-
Notifications
You must be signed in to change notification settings - Fork 2k
/
types_issuer.go
310 lines (248 loc) · 10.8 KB
/
types_issuer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certmanager
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmacme "github.com/jetstack/cert-manager/pkg/internal/apis/acme"
cmmeta "github.com/jetstack/cert-manager/pkg/internal/apis/meta"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// A ClusterIssuer represents a certificate issuing authority which can be
// referenced as part of `issuerRef` fields.
// It is similar to an Issuer, however it is cluster-scoped and therefore can
// be referenced by resources that exist in *any* namespace, not just the same
// namespace as the referent.
type ClusterIssuer struct {
metav1.TypeMeta
metav1.ObjectMeta
// Desired state of the ClusterIssuer resource.
Spec IssuerSpec
// Status of the ClusterIssuer. This is set and managed automatically.
Status IssuerStatus
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterIssuerList is a list of Issuers
type ClusterIssuerList struct {
metav1.TypeMeta
metav1.ListMeta
Items []ClusterIssuer
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// An Issuer represents a certificate issuing authority which can be
// referenced as part of `issuerRef` fields.
// It is scoped to a single namespace and can therefore only be referenced by
// resources within the same namespace.
type Issuer struct {
metav1.TypeMeta
metav1.ObjectMeta
// Desired state of the Issuer resource.
Spec IssuerSpec
// Status of the Issuer. This is set and managed automatically.
Status IssuerStatus
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IssuerList is a list of Issuers
type IssuerList struct {
metav1.TypeMeta
metav1.ListMeta
Items []Issuer
}
// IssuerSpec is the specification of an Issuer. This includes any
// configuration required for the issuer.
type IssuerSpec struct {
IssuerConfig
}
type IssuerConfig struct {
// ACME configures this issuer to communicate with a RFC8555 (ACME) server
// to obtain signed x509 certificates.
ACME *cmacme.ACMEIssuer
// CA configures this issuer to sign certificates using a signing CA keypair
// stored in a Secret resource.
// This is used to build internal PKIs that are managed by cert-manager.
CA *CAIssuer
// Vault configures this issuer to sign certificates using a HashiCorp Vault
// PKI backend.
Vault *VaultIssuer
// SelfSigned configures this issuer to 'self sign' certificates using the
// private key used to create the CertificateRequest object.
SelfSigned *SelfSignedIssuer
// Venafi configures this issuer to sign certificates using a Venafi TPP
// or Venafi Cloud policy zone.
Venafi *VenafiIssuer
}
// Configures an issuer to sign certificates using a Venafi TPP
// or Cloud policy zone.
type VenafiIssuer struct {
// Zone is the Venafi Policy Zone to use for this issuer.
// All requests made to the Venafi platform will be restricted by the named
// zone policy.
// This field is required.
Zone string
// TPP specifies Trust Protection Platform configuration settings.
// Only one of TPP or Cloud may be specified.
TPP *VenafiTPP
// Cloud specifies the Venafi cloud configuration settings.
// Only one of TPP or Cloud may be specified.
Cloud *VenafiCloud
}
// VenafiTPP defines connection configuration details for a Venafi TPP instance
type VenafiTPP struct {
// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
// for example: "https://tpp.example.com/vedsdk".
URL string
// CredentialsRef is a reference to a Secret containing the username and
// password for the TPP server.
// The secret must contain two keys, 'username' and 'password'.
CredentialsRef cmmeta.LocalObjectReference
// CABundle is a PEM encoded TLS certificate to use to verify connections to
// the TPP instance.
// If specified, system roots will not be used and the issuing CA for the
// TPP instance must be verifiable using the provided root.
// If not specified, the connection will be verified using the cert-manager
// system root certificates.
CABundle []byte
}
// VenafiCloud defines connection configuration details for Venafi Cloud
type VenafiCloud struct {
// URL is the base URL for Venafi Cloud.
// Defaults to "https://api.venafi.cloud/v1".
URL string
// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
APITokenSecretRef cmmeta.SecretKeySelector
}
// Configures an issuer to 'self sign' certificates using the
// private key used to create the CertificateRequest object.
type SelfSignedIssuer struct {
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set certificate will be issued without CDP. Values are strings.
CRLDistributionPoints []string
}
// Configures an issuer to sign certificates using a HashiCorp Vault
// PKI backend.
type VaultIssuer struct {
// Auth configures how cert-manager authenticates with the Vault server.
Auth VaultAuth
// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
Server string
// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
// "my_pki_mount/sign/my-role-name".
Path string
// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
Namespace string
// PEM-encoded CA bundle (base64-encoded) used to validate Vault server
// certificate. Only used if the Server URL is using HTTPS protocol. This
// parameter is ignored for plain HTTP protocol connection. If not set the
// system root certificates are used to validate the TLS connection.
CABundle []byte
}
// Configuration used to authenticate with a Vault server.
// Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
type VaultAuth struct {
// TokenSecretRef authenticates with Vault by presenting a token.
TokenSecretRef *cmmeta.SecretKeySelector
// AppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
AppRole *VaultAppRole
// Kubernetes authenticates with Vault by passing the ServiceAccount
// token stored in the named Secret resource to the Vault server.
Kubernetes *VaultKubernetesAuth
}
// VaultAppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
type VaultAppRole struct {
// Path where the App Role authentication backend is mounted in Vault, e.g:
// "approle"
Path string
// RoleID configured in the App Role authentication backend when setting
// up the authentication backend in Vault.
RoleId string
// Reference to a key in a Secret that contains the App Role secret used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role secret.
SecretRef cmmeta.SecretKeySelector
}
// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
type VaultKubernetesAuth struct {
// The Vault mountPath here is the mount path to use when authenticating with
// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
// default value "/v1/auth/kubernetes" will be used.
Path string
// The required Secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
SecretRef cmmeta.SecretKeySelector
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
Role string
}
type CAIssuer struct {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
SecretName string
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set, certificates will be issued without distribution points set.
CRLDistributionPoints []string
// The OCSP server list is an X.509 v3 extension that defines a list of
// URLs of OCSP responders. The OCSP responders can be queried for the
// revocation status of an issued certificate. If not set, the
// certificate will be issued with no OCSP servers set. For example, an
// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
OCSPServers []string
}
// IssuerStatus contains status information about an Issuer
type IssuerStatus struct {
// List of status conditions to indicate the status of a CertificateRequest.
// Known condition types are `Ready`.
Conditions []IssuerCondition
// ACME specific status options.
// This field should only be set if the Issuer is configured to use an ACME
// server to issue certificates.
ACME *cmacme.ACMEIssuerStatus
}
// IssuerCondition contains condition information for an Issuer.
type IssuerCondition struct {
// Type of the condition, known values are (`Ready`).
Type IssuerConditionType
// Status of the condition, one of (`True`, `False`, `Unknown`).
Status cmmeta.ConditionStatus
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
LastTransitionTime *metav1.Time
// Reason is a brief machine readable explanation for the condition's last
// transition.
Reason string
// Message is a human readable description of the details of the last
// transition, complementing reason.
Message string
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Issuer.
ObservedGeneration int64
}
// IssuerConditionType represents an Issuer condition value.
type IssuerConditionType string
const (
// IssuerConditionReady represents the fact that a given Issuer condition
// is in ready state and able to issue certificates.
// If the `status` of this condition is `False`, CertificateRequest controllers
// should prevent attempts to sign certificates.
IssuerConditionReady IssuerConditionType = "Ready"
)