-
Notifications
You must be signed in to change notification settings - Fork 2k
/
types_certificate.go
406 lines (337 loc) · 16 KB
/
types_certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certmanager
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/internal/apis/meta"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// A Certificate resource should be created to ensure an up to date and signed
// x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
//
// The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
type Certificate struct {
metav1.TypeMeta
metav1.ObjectMeta
// Desired state of the Certificate resource.
Spec CertificateSpec
// Status of the Certificate. This is set and managed automatically.
Status CertificateStatus
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CertificateList is a list of Certificates
type CertificateList struct {
metav1.TypeMeta
metav1.ListMeta
Items []Certificate
}
type PrivateKeyAlgorithm string
const (
// Denotes the RSA private key type.
RSAKeyAlgorithm PrivateKeyAlgorithm = "RSA"
// Denotes the ECDSA private key type.
ECDSAKeyAlgorithm PrivateKeyAlgorithm = "ECDSA"
// Denotes the Ed25519 private key type.
Ed25519KeyAlgorithm PrivateKeyAlgorithm = "Ed25519"
)
type PrivateKeyEncoding string
const (
// PKCS1 key encoding will produce PEM files that include the type of
// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
// that use the `BEGIN EC PRIVATE KEY` header.
PKCS1 PrivateKeyEncoding = "PKCS1"
// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
// header. It encodes the keyAlgorithm of the private key as part of the
// DER encoded PEM block.
PKCS8 PrivateKeyEncoding = "PKCS8"
)
// CertificateSpec defines the desired state of Certificate.
// A valid Certificate requires at least one of a CommonName, DNSName, or
// URISAN to be valid.
type CertificateSpec struct {
// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
Subject *X509Subject
// CommonName is a common name to be used on the Certificate.
// The CommonName should have a length of 64 characters or fewer to avoid
// generating invalid CSRs.
// This value is ignored by TLS clients when any subject alt name is set.
// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
CommonName string
// The requested 'duration' (i.e. lifetime) of the Certificate.
// This option may be ignored/overridden by some issuer types.
// If overridden and `renewBefore` is greater than the actual certificate
// duration, the certificate will be automatically renewed 2/3rds of the
// way through the certificate's duration.
Duration *metav1.Duration
// The amount of time before the currently issued certificate's `notAfter`
// time that cert-manager will begin to attempt to renew the certificate.
// If this value is greater than the total duration of the certificate
// (i.e. notAfter - notBefore), it will be automatically renewed 2/3rds of
// the way through the certificate's duration.
RenewBefore *metav1.Duration
// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
DNSNames []string
// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
IPAddresses []string
// URISANs is a list of URI subjectAltNames to be set on the Certificate.
URISANs []string
// EmailSANs is a list of email subjectAltNames to be set on the Certificate.
EmailSANs []string
// SecretName is the name of the secret resource that will be automatically
// created and managed by this Certificate resource.
// It will be populated with a private key and certificate, signed by the
// denoted issuer.
SecretName string
// SecretTemplate defines annotations and labels to be propagated
// to the Kubernetes Secret when it is created or updated. Once created,
// labels and annotations are not yet removed from the Secret when they are
// removed from the template. See https://github.com/jetstack/cert-manager/issues/4292
// +optional
SecretTemplate *CertificateSecretTemplate `json:"secretTemplate,omitempty"`
// Keystores configures additional keystore output formats stored in the
// `secretName` Secret resource.
Keystores *CertificateKeystores
// IssuerRef is a reference to the issuer for this certificate.
// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
// with the given name in the same namespace as the Certificate will be used.
// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
// provided name will be used.
// The `name` field in this stanza is required at all times.
IssuerRef cmmeta.ObjectReference
// IsCA will mark this Certificate as valid for certificate signing.
// This will automatically add the `cert sign` usage to the list of `usages`.
IsCA bool
// Usages is the set of x509 usages that are requested for the certificate.
// Defaults to `digital signature` and `key encipherment` if not specified.
Usages []KeyUsage
// Options to control private keys used for the Certificate.
PrivateKey *CertificatePrivateKey
// EncodeUsagesInRequest controls whether key usages should be present
// in the CertificateRequest
EncodeUsagesInRequest *bool
// revisionHistoryLimit is the maximum number of CertificateRequest revisions
// that are maintained in the Certificate's history. Each revision represents
// a single `CertificateRequest` created by this Certificate, either when it
// was created, renewed, or Spec was changed. Revisions will be removed by
// oldest first if the number of revisions exceeds this number. If set,
// revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`),
// revisions will not be garbage collected. Default value is `nil`.
RevisionHistoryLimit *int32
}
// CertificatePrivateKey contains configuration options for private keys
// used by the Certificate controller.
// This allows control of how private keys are rotated.
type CertificatePrivateKey struct {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to `Never`, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to `Always`, a private key matching the specified requirements
// will be generated whenever a re-issuance occurs.
// Default is `Never` for backward compatibility.
RotationPolicy PrivateKeyRotationPolicy
// The private key cryptography standards (PKCS) encoding for this
// certificate's private key to be encoded in.
// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
// and PKCS#8, respectively.
// Defaults to `PKCS1` if not specified.
Encoding PrivateKeyEncoding
// Algorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either `RSA` or `ECDSA`
// If `algorithm` is specified and `size` is not provided,
// key size of `256` will be used for `ECDSA` key algorithm and
// key size of `2048` will be used for `RSA` key algorithm.
Algorithm PrivateKeyAlgorithm
// Size is the key bit size of the corresponding private key for this certificate.
// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
// and will default to `2048` if not specified.
// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
// and will default to `256` if not specified.
// No other values are allowed.
Size int
}
// Denotes how private keys should be generated or sourced when a Certificate
// is being issued.
type PrivateKeyRotationPolicy string
var (
// RotationPolicyNever means a private key will only be generated if one
// does not already exist in the target `spec.secretName`.
// If one does exists but it does not have the correct algorithm or size,
// a warning will be raised to await user intervention.
RotationPolicyNever PrivateKeyRotationPolicy = "Never"
// RotationPolicyAlways means a private key matching the specified
// requirements will be generated whenever a re-issuance occurs.
RotationPolicyAlways PrivateKeyRotationPolicy = "Always"
)
// X509Subject Full X509 name specification
type X509Subject struct {
// Organizations to be used on the Certificate.
Organizations []string
// Countries to be used on the Certificate.
Countries []string
// Organizational Units to be used on the Certificate.
OrganizationalUnits []string
// Cities to be used on the Certificate.
Localities []string
// State/Provinces to be used on the Certificate.
Provinces []string
// Street addresses to be used on the Certificate.
StreetAddresses []string
// Postal codes to be used on the Certificate.
PostalCodes []string
// Serial number to be used on the Certificate.
SerialNumber string
}
// CertificateKeystores configures additional keystore output formats to be
// created in the Certificate's output Secret.
type CertificateKeystores struct {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
JKS *JKSKeystore
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
PKCS12 *PKCS12Keystore
}
// JKS configures options for storing a JKS keystore in the `spec.secretName`
// Secret resource.
type JKSKeystore struct {
// Create enables JKS keystore creation for the Certificate.
// If true, a file named `keystore.jks` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
Create bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
PasswordSecretRef cmmeta.SecretKeySelector
}
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
type PKCS12Keystore struct {
// Create enables PKCS12 keystore creation for the Certificate.
// If true, a file named `keystore.p12` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
Create bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef cmmeta.SecretKeySelector
}
// CertificateStatus defines the observed state of Certificate
type CertificateStatus struct {
// List of status conditions to indicate the status of certificates.
// Known condition types are `Ready` and `Issuing`.
Conditions []CertificateCondition
// LastFailureTime is the time as recorded by the Certificate controller
// of the most recent failure to complete a CertificateRequest for this
// Certificate resource.
// If set, cert-manager will not re-request another Certificate until
// 1 hour has elapsed from this time.
LastFailureTime *metav1.Time
// The time after which the certificate stored in the secret named
// by this resource in spec.secretName is valid.
NotBefore *metav1.Time
// The expiration time of the certificate stored in the secret named
// by this resource in `spec.secretName`.
NotAfter *metav1.Time
// RenewalTime is the time at which the certificate will be next
// renewed.
// If not set, no upcoming renewal is scheduled.
RenewalTime *metav1.Time
// The current 'revision' of the certificate as issued.
//
// When a CertificateRequest resource is created, it will have the
// `cert-manager.io/certificate-revision` set to one greater than the
// current value of this field.
//
// Upon issuance, this field will be set to the value of the annotation
// on the CertificateRequest resource used to issue the certificate.
//
// Persisting the value on the CertificateRequest resource allows the
// certificates controller to know whether a request is part of an old
// issuance or if it is part of the ongoing revision's issuance by
// checking if the revision value in the annotation is greater than this
// field.
Revision *int
// The name of the Secret resource containing the private key to be used
// for the next certificate iteration.
// The keymanager controller will automatically set this field if the
// `Issuing` condition is set to `True`.
// It will automatically unset this field when the Issuing condition is
// not set or False.
NextPrivateKeySecretName *string
}
// CertificateCondition contains condition information for an Certificate.
type CertificateCondition struct {
// Type of the condition, known values are (`Ready`, `Issuing`).
Type CertificateConditionType
// Status of the condition, one of (`True`, `False`, `Unknown`).
Status cmmeta.ConditionStatus
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
LastTransitionTime *metav1.Time
// Reason is a brief machine readable explanation for the condition's last
// transition.
Reason string
// Message is a human readable description of the details of the last
// transition, complementing reason.
Message string
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Certificate.
ObservedGeneration int64
}
// CertificateConditionType represents an Certificate condition value.
type CertificateConditionType string
const (
// CertificateConditionReady indicates that a certificate is ready for use.
// This is defined as:
// - The target secret exists
// - The target secret contains a certificate that has not expired
// - The target secret contains a private key valid for the certificate
// - The commonName and dnsNames attributes match those specified on the Certificate
CertificateConditionReady CertificateConditionType = "Ready"
// A condition added to Certificate resources when an issuance is required.
// This condition will be automatically added and set to true if:
// * No keypair data exists in the target Secret
// * The data stored in the Secret cannot be decoded
// * The private key and certificate do not have matching public keys
// * If a CertificateRequest for the current revision exists and the
// certificate data stored in the Secret does not match the
// `status.certificate` on the CertificateRequest.
// * If no CertificateRequest resource exists for the current revision,
// the options on the Certificate resource are compared against the
// x509 data in the Secret, similar to what's done in earlier versions.
// If there is a mismatch, an issuance is triggered.
// This condition may also be added by external API consumers to trigger
// a re-issuance manually for any other reason.
//
// It will be removed by the 'issuing' controller upon completing issuance.
CertificateConditionIssuing CertificateConditionType = "Issuing"
)
// CertificateSecretTemplate defines the default labels and annotations
// to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
type CertificateSecretTemplate struct {
// Annotations is a key value map to be copied to the target Kubernetes Secret.
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
// Labels is a key value map to be copied to the target Kubernetes Secret.
// +optional
Labels map[string]string `json:"labels,omitempty"`
}