254 lines
11 KiB
Text
254 lines
11 KiB
Text
|
# Copyright YEAR The Jetstack cert-manager contributors.
|
||
|
#
|
||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
# you may not use this file except in compliance with the License.
|
||
|
# You may obtain a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
|
||
|
---
|
||
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||
|
kind: CustomResourceDefinition
|
||
|
metadata:
|
||
|
name: orders.acme.cert-manager.io
|
||
|
annotations:
|
||
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
||
|
labels:
|
||
|
app: cert-manager
|
||
|
app.kubernetes.io/name: cert-manager
|
||
|
app.kubernetes.io/instance: cert-manager
|
||
|
app.kubernetes.io/managed-by: Helm
|
||
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
||
|
spec:
|
||
|
additionalPrinterColumns:
|
||
|
- JSONPath: .status.state
|
||
|
name: State
|
||
|
type: string
|
||
|
- JSONPath: .spec.issuerRef.name
|
||
|
name: Issuer
|
||
|
priority: 1
|
||
|
type: string
|
||
|
- JSONPath: .status.reason
|
||
|
name: Reason
|
||
|
priority: 1
|
||
|
type: string
|
||
|
- JSONPath: .metadata.creationTimestamp
|
||
|
description: CreationTimestamp is a timestamp representing the server time when
|
||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||
|
across separate operations. Clients may not set this value. It is represented
|
||
|
in RFC3339 form and is in UTC.
|
||
|
name: Age
|
||
|
type: date
|
||
|
group: acme.cert-manager.io
|
||
|
preserveUnknownFields: false
|
||
|
conversion:
|
||
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||
|
strategy: Webhook
|
||
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||
|
webhookClientConfig:
|
||
|
service:
|
||
|
namespace: '{{ cert_manager_namespace }}'
|
||
|
name: 'cert-manager-webhook'
|
||
|
path: /convert
|
||
|
names:
|
||
|
kind: Order
|
||
|
listKind: OrderList
|
||
|
plural: orders
|
||
|
singular: order
|
||
|
scope: Namespaced
|
||
|
subresources:
|
||
|
status: {}
|
||
|
versions:
|
||
|
- name: v1alpha2
|
||
|
served: true
|
||
|
storage: true
|
||
|
- name: v1alpha3
|
||
|
served: true
|
||
|
storage: false
|
||
|
"validation":
|
||
|
"openAPIV3Schema":
|
||
|
description: Order is a type to represent an Order with an ACME server
|
||
|
type: object
|
||
|
required:
|
||
|
- metadata
|
||
|
properties:
|
||
|
apiVersion:
|
||
|
description: 'APIVersion defines the versioned schema of this representation
|
||
|
of an object. Servers should convert recognized schemas to the latest
|
||
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
|
type: string
|
||
|
kind:
|
||
|
description: 'Kind is a string value representing the REST resource this
|
||
|
object represents. Servers may infer this from the endpoint the client
|
||
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
|
type: string
|
||
|
metadata:
|
||
|
type: object
|
||
|
spec:
|
||
|
type: object
|
||
|
required:
|
||
|
- csr
|
||
|
- issuerRef
|
||
|
properties:
|
||
|
commonName:
|
||
|
description: CommonName is the common name as specified on the DER encoded
|
||
|
CSR. If CommonName is not specified, the first DNSName specified will
|
||
|
be used as the CommonName. At least one of CommonName or a DNSNames
|
||
|
must be set. This field must match the corresponding field on the
|
||
|
DER encoded CSR.
|
||
|
type: string
|
||
|
csr:
|
||
|
description: Certificate signing request bytes in DER encoding. This
|
||
|
will be used when finalizing the order. This field must be set on
|
||
|
the order.
|
||
|
type: string
|
||
|
format: byte
|
||
|
dnsNames:
|
||
|
description: DNSNames is a list of DNS names that should be included
|
||
|
as part of the Order validation process. If CommonName is not specified,
|
||
|
the first DNSName specified will be used as the CommonName. At least
|
||
|
one of CommonName or a DNSNames must be set. This field must match
|
||
|
the corresponding field on the DER encoded CSR.
|
||
|
type: array
|
||
|
items:
|
||
|
type: string
|
||
|
issuerRef:
|
||
|
description: IssuerRef references a properly configured ACME-type Issuer
|
||
|
which should be used to create this Order. If the Issuer does not
|
||
|
exist, processing will be retried. If the Issuer is not an 'ACME'
|
||
|
Issuer, an error will be returned and the Order will be marked as
|
||
|
failed.
|
||
|
type: object
|
||
|
required:
|
||
|
- name
|
||
|
properties:
|
||
|
group:
|
||
|
type: string
|
||
|
kind:
|
||
|
type: string
|
||
|
name:
|
||
|
type: string
|
||
|
status:
|
||
|
type: object
|
||
|
properties:
|
||
|
authorizations:
|
||
|
description: Authorizations contains data returned from the ACME server
|
||
|
on what authorizations must be completed in order to validate the
|
||
|
DNS names specified on the Order.
|
||
|
type: array
|
||
|
items:
|
||
|
description: ACMEAuthorization contains data returned from the ACME
|
||
|
server on an authorization that must be completed in order validate
|
||
|
a DNS name on an ACME Order resource.
|
||
|
type: object
|
||
|
required:
|
||
|
- url
|
||
|
properties:
|
||
|
challenges:
|
||
|
description: Challenges specifies the challenge types offered
|
||
|
by the ACME server. One of these challenge types will be selected
|
||
|
when validating the DNS name and an appropriate Challenge resource
|
||
|
will be created to perform the ACME challenge process.
|
||
|
type: array
|
||
|
items:
|
||
|
description: Challenge specifies a challenge offered by the
|
||
|
ACME server for an Order. An appropriate Challenge resource
|
||
|
can be created to perform the ACME challenge process.
|
||
|
type: object
|
||
|
required:
|
||
|
- token
|
||
|
- type
|
||
|
- url
|
||
|
properties:
|
||
|
token:
|
||
|
description: Token is the token that must be presented for
|
||
|
this challenge. This is used to compute the 'key' that
|
||
|
must also be presented.
|
||
|
type: string
|
||
|
type:
|
||
|
description: Type is the type of challenge being offered,
|
||
|
e.g. http-01, dns-01
|
||
|
type: string
|
||
|
url:
|
||
|
description: URL is the URL of this challenge. It can be
|
||
|
used to retrieve additional metadata about the Challenge
|
||
|
from the ACME server.
|
||
|
type: string
|
||
|
identifier:
|
||
|
description: Identifier is the DNS name to be validated as part
|
||
|
of this authorization
|
||
|
type: string
|
||
|
initialState:
|
||
|
description: InitialState is the initial state of the ACME authorization
|
||
|
when first fetched from the ACME server. If an Authorization
|
||
|
is already 'valid', the Order controller will not create a Challenge
|
||
|
resource for the authorization. This will occur when working
|
||
|
with an ACME server that enables 'authz reuse' (such as Let's
|
||
|
Encrypt's production endpoint). If not set and 'identifier'
|
||
|
is set, the state is assumed to be pending and a Challenge will
|
||
|
be created.
|
||
|
type: string
|
||
|
enum:
|
||
|
- valid
|
||
|
- ready
|
||
|
- pending
|
||
|
- processing
|
||
|
- invalid
|
||
|
- expired
|
||
|
- errored
|
||
|
url:
|
||
|
description: URL is the URL of the Authorization that must be
|
||
|
completed
|
||
|
type: string
|
||
|
wildcard:
|
||
|
description: Wildcard will be true if this authorization is for
|
||
|
a wildcard DNS name. If this is true, the identifier will be
|
||
|
the *non-wildcard* version of the DNS name. For example, if
|
||
|
'*.example.com' is the DNS name being validated, this field
|
||
|
will be 'true' and the 'identifier' field will be 'example.com'.
|
||
|
type: boolean
|
||
|
certificate:
|
||
|
description: Certificate is a copy of the PEM encoded certificate for
|
||
|
this Order. This field will be populated after the order has been
|
||
|
successfully finalized with the ACME server, and the order has transitioned
|
||
|
to the 'valid' state.
|
||
|
type: string
|
||
|
format: byte
|
||
|
failureTime:
|
||
|
description: FailureTime stores the time that this order failed. This
|
||
|
is used to influence garbage collection and back-off.
|
||
|
type: string
|
||
|
format: date-time
|
||
|
finalizeURL:
|
||
|
description: FinalizeURL of the Order. This is used to obtain certificates
|
||
|
for this order once it has been completed.
|
||
|
type: string
|
||
|
reason:
|
||
|
description: Reason optionally provides more information about a why
|
||
|
the order is in the current state.
|
||
|
type: string
|
||
|
state:
|
||
|
description: State contains the current state of this Order resource.
|
||
|
States 'success' and 'expired' are 'final'
|
||
|
type: string
|
||
|
enum:
|
||
|
- valid
|
||
|
- ready
|
||
|
- pending
|
||
|
- processing
|
||
|
- invalid
|
||
|
- expired
|
||
|
- errored
|
||
|
url:
|
||
|
description: URL of the Order. This will initially be empty when the
|
||
|
resource is first created. The Order controller will populate this
|
||
|
field when the Order is first processed. This field will be immutable
|
||
|
after it is initially set.
|
||
|
type: string
|