fc61f8d52e
* Update cert manager to 0.16.1 * Update cert manager to 0.16.1 Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
1790 lines
87 KiB
Django/Jinja
1790 lines
87 KiB
Django/Jinja
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: certificaterequests.cert-manager.io
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- JSONPath: .spec.issuerRef.name
|
|
name: Issuer
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
name: Age
|
|
type: date
|
|
group: cert-manager.io
|
|
preserveUnknownFields: false
|
|
conversion:
|
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
|
strategy: Webhook
|
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
|
webhookClientConfig:
|
|
service:
|
|
namespace: '{{ cert_manager_namespace }}'
|
|
name: 'cert-manager-webhook'
|
|
path: /convert
|
|
names:
|
|
kind: CertificateRequest
|
|
listKind: CertificateRequestList
|
|
plural: certificaterequests
|
|
shortNames:
|
|
- cr
|
|
- crs
|
|
singular: certificaterequest
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
versions:
|
|
- name: v1alpha2
|
|
served: true
|
|
storage: true
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A CertificateRequest is used to request a signed certificate
|
|
from one of the configured issuers. \n All fields within the CertificateRequest's
|
|
`spec` are immutable after creation. A CertificateRequest will either succeed
|
|
or fail, as denoted by its `status.state` field. \n A CertificateRequest
|
|
is a 'one-shot' resource, meaning it represents a single point in time request
|
|
for a certificate and cannot be re-used."
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the CertificateRequest resource.
|
|
type: object
|
|
required:
|
|
- csr
|
|
- issuerRef
|
|
properties:
|
|
csr:
|
|
description: The PEM-encoded x509 certificate signing request to be
|
|
submitted to the CA for signing.
|
|
type: string
|
|
format: byte
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types.
|
|
type: string
|
|
isCA:
|
|
description: IsCA will request to mark the certificate as valid for
|
|
certificate signing when submitting to the issuer. This will automatically
|
|
add the `cert sign` usage to the list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
|
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the CertificateRequest
|
|
will be used. If the 'kind' field is set to 'ClusterIssuer', a
|
|
ClusterIssuer with the provided name will be used. The 'name' field
|
|
in this stanza is required at all times. The group field refers
|
|
to the API group of the issuer which defaults to 'cert-manager.io'
|
|
if empty.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the CertificateRequest. This is set and managed
|
|
automatically.
|
|
type: object
|
|
properties:
|
|
ca:
|
|
description: The PEM encoded x509 certificate of the signer, also
|
|
known as the CA (Certificate Authority). This is set on a best-effort
|
|
basis by different issuers. If not set, the CA is assumed to be
|
|
unknown/not available.
|
|
type: string
|
|
format: byte
|
|
certificate:
|
|
description: The PEM encoded x509 certificate resulting from the certificate
|
|
signing request. If not set, the CertificateRequest has either not
|
|
been completed or has failed. More information on failure can be
|
|
found by checking the `conditions` field.
|
|
type: string
|
|
format: byte
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
|
|
type: array
|
|
items:
|
|
description: CertificateRequestCondition contains condition information
|
|
for a CertificateRequest.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
'InvalidRequest').
|
|
type: string
|
|
failureTime:
|
|
description: FailureTime stores the time that this CertificateRequest
|
|
failed. This is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A CertificateRequest is used to request a signed certificate
|
|
from one of the configured issuers. \n All fields within the CertificateRequest's
|
|
`spec` are immutable after creation. A CertificateRequest will either succeed
|
|
or fail, as denoted by its `status.state` field. \n A CertificateRequest
|
|
is a 'one-shot' resource, meaning it represents a single point in time request
|
|
for a certificate and cannot be re-used."
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the CertificateRequest resource.
|
|
type: object
|
|
required:
|
|
- csr
|
|
- issuerRef
|
|
properties:
|
|
csr:
|
|
description: The PEM-encoded x509 certificate signing request to be
|
|
submitted to the CA for signing.
|
|
type: string
|
|
format: byte
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types.
|
|
type: string
|
|
isCA:
|
|
description: IsCA will request to mark the certificate as valid for
|
|
certificate signing when submitting to the issuer. This will automatically
|
|
add the `cert sign` usage to the list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
|
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the CertificateRequest
|
|
will be used. If the 'kind' field is set to 'ClusterIssuer', a
|
|
ClusterIssuer with the provided name will be used. The 'name' field
|
|
in this stanza is required at all times. The group field refers
|
|
to the API group of the issuer which defaults to 'cert-manager.io'
|
|
if empty.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the CertificateRequest. This is set and managed
|
|
automatically.
|
|
type: object
|
|
properties:
|
|
ca:
|
|
description: The PEM encoded x509 certificate of the signer, also
|
|
known as the CA (Certificate Authority). This is set on a best-effort
|
|
basis by different issuers. If not set, the CA is assumed to be
|
|
unknown/not available.
|
|
type: string
|
|
format: byte
|
|
certificate:
|
|
description: The PEM encoded x509 certificate resulting from the certificate
|
|
signing request. If not set, the CertificateRequest has either not
|
|
been completed or has failed. More information on failure can be
|
|
found by checking the `conditions` field.
|
|
type: string
|
|
format: byte
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
|
|
type: array
|
|
items:
|
|
description: CertificateRequestCondition contains condition information
|
|
for a CertificateRequest.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
'InvalidRequest').
|
|
type: string
|
|
failureTime:
|
|
description: FailureTime stores the time that this CertificateRequest
|
|
failed. This is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
- name: v1beta1
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A CertificateRequest is used to request a signed certificate
|
|
from one of the configured issuers. \n All fields within the CertificateRequest's
|
|
`spec` are immutable after creation. A CertificateRequest will either succeed
|
|
or fail, as denoted by its `status.state` field. \n A CertificateRequest
|
|
is a 'one-shot' resource, meaning it represents a single point in time request
|
|
for a certificate and cannot be re-used."
|
|
type: object
|
|
required:
|
|
- spec
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the CertificateRequest resource.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- request
|
|
properties:
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types.
|
|
type: string
|
|
isCA:
|
|
description: IsCA will request to mark the certificate as valid for
|
|
certificate signing when submitting to the issuer. This will automatically
|
|
add the `cert sign` usage to the list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
|
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the CertificateRequest
|
|
will be used. If the 'kind' field is set to 'ClusterIssuer', a
|
|
ClusterIssuer with the provided name will be used. The 'name' field
|
|
in this stanza is required at all times. The group field refers
|
|
to the API group of the issuer which defaults to 'cert-manager.io'
|
|
if empty.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
request:
|
|
description: The PEM-encoded x509 certificate signing request to be
|
|
submitted to the CA for signing.
|
|
type: string
|
|
format: byte
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the CertificateRequest. This is set and managed
|
|
automatically.
|
|
type: object
|
|
properties:
|
|
ca:
|
|
description: The PEM encoded x509 certificate of the signer, also
|
|
known as the CA (Certificate Authority). This is set on a best-effort
|
|
basis by different issuers. If not set, the CA is assumed to be
|
|
unknown/not available.
|
|
type: string
|
|
format: byte
|
|
certificate:
|
|
description: The PEM encoded x509 certificate resulting from the certificate
|
|
signing request. If not set, the CertificateRequest has either not
|
|
been completed or has failed. More information on failure can be
|
|
found by checking the `conditions` field.
|
|
type: string
|
|
format: byte
|
|
conditions:
|
|
description: List of status conditions to indicate the status of a
|
|
CertificateRequest. Known condition types are `Ready` and `InvalidRequest`.
|
|
type: array
|
|
items:
|
|
description: CertificateRequestCondition contains condition information
|
|
for a CertificateRequest.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
'InvalidRequest').
|
|
type: string
|
|
failureTime:
|
|
description: FailureTime stores the time that this CertificateRequest
|
|
failed. This is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: certificates.cert-manager.io
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
|
name: Ready
|
|
type: string
|
|
- JSONPath: .spec.secretName
|
|
name: Secret
|
|
type: string
|
|
- JSONPath: .spec.issuerRef.name
|
|
name: Issuer
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
|
name: Status
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
name: Age
|
|
type: date
|
|
group: cert-manager.io
|
|
preserveUnknownFields: false
|
|
conversion:
|
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
|
strategy: Webhook
|
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
|
webhookClientConfig:
|
|
service:
|
|
namespace: '{{ cert_manager_namespace }}'
|
|
name: 'cert-manager-webhook'
|
|
path: /convert
|
|
names:
|
|
kind: Certificate
|
|
listKind: CertificateList
|
|
plural: certificates
|
|
shortNames:
|
|
- cert
|
|
- certs
|
|
singular: certificate
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
versions:
|
|
- name: v1alpha2
|
|
served: true
|
|
storage: true
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A Certificate resource should be created to ensure an up to
|
|
date and signed x509 certificate is stored in the Kubernetes Secret resource
|
|
named in `spec.secretName`. \n The stored certificate will be renewed before
|
|
it expires (as configured by `spec.renewBefore`)."
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the Certificate resource.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- secretName
|
|
properties:
|
|
commonName:
|
|
description: 'CommonName is a common name to be used on the Certificate.
|
|
The CommonName should have a length of 64 characters or fewer to
|
|
avoid generating invalid CSRs. This value is ignored by TLS clients
|
|
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types. If overridden
|
|
and `renewBefore` is greater than the actual certificate duration,
|
|
the certificate will be automatically renewed 2/3rds of the way
|
|
through the certificate's duration.
|
|
type: string
|
|
emailSANs:
|
|
description: EmailSANs is a list of email subjectAltNames to be set
|
|
on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
ipAddresses:
|
|
description: IPAddresses is a list of IP address subjectAltNames to
|
|
be set on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark this Certificate as valid for certificate
|
|
signing. This will automatically add the `cert sign` usage to the
|
|
list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this certificate.
|
|
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the Certificate will
|
|
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
keyAlgorithm:
|
|
description: KeyAlgorithm is the private key algorithm of the corresponding
|
|
private key for this certificate. If provided, allowed values are
|
|
either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
|
|
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
|
and key size of 2048 will be used for "rsa" key algorithm.
|
|
type: string
|
|
enum:
|
|
- rsa
|
|
- ecdsa
|
|
keyEncoding:
|
|
description: KeyEncoding is the private key cryptography standards
|
|
(PKCS) for this certificate's private key to be encoded in. If provided,
|
|
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
|
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
|
be used by default.
|
|
type: string
|
|
enum:
|
|
- pkcs1
|
|
- pkcs8
|
|
keySize:
|
|
description: KeySize is the key bit size of the corresponding private
|
|
key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
|
|
values are `2048`, `4096` or `8192`, and will default to `2048`
|
|
if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
|
|
are `256`, `384` or `521`, and will default to `256` if not specified.
|
|
No other values are allowed.
|
|
type: integer
|
|
maximum: 8192
|
|
minimum: 0
|
|
keystores:
|
|
description: Keystores configures additional keystore output formats
|
|
stored in the `secretName` Secret resource.
|
|
type: object
|
|
properties:
|
|
jks:
|
|
description: JKS configures options for storing a JKS keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables JKS keystore creation for the
|
|
Certificate. If true, a file named `keystore.jks` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the JKS keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
pkcs12:
|
|
description: PKCS12 configures options for storing a PKCS12 keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables PKCS12 keystore creation for the
|
|
Certificate. If true, a file named `keystore.p12` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the PKCS12 keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
organization:
|
|
description: Organization is a list of organizations to be used on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
privateKey:
|
|
description: Options to control private keys used for the Certificate.
|
|
type: object
|
|
properties:
|
|
rotationPolicy:
|
|
description: RotationPolicy controls how private keys should be
|
|
regenerated when a re-issuance is being processed. If set to
|
|
Never, a private key will only be generated if one does not
|
|
already exist in the target `spec.secretName`. If one does exists
|
|
but it does not have the correct algorithm or size, a warning
|
|
will be raised to await user intervention. If set to Always,
|
|
a private key matching the specified requirements will be generated
|
|
whenever a re-issuance occurs. Default is 'Never' for backward
|
|
compatibility.
|
|
type: string
|
|
renewBefore:
|
|
description: The amount of time before the currently issued certificate's
|
|
`notAfter` time that cert-manager will begin to attempt to renew
|
|
the certificate. If this value is greater than the total duration
|
|
of the certificate (i.e. notAfter - notBefore), it will be automatically
|
|
renewed 2/3rds of the way through the certificate's duration.
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of the secret resource that will
|
|
be automatically created and managed by this Certificate resource.
|
|
It will be populated with a private key and certificate, signed
|
|
by the denoted issuer.
|
|
type: string
|
|
subject:
|
|
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
type: object
|
|
properties:
|
|
countries:
|
|
description: Countries to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
localities:
|
|
description: Cities to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizationalUnits:
|
|
description: Organizational Units to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
postalCodes:
|
|
description: Postal codes to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
provinces:
|
|
description: State/Provinces to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
serialNumber:
|
|
description: Serial number to be used on the Certificate.
|
|
type: string
|
|
streetAddresses:
|
|
description: Street addresses to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
uriSANs:
|
|
description: URISANs is a list of URI subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the Certificate. This is set and managed automatically.
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
description: List of status conditions to indicate the status of certificates.
|
|
Known condition types are `Ready` and `Issuing`.
|
|
type: array
|
|
items:
|
|
description: CertificateCondition contains condition information
|
|
for an Certificate.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
`Issuing`).
|
|
type: string
|
|
lastFailureTime:
|
|
description: LastFailureTime is the time as recorded by the Certificate
|
|
controller of the most recent failure to complete a CertificateRequest
|
|
for this Certificate resource. If set, cert-manager will not re-request
|
|
another Certificate until 1 hour has elapsed from this time.
|
|
type: string
|
|
format: date-time
|
|
nextPrivateKeySecretName:
|
|
description: The name of the Secret resource containing the private
|
|
key to be used for the next certificate iteration. The keymanager
|
|
controller will automatically set this field if the `Issuing` condition
|
|
is set to `True`. It will automatically unset this field when the
|
|
Issuing condition is not set or False.
|
|
type: string
|
|
notAfter:
|
|
description: The expiration time of the certificate stored in the
|
|
secret named by this resource in `spec.secretName`.
|
|
type: string
|
|
format: date-time
|
|
notBefore:
|
|
description: The time after which the certificate stored in the secret
|
|
named by this resource in spec.secretName is valid.
|
|
type: string
|
|
format: date-time
|
|
renewalTime:
|
|
description: RenewalTime is the time at which the certificate will
|
|
be next renewed. If not set, no upcoming renewal is scheduled.
|
|
type: string
|
|
format: date-time
|
|
revision:
|
|
description: "The current 'revision' of the certificate as issued.
|
|
\n When a CertificateRequest resource is created, it will have the
|
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|
current value of this field. \n Upon issuance, this field will be
|
|
set to the value of the annotation on the CertificateRequest resource
|
|
used to issue the certificate. \n Persisting the value on the CertificateRequest
|
|
resource allows the certificates controller to know whether a request
|
|
is part of an old issuance or if it is part of the ongoing revision's
|
|
issuance by checking if the revision value in the annotation is
|
|
greater than this field."
|
|
type: integer
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A Certificate resource should be created to ensure an up to
|
|
date and signed x509 certificate is stored in the Kubernetes Secret resource
|
|
named in `spec.secretName`. \n The stored certificate will be renewed before
|
|
it expires (as configured by `spec.renewBefore`)."
|
|
type: object
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the Certificate resource.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- secretName
|
|
properties:
|
|
commonName:
|
|
description: 'CommonName is a common name to be used on the Certificate.
|
|
The CommonName should have a length of 64 characters or fewer to
|
|
avoid generating invalid CSRs. This value is ignored by TLS clients
|
|
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types. If overridden
|
|
and `renewBefore` is greater than the actual certificate duration,
|
|
the certificate will be automatically renewed 2/3rds of the way
|
|
through the certificate's duration.
|
|
type: string
|
|
emailSANs:
|
|
description: EmailSANs is a list of email subjectAltNames to be set
|
|
on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
ipAddresses:
|
|
description: IPAddresses is a list of IP address subjectAltNames to
|
|
be set on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark this Certificate as valid for certificate
|
|
signing. This will automatically add the `cert sign` usage to the
|
|
list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this certificate.
|
|
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the Certificate will
|
|
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
keyAlgorithm:
|
|
description: KeyAlgorithm is the private key algorithm of the corresponding
|
|
private key for this certificate. If provided, allowed values are
|
|
either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize`
|
|
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
|
and key size of 2048 will be used for "rsa" key algorithm.
|
|
type: string
|
|
enum:
|
|
- rsa
|
|
- ecdsa
|
|
keyEncoding:
|
|
description: KeyEncoding is the private key cryptography standards
|
|
(PKCS) for this certificate's private key to be encoded in. If provided,
|
|
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
|
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
|
be used by default.
|
|
type: string
|
|
enum:
|
|
- pkcs1
|
|
- pkcs8
|
|
keySize:
|
|
description: KeySize is the key bit size of the corresponding private
|
|
key for this certificate. If `keyAlgorithm` is set to `RSA`, valid
|
|
values are `2048`, `4096` or `8192`, and will default to `2048`
|
|
if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values
|
|
are `256`, `384` or `521`, and will default to `256` if not specified.
|
|
No other values are allowed.
|
|
type: integer
|
|
maximum: 8192
|
|
minimum: 0
|
|
keystores:
|
|
description: Keystores configures additional keystore output formats
|
|
stored in the `secretName` Secret resource.
|
|
type: object
|
|
properties:
|
|
jks:
|
|
description: JKS configures options for storing a JKS keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables JKS keystore creation for the
|
|
Certificate. If true, a file named `keystore.jks` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the JKS keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
pkcs12:
|
|
description: PKCS12 configures options for storing a PKCS12 keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables PKCS12 keystore creation for the
|
|
Certificate. If true, a file named `keystore.p12` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the PKCS12 keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
privateKey:
|
|
description: Options to control private keys used for the Certificate.
|
|
type: object
|
|
properties:
|
|
rotationPolicy:
|
|
description: RotationPolicy controls how private keys should be
|
|
regenerated when a re-issuance is being processed. If set to
|
|
Never, a private key will only be generated if one does not
|
|
already exist in the target `spec.secretName`. If one does exists
|
|
but it does not have the correct algorithm or size, a warning
|
|
will be raised to await user intervention. If set to Always,
|
|
a private key matching the specified requirements will be generated
|
|
whenever a re-issuance occurs. Default is 'Never' for backward
|
|
compatibility.
|
|
type: string
|
|
renewBefore:
|
|
description: The amount of time before the currently issued certificate's
|
|
`notAfter` time that cert-manager will begin to attempt to renew
|
|
the certificate. If this value is greater than the total duration
|
|
of the certificate (i.e. notAfter - notBefore), it will be automatically
|
|
renewed 2/3rds of the way through the certificate's duration.
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of the secret resource that will
|
|
be automatically created and managed by this Certificate resource.
|
|
It will be populated with a private key and certificate, signed
|
|
by the denoted issuer.
|
|
type: string
|
|
subject:
|
|
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
type: object
|
|
properties:
|
|
countries:
|
|
description: Countries to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
localities:
|
|
description: Cities to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizationalUnits:
|
|
description: Organizational Units to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizations:
|
|
description: Organizations to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
postalCodes:
|
|
description: Postal codes to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
provinces:
|
|
description: State/Provinces to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
serialNumber:
|
|
description: Serial number to be used on the Certificate.
|
|
type: string
|
|
streetAddresses:
|
|
description: Street addresses to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
uriSANs:
|
|
description: URISANs is a list of URI subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the Certificate. This is set and managed automatically.
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
description: List of status conditions to indicate the status of certificates.
|
|
Known condition types are `Ready` and `Issuing`.
|
|
type: array
|
|
items:
|
|
description: CertificateCondition contains condition information
|
|
for an Certificate.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
`Issuing`).
|
|
type: string
|
|
lastFailureTime:
|
|
description: LastFailureTime is the time as recorded by the Certificate
|
|
controller of the most recent failure to complete a CertificateRequest
|
|
for this Certificate resource. If set, cert-manager will not re-request
|
|
another Certificate until 1 hour has elapsed from this time.
|
|
type: string
|
|
format: date-time
|
|
nextPrivateKeySecretName:
|
|
description: The name of the Secret resource containing the private
|
|
key to be used for the next certificate iteration. The keymanager
|
|
controller will automatically set this field if the `Issuing` condition
|
|
is set to `True`. It will automatically unset this field when the
|
|
Issuing condition is not set or False.
|
|
type: string
|
|
notAfter:
|
|
description: The expiration time of the certificate stored in the
|
|
secret named by this resource in `spec.secretName`.
|
|
type: string
|
|
format: date-time
|
|
notBefore:
|
|
description: The time after which the certificate stored in the secret
|
|
named by this resource in spec.secretName is valid.
|
|
type: string
|
|
format: date-time
|
|
renewalTime:
|
|
description: RenewalTime is the time at which the certificate will
|
|
be next renewed. If not set, no upcoming renewal is scheduled.
|
|
type: string
|
|
format: date-time
|
|
revision:
|
|
description: "The current 'revision' of the certificate as issued.
|
|
\n When a CertificateRequest resource is created, it will have the
|
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|
current value of this field. \n Upon issuance, this field will be
|
|
set to the value of the annotation on the CertificateRequest resource
|
|
used to issue the certificate. \n Persisting the value on the CertificateRequest
|
|
resource allows the certificates controller to know whether a request
|
|
is part of an old issuance or if it is part of the ongoing revision's
|
|
issuance by checking if the revision value in the annotation is
|
|
greater than this field."
|
|
type: integer
|
|
- name: v1beta1
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: "A Certificate resource should be created to ensure an up to
|
|
date and signed x509 certificate is stored in the Kubernetes Secret resource
|
|
named in `spec.secretName`. \n The stored certificate will be renewed before
|
|
it expires (as configured by `spec.renewBefore`)."
|
|
type: object
|
|
required:
|
|
- spec
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Desired state of the Certificate resource.
|
|
type: object
|
|
required:
|
|
- issuerRef
|
|
- secretName
|
|
properties:
|
|
commonName:
|
|
description: 'CommonName is a common name to be used on the Certificate.
|
|
The CommonName should have a length of 64 characters or fewer to
|
|
avoid generating invalid CSRs. This value is ignored by TLS clients
|
|
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
duration:
|
|
description: The requested 'duration' (i.e. lifetime) of the Certificate.
|
|
This option may be ignored/overridden by some issuer types. If overridden
|
|
and `renewBefore` is greater than the actual certificate duration,
|
|
the certificate will be automatically renewed 2/3rds of the way
|
|
through the certificate's duration.
|
|
type: string
|
|
emailSANs:
|
|
description: EmailSANs is a list of email subjectAltNames to be set
|
|
on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
ipAddresses:
|
|
description: IPAddresses is a list of IP address subjectAltNames to
|
|
be set on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
isCA:
|
|
description: IsCA will mark this Certificate as valid for certificate
|
|
signing. This will automatically add the `cert sign` usage to the
|
|
list of `usages`.
|
|
type: boolean
|
|
issuerRef:
|
|
description: IssuerRef is a reference to the issuer for this certificate.
|
|
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
|
with the given name in the same namespace as the Certificate will
|
|
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
|
with the provided name will be used. The 'name' field in this stanza
|
|
is required at all times.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
keystores:
|
|
description: Keystores configures additional keystore output formats
|
|
stored in the `secretName` Secret resource.
|
|
type: object
|
|
properties:
|
|
jks:
|
|
description: JKS configures options for storing a JKS keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables JKS keystore creation for the
|
|
Certificate. If true, a file named `keystore.jks` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the JKS keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
pkcs12:
|
|
description: PKCS12 configures options for storing a PKCS12 keystore
|
|
in the `spec.secretName` Secret resource.
|
|
type: object
|
|
required:
|
|
- create
|
|
- passwordSecretRef
|
|
properties:
|
|
create:
|
|
description: Create enables PKCS12 keystore creation for the
|
|
Certificate. If true, a file named `keystore.p12` will be
|
|
created in the target Secret resource, encrypted using the
|
|
password stored in `passwordSecretRef`. The keystore file
|
|
will only be updated upon re-issuance.
|
|
type: boolean
|
|
passwordSecretRef:
|
|
description: PasswordSecretRef is a reference to a key in
|
|
a Secret resource containing the password used to encrypt
|
|
the PKCS12 keystore.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
key:
|
|
description: The key of the entry in the Secret resource's
|
|
`data` field to be used. Some instances of this field
|
|
may be defaulted, in others it may be required.
|
|
type: string
|
|
name:
|
|
description: 'Name of the resource being referred to.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
privateKey:
|
|
description: Options to control private keys used for the Certificate.
|
|
type: object
|
|
properties:
|
|
algorithm:
|
|
description: Algorithm is the private key algorithm of the corresponding
|
|
private key for this certificate. If provided, allowed values
|
|
are either "rsa" or "ecdsa" If `algorithm` is specified and
|
|
`size` is not provided, key size of 256 will be used for "ecdsa"
|
|
key algorithm and key size of 2048 will be used for "rsa" key
|
|
algorithm.
|
|
type: string
|
|
enum:
|
|
- RSA
|
|
- ECDSA
|
|
encoding:
|
|
description: The private key cryptography standards (PKCS) encoding
|
|
for this certificate's private key to be encoded in. If provided,
|
|
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and
|
|
PKCS#8, respectively. Defaults to PKCS#1 if not specified.
|
|
type: string
|
|
enum:
|
|
- PKCS1
|
|
- PKCS8
|
|
rotationPolicy:
|
|
description: RotationPolicy controls how private keys should be
|
|
regenerated when a re-issuance is being processed. If set to
|
|
Never, a private key will only be generated if one does not
|
|
already exist in the target `spec.secretName`. If one does exists
|
|
but it does not have the correct algorithm or size, a warning
|
|
will be raised to await user intervention. If set to Always,
|
|
a private key matching the specified requirements will be generated
|
|
whenever a re-issuance occurs. Default is 'Never' for backward
|
|
compatibility.
|
|
type: string
|
|
size:
|
|
description: Size is the key bit size of the corresponding private
|
|
key for this certificate. If `algorithm` is set to `RSA`, valid
|
|
values are `2048`, `4096` or `8192`, and will default to `2048`
|
|
if not specified. If `algorithm` is set to `ECDSA`, valid values
|
|
are `256`, `384` or `521`, and will default to `256` if not
|
|
specified. No other values are allowed.
|
|
type: integer
|
|
maximum: 8192
|
|
minimum: 0
|
|
renewBefore:
|
|
description: The amount of time before the currently issued certificate's
|
|
`notAfter` time that cert-manager will begin to attempt to renew
|
|
the certificate. If this value is greater than the total duration
|
|
of the certificate (i.e. notAfter - notBefore), it will be automatically
|
|
renewed 2/3rds of the way through the certificate's duration.
|
|
type: string
|
|
secretName:
|
|
description: SecretName is the name of the secret resource that will
|
|
be automatically created and managed by this Certificate resource.
|
|
It will be populated with a private key and certificate, signed
|
|
by the denoted issuer.
|
|
type: string
|
|
subject:
|
|
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
|
type: object
|
|
properties:
|
|
countries:
|
|
description: Countries to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
localities:
|
|
description: Cities to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizationalUnits:
|
|
description: Organizational Units to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
organizations:
|
|
description: Organizations to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
postalCodes:
|
|
description: Postal codes to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
provinces:
|
|
description: State/Provinces to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
serialNumber:
|
|
description: Serial number to be used on the Certificate.
|
|
type: string
|
|
streetAddresses:
|
|
description: Street addresses to be used on the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
uriSANs:
|
|
description: URISANs is a list of URI subjectAltNames to be set on
|
|
the Certificate.
|
|
type: array
|
|
items:
|
|
type: string
|
|
usages:
|
|
description: Usages is the set of x509 usages that are requested for
|
|
the certificate. Defaults to `digital signature` and `key encipherment`
|
|
if not specified.
|
|
type: array
|
|
items:
|
|
description: 'KeyUsage specifies valid usage contexts for keys.
|
|
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
|
Valid KeyUsage values are as follows: "signing", "digital signature",
|
|
"content commitment", "key encipherment", "key agreement", "data
|
|
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
|
only", "any", "server auth", "client auth", "code signing", "email
|
|
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
|
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
|
sgc"'
|
|
type: string
|
|
enum:
|
|
- signing
|
|
- digital signature
|
|
- content commitment
|
|
- key encipherment
|
|
- key agreement
|
|
- data encipherment
|
|
- cert sign
|
|
- crl sign
|
|
- encipher only
|
|
- decipher only
|
|
- any
|
|
- server auth
|
|
- client auth
|
|
- code signing
|
|
- email protection
|
|
- s/mime
|
|
- ipsec end system
|
|
- ipsec tunnel
|
|
- ipsec user
|
|
- timestamping
|
|
- ocsp signing
|
|
- microsoft sgc
|
|
- netscape sgc
|
|
status:
|
|
description: Status of the Certificate. This is set and managed automatically.
|
|
type: object
|
|
properties:
|
|
conditions:
|
|
description: List of status conditions to indicate the status of certificates.
|
|
Known condition types are `Ready` and `Issuing`.
|
|
type: array
|
|
items:
|
|
description: CertificateCondition contains condition information
|
|
for an Certificate.
|
|
type: object
|
|
required:
|
|
- status
|
|
- type
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
type: string
|
|
format: date-time
|
|
message:
|
|
description: Message is a human readable description of the
|
|
details of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation
|
|
for the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
type: string
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type:
|
|
description: Type of the condition, known values are ('Ready',
|
|
`Issuing`).
|
|
type: string
|
|
lastFailureTime:
|
|
description: LastFailureTime is the time as recorded by the Certificate
|
|
controller of the most recent failure to complete a CertificateRequest
|
|
for this Certificate resource. If set, cert-manager will not re-request
|
|
another Certificate until 1 hour has elapsed from this time.
|
|
type: string
|
|
format: date-time
|
|
nextPrivateKeySecretName:
|
|
description: The name of the Secret resource containing the private
|
|
key to be used for the next certificate iteration. The keymanager
|
|
controller will automatically set this field if the `Issuing` condition
|
|
is set to `True`. It will automatically unset this field when the
|
|
Issuing condition is not set or False.
|
|
type: string
|
|
notAfter:
|
|
description: The expiration time of the certificate stored in the
|
|
secret named by this resource in `spec.secretName`.
|
|
type: string
|
|
format: date-time
|
|
notBefore:
|
|
description: The time after which the certificate stored in the secret
|
|
named by this resource in spec.secretName is valid.
|
|
type: string
|
|
format: date-time
|
|
renewalTime:
|
|
description: RenewalTime is the time at which the certificate will
|
|
be next renewed. If not set, no upcoming renewal is scheduled.
|
|
type: string
|
|
format: date-time
|
|
revision:
|
|
description: "The current 'revision' of the certificate as issued.
|
|
\n When a CertificateRequest resource is created, it will have the
|
|
`cert-manager.io/certificate-revision` set to one greater than the
|
|
current value of this field. \n Upon issuance, this field will be
|
|
set to the value of the annotation on the CertificateRequest resource
|
|
used to issue the certificate. \n Persisting the value on the CertificateRequest
|
|
resource allows the certificates controller to know whether a request
|
|
is part of an old issuance or if it is part of the ongoing revision's
|
|
issuance by checking if the revision value in the annotation is
|
|
greater than this field."
|
|
type: integer
|