-
Notifications
You must be signed in to change notification settings - Fork 2k
/
types_certificate.go
310 lines (254 loc) · 11.1 KB
/
types_certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certmanager
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/internal/apis/meta"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Certificate is a type to represent a Certificate from ACME
type Certificate struct {
metav1.TypeMeta
metav1.ObjectMeta
Spec CertificateSpec
Status CertificateStatus
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CertificateList is a list of Certificates
type CertificateList struct {
metav1.TypeMeta
metav1.ListMeta
Items []Certificate
}
type KeyAlgorithm string
const (
RSAKeyAlgorithm KeyAlgorithm = "rsa"
ECDSAKeyAlgorithm KeyAlgorithm = "ecdsa"
)
type KeyEncoding string
const (
PKCS1 KeyEncoding = "pkcs1"
PKCS8 KeyEncoding = "pkcs8"
)
// CertificateSpec defines the desired state of Certificate
type CertificateSpec struct {
// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
Subject *X509Subject
// A valid Certificate requires at least one of a CommonName, DNSName, or
// URISAN to be valid.
// CommonName is a common name to be used on the Certificate.
// The CommonName should have a length of 64 characters or fewer to avoid
// generating invalid CSRs.
CommonName string
// Certificate default Duration
Duration *metav1.Duration
// Certificate renew before expiration duration
RenewBefore *metav1.Duration
// DNSNames is a list of subject alt names to be used on the Certificate.
DNSNames []string
// IPAddresses is a list of IP addresses to be used on the Certificate
IPAddresses []string
// URISANs is a list of URI Subject Alternative Names to be set on this
// Certificate.
URISANs []string
// EmailSANs is a list of Email Subject Alternative Names to be set on this
// Certificate.
EmailSANs []string
// SecretName is the name of the secret resource to store this secret in
SecretName string
// Keystores configures additional keystore output formats stored in the
// `secretName` Secret resource.
// +optional
Keystores *CertificateKeystores
// IssuerRef is a reference to the issuer for this certificate.
// If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
// with the given name in the same namespace as the Certificate will be used.
// If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the
// provided name will be used.
// The 'name' field in this stanza is required at all times.
IssuerRef cmmeta.ObjectReference
// IsCA will mark this Certificate as valid for signing.
// This implies that the 'cert sign' usage is set
IsCA bool
// Usages is the set of x509 actions that are enabled for a given key. Defaults are ('digital signature', 'key encipherment') if empty
Usages []KeyUsage
// KeySize is the key bit size of the corresponding private key for this certificate.
// If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is
// empty or is set to "rsa", and value must be one of (256, 384, 521) when
// KeyAlgorithm is set to "ecdsa".
KeySize int
// KeyAlgorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either "rsa" or "ecdsa"
// If KeyAlgorithm is specified and KeySize is not provided,
// key size of 256 will be used for "ecdsa" key algorithm and
// key size of 2048 will be used for "rsa" key algorithm.
KeyAlgorithm KeyAlgorithm
// KeyEncoding is the private key cryptography standards (PKCS)
// for this certificate's private key to be encoded in. If provided, allowed
// values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, respectively.
// If KeyEncoding is not specified, then PKCS#1 will be used by default.
KeyEncoding KeyEncoding
// Options to control private keys used for the Certificate.
// +optional
PrivateKey *CertificatePrivateKey
}
// CertificatePrivateKey contains configuration options for private keys
// used by the Certificate controller.
// This allows control of how private keys are rotated.
type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to Never, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to Always, a private key matching the specified requirements
// will be generated whenever a re-issuance occurs.
// Default is 'Never' for backward compatibility.
// +optional
RotationPolicy PrivateKeyRotationPolicy
}
// Denotes how private keys should be generated or sourced when a Certificate
// is being issued.
type PrivateKeyRotationPolicy string
// X509Subject Full X509 name specification
type X509Subject struct {
// Organizations to be used on the Certificate.
Organizations []string
// Countries to be used on the Certificate.
Countries []string
// Organizational Units to be used on the Certificate.
OrganizationalUnits []string
// Cities to be used on the Certificate.
Localities []string
// State/Provinces to be used on the Certificate.
Provinces []string
// Street addresses to be used on the Certificate.
StreetAddresses []string
// Postal codes to be used on the Certificate.
PostalCodes []string
// Serial number to be used on the Certificate.
SerialNumber string
}
// CertificateKeystores configures additional keystore output formats to be
// created in the Certificate's output Secret.
type CertificateKeystores struct {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
JKS *JKSKeystore
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
PKCS12 *PKCS12Keystore
}
// JKS configures options for storing a JKS keystore in the `spec.secretName`
// Secret resource.
type JKSKeystore struct {
// Create enables JKS keystore creation for the Certificate.
// If true, a file named `keystore.jks` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
Create bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
PasswordSecretRef cmmeta.SecretKeySelector
}
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
type PKCS12Keystore struct {
// Create enables PKCS12 keystore creation for the Certificate.
// If true, a file named `keystore.p12` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
Create bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector
}
// CertificateStatus defines the observed state of Certificate
type CertificateStatus struct {
Conditions []CertificateCondition
LastFailureTime *metav1.Time
// The expiration time of the certificate stored in the secret named
// by this resource in spec.secretName.
NotAfter *metav1.Time
// The current 'revision' of the certificate as issued.
//
// When a CertificateRequest resource is created, it will have the
// `cert-manager.io/certificate-revision` set to one greater than the
// current value of this field.
//
// Upon issuance, this field will be set to the value of the annotation
// on the CertificateRequest resource used to issue the certificate.
//
// Persisting the value on the CertificateRequest resource allows the
// certificates controller to know whether a request is part of an old
// issuance or if it is part of the ongoing revision's issuance by
// checking if the revision value in the annotation is greater than this
// field.
// +optional
Revision *int
// The name of the Secret resource containing the private key to be used
// for the next certificate iteration.
// The keymanager controller will automatically set this field if the
// `Issuing` condition is set to `True`.
// It will automatically unset this field when the Issuing condition is
// not set or False.
// +optional
NextPrivateKeySecretName *string
}
// CertificateCondition contains condition information for an Certificate.
type CertificateCondition struct {
// Type of the condition, currently ('Ready').
Type CertificateConditionType
// Status of the condition, one of ('True', 'False', 'Unknown').
Status cmmeta.ConditionStatus
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
LastTransitionTime *metav1.Time
// Reason is a brief machine readable explanation for the condition's last
// transition.
Reason string
// Message is a human readable description of the details of the last
// transition, complementing reason.
Message string
}
// CertificateConditionType represents an Certificate condition value.
type CertificateConditionType string
const (
// CertificateConditionReady indicates that a certificate is ready for use.
// This is defined as:
// - The target secret exists
// - The target secret contains a certificate that has not expired
// - The target secret contains a private key valid for the certificate
// - The commonName and dnsNames attributes match those specified on the Certificate
CertificateConditionReady CertificateConditionType = "Ready"
// A condition added to Certificate resources when an issuance is required.
// This condition will be automatically added and set to true if:
// * No keypair data exists in the target Secret
// * The data stored in the Secret cannot be decoded
// * The private key and certificate do not have matching public keys
// * If a CertificateRequest for the current revision exists and the
// certificate data stored in the Secret does not match the
// `status.certificate` on the CertificateRequest.
// * If no CertificateRequest resource exists for the current revision,
// the options on the Certificate resource are compared against the
// x509 data in the Secret, similar to what's done in earlier versions.
// If there is a mismatch, an issuance is triggered.
// This condition may also be added by external API consumers to trigger
// a re-issuance manually for any other reason.
//
// It will be removed by the 'issuing' controller upon completing issuance.
CertificateConditionIssuing CertificateConditionType = "Issuing"
)