/
types_certificate.go
199 lines (160 loc) · 7.78 KB
/
types_certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Certificate is a type to represent a Certificate from ACME
// +k8s:openapi-gen=true
// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=="Ready")].status",description=""
// +kubebuilder:printcolumn:name="Secret",type="string",JSONPath=".spec.secretName",description=""
// +kubebuilder:printcolumn:name="Issuer",type="string",JSONPath=".spec.issuerRef.name",description="",priority=1
// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type=="Ready")].message",priority=1
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC."
// +kubebuilder:resource:path=certificates,shortName=cert;certs
type Certificate struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec CertificateSpec `json:"spec,omitempty"`
Status CertificateStatus `json:"status,omitempty"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CertificateList is a list of Certificates
type CertificateList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []Certificate `json:"items"`
}
type KeyAlgorithm string
const (
RSAKeyAlgorithm KeyAlgorithm = "rsa"
ECDSAKeyAlgorithm KeyAlgorithm = "ecdsa"
)
type KeyEncoding string
const (
PKCS1 KeyEncoding = "pkcs1"
PKCS8 KeyEncoding = "pkcs8"
)
// CertificateSpec defines the desired state of Certificate
type CertificateSpec struct {
// CommonName is a common name to be used on the Certificate.
// If no CommonName is given, then the first entry in DNSNames is used as
// the CommonName.
// The CommonName should have a length of 64 characters or fewer to avoid
// generating invalid CSRs; in order to have longer domain names, set the
// CommonName (or first DNSNames entry) to have 64 characters or fewer,
// and then add the longer domain name to DNSNames.
// +optional
CommonName string `json:"commonName,omitempty"`
// Organization is the organization to be used on the Certificate
// +optional
Organization []string `json:"organization,omitempty"`
// Certificate default Duration
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`
// Certificate renew before expiration duration
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
// DNSNames is a list of subject alt names to be used on the Certificate.
// If no CommonName is given, then the first entry in DNSNames is used as
// the CommonName and must have a length of 64 characters or fewer.
// +optional
DNSNames []string `json:"dnsNames,omitempty"`
// IPAddresses is a list of IP addresses to be used on the Certificate
// +optional
IPAddresses []string `json:"ipAddresses,omitempty"`
// SecretName is the name of the secret resource to store this secret in
SecretName string `json:"secretName"`
// IssuerRef is a reference to the issuer for this certificate.
// If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
// with the given name in the same namespace as the Certificate will be used.
// If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the
// provided name will be used.
// The 'name' field in this stanza is required at all times.
IssuerRef ObjectReference `json:"issuerRef"`
// IsCA will mark this Certificate as valid for signing.
// This implies that the 'signing' usage is set
// +optional
IsCA bool `json:"isCA,omitempty"`
// ACME contains configuration specific to ACME Certificates.
// Notably, this contains details on how the domain names listed on this
// Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
// providers to DNS names.
// +optional
ACME *ACMECertificateConfig `json:"acme,omitempty"`
// KeySize is the key bit size of the corresponding private key for this certificate.
// If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is
// empty or is set to "rsa", and value must be one of (256, 384, 521) when
// KeyAlgorithm is set to "ecdsa".
// +optional
KeySize int `json:"keySize,omitempty"`
// KeyAlgorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either "rsa" or "ecdsa"
// If KeyAlgorithm is specified and KeySize is not provided,
// key size of 256 will be used for "ecdsa" key algorithm and
// key size of 2048 will be used for "rsa" key algorithm.
// +kubebuilder:validation:Enum=rsa,ecdsa
// +optional
KeyAlgorithm KeyAlgorithm `json:"keyAlgorithm,omitempty"`
// KeyEncoding is the private key cryptography standards (PKCS)
// for this certificate's private key to be encoded in. If provided, allowed
// values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, respectively.
// If KeyEncoding is not specified, then PKCS#1 will be used by default.
KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"`
}
// ACMECertificateConfig contains the configuration for the ACME certificate provider
type ACMECertificateConfig struct {
Config []DomainSolverConfig `json:"config"`
}
// CertificateStatus defines the observed state of Certificate
type CertificateStatus struct {
// +optional
Conditions []CertificateCondition `json:"conditions,omitempty"`
// +optional
LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`
// The expiration time of the certificate stored in the secret named
// by this resource in spec.secretName.
// +optional
NotAfter *metav1.Time `json:"notAfter,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
type CertificateCondition struct {
// Type of the condition, currently ('Ready').
Type CertificateConditionType `json:"type"`
// Status of the condition, one of ('True', 'False', 'Unknown').
// +kubebuilder:validation:Enum=True,False,Unknown
Status ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
Reason string `json:"reason,omitempty"`
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
Message string `json:"message,omitempty"`
}
// CertificateConditionType represents an Certificate condition value.
type CertificateConditionType string
const (
// CertificateConditionReady indicates that a certificate is ready for use.
// This is defined as:
// - The target secret exists
// - The target secret contains a certificate that has not expired
// - The target secret contains a private key valid for the certificate
// - The commonName and dnsNames attributes match those specified on the Certificate
CertificateConditionReady CertificateConditionType = "Ready"
)