300 lines
14 KiB
YAML
300 lines
14 KiB
YAML
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
creationTimestamp: null
|
|
labels:
|
|
controller-tools.k8s.io: "1.0"
|
|
name: clusterissuers.certmanager.k8s.io
|
|
spec:
|
|
group: certmanager.k8s.io
|
|
names:
|
|
kind: ClusterIssuer
|
|
plural: clusterissuers
|
|
scope: Cluster
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
acme:
|
|
properties:
|
|
email:
|
|
description: Email is the email for this account
|
|
type: string
|
|
privateKeySecretRef:
|
|
description: PrivateKey is the name of a secret containing the private
|
|
key for this user account.
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must be a
|
|
valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
server:
|
|
description: Server is the ACME server URL
|
|
type: string
|
|
skipTLSVerify:
|
|
description: If true, skip verifying the ACME server TLS certificate
|
|
type: boolean
|
|
solvers:
|
|
description: Solvers is a list of challenge solvers that will be
|
|
used to solve ACME challenges for the matching domains.
|
|
items:
|
|
properties:
|
|
selector:
|
|
description: Selector selects a set of DNSNames on the Certificate
|
|
resource that should be solved using this challenge solver.
|
|
properties:
|
|
dnsNames:
|
|
description: List of DNSNames that this solver will be
|
|
used to solve. If specified and a match is found, a
|
|
dnsNames selector will take precedence over a dnsZones
|
|
selector. If multiple solvers match with the same dnsNames
|
|
value, the solver with the most matching labels in matchLabels
|
|
will be selected. If neither has more matches, the solver
|
|
defined earlier in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
dnsZones:
|
|
description: List of DNSZones that this solver will be
|
|
used to solve. The most specific DNS zone match specified
|
|
here will take precedence over other DNS zone matches,
|
|
so a solver specifying sys.example.com will be selected
|
|
over one specifying example.com for the domain www.sys.example.com.
|
|
If multiple solvers match with the same dnsZones value,
|
|
the solver with the most matching labels in matchLabels
|
|
will be selected. If neither has more matches, the solver
|
|
defined earlier in the list will be selected.
|
|
items:
|
|
type: string
|
|
type: array
|
|
matchLabels:
|
|
description: A label selector that is used to refine the
|
|
set of certificate's that this challenge solver will
|
|
apply to.
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: array
|
|
required:
|
|
- server
|
|
- privateKeySecretRef
|
|
type: object
|
|
ca:
|
|
properties:
|
|
secretName:
|
|
description: SecretName is the name of the secret used to sign Certificates
|
|
issued by this Issuer.
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
selfSigned:
|
|
type: object
|
|
vault:
|
|
properties:
|
|
auth:
|
|
description: Vault authentication
|
|
properties:
|
|
appRole:
|
|
description: This Secret contains a AppRole and Secret
|
|
properties:
|
|
path:
|
|
description: Where the authentication path is mounted in
|
|
Vault.
|
|
type: string
|
|
roleId:
|
|
type: string
|
|
secretRef:
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
required:
|
|
- path
|
|
- roleId
|
|
- secretRef
|
|
type: object
|
|
tokenSecretRef:
|
|
description: This Secret contains the Vault token key
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
type: object
|
|
caBundle:
|
|
description: Base64 encoded CA bundle to validate Vault server certificate.
|
|
Only used if the Server URL is using HTTPS protocol. This parameter
|
|
is ignored for plain HTTP protocol connection. If not set the
|
|
system root certificates are used to validate the TLS connection.
|
|
format: byte
|
|
type: string
|
|
path:
|
|
description: Vault URL path to the certificate role
|
|
type: string
|
|
server:
|
|
description: Server is the vault connection address
|
|
type: string
|
|
required:
|
|
- auth
|
|
- server
|
|
- path
|
|
type: object
|
|
venafi:
|
|
properties:
|
|
cloud:
|
|
description: Cloud specifies the Venafi cloud configuration settings.
|
|
Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
apiTokenSecretRef:
|
|
description: APITokenSecretRef is a secret key selector for
|
|
the Venafi Cloud API token.
|
|
properties:
|
|
key:
|
|
description: The key of the secret to select from. Must
|
|
be a valid secret key.
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for Venafi Cloud
|
|
type: string
|
|
required:
|
|
- url
|
|
- apiTokenSecretRef
|
|
type: object
|
|
tpp:
|
|
description: TPP specifies Trust Protection Platform configuration
|
|
settings. Only one of TPP or Cloud may be specified.
|
|
properties:
|
|
caBundle:
|
|
description: CABundle is a PEM encoded TLS certifiate to use
|
|
to verify connections to the TPP instance. If specified, system
|
|
roots will not be used and the issuing CA for the TPP instance
|
|
must be verifiable using the provided root. If not specified,
|
|
the connection will be verified using the cert-manager system
|
|
root certificates.
|
|
format: byte
|
|
type: string
|
|
credentialsRef:
|
|
description: CredentialsRef is a reference to a Secret containing
|
|
the username and password for the TPP server. The secret must
|
|
contain two keys, 'username' and 'password'.
|
|
properties:
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
|
TODO: Add other useful fields. apiVersion, kind, uid?'
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
url:
|
|
description: URL is the base URL for the Venafi TPP instance
|
|
type: string
|
|
required:
|
|
- url
|
|
- credentialsRef
|
|
type: object
|
|
zone:
|
|
description: Zone is the Venafi Policy Zone to use for this issuer.
|
|
All requests made to the Venafi platform will be restricted by
|
|
the named zone policy. This field is required.
|
|
type: string
|
|
required:
|
|
- zone
|
|
type: object
|
|
type: object
|
|
status:
|
|
properties:
|
|
acme:
|
|
properties:
|
|
lastRegisteredEmail:
|
|
description: LastRegisteredEmail is the email associated with the
|
|
latest registered ACME account, in order to track changes made
|
|
to registered account associated with the Issuer
|
|
type: string
|
|
uri:
|
|
description: URI is the unique account identifier, which can also
|
|
be used to retrieve account details from the CA
|
|
type: string
|
|
type: object
|
|
conditions:
|
|
items:
|
|
properties:
|
|
lastTransitionTime:
|
|
description: LastTransitionTime is the timestamp corresponding
|
|
to the last status change of this condition.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: Message is a human readable description of the details
|
|
of the last transition, complementing reason.
|
|
type: string
|
|
reason:
|
|
description: Reason is a brief machine readable explanation for
|
|
the condition's last transition.
|
|
type: string
|
|
status:
|
|
description: Status of the condition, one of ('True', 'False',
|
|
'Unknown').
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: Type of the condition, currently ('Ready').
|
|
type: string
|
|
required:
|
|
- type
|
|
- status
|
|
type: object
|
|
type: array
|
|
type: object
|
|
version: v1alpha1
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|