fc61f8d52e
* Update cert manager to 0.16.1 * Update cert manager to 0.16.1 Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
630 lines
30 KiB
Django/Jinja
630 lines
30 KiB
Django/Jinja
# Copyright YEAR The Jetstack cert-manager contributors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: orders.acme.cert-manager.io
|
|
annotations:
|
|
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca
|
|
labels:
|
|
app: cert-manager
|
|
app.kubernetes.io/name: cert-manager
|
|
app.kubernetes.io/instance: cert-manager
|
|
app.kubernetes.io/managed-by: Helm
|
|
helm.sh/chart: cert-manager-{{ cert_manager_version }}
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .status.state
|
|
name: State
|
|
type: string
|
|
- JSONPath: .spec.issuerRef.name
|
|
name: Issuer
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .status.reason
|
|
name: Reason
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .metadata.creationTimestamp
|
|
description: CreationTimestamp is a timestamp representing the server time when
|
|
this object was created. It is not guaranteed to be set in happens-before order
|
|
across separate operations. Clients may not set this value. It is represented
|
|
in RFC3339 form and is in UTC.
|
|
name: Age
|
|
type: date
|
|
group: acme.cert-manager.io
|
|
preserveUnknownFields: false
|
|
conversion:
|
|
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
|
strategy: Webhook
|
|
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
|
webhookClientConfig:
|
|
service:
|
|
namespace: '{{ cert_manager_namespace }}'
|
|
name: 'cert-manager-webhook'
|
|
path: /convert
|
|
names:
|
|
kind: Order
|
|
listKind: OrderList
|
|
plural: orders
|
|
singular: order
|
|
scope: Namespaced
|
|
subresources:
|
|
status: {}
|
|
versions:
|
|
- name: v1alpha2
|
|
served: true
|
|
storage: true
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: Order is a type to represent an Order with an ACME server
|
|
type: object
|
|
required:
|
|
- metadata
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
type: object
|
|
required:
|
|
- csr
|
|
- dnsNames
|
|
- issuerRef
|
|
properties:
|
|
commonName:
|
|
description: CommonName is the common name as specified on the DER
|
|
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
This field must match the corresponding field on the DER encoded
|
|
CSR.
|
|
type: string
|
|
csr:
|
|
description: Certificate signing request bytes in DER encoding. This
|
|
will be used when finalizing the order. This field must be set on
|
|
the order.
|
|
type: string
|
|
format: byte
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS names that should be included
|
|
as part of the Order validation process. This field must match the
|
|
corresponding field on the DER encoded CSR.
|
|
type: array
|
|
items:
|
|
type: string
|
|
issuerRef:
|
|
description: IssuerRef references a properly configured ACME-type
|
|
Issuer which should be used to create this Order. If the Issuer
|
|
does not exist, processing will be retried. If the Issuer is not
|
|
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
marked as failed.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
status:
|
|
type: object
|
|
properties:
|
|
authorizations:
|
|
description: Authorizations contains data returned from the ACME server
|
|
on what authorizations must be completed in order to validate the
|
|
DNS names specified on the Order.
|
|
type: array
|
|
items:
|
|
description: ACMEAuthorization contains data returned from the ACME
|
|
server on an authorization that must be completed in order validate
|
|
a DNS name on an ACME Order resource.
|
|
type: object
|
|
required:
|
|
- url
|
|
properties:
|
|
challenges:
|
|
description: Challenges specifies the challenge types offered
|
|
by the ACME server. One of these challenge types will be selected
|
|
when validating the DNS name and an appropriate Challenge
|
|
resource will be created to perform the ACME challenge process.
|
|
type: array
|
|
items:
|
|
description: Challenge specifies a challenge offered by the
|
|
ACME server for an Order. An appropriate Challenge resource
|
|
can be created to perform the ACME challenge process.
|
|
type: object
|
|
required:
|
|
- token
|
|
- type
|
|
- url
|
|
properties:
|
|
token:
|
|
description: Token is the token that must be presented
|
|
for this challenge. This is used to compute the 'key'
|
|
that must also be presented.
|
|
type: string
|
|
type:
|
|
description: Type is the type of challenge being offered,
|
|
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
the raw value retrieved from the ACME server. Only 'http-01'
|
|
and 'dns-01' are supported by cert-manager, other values
|
|
will be ignored.
|
|
type: string
|
|
url:
|
|
description: URL is the URL of this challenge. It can
|
|
be used to retrieve additional metadata about the Challenge
|
|
from the ACME server.
|
|
type: string
|
|
identifier:
|
|
description: Identifier is the DNS name to be validated as part
|
|
of this authorization
|
|
type: string
|
|
initialState:
|
|
description: InitialState is the initial state of the ACME authorization
|
|
when first fetched from the ACME server. If an Authorization
|
|
is already 'valid', the Order controller will not create a
|
|
Challenge resource for the authorization. This will occur
|
|
when working with an ACME server that enables 'authz reuse'
|
|
(such as Let's Encrypt's production endpoint). If not set
|
|
and 'identifier' is set, the state is assumed to be pending
|
|
and a Challenge will be created.
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL is the URL of the Authorization that must be
|
|
completed
|
|
type: string
|
|
wildcard:
|
|
description: Wildcard will be true if this authorization is
|
|
for a wildcard DNS name. If this is true, the identifier will
|
|
be the *non-wildcard* version of the DNS name. For example,
|
|
if '*.example.com' is the DNS name being validated, this field
|
|
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
type: boolean
|
|
certificate:
|
|
description: Certificate is a copy of the PEM encoded certificate
|
|
for this Order. This field will be populated after the order has
|
|
been successfully finalized with the ACME server, and the order
|
|
has transitioned to the 'valid' state.
|
|
type: string
|
|
format: byte
|
|
failureTime:
|
|
description: FailureTime stores the time that this order failed. This
|
|
is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
finalizeURL:
|
|
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
for this order once it has been completed.
|
|
type: string
|
|
reason:
|
|
description: Reason optionally provides more information about a why
|
|
the order is in the current state.
|
|
type: string
|
|
state:
|
|
description: State contains the current state of this Order resource.
|
|
States 'success' and 'expired' are 'final'
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL of the Order. This will initially be empty when the
|
|
resource is first created. The Order controller will populate this
|
|
field when the Order is first processed. This field will be immutable
|
|
after it is initially set.
|
|
type: string
|
|
- name: v1alpha3
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: Order is a type to represent an Order with an ACME server
|
|
type: object
|
|
required:
|
|
- metadata
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
type: object
|
|
required:
|
|
- csr
|
|
- dnsNames
|
|
- issuerRef
|
|
properties:
|
|
commonName:
|
|
description: CommonName is the common name as specified on the DER
|
|
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
This field must match the corresponding field on the DER encoded
|
|
CSR.
|
|
type: string
|
|
csr:
|
|
description: Certificate signing request bytes in DER encoding. This
|
|
will be used when finalizing the order. This field must be set on
|
|
the order.
|
|
type: string
|
|
format: byte
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS names that should be included
|
|
as part of the Order validation process. This field must match the
|
|
corresponding field on the DER encoded CSR.
|
|
type: array
|
|
items:
|
|
type: string
|
|
issuerRef:
|
|
description: IssuerRef references a properly configured ACME-type
|
|
Issuer which should be used to create this Order. If the Issuer
|
|
does not exist, processing will be retried. If the Issuer is not
|
|
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
marked as failed.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
status:
|
|
type: object
|
|
properties:
|
|
authorizations:
|
|
description: Authorizations contains data returned from the ACME server
|
|
on what authorizations must be completed in order to validate the
|
|
DNS names specified on the Order.
|
|
type: array
|
|
items:
|
|
description: ACMEAuthorization contains data returned from the ACME
|
|
server on an authorization that must be completed in order validate
|
|
a DNS name on an ACME Order resource.
|
|
type: object
|
|
required:
|
|
- url
|
|
properties:
|
|
challenges:
|
|
description: Challenges specifies the challenge types offered
|
|
by the ACME server. One of these challenge types will be selected
|
|
when validating the DNS name and an appropriate Challenge
|
|
resource will be created to perform the ACME challenge process.
|
|
type: array
|
|
items:
|
|
description: Challenge specifies a challenge offered by the
|
|
ACME server for an Order. An appropriate Challenge resource
|
|
can be created to perform the ACME challenge process.
|
|
type: object
|
|
required:
|
|
- token
|
|
- type
|
|
- url
|
|
properties:
|
|
token:
|
|
description: Token is the token that must be presented
|
|
for this challenge. This is used to compute the 'key'
|
|
that must also be presented.
|
|
type: string
|
|
type:
|
|
description: Type is the type of challenge being offered,
|
|
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
the raw value retrieved from the ACME server. Only 'http-01'
|
|
and 'dns-01' are supported by cert-manager, other values
|
|
will be ignored.
|
|
type: string
|
|
url:
|
|
description: URL is the URL of this challenge. It can
|
|
be used to retrieve additional metadata about the Challenge
|
|
from the ACME server.
|
|
type: string
|
|
identifier:
|
|
description: Identifier is the DNS name to be validated as part
|
|
of this authorization
|
|
type: string
|
|
initialState:
|
|
description: InitialState is the initial state of the ACME authorization
|
|
when first fetched from the ACME server. If an Authorization
|
|
is already 'valid', the Order controller will not create a
|
|
Challenge resource for the authorization. This will occur
|
|
when working with an ACME server that enables 'authz reuse'
|
|
(such as Let's Encrypt's production endpoint). If not set
|
|
and 'identifier' is set, the state is assumed to be pending
|
|
and a Challenge will be created.
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL is the URL of the Authorization that must be
|
|
completed
|
|
type: string
|
|
wildcard:
|
|
description: Wildcard will be true if this authorization is
|
|
for a wildcard DNS name. If this is true, the identifier will
|
|
be the *non-wildcard* version of the DNS name. For example,
|
|
if '*.example.com' is the DNS name being validated, this field
|
|
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
type: boolean
|
|
certificate:
|
|
description: Certificate is a copy of the PEM encoded certificate
|
|
for this Order. This field will be populated after the order has
|
|
been successfully finalized with the ACME server, and the order
|
|
has transitioned to the 'valid' state.
|
|
type: string
|
|
format: byte
|
|
failureTime:
|
|
description: FailureTime stores the time that this order failed. This
|
|
is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
finalizeURL:
|
|
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
for this order once it has been completed.
|
|
type: string
|
|
reason:
|
|
description: Reason optionally provides more information about a why
|
|
the order is in the current state.
|
|
type: string
|
|
state:
|
|
description: State contains the current state of this Order resource.
|
|
States 'success' and 'expired' are 'final'
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL of the Order. This will initially be empty when the
|
|
resource is first created. The Order controller will populate this
|
|
field when the Order is first processed. This field will be immutable
|
|
after it is initially set.
|
|
type: string
|
|
- name: v1beta1
|
|
served: true
|
|
storage: false
|
|
"schema":
|
|
"openAPIV3Schema":
|
|
description: Order is a type to represent an Order with an ACME server
|
|
type: object
|
|
required:
|
|
- metadata
|
|
- spec
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
type: object
|
|
required:
|
|
- dnsNames
|
|
- issuerRef
|
|
- request
|
|
properties:
|
|
commonName:
|
|
description: CommonName is the common name as specified on the DER
|
|
encoded CSR. If specified, this value must also be present in `dnsNames`.
|
|
This field must match the corresponding field on the DER encoded
|
|
CSR.
|
|
type: string
|
|
dnsNames:
|
|
description: DNSNames is a list of DNS names that should be included
|
|
as part of the Order validation process. This field must match the
|
|
corresponding field on the DER encoded CSR.
|
|
type: array
|
|
items:
|
|
type: string
|
|
issuerRef:
|
|
description: IssuerRef references a properly configured ACME-type
|
|
Issuer which should be used to create this Order. If the Issuer
|
|
does not exist, processing will be retried. If the Issuer is not
|
|
an 'ACME' Issuer, an error will be returned and the Order will be
|
|
marked as failed.
|
|
type: object
|
|
required:
|
|
- name
|
|
properties:
|
|
group:
|
|
description: Group of the resource being referred to.
|
|
type: string
|
|
kind:
|
|
description: Kind of the resource being referred to.
|
|
type: string
|
|
name:
|
|
description: Name of the resource being referred to.
|
|
type: string
|
|
request:
|
|
description: Certificate signing request bytes in DER encoding. This
|
|
will be used when finalizing the order. This field must be set on
|
|
the order.
|
|
type: string
|
|
format: byte
|
|
status:
|
|
type: object
|
|
properties:
|
|
authorizations:
|
|
description: Authorizations contains data returned from the ACME server
|
|
on what authorizations must be completed in order to validate the
|
|
DNS names specified on the Order.
|
|
type: array
|
|
items:
|
|
description: ACMEAuthorization contains data returned from the ACME
|
|
server on an authorization that must be completed in order validate
|
|
a DNS name on an ACME Order resource.
|
|
type: object
|
|
required:
|
|
- url
|
|
properties:
|
|
challenges:
|
|
description: Challenges specifies the challenge types offered
|
|
by the ACME server. One of these challenge types will be selected
|
|
when validating the DNS name and an appropriate Challenge
|
|
resource will be created to perform the ACME challenge process.
|
|
type: array
|
|
items:
|
|
description: Challenge specifies a challenge offered by the
|
|
ACME server for an Order. An appropriate Challenge resource
|
|
can be created to perform the ACME challenge process.
|
|
type: object
|
|
required:
|
|
- token
|
|
- type
|
|
- url
|
|
properties:
|
|
token:
|
|
description: Token is the token that must be presented
|
|
for this challenge. This is used to compute the 'key'
|
|
that must also be presented.
|
|
type: string
|
|
type:
|
|
description: Type is the type of challenge being offered,
|
|
e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is
|
|
the raw value retrieved from the ACME server. Only 'http-01'
|
|
and 'dns-01' are supported by cert-manager, other values
|
|
will be ignored.
|
|
type: string
|
|
url:
|
|
description: URL is the URL of this challenge. It can
|
|
be used to retrieve additional metadata about the Challenge
|
|
from the ACME server.
|
|
type: string
|
|
identifier:
|
|
description: Identifier is the DNS name to be validated as part
|
|
of this authorization
|
|
type: string
|
|
initialState:
|
|
description: InitialState is the initial state of the ACME authorization
|
|
when first fetched from the ACME server. If an Authorization
|
|
is already 'valid', the Order controller will not create a
|
|
Challenge resource for the authorization. This will occur
|
|
when working with an ACME server that enables 'authz reuse'
|
|
(such as Let's Encrypt's production endpoint). If not set
|
|
and 'identifier' is set, the state is assumed to be pending
|
|
and a Challenge will be created.
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL is the URL of the Authorization that must be
|
|
completed
|
|
type: string
|
|
wildcard:
|
|
description: Wildcard will be true if this authorization is
|
|
for a wildcard DNS name. If this is true, the identifier will
|
|
be the *non-wildcard* version of the DNS name. For example,
|
|
if '*.example.com' is the DNS name being validated, this field
|
|
will be 'true' and the 'identifier' field will be 'example.com'.
|
|
type: boolean
|
|
certificate:
|
|
description: Certificate is a copy of the PEM encoded certificate
|
|
for this Order. This field will be populated after the order has
|
|
been successfully finalized with the ACME server, and the order
|
|
has transitioned to the 'valid' state.
|
|
type: string
|
|
format: byte
|
|
failureTime:
|
|
description: FailureTime stores the time that this order failed. This
|
|
is used to influence garbage collection and back-off.
|
|
type: string
|
|
format: date-time
|
|
finalizeURL:
|
|
description: FinalizeURL of the Order. This is used to obtain certificates
|
|
for this order once it has been completed.
|
|
type: string
|
|
reason:
|
|
description: Reason optionally provides more information about a why
|
|
the order is in the current state.
|
|
type: string
|
|
state:
|
|
description: State contains the current state of this Order resource.
|
|
States 'success' and 'expired' are 'final'
|
|
type: string
|
|
enum:
|
|
- valid
|
|
- ready
|
|
- pending
|
|
- processing
|
|
- invalid
|
|
- expired
|
|
- errored
|
|
url:
|
|
description: URL of the Order. This will initially be empty when the
|
|
resource is first created. The Order controller will populate this
|
|
field when the Order is first processed. This field will be immutable
|
|
after it is initially set.
|
|
type: string
|