuer Uses

type CAIssuer struct {
    // SecretName is the name of the secret used to sign Certificates issued
    // by this Issuer.
    SecretName string `json:"secretName"`

    // The CRL distribution points is an X.509 v3 certificate extension which identifies
    // the location of the CRL from which the revocation of this certificate can be checked.
    // If not set, certificates will be issued without distribution points set.
    // +optional
    CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
}

func (*CAIssuer) DeepCopy Uses

func (in *CAIssuer) DeepCopy() *CAIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.

func (*CAIssuer) DeepCopyInto Uses

func (in *CAIssuer) DeepCopyInto(out *CAIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Certificate Uses

type Certificate struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    // Desired state of the Certificate resource.
    Spec CertificateSpec `json:"spec,omitempty"`

    // Status of the Certificate. This is set and managed automatically.
    Status CertificateStatus `json:"status,omitempty"`
}

A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.

The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). +k8s:openapi-gen=true

func (*Certificate) DeepCopy Uses

func (in *Certificate) DeepCopy() *Certificate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.

func (*Certificate) DeepCopyInto Uses

func (in *Certificate) DeepCopyInto(out *Certificate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Certificate) DeepCopyObject Uses

func (in *Certificate) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateCondition Uses

type CertificateCondition struct {
    // Type of the condition, known values are ('Ready', `Issuing`).
    Type CertificateConditionType `json:"type"`

    // Status of the condition, one of ('True', 'False', 'Unknown').
    Status cmmeta.ConditionStatus `json:"status"`

    // LastTransitionTime is the timestamp corresponding to the last status
    // change of this condition.
    // +optional
    LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

    // Reason is a brief machine readable explanation for the condition's last
    // transition.
    // +optional
    Reason string `json:"reason,omitempty"`

    // Message is a human readable description of the details of the last
    // transition, complementing reason.
    // +optional
    Message string `json:"message,omitempty"`
}

CertificateCondition contains condition information for an Certificate.

func (*CertificateCondition) DeepCopy Uses

func (in *CertificateCondition) DeepCopy() *CertificateCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.

func (*CertificateCondition) DeepCopyInto Uses

func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateConditionType Uses

type CertificateConditionType string

CertificateConditionType represents an Certificate condition value.

const (
    // CertificateConditionReady indicates that a certificate is ready for use.
    // This is defined as:
    // - The target secret exists
    // - The target secret contains a certificate that has not expired
    // - The target secret contains a private key valid for the certificate
    // - The commonName and dnsNames attributes match those specified on the Certificate
    CertificateConditionReady CertificateConditionType = "Ready"

    // A condition added to Certificate resources when an issuance is required.
    // This condition will be automatically added and set to true if:
    //   * No keypair data exists in the target Secret
    //   * The data stored in the Secret cannot be decoded
    //   * The private key and certificate do not have matching public keys
    //   * If a CertificateRequest for the current revision exists and the
    //     certificate data stored in the Secret does not match the
    //    `status.certificate` on the CertificateRequest.
    //   * If no CertificateRequest resource exists for the current revision,
    //     the options on the Certificate resource are compared against the
    //     x509 data in the Secret, similar to what's done in earlier versions.
    //     If there is a mismatch, an issuance is triggered.
    // This condition may also be added by external API consumers to trigger
    // a re-issuance manually for any other reason.
    //
    // It will be removed by the 'issuing' controller upon completing issuance.
    CertificateConditionIssuing CertificateConditionType = "Issuing"
)

type CertificateKeystores Uses

type CertificateKeystores struct {
    // JKS configures options for storing a JKS keystore in the
    // `spec.secretName` Secret resource.
    JKS *JKSKeystore `json:"jks,omitempty"`

    // PKCS12 configures options for storing a PKCS12 keystore in the
    // `spec.secretName` Secret resource.
    PKCS12 *PKCS12Keystore `json:"pkcs12,omitempty"`
}

CertificateKeystores configures additional keystore output formats to be created in the Certificate's output Secret.

func (*CertificateKeystores) DeepCopy Uses

func (in *CertificateKeystores) DeepCopy() *CertificateKeystores

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.

func (*CertificateKeystores) DeepCopyInto Uses

func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateList Uses

type CertificateList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    Items []Certificate `json:"items"`
}

CertificateList is a list of Certificates

func (*CertificateList) DeepCopy Uses

func (in *CertificateList) DeepCopy() *CertificateList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.

func (*CertificateList) DeepCopyInto Uses

func (in *CertificateList) DeepCopyInto(out *CertificateList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateList) DeepCopyObject Uses

func (in *CertificateList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificatePrivateKey Uses

type CertificatePrivateKey struct {
    // RotationPolicy controls how private keys should be regenerated when a
    // re-issuance is being processed.
    // If set to Never, a private key will only be generated if one does not
    // already exist in the target `spec.secretName`. If one does exists but it
    // does not have the correct algorithm or size, a warning will be raised
    // to await user intervention.
    // If set to Always, a private key matching the specified requirements
    // will be generated whenever a re-issuance occurs.
    // Default is 'Never' for backward compatibility.
    // +optional
    RotationPolicy PrivateKeyRotationPolicy `json:"rotationPolicy,omitempty"`
}

CertificatePrivateKey contains configuration options for private keys used by the Certificate controller. This allows control of how private keys are rotated.

func (*CertificatePrivateKey) DeepCopy Uses

func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.

func (*CertificatePrivateKey) DeepCopyInto Uses

func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequest Uses

type CertificateRequest struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    // Desired state of the CertificateRequest resource.
    Spec CertificateRequestSpec `json:"spec,omitempty"`

    // Status of the CertificateRequest. This is set and managed automatically.
    Status CertificateRequestStatus `json:"status,omitempty"`
}

A CertificateRequest is used to request a signed certificate from one of the configured issuers.

All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `status.state` field.

A CertificateRequest is a 'one-shot' resource, meaning it represents a single point in time request for a certificate and cannot be re-used. +k8s:openapi-gen=true

func (*CertificateRequest) DeepCopy Uses

func (in *CertificateRequest) DeepCopy() *CertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequest.

func (*CertificateRequest) DeepCopyInto Uses

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequest) DeepCopyObject Uses

func (in *CertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestCondition Uses

type CertificateRequestCondition struct {
    // Type of the condition, known values are ('Ready', 'InvalidRequest').
    Type CertificateRequestConditionType `json:"type"`

    // Status of the condition, one of ('True', 'False', 'Unknown').
    Status cmmeta.ConditionStatus `json:"status"`

    // LastTransitionTime is the timestamp corresponding to the last status
    // change of this condition.
    // +optional
    LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

    // Reason is a brief machine readable explanation for the condition's last
    // transition.
    // +optional
    Reason string `json:"reason,omitempty"`

    // Message is a human readable description of the details of the last
    // transition, complementing reason.
    // +optional
    Message string `json:"message,omitempty"`
}

CertificateRequestCondition contains condition information for a CertificateRequest.

func (*CertificateRequestCondition) DeepCopy Uses

func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestCondition.

func (*CertificateRequestCondition) DeepCopyInto Uses

func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestConditionType Uses

type CertificateRequestConditionType string

CertificateRequestConditionType represents an Certificate condition value.

const (
    // CertificateRequestConditionReady indicates that a certificate is ready for use.
    // This is defined as:
    // - The target certificate exists in CertificateRequest.Status
    CertificateRequestConditionReady CertificateRequestConditionType = "Ready"

    // CertificateRequestConditionInvalidRequest indicates that a certificate
    // signer has refused to sign the request due to at least one of the input
    // parameters being invalid. Additional information about why the request
    // was rejected can be found in the `reason` and `message` fields.
    CertificateRequestConditionInvalidRequest CertificateRequestConditionType = "InvalidRequest"
)

type CertificateRequestList Uses

type CertificateRequestList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    Items []CertificateRequest `json:"items"`
}

CertificateRequestList is a list of Certificates

func (*CertificateRequestList) DeepCopy Uses

func (in *CertificateRequestList) DeepCopy() *CertificateRequestList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestList.

func (*CertificateRequestList) DeepCopyInto Uses

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateRequestList) DeepCopyObject Uses

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CertificateRequestSpec Uses

type CertificateRequestSpec struct {
    // The requested 'duration' (i.e. lifetime) of the Certificate.
    // This option may be ignored/overridden by some issuer types.
    // +optional
    Duration *metav1.Duration `json:"duration,omitempty"`

    // IssuerRef is a reference to the issuer for this CertificateRequest.  If
    // the 'kind' field is not set, or set to 'Issuer', an Issuer resource with
    // the given name in the same namespace as the CertificateRequest will be
    // used.  If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with
    // the provided name will be used. The 'name' field in this stanza is
    // required at all times. The group field refers to the API group of the
    // issuer which defaults to 'cert-manager.io' if empty.
    IssuerRef cmmeta.ObjectReference `json:"issuerRef"`

    // The PEM-encoded x509 certificate signing request to be submitted to the
    // CA for signing.
    CSRPEM []byte `json:"csr"`

    // IsCA will request to mark the certificate as valid for certificate signing
    // when submitting to the issuer.
    // This will automatically add the `cert sign` usage to the list of `usages`.
    // +optional
    IsCA bool `json:"isCA,omitempty"`

    // Usages is the set of x509 usages that are requested for the certificate.
    // Defaults to `digital signature` and `key encipherment` if not specified.
    // +optional
    Usages []KeyUsage `json:"usages,omitempty"`
}

CertificateRequestSpec defines the desired state of CertificateRequest

func (*CertificateRequestSpec) DeepCopy Uses

func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestSpec.

func (*CertificateRequestSpec) DeepCopyInto Uses

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateRequestStatus Uses

type CertificateRequestStatus struct {
    // List of status conditions to indicate the status of a CertificateRequest.
    // Known condition types are `Ready` and `InvalidRequest`.
    // +optional
    Conditions []CertificateRequestCondition `json:"conditions,omitempty"`

    // The PEM encoded x509 certificate resulting from the certificate
    // signing request.
    // If not set, the CertificateRequest has either not been completed or has
    // failed. More information on failure can be found by checking the
    // `conditions` field.
    // +optional
    Certificate []byte `json:"certificate,omitempty"`

    // The PEM encoded x509 certificate of the signer, also known as the CA
    // (Certificate Authority).
    // This is set on a best-effort basis by different issuers.
    // If not set, the CA is assumed to be unknown/not available.
    // +optional
    CA  []byte `json:"ca,omitempty"`

    // FailureTime stores the time that this CertificateRequest failed. This is
    // used to influence garbage collection and back-off.
    // +optional
    FailureTime *metav1.Time `json:"failureTime,omitempty"`
}

CertificateRequestStatus defines the observed state of CertificateRequest and resulting signed certificate.

func (*CertificateRequestStatus) DeepCopy Uses

func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateRequestStatus.

func (*CertificateRequestStatus) DeepCopyInto Uses

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateSpec Uses

type CertificateSpec struct {
    // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
    // +optional
    Subject *X509Subject `json:"subject,omitempty"`

    // CommonName is a common name to be used on the Certificate.
    // The CommonName should have a length of 64 characters or fewer to avoid
    // generating invalid CSRs.
    // This value is ignored by TLS clients when any subject alt name is set.
    // This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
    // +optional
    CommonName string `json:"commonName,omitempty"`

    // Organization is a list of organizations to be used on the Certificate.
    // +optional
    Organization []string `json:"organization,omitempty"`

    // The requested 'duration' (i.e. lifetime) of the Certificate.
    // This option may be ignored/overridden by some issuer types.
    // If overridden and `renewBefore` is greater than the actual certificate
    // duration, the certificate will be automatically renewed 2/3rds of the
    // way through the certificate's duration.
    // +optional
    Duration *metav1.Duration `json:"duration,omitempty"`

    // The amount of time before the currently issued certificate's `notAfter`
    // time that cert-manager will begin to attempt to renew the certificate.
    // If this value is greater than the total duration of the certificate
    // (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of
    // the way through the certificate's duration.
    // +optional
    RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`

    // DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
    // +optional
    DNSNames []string `json:"dnsNames,omitempty"`

    // IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
    // +optional
    IPAddresses []string `json:"ipAddresses,omitempty"`

    // URISANs is a list of URI subjectAltNames to be set on the Certificate.
    // +optional
    URISANs []string `json:"uriSANs,omitempty"`

    // EmailSANs is a list of email subjectAltNames to be set on the Certificate.
    // +optional
    EmailSANs []string `json:"emailSANs,omitempty"`

    // SecretName is the name of the secret resource that will be automatically
    // created and managed by this Certificate resource.
    // It will be populated with a private key and certificate, signed by the
    // denoted issuer.
    SecretName string `json:"secretName"`

    // Keystores configures additional keystore output formats stored in the
    // `secretName` Secret resource.
    // +optional
    Keystores *CertificateKeystores `json:"keystores,omitempty"`

    // IssuerRef is a reference to the issuer for this certificate.
    // If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
    // with the given name in the same namespace as the Certificate will be used.
    // If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the
    // provided name will be used.
    // The 'name' field in this stanza is required at all times.
    IssuerRef cmmeta.ObjectReference `json:"issuerRef"`

    // IsCA will mark this Certificate as valid for certificate signing.
    // This will automatically add the `cert sign` usage to the list of `usages`.
    // +optional
    IsCA bool `json:"isCA,omitempty"`

    // Usages is the set of x509 usages that are requested for the certificate.
    // Defaults to `digital signature` and `key encipherment` if not specified.
    // +optional
    Usages []KeyUsage `json:"usages,omitempty"`

    // KeySize is the key bit size of the corresponding private key for this certificate.
    // If `keyAlgorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
    // and will default to `2048` if not specified.
    // If `keyAlgorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
    // and will default to `256` if not specified.
    // No other values are allowed.
    // +kubebuilder:validation:ExclusiveMaximum=false
    // +kubebuilder:validation:Maximum=8192
    // +kubebuilder:validation:ExclusiveMinimum=false
    // +kubebuilder:validation:Minimum=0
    // +optional
    KeySize int `json:"keySize,omitempty"`

    // KeyAlgorithm is the private key algorithm of the corresponding private key
    // for this certificate. If provided, allowed values are either "rsa" or "ecdsa"
    // If `keyAlgorithm` is specified and `keySize` is not provided,
    // key size of 256 will be used for "ecdsa" key algorithm and
    // key size of 2048 will be used for "rsa" key algorithm.
    // +optional
    KeyAlgorithm KeyAlgorithm `json:"keyAlgorithm,omitempty"`

    // KeyEncoding is the private key cryptography standards (PKCS)
    // for this certificate's private key to be encoded in. If provided, allowed
    // values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, respectively.
    // If KeyEncoding is not specified, then PKCS#1 will be used by default.
    // +optional
    KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"`

    // Options to control private keys used for the Certificate.
    // +optional
    PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
}

CertificateSpec defines the desired state of Certificate.

func (*CertificateSpec) DeepCopy Uses

func (in *CertificateSpec) DeepCopy() *CertificateSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSpec.

func (*CertificateSpec) DeepCopyInto Uses

func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CertificateStatus Uses

type CertificateStatus struct {
    // List of status conditions to indicate the status of certificates.
    // Known condition types are `Ready` and `Issuing`.
    // +optional
    Conditions []CertificateCondition `json:"conditions,omitempty"`

    // LastFailureTime is the time as recorded by the Certificate controller
    // of the most recent failure to complete a CertificateRequest for this
    // Certificate resource.
    // If set, cert-manager will not re-request another Certificate until
    // 1 hour has elapsed from this time.
    // +optional
    LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`

    // The time after which the certificate stored in the secret named
    // by this resource in spec.secretName is valid.
    // +optional
    NotBefore *metav1.Time `json:"notBefore,omitempty"`

    // The expiration time of the certificate stored in the secret named
    // by this resource in `spec.secretName`.
    // +optional
    NotAfter *metav1.Time `json:"notAfter,omitempty"`

    // RenewalTime is the time at which the certificate will be next
    // renewed.
    // If not set, no upcoming renewal is scheduled.
    // +optional
    RenewalTime *metav1.Time `json:"renewalTime,omitempty"`

    // The current 'revision' of the certificate as issued.
    //
    // When a CertificateRequest resource is created, it will have the
    // `cert-manager.io/certificate-revision` set to one greater than the
    // current value of this field.
    //
    // Upon issuance, this field will be set to the value of the annotation
    // on the CertificateRequest resource used to issue the certificate.
    //
    // Persisting the value on the CertificateRequest resource allows the
    // certificates controller to know whether a request is part of an old
    // issuance or if it is part of the ongoing revision's issuance by
    // checking if the revision value in the annotation is greater than this
    // field.
    // +optional
    Revision *int `json:"revision,omitempty"`

    // The name of the Secret resource containing the private key to be used
    // for the next certificate iteration.
    // The keymanager controller will automatically set this field if the
    // `Issuing` condition is set to `True`.
    // It will automatically unset this field when the Issuing condition is
    // not set or False.
    // +optional
    NextPrivateKeySecretName *string `json:"nextPrivateKeySecretName,omitempty"`
}

CertificateStatus defines the observed state of Certificate

func (*CertificateStatus) DeepCopy Uses

func (in *CertificateStatus) DeepCopy() *CertificateStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateStatus.

func (*CertificateStatus) DeepCopyInto Uses

func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ClusterIssuer Uses

type ClusterIssuer struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    // Desired state of the ClusterIssuer resource.
    Spec IssuerSpec `json:"spec,omitempty"`

    // Status of the ClusterIssuer. This is set and managed automatically.
    Status IssuerStatus `json:"status,omitempty"`
}

A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.

func (*ClusterIssuer) Copy Uses

func (c *ClusterIssuer) Copy() GenericIssuer

func (*ClusterIssuer) DeepCopy Uses

func (in *ClusterIssuer) DeepCopy() *ClusterIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuer.

func (*ClusterIssuer) DeepCopyInto Uses

func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuer) DeepCopyObject Uses

func (in *ClusterIssuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterIssuer) GetObjectMeta Uses

func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta

func (*ClusterIssuer) GetSpec Uses

func (c *ClusterIssuer) GetSpec() *IssuerSpec

func (*ClusterIssuer) GetStatus Uses

func (c *ClusterIssuer) GetStatus() *IssuerStatus

func (*ClusterIssuer) SetSpec Uses

func (c *ClusterIssuer) SetSpec(spec IssuerSpec)

func (*ClusterIssuer) SetStatus Uses

func (c *ClusterIssuer) SetStatus(status IssuerStatus)

type ClusterIssuerList Uses

type ClusterIssuerList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    Items []ClusterIssuer `json:"items"`
}

ClusterIssuerList is a list of Issuers

func (*ClusterIssuerList) DeepCopy Uses

func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterIssuerList.

func (*ClusterIssuerList) DeepCopyInto Uses

func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterIssuerList) DeepCopyObject Uses

func (in *ClusterIssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type GenericIssuer Uses

type GenericIssuer interface {
    runtime.Object
    metav1.Object

    GetObjectMeta() *metav1.ObjectMeta
    GetSpec() *IssuerSpec
    GetStatus() *IssuerStatus
}

type Issuer Uses

type Issuer struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    // Desired state of the Issuer resource.
    Spec IssuerSpec `json:"spec,omitempty"`

    // Status of the Issuer. This is set and managed automatically.
    Status IssuerStatus `json:"status,omitempty"`
}

An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace.

func (*Issuer) Copy Uses

func (c *Issuer) Copy() GenericIssuer

func (*Issuer) DeepCopy Uses

func (in *Issuer) DeepCopy() *Issuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Issuer.

func (*Issuer) DeepCopyInto Uses

func (in *Issuer) DeepCopyInto(out *Issuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Issuer) DeepCopyObject Uses

func (in *Issuer) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*Issuer) GetObjectMeta Uses

func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta

func (*Issuer) GetSpec Uses

func (c *Issuer) GetSpec() *IssuerSpec

func (*Issuer) GetStatus Uses

func (c *Issuer) GetStatus() *IssuerStatus

func (*Issuer) SetSpec Uses

func (c *Issuer) SetSpec(spec IssuerSpec)

func (*Issuer) SetStatus Uses

func (c *Issuer) SetStatus(status IssuerStatus)

type IssuerCondition Uses

type IssuerCondition struct {
    // Type of the condition, known values are ('Ready').
    Type IssuerConditionType `json:"type"`

    // Status of the condition, one of ('True', 'False', 'Unknown').
    Status cmmeta.ConditionStatus `json:"status"`

    // LastTransitionTime is the timestamp corresponding to the last status
    // change of this condition.
    // +optional
    LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

    // Reason is a brief machine readable explanation for the condition's last
    // transition.
    // +optional
    Reason string `json:"reason,omitempty"`

    // Message is a human readable description of the details of the last
    // transition, complementing reason.
    // +optional
    Message string `json:"message,omitempty"`
}

IssuerCondition contains condition information for an Issuer.

func (*IssuerCondition) DeepCopy Uses

func (in *IssuerCondition) DeepCopy() *IssuerCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerCondition.

func (*IssuerCondition) DeepCopyInto Uses

func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerConditionType Uses

type IssuerConditionType string

IssuerConditionType represents an Issuer condition value.

const (
    // IssuerConditionReady represents the fact that a given Issuer condition
    // is in ready state and able to issue certificates.
    // If the `status` of this condition is `False`, CertificateRequest controllers
    // should prevent attempts to sign certificates.
    IssuerConditionReady IssuerConditionType = "Ready"
)

type IssuerConfig Uses

type IssuerConfig struct {
    // ACME configures this issuer to communicate with a RFC8555 (ACME) server
    // to obtain signed x509 certificates.
    // +optional
    ACME *cmacme.ACMEIssuer `json:"acme,omitempty"`

    // CA configures this issuer to sign certificates using a signing CA keypair
    // stored in a Secret resource.
    // This is used to build internal PKIs that are managed by cert-manager.
    // +optional
    CA  *CAIssuer `json:"ca,omitempty"`

    // Vault configures this issuer to sign certificates using a HashiCorp Vault
    // PKI backend.
    // +optional
    Vault *VaultIssuer `json:"vault,omitempty"`

    // SelfSigned configures this issuer to 'self sign' certificates using the
    // private key used to create the CertificateRequest object.
    // +optional
    SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"`

    // Venafi configures this issuer to sign certificates using a Venafi TPP
    // or Venafi Cloud policy zone.
    // +optional
    Venafi *VenafiIssuer `json:"venafi,omitempty"`
}

func (*IssuerConfig) DeepCopy Uses

func (in *IssuerConfig) DeepCopy() *IssuerConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerConfig.

func (*IssuerConfig) DeepCopyInto Uses

func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerList Uses

type IssuerList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    Items []Issuer `json:"items"`
}

IssuerList is a list of Issuers

func (*IssuerList) DeepCopy Uses

func (in *IssuerList) DeepCopy() *IssuerList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerList.

func (*IssuerList) DeepCopyInto Uses

func (in *IssuerList) DeepCopyInto(out *IssuerList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IssuerList) DeepCopyObject Uses

func (in *IssuerList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type IssuerSpec Uses

type IssuerSpec struct {
    IssuerConfig `json:",inline"`
}

IssuerSpec is the specification of an Issuer. This includes any configuration required for the issuer.

func (*IssuerSpec) DeepCopy Uses

func (in *IssuerSpec) DeepCopy() *IssuerSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerSpec.

func (*IssuerSpec) DeepCopyInto Uses

func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IssuerStatus Uses

type IssuerStatus struct {
    // List of status conditions to indicate the status of a CertificateRequest.
    // Known condition types are `Ready`.
    // +optional
    Conditions []IssuerCondition `json:"conditions,omitempty"`

    // ACME specific status options.
    // This field should only be set if the Issuer is configured to use an ACME
    // server to issue certificates.
    // +optional
    ACME *cmacme.ACMEIssuerStatus `json:"acme,omitempty"`
}

IssuerStatus contains status information about an Issuer

func (*IssuerStatus) ACMEStatus Uses

func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus

TODO: refactor these functions away

func (*IssuerStatus) DeepCopy Uses

func (in *IssuerStatus) DeepCopy() *IssuerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerStatus.

func (*IssuerStatus) DeepCopyInto Uses

func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type JKSKeystore Uses

type JKSKeystore struct {
    // Create enables JKS keystore creation for the Certificate.
    // If true, a file named `keystore.jks` will be created in the target
    // Secret resource, encrypted using the password stored in
    // `passwordSecretRef`.
    // The keystore file will only be updated upon re-issuance.
    Create bool `json:"create"`

    // PasswordSecretRef is a reference to a key in a Secret resource
    // containing the password used to encrypt the JKS keystore.
    PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
}

JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource.

func (*JKSKeystore) DeepCopy Uses

func (in *JKSKeystore) DeepCopy() *JKSKeystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JKSKeystore.

func (*JKSKeystore) DeepCopyInto Uses

func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KeyAlgorithm Uses

type KeyAlgorithm string

+kubebuilder:validation:Enum=rsa;ecdsa

const (
    // Denotes the RSA private key type.
    RSAKeyAlgorithm KeyAlgorithm = "rsa"

    // Denotes the ECDSA private key type.
    ECDSAKeyAlgorithm KeyAlgorithm = "ecdsa"
)

type KeyEncoding Uses

type KeyEncoding string

+kubebuilder:validation:Enum=pkcs1;pkcs8

const (
    // PKCS1 key encoding will produce PEM files that include the type of
    // private key as part of the PEM header, e.g. "BEGIN RSA PRIVATE KEY".
    // If the keyAlgorithm is set to 'ECDSA', this will produce private keys
    // that use the "BEGIN EC PRIVATE KEY" header.
    PKCS1 KeyEncoding = "pkcs1"

    // PKCS8 key encoding will produce PEM files with the "BEGIN PRIVATE KEY"
    // header. It encodes the keyAlgorithm of the private key as part of the
    // DER encoded PEM block.
    PKCS8 KeyEncoding = "pkcs8"
)

type KeyUsage Uses

type KeyUsage string

KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

https://tools.ietf.org/html/rfc5280#section-4.2.1.12

Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"

const (
    UsageSigning            KeyUsage = "signing"
    UsageDigitalSignature   KeyUsage = "digital signature"
    UsageContentCommittment KeyUsage = "content commitment"
    UsageKeyEncipherment    KeyUsage = "key encipherment"
    UsageKeyAgreement       KeyUsage = "key agreement"
    UsageDataEncipherment   KeyUsage = "data encipherment"
    UsageCertSign           KeyUsage = "cert sign"
    UsageCRLSign            KeyUsage = "crl sign"
    UsageEncipherOnly       KeyUsage = "encipher only"
    UsageDecipherOnly       KeyUsage = "decipher only"
    UsageAny                KeyUsage = "any"
    UsageServerAuth         KeyUsage = "server auth"
    UsageClientAuth         KeyUsage = "client auth"
    UsageCodeSigning        KeyUsage = "code signing"
    UsageEmailProtection    KeyUsage = "email protection"
    UsageSMIME              KeyUsage = "s/mime"
    UsageIPsecEndSystem     KeyUsage = "ipsec end system"
    UsageIPsecTunnel        KeyUsage = "ipsec tunnel"
    UsageIPsecUser          KeyUsage = "ipsec user"
    UsageTimestamping       KeyUsage = "timestamping"
    UsageOCSPSigning        KeyUsage = "ocsp signing"
    UsageMicrosoftSGC       KeyUsage = "microsoft sgc"
    UsageNetscapeSGC        KeyUsage = "netscape sgc"
)

func DefaultKeyUsages Uses

func DefaultKeyUsages() []KeyUsage

DefaultKeyUsages contains the default list of key usages

type PKCS12Keystore Uses

type PKCS12Keystore struct {
    // Create enables PKCS12 keystore creation for the Certificate.
    // If true, a file named `keystore.p12` will be created in the target
    // Secret resource, encrypted using the password stored in
    // `passwordSecretRef`.
    // The keystore file will only be updated upon re-issuance.
    Create bool `json:"create"`

    // PasswordSecretRef is a reference to a key in a Secret resource
    // containing the password used to encrypt the PKCS12 keystore.
    PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
}

PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource.

func (*PKCS12Keystore) DeepCopy Uses

func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCS12Keystore.

func (*PKCS12Keystore) DeepCopyInto Uses

func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivateKeyRotationPolicy Uses

type PrivateKeyRotationPolicy string

Denotes how private keys should be generated or sourced when a Certificate is being issued.

var (
    // RotationPolicyNever means a private key will only be generated if one
    // does not already exist in the target `spec.secretName`.
    // If one does exists but it does not have the correct algorithm or size,
    // a warning will be raised to await user intervention.
    RotationPolicyNever PrivateKeyRotationPolicy = "Never"

    // RotationPolicyAlways means a private key matching the specified
    // requirements will be generated whenever a re-issuance occurs.
    RotationPolicyAlways PrivateKeyRotationPolicy = "Always"
)

type SelfSignedIssuer Uses

type SelfSignedIssuer struct {
    // The CRL distribution points is an X.509 v3 certificate extension which identifies
    // the location of the CRL from which the revocation of this certificate can be checked.
    // If not set certificate will be issued without CDP. Values are strings.
    // +optional
    CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
}

Configures an issuer to 'self sign' certificates using the private key used to create the CertificateRequest object.

func (*SelfSignedIssuer) DeepCopy Uses

func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSignedIssuer.

func (*SelfSignedIssuer) DeepCopyInto Uses

func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAppRole Uses

type VaultAppRole struct {
    // Path where the App Role authentication backend is mounted in Vault, e.g:
    // "approle"
    Path string `json:"path"`

    // RoleID configured in the App Role authentication backend when setting
    // up the authentication backend in Vault.
    RoleId string `json:"roleId"`

    // Reference to a key in a Secret that contains the App Role secret used
    // to authenticate with Vault.
    // The `key` field must be specified and denotes which entry within the Secret
    // resource is used as the app role secret.
    SecretRef cmmeta.SecretKeySelector `json:"secretRef"`
}

VaultAppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

func (*VaultAppRole) DeepCopy Uses

func (in *VaultAppRole) DeepCopy() *VaultAppRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.

func (*VaultAppRole) DeepCopyInto Uses

func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth Uses

type VaultAuth struct {
    // TokenSecretRef authenticates with Vault by presenting a token.
    // +optional
    TokenSecretRef *cmmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`

    // AppRole authenticates with Vault using the App Role auth mechanism,
    // with the role and secret stored in a Kubernetes Secret resource.
    // +optional
    AppRole *VaultAppRole `json:"appRole,omitempty"`

    // Kubernetes authenticates with Vault by passing the ServiceAccount
    // token stored in the named Secret resource to the Vault server.
    // +optional
    Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
}

Configuration used to authenticate with a Vault server. Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.

func (*VaultAuth) DeepCopy Uses

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto Uses

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultIssuer Uses

type VaultIssuer struct {
    // Auth configures how cert-manager authenticates with the Vault server.
    Auth VaultAuth `json:"auth"`

    // Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
    Server string `json:"server"`

    // Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
    // "my_pki_mount/sign/my-role-name".
    Path string `json:"path"`

    // Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
    // More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
    // +optional
    Namespace string `json:"namespace,omitempty"`

    // PEM encoded CA bundle used to validate Vault server certificate. Only used
    // if the Server URL is using HTTPS protocol. This parameter is ignored for
    // plain HTTP protocol connection. If not set the system root certificates
    // are used to validate the TLS connection.
    // +optional
    CABundle []byte `json:"caBundle,omitempty"`
}

Configures an issuer to sign certificates using a HashiCorp Vault PKI backend.

func (*VaultIssuer) DeepCopy Uses

func (in *VaultIssuer) DeepCopy() *VaultIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIssuer.

func (*VaultIssuer) DeepCopyInto Uses

func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultKubernetesAuth Uses

type VaultKubernetesAuth struct {
    // The Vault mountPath here is the mount path to use when authenticating with
    // Vault. For example, setting a value to `/v1/auth/foo`, will use the path
    // `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
    // default value "/v1/auth/kubernetes" will be used.
    // +optional
    Path string `json:"mountPath,omitempty"`

    // The required Secret field containing a Kubernetes ServiceAccount JWT used
    // for authenticating with Vault. Use of 'ambient credentials' is not
    // supported.
    SecretRef cmmeta.SecretKeySelector `json:"secretRef"`

    // A required field containing the Vault Role to assume. A Role binds a
    // Kubernetes ServiceAccount with a set of Vault policies.
    Role string `json:"role"`
}

Authenticate against Vault using a Kubernetes ServiceAccount token stored in a Secret.

func (*VaultKubernetesAuth) DeepCopy Uses

func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.

func (*VaultKubernetesAuth) DeepCopyInto Uses

func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiCloud Uses

type VenafiCloud struct {
    // URL is the base URL for Venafi Cloud.
    // Defaults to "https://api.venafi.cloud/v1".
    // +optional
    URL string `json:"url,omitempty"`

    // APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
    APITokenSecretRef cmmeta.SecretKeySelector `json:"apiTokenSecretRef"`
}

VenafiCloud defines connection configuration details for Venafi Cloud

func (*VenafiCloud) DeepCopy Uses

func (in *VenafiCloud) DeepCopy() *VenafiCloud

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiCloud.

func (*VenafiCloud) DeepCopyInto Uses

func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiIssuer Uses

type VenafiIssuer struct {
    // Zone is the Venafi Policy Zone to use for this issuer.
    // All requests made to the Venafi platform will be restricted by the named
    // zone policy.
    // This field is required.
    Zone string `json:"zone"`

    // TPP specifies Trust Protection Platform configuration settings.
    // Only one of TPP or Cloud may be specified.
    // +optional
    TPP *VenafiTPP `json:"tpp,omitempty"`

    // Cloud specifies the Venafi cloud configuration settings.
    // Only one of TPP or Cloud may be specified.
    // +optional
    Cloud *VenafiCloud `json:"cloud,omitempty"`
}

Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.

func (*VenafiIssuer) DeepCopy Uses

func (in *VenafiIssuer) DeepCopy() *VenafiIssuer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiIssuer.

func (*VenafiIssuer) DeepCopyInto Uses

func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VenafiTPP Uses

type VenafiTPP struct {
    // URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
    // for example: "https://tpp.example.com/vedsdk".
    URL string `json:"url"`

    // CredentialsRef is a reference to a Secret containing the username and
    // password for the TPP server.
    // The secret must contain two keys, 'username' and 'password'.
    CredentialsRef cmmeta.LocalObjectReference `json:"credentialsRef"`

    // CABundle is a PEM encoded TLS certificate to use to verify connections to
    // the TPP instance.
    // If specified, system roots will not be used and the issuing CA for the
    // TPP instance must be verifiable using the provided root.
    // If not specified, the connection will be verified using the cert-manager
    // system root certificates.
    // +optional
    CABundle []byte `json:"caBundle,omitempty"`
}

VenafiTPP defines connection configuration details for a Venafi TPP instance

func (*VenafiTPP) DeepCopy Uses

func (in *VenafiTPP) DeepCopy() *VenafiTPP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VenafiTPP.

func (*VenafiTPP) DeepCopyInto Uses

func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type X509Subject Uses

type X509Subject struct {
    // Countries to be used on the Certificate.
    // +optional
    Countries []string `json:"countries,omitempty"`
    // Organizational Units to be used on the Certificate.
    // +optional
    OrganizationalUnits []string `json:"organizationalUnits,omitempty"`
    // Cities to be used on the Certificate.
    // +optional
    Localities []string `json:"localities,omitempty"`
    // State/Provinces to be used on the Certificate.
    // +optional
    Provinces []string `json:"provinces,omitempty"`
    // Street addresses to be used on the Certificate.
    // +optional
    StreetAddresses []string `json:"streetAddresses,omitempty"`
    // Postal codes to be used on the Certificate.
    // +optional
    PostalCodes []string `json:"postalCodes,omitempty"`
    // Serial number to be used on the Certificate.
    // +optional
    SerialNumber string `json:"serialNumber,omitempty"`
}

X509Subject Full X509 name specification

func (*X509Subject) DeepCopy Uses

func (in *X509Subject) DeepCopy() *X509Subject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject.

func (*X509Subject) DeepCopyInto Uses

func (in *X509Subject) DeepCopyInto(out *X509Subject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Package v1alpha2 imports 7 packages (graph) and is imported by 102 packages. Updated 2020-08-20. Refresh now. Tools for package owners.