Initial commit for cert-manager app
This introduces cert-manager as a system-managed application for certificate management on StarlingX. Cert-manager specification can be found here: https://opendev.org/starlingx/specs/src/branch/master/doc/source/specs/stx-4.0/approved/security-2007360-cert-manager.rst Story: 2007360 Task: 39222 Change-Id: I9761cd97ca758dc57a9fd0edbbfdc987584f7121 Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com>
This commit is contained in:
parent
7eec52aaeb
commit
fec4b5dae0
16
CONTRIBUTING.rst
Normal file
16
CONTRIBUTING.rst
Normal file
@ -0,0 +1,16 @@
|
||||
If you would like to contribute to the development of OpenStack,
|
||||
you must follow the steps in this page:
|
||||
|
||||
https://docs.openstack.org/infra/manual/developers.html
|
||||
|
||||
Once those steps have been completed, changes to OpenStack
|
||||
should be submitted for review via the Gerrit tool, following
|
||||
the workflow documented at:
|
||||
|
||||
https://docs.openstack.org/infra/manual/developers.html#development-workflow
|
||||
|
||||
Pull requests submitted through GitHub will be ignored.
|
||||
|
||||
Bugs should be filed in Launchpad:
|
||||
|
||||
https://bugs.launchpad.net/starlingx
|
17
HACKING.rst
Normal file
17
HACKING.rst
Normal file
@ -0,0 +1,17 @@
|
||||
StarlingX Cert-Manager-Armada-App Style Commandments
|
||||
====================================================
|
||||
|
||||
- Step 1: Read the OpenStack style commandments
|
||||
https://docs.openstack.org/hacking/latest/
|
||||
- Step 2: Read on
|
||||
|
||||
Cert-Manager-Armada-App Specific Commandments
|
||||
---------------------------------------------
|
||||
|
||||
None so far
|
||||
|
||||
Running tests
|
||||
-------------
|
||||
The approach to running tests is to simply run the command ``tox``. This will
|
||||
create virtual environments, populate them with dependencies and run all of
|
||||
the tests that OpenStack CI systems run.
|
1
centos_build_layer.cfg
Normal file
1
centos_build_layer.cfg
Normal file
@ -0,0 +1 @@
|
||||
flock
|
1
centos_iso_image.inc
Normal file
1
centos_iso_image.inc
Normal file
@ -0,0 +1 @@
|
||||
stx-cert-manager-helm
|
2
centos_pkg_dirs
Normal file
2
centos_pkg_dirs
Normal file
@ -0,0 +1,2 @@
|
||||
cert-manager-helm
|
||||
stx-cert-manager-helm
|
1
centos_pkg_dirs_containers
Normal file
1
centos_pkg_dirs_containers
Normal file
@ -0,0 +1 @@
|
||||
stx-cert-manager-helm
|
1
centos_tarball-dl.lst
Normal file
1
centos_tarball-dl.lst
Normal file
@ -0,0 +1 @@
|
||||
helm-charts-certmanager-6da95758a4751b20cf85b29a3252e993449660eb.tar.gz#helm-charts-certmanager#https://github.com/jetstack/cert-manager/archive/6da95758a4751b20cf85b29a3252e993449660eb.tar.gz#http##
|
10
cert-manager-helm/Readme.rst
Normal file
10
cert-manager-helm/Readme.rst
Normal file
@ -0,0 +1,10 @@
|
||||
This repo is for
|
||||
https://github.com/jetstack/cert-manager/
|
||||
|
||||
Changes to this repo are needed for StarlingX and those changes are
|
||||
not yet merged.
|
||||
Rather than clone and diverge the repo, the repo is extracted at a particular
|
||||
git SHA, and patches are applied on top.
|
||||
|
||||
As those patches are merged, the SHA can be updated and
|
||||
the local patches removed.
|
8
cert-manager-helm/centos/build_srpm.data
Normal file
8
cert-manager-helm/centos/build_srpm.data
Normal file
@ -0,0 +1,8 @@
|
||||
TAR_NAME=helm-charts-certmanager
|
||||
SHA=6da95758a4751b20cf85b29a3252e993449660eb
|
||||
VERSION=1.0.0
|
||||
TAR="$TAR_NAME-$SHA.tar.gz"
|
||||
|
||||
COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/* "
|
||||
|
||||
TIS_PATCH_VER=1
|
75
cert-manager-helm/centos/cert-manager-helm.spec
Normal file
75
cert-manager-helm/centos/cert-manager-helm.spec
Normal file
@ -0,0 +1,75 @@
|
||||
# Build variables
|
||||
%global helm_folder /usr/lib/helm
|
||||
|
||||
%global sha 6da95758a4751b20cf85b29a3252e993449660eb
|
||||
|
||||
Summary: Cert-Manager helm charts
|
||||
Name: cert-manager-helm
|
||||
Version: 1.0
|
||||
Release: %{tis_patch_ver}%{?_tis_dist}
|
||||
License: Apache-2.0
|
||||
Group: base
|
||||
Packager: Wind River <info@windriver.com>
|
||||
URL: https://cert-manager.io/docs/installation/kubernetes/
|
||||
|
||||
Source0: helm-charts-certmanager-%{sha}.tar.gz
|
||||
Source1: repositories.yaml
|
||||
Source2: index.yaml
|
||||
Source3: Makefile
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
## Patch definition goes here if required
|
||||
|
||||
BuildRequires: helm
|
||||
|
||||
%description
|
||||
StarlingX Cert-Manager Helm Charts
|
||||
|
||||
%prep
|
||||
%setup -n helm-charts-certmanager
|
||||
|
||||
## Apply patches here if required
|
||||
|
||||
%build
|
||||
# initialize helm and build the toolkit
|
||||
# helm init --client-only does not work if there is no networking
|
||||
# The following commands do essentially the same as: helm init
|
||||
%define helm_home %{getenv:HOME}/.helm
|
||||
mkdir %{helm_home}
|
||||
mkdir %{helm_home}/repository
|
||||
mkdir %{helm_home}/repository/cache
|
||||
mkdir %{helm_home}/repository/local
|
||||
mkdir %{helm_home}/plugins
|
||||
mkdir %{helm_home}/starters
|
||||
mkdir %{helm_home}/cache
|
||||
mkdir %{helm_home}/cache/archive
|
||||
|
||||
# Stage a repository file that only has a local repo
|
||||
cp %{SOURCE1} %{helm_home}/repository/repositories.yaml
|
||||
|
||||
# Stage a local repo index that can be updated by the build
|
||||
cp %{SOURCE2} %{helm_home}/repository/local/index.yaml
|
||||
|
||||
# Host a server for the charts
|
||||
helm serve --repo-path . &
|
||||
helm repo rm local
|
||||
helm repo add local http://localhost:8879/charts
|
||||
|
||||
# Create the tgz files
|
||||
cp %{SOURCE3} deploy/charts
|
||||
which make
|
||||
cd deploy/charts
|
||||
make cert-manager
|
||||
cd -
|
||||
|
||||
# terminate helm server (the last backgrounded task)
|
||||
kill %1
|
||||
|
||||
%install
|
||||
install -d -m 755 ${RPM_BUILD_ROOT}%{helm_folder}
|
||||
install -p -D -m 755 deploy/charts/*.tgz ${RPM_BUILD_ROOT}%{helm_folder}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%{helm_folder}/*
|
43
cert-manager-helm/files/Makefile
Normal file
43
cert-manager-helm/files/Makefile
Normal file
@ -0,0 +1,43 @@
|
||||
#
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Copyright (c) 2020 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# It's necessary to set this because some environments don't link sh -> bash.
|
||||
SHELL := /bin/bash
|
||||
TASK := build
|
||||
|
||||
EXCLUDES := helm-toolkit doc tests tools logs tmp
|
||||
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
||||
|
||||
.PHONY: $(EXCLUDES) $(CHARTS)
|
||||
|
||||
all: $(CHARTS)
|
||||
|
||||
$(CHARTS):
|
||||
@if [ -d $@ ]; then \
|
||||
echo; \
|
||||
echo "===== Processing [$@] chart ====="; \
|
||||
make $(TASK)-$@; \
|
||||
fi
|
||||
|
||||
init-%:
|
||||
if [ -f $*/Makefile ]; then make -C $*; fi
|
||||
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
|
||||
|
||||
lint-%: init-%
|
||||
if [ -d $* ]; then helm lint $*; fi
|
||||
|
||||
build-%: lint-%
|
||||
if [ -d $* ]; then helm package $*; fi
|
||||
|
||||
clean:
|
||||
@echo "Clean all build artifacts"
|
||||
rm -f */templates/_partials.tpl */templates/_globals.tpl
|
||||
rm -f *tgz */charts/*tgz */requirements.lock
|
||||
rm -rf */charts */tmpcharts
|
||||
|
||||
%:
|
||||
@:
|
4
cert-manager-helm/files/index.yaml
Normal file
4
cert-manager-helm/files/index.yaml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
entries: {}
|
||||
generated: 2019-01-07T12:33:46.098166523-06:00
|
12
cert-manager-helm/files/repositories.yaml
Normal file
12
cert-manager-helm/files/repositories.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
generated: 2019-01-02T15:19:36.215111369-06:00
|
||||
repositories:
|
||||
- caFile: ""
|
||||
cache: /builddir/.helm/repository/cache/local-index.yaml
|
||||
certFile: ""
|
||||
keyFile: ""
|
||||
name: local
|
||||
password: ""
|
||||
url: http://127.0.0.1:8879/charts
|
||||
username: ""
|
2
github_sync.trigger
Normal file
2
github_sync.trigger
Normal file
@ -0,0 +1,2 @@
|
||||
# to trigger the upload job to sync to GitHub
|
||||
1
|
3
stx-cert-manager-helm/centos/build_srpm.data
Normal file
3
stx-cert-manager-helm/centos/build_srpm.data
Normal file
@ -0,0 +1,3 @@
|
||||
SRC_DIR="stx-cert-manager-helm"
|
||||
|
||||
TIS_PATCH_VER=0
|
98
stx-cert-manager-helm/centos/stx-cert-manager-helm.spec
Normal file
98
stx-cert-manager-helm/centos/stx-cert-manager-helm.spec
Normal file
@ -0,0 +1,98 @@
|
||||
# Application tunables (maps to metadata)
|
||||
%global app_name cert-manager
|
||||
%global helm_repo stx-platform
|
||||
|
||||
# Install location
|
||||
%global app_folder /usr/local/share/applications/helm
|
||||
|
||||
# Build variables
|
||||
%global helm_folder /usr/lib/helm
|
||||
|
||||
Summary: StarlingX Cert-Manager Armada Helm Charts
|
||||
Name: stx-cert-manager-helm
|
||||
Version: 1.0
|
||||
Release: %{tis_patch_ver}%{?_tis_dist}
|
||||
License: Apache-2.0
|
||||
Group: base
|
||||
Packager: Wind River <info@windriver.com>
|
||||
URL: unknown
|
||||
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: helm
|
||||
BuildRequires: cert-manager-helm
|
||||
Requires: cert-manager-helm
|
||||
|
||||
%description
|
||||
StarlingX Cert-Manager Armada Helm Charts
|
||||
|
||||
%prep
|
||||
%setup
|
||||
|
||||
%build
|
||||
# initialize helm and build the toolkit
|
||||
# helm init --client-only does not work if there is no networking
|
||||
# The following commands do essentially the same as: helm init
|
||||
%define helm_home %{getenv:HOME}/.helm
|
||||
mkdir %{helm_home}
|
||||
mkdir %{helm_home}/repository
|
||||
mkdir %{helm_home}/repository/cache
|
||||
mkdir %{helm_home}/repository/local
|
||||
mkdir %{helm_home}/plugins
|
||||
mkdir %{helm_home}/starters
|
||||
mkdir %{helm_home}/cache
|
||||
mkdir %{helm_home}/cache/archive
|
||||
|
||||
# Stage a repository file that only has a local repo
|
||||
cp files/repositories.yaml %{helm_home}/repository/repositories.yaml
|
||||
|
||||
# Stage a local repo index that can be updated by the build
|
||||
cp files/index.yaml %{helm_home}/repository/local/index.yaml
|
||||
|
||||
# Host a server for the charts
|
||||
helm serve --repo-path . &
|
||||
helm repo rm local
|
||||
helm repo add local http://localhost:8879/charts
|
||||
|
||||
# Make the charts. These produce a tgz file
|
||||
cd helm-charts
|
||||
make certmgr-crds
|
||||
cd -
|
||||
|
||||
# terminate helm server (the last backgrounded task)
|
||||
kill %1
|
||||
|
||||
# Create a chart tarball compliant with sysinv kube-app.py
|
||||
%define app_staging %{_builddir}/staging
|
||||
%define app_tarball %{app_name}-%{version}-%{tis_patch_ver}.tgz
|
||||
|
||||
# Setup staging
|
||||
mkdir -p %{app_staging}
|
||||
cp files/metadata.yaml %{app_staging}
|
||||
cp manifests/*.yaml %{app_staging}
|
||||
mkdir -p %{app_staging}/charts
|
||||
cp helm-charts/*.tgz %{app_staging}/charts
|
||||
cp %{helm_folder}/cert*.tgz %{app_staging}/charts
|
||||
cd %{app_staging}
|
||||
|
||||
# Populate metadata
|
||||
sed -i 's/@APP_NAME@/%{app_name}/g' %{app_staging}/metadata.yaml
|
||||
sed -i 's/@APP_VERSION@/%{version}-%{tis_patch_ver}/g' %{app_staging}/metadata.yaml
|
||||
sed -i 's/@HELM_REPO@/%{helm_repo}/g' %{app_staging}/metadata.yaml
|
||||
|
||||
# package it up
|
||||
find . -type f ! -name '*.md5' -print0 | xargs -0 md5sum > checksum.md5
|
||||
tar -zcf %{_builddir}/%{app_tarball} -C %{app_staging}/ .
|
||||
|
||||
# Cleanup staging
|
||||
rm -fr %{app_staging}
|
||||
|
||||
%install
|
||||
install -d -m 755 %{buildroot}/%{app_folder}
|
||||
install -p -D -m 755 %{_builddir}/%{app_tarball} %{buildroot}/%{app_folder}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%{app_folder}/*
|
5
stx-cert-manager-helm/stx-cert-manager-helm/README
Normal file
5
stx-cert-manager-helm/stx-cert-manager-helm/README
Normal file
@ -0,0 +1,5 @@
|
||||
This directory contains all StarlingX charts that need to be built for this
|
||||
application. Some charts are common across applications. These common charts
|
||||
reside in the stx-config/kubernetes/helm-charts directory. To include these in
|
||||
this application update the build_srpm.data file and use the COPY_LIST_TO_TAR
|
||||
mechanism to populate these common charts.
|
@ -0,0 +1,3 @@
|
||||
apiVersion: v1
|
||||
entries: {}
|
||||
generated: 2019-01-07T12:33:46.098166523-06:00
|
@ -0,0 +1,5 @@
|
||||
maintain_user_overrides: true
|
||||
|
||||
app_name: @APP_NAME@
|
||||
app_version: @APP_VERSION@
|
||||
helm_repo: @HELM_REPO@
|
@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
generated: 2019-01-02T15:19:36.215111369-06:00
|
||||
repositories:
|
||||
- caFile: ""
|
||||
cache: /builddir/.helm/repository/cache/local-index.yaml
|
||||
certFile: ""
|
||||
keyFile: ""
|
||||
name: local
|
||||
password: ""
|
||||
url: http://127.0.0.1:8879/charts
|
||||
username: ""
|
||||
|
@ -0,0 +1,43 @@
|
||||
#
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Copyright (c) 2020 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# It's necessary to set this because some environments don't link sh -> bash.
|
||||
SHELL := /bin/bash
|
||||
TASK := build
|
||||
|
||||
EXCLUDES := helm-toolkit doc tests tools logs tmp
|
||||
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
||||
|
||||
.PHONY: $(EXCLUDES) $(CHARTS)
|
||||
|
||||
all: $(CHARTS)
|
||||
|
||||
$(CHARTS):
|
||||
@if [ -d $@ ]; then \
|
||||
echo; \
|
||||
echo "===== Processing [$@] chart ====="; \
|
||||
make $(TASK)-$@; \
|
||||
fi
|
||||
|
||||
init-%:
|
||||
if [ -f $*/Makefile ]; then make -C $*; fi
|
||||
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
|
||||
|
||||
lint-%: init-%
|
||||
if [ -d $* ]; then helm lint $*; fi
|
||||
|
||||
build-%: lint-%
|
||||
if [ -d $* ]; then helm package $*; fi
|
||||
|
||||
clean:
|
||||
@echo "Clean all build artifacts"
|
||||
rm -f */templates/_partials.tpl */templates/_globals.tpl
|
||||
rm -f *tgz */charts/*tgz */requirements.lock
|
||||
rm -rf */charts */tmpcharts
|
||||
|
||||
%:
|
||||
@:
|
@ -0,0 +1,5 @@
|
||||
apiVersion: v1
|
||||
appVersion: "1.0"
|
||||
description: A Helm chart for Kubernetes
|
||||
name: certmgr-crds
|
||||
version: 0.1.0
|
@ -0,0 +1,21 @@
|
||||
1. Get the application URL by running these commands:
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- range $host := .Values.ingress.hosts }}
|
||||
{{- range .paths }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "NodePort" .Values.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "certmgr-crds.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "certmgr-crds.fullname" . }}'
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "certmgr-crds.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
|
||||
echo http://$SERVICE_IP:{{ .Values.service.port }}
|
||||
{{- else if contains "ClusterIP" .Values.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "certmgr-crds.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
echo "Visit http://127.0.0.1:8080 to use your application"
|
||||
kubectl port-forward $POD_NAME 8080:80
|
||||
{{- end }}
|
@ -0,0 +1,56 @@
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "certmgr-crds.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "certmgr-crds.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "certmgr-crds.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "certmgr-crds.labels" -}}
|
||||
app.kubernetes.io/name: {{ include "certmgr-crds.name" . }}
|
||||
helm.sh/chart: {{ include "certmgr-crds.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "certmgr-crds.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "certmgr-crds.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,205 @@
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificaterequests.cert-manager.io
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
# If you have deployed cert-manager into a namespace other than
|
||||
# 'cert-manager', be sure to update this value.
|
||||
namespace: cert-manager
|
||||
name: cert-manager-webhook
|
||||
path: /convert
|
||||
names:
|
||||
kind: CertificateRequest
|
||||
listKind: CertificateRequestList
|
||||
plural: certificaterequests
|
||||
shortNames:
|
||||
- cr
|
||||
- crs
|
||||
singular: certificaterequest
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
description: CertificateRequest is a type to represent a Certificate Signing
|
||||
Request
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: CertificateRequestSpec defines the desired state of CertificateRequest
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- issuerRef
|
||||
properties:
|
||||
csr:
|
||||
description: Byte slice containing the PEM encoded CertificateSigningRequest
|
||||
type: string
|
||||
format: byte
|
||||
duration:
|
||||
description: Requested certificate default Duration
|
||||
type: string
|
||||
isCA:
|
||||
description: IsCA will mark the resulting certificate as valid for signing.
|
||||
This implies that the 'cert sign' usage is set
|
||||
type: boolean
|
||||
issuerRef:
|
||||
description: IssuerRef is a reference to the issuer for this CertificateRequest. If
|
||||
the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
||||
with the given name in the same namespace as the CertificateRequest
|
||||
will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
||||
with the provided name will be used. The 'name' field in this stanza
|
||||
is required at all times. The group field refers to the API group
|
||||
of the issuer which defaults to 'cert-manager.io' if empty.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
usages:
|
||||
description: Usages is the set of x509 actions that are enabled for
|
||||
a given key. Defaults are ('digital signature', 'key encipherment')
|
||||
if empty
|
||||
type: array
|
||||
items:
|
||||
description: 'KeyUsage specifies valid usage contexts for keys. See:
|
||||
https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
||||
Valid KeyUsage values are as follows: "signing", "digital signature",
|
||||
"content commitment", "key encipherment", "key agreement", "data
|
||||
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
||||
only", "any", "server auth", "client auth", "code signing", "email
|
||||
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
||||
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
||||
sgc"'
|
||||
type: string
|
||||
enum:
|
||||
- signing
|
||||
- digital signature
|
||||
- content commitment
|
||||
- key encipherment
|
||||
- key agreement
|
||||
- data encipherment
|
||||
- cert sign
|
||||
- crl sign
|
||||
- encipher only
|
||||
- decipher only
|
||||
- any
|
||||
- server auth
|
||||
- client auth
|
||||
- code signing
|
||||
- email protection
|
||||
- s/mime
|
||||
- ipsec end system
|
||||
- ipsec tunnel
|
||||
- ipsec user
|
||||
- timestamping
|
||||
- ocsp signing
|
||||
- microsoft sgc
|
||||
- netscape sgc
|
||||
status:
|
||||
description: CertificateStatus defines the observed state of CertificateRequest
|
||||
and resulting signed certificate.
|
||||
type: object
|
||||
properties:
|
||||
ca:
|
||||
description: Byte slice containing the PEM encoded certificate authority
|
||||
of the signed certificate.
|
||||
type: string
|
||||
format: byte
|
||||
certificate:
|
||||
description: Byte slice containing a PEM encoded signed certificate
|
||||
resulting from the given certificate signing request.
|
||||
type: string
|
||||
format: byte
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
description: CertificateRequestCondition contains condition information
|
||||
for a CertificateRequest.
|
||||
type: object
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: LastTransitionTime is the timestamp corresponding
|
||||
to the last status change of this condition.
|
||||
type: string
|
||||
format: date-time
|
||||
message:
|
||||
description: Message is a human readable description of the details
|
||||
of the last transition, complementing reason.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason is a brief machine readable explanation for
|
||||
the condition's last transition.
|
||||
type: string
|
||||
status:
|
||||
description: Status of the condition, one of ('True', 'False',
|
||||
'Unknown').
|
||||
type: string
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type:
|
||||
description: Type of the condition, currently ('Ready', 'InvalidRequest').
|
||||
type: string
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this CertificateRequest
|
||||
failed. This is used to influence garbage collection and back-off.
|
||||
type: string
|
||||
format: date-time
|
@ -0,0 +1,548 @@
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: certificates.cert-manager.io
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].status
|
||||
name: Ready
|
||||
type: string
|
||||
- JSONPath: .spec.secretName
|
||||
name: Secret
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.conditions[?(@.type=="Ready")].message
|
||||
name: Status
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
# If you have deployed cert-manager into a namespace other than
|
||||
# 'cert-manager', be sure to update this value.
|
||||
namespace: cert-manager
|
||||
name: cert-manager-webhook
|
||||
path: /convert
|
||||
names:
|
||||
kind: Certificate
|
||||
listKind: CertificateList
|
||||
plural: certificates
|
||||
shortNames:
|
||||
- cert
|
||||
- certs
|
||||
singular: certificate
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
"schema":
|
||||
"openAPIV3Schema":
|
||||
description: Certificate is a type to represent a Certificate from ACME
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: CertificateSpec defines the desired state of Certificate.
|
||||
A valid Certificate requires at least one of a CommonName, DNSName,
|
||||
or URISAN to be valid.
|
||||
type: object
|
||||
required:
|
||||
- issuerRef
|
||||
- secretName
|
||||
properties:
|
||||
commonName:
|
||||
description: 'CommonName is a common name to be used on the Certificate.
|
||||
The CommonName should have a length of 64 characters or fewer to
|
||||
avoid generating invalid CSRs. This value is ignored by TLS clients
|
||||
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of subject alt names to be used on
|
||||
the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
duration:
|
||||
description: Certificate default Duration
|
||||
type: string
|
||||
emailSANs:
|
||||
description: EmailSANs is a list of Email Subject Alternative Names
|
||||
to be set on this Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
ipAddresses:
|
||||
description: IPAddresses is a list of IP addresses to be used on the
|
||||
Certificate
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
isCA:
|
||||
description: IsCA will mark this Certificate as valid for signing.
|
||||
This implies that the 'cert sign' usage is set
|
||||
type: boolean
|
||||
issuerRef:
|
||||
description: IssuerRef is a reference to the issuer for this certificate.
|
||||
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
||||
with the given name in the same namespace as the Certificate will
|
||||
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
||||
with the provided name will be used. The 'name' field in this stanza
|
||||
is required at all times.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
keyAlgorithm:
|
||||
description: KeyAlgorithm is the private key algorithm of the corresponding
|
||||
private key for this certificate. If provided, allowed values are
|
||||
either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
|
||||
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
||||
and key size of 2048 will be used for "rsa" key algorithm.
|
||||
type: string
|
||||
enum:
|
||||
- rsa
|
||||
- ecdsa
|
||||
keyEncoding:
|
||||
description: KeyEncoding is the private key cryptography standards
|
||||
(PKCS) for this certificate's private key to be encoded in. If provided,
|
||||
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
||||
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
||||
be used by default.
|
||||
type: string
|
||||
enum:
|
||||
- pkcs1
|
||||
- pkcs8
|
||||
keySize:
|
||||
description: KeySize is the key bit size of the corresponding private
|
||||
key for this certificate. If provided, value must be between 2048
|
||||
and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
|
||||
and value must be one of (256, 384, 521) when KeyAlgorithm is set
|
||||
to "ecdsa".
|
||||
type: integer
|
||||
maximum: 8192
|
||||
minimum: 0
|
||||
organization:
|
||||
description: Organization is the organization to be used on the Certificate
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
renewBefore:
|
||||
description: Certificate renew before expiration duration
|
||||
type: string
|
||||
secretName:
|
||||
description: SecretName is the name of the secret resource to store
|
||||
this secret in
|
||||
type: string
|
||||
subject:
|
||||
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
||||
type: object
|
||||
properties:
|
||||
countries:
|
||||
description: Countries to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
localities:
|
||||
description: Cities to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
organizationalUnits:
|
||||
description: Organizational Units to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
postalCodes:
|
||||
description: Postal codes to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
provinces:
|
||||
description: State/Provinces to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
serialNumber:
|
||||
description: Serial number to be used on the Certificate.
|
||||
type: string
|
||||
streetAddresses:
|
||||
description: Street addresses to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
uriSANs:
|
||||
description: URISANs is a list of URI Subject Alternative Names to
|
||||
be set on this Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
usages:
|
||||
description: Usages is the set of x509 actions that are enabled for
|
||||
a given key. Defaults are ('digital signature', 'key encipherment')
|
||||
if empty
|
||||
type: array
|
||||
items:
|
||||
description: 'KeyUsage specifies valid usage contexts for keys.
|
||||
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
||||
Valid KeyUsage values are as follows: "signing", "digital signature",
|
||||
"content commitment", "key encipherment", "key agreement", "data
|
||||
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
||||
only", "any", "server auth", "client auth", "code signing", "email
|
||||
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
||||
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
||||
sgc"'
|
||||
type: string
|
||||
enum:
|
||||
- signing
|
||||
- digital signature
|
||||
- content commitment
|
||||
- key encipherment
|
||||
- key agreement
|
||||
- data encipherment
|
||||
- cert sign
|
||||
- crl sign
|
||||
- encipher only
|
||||
- decipher only
|
||||
- any
|
||||
- server auth
|
||||
- client auth
|
||||
- code signing
|
||||
- email protection
|
||||
- s/mime
|
||||
- ipsec end system
|
||||
- ipsec tunnel
|
||||
- ipsec user
|
||||
- timestamping
|
||||
- ocsp signing
|
||||
- microsoft sgc
|
||||
- netscape sgc
|
||||
status:
|
||||
description: CertificateStatus defines the observed state of Certificate
|
||||
type: object
|
||||
properties:
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
description: CertificateCondition contains condition information
|
||||
for an Certificate.
|
||||
type: object
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: LastTransitionTime is the timestamp corresponding
|
||||
to the last status change of this condition.
|
||||
type: string
|
||||
format: date-time
|
||||
message:
|
||||
description: Message is a human readable description of the
|
||||
details of the last transition, complementing reason.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason is a brief machine readable explanation
|
||||
for the condition's last transition.
|
||||
type: string
|
||||
status:
|
||||
description: Status of the condition, one of ('True', 'False',
|
||||
'Unknown').
|
||||
type: string
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type:
|
||||
description: Type of the condition, currently ('Ready').
|
||||
type: string
|
||||
lastFailureTime:
|
||||
type: string
|
||||
format: date-time
|
||||
notAfter:
|
||||
description: The expiration time of the certificate stored in the
|
||||
secret named by this resource in spec.secretName.
|
||||
type: string
|
||||
format: date-time
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"schema":
|
||||
"openAPIV3Schema":
|
||||
description: Certificate is a type to represent a Certificate from ACME
|
||||
type: object
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: CertificateSpec defines the desired state of Certificate.
|
||||
A valid Certificate requires at least one of a CommonName, DNSName,
|
||||
or URISAN to be valid.
|
||||
type: object
|
||||
required:
|
||||
- issuerRef
|
||||
- secretName
|
||||
properties:
|
||||
commonName:
|
||||
description: 'CommonName is a common name to be used on the Certificate.
|
||||
The CommonName should have a length of 64 characters or fewer to
|
||||
avoid generating invalid CSRs. This value is ignored by TLS clients
|
||||
when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4'
|
||||
type: string
|
||||
dnsNames:
|
||||
description: DNSNames is a list of subject alt names to be used on
|
||||
the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
duration:
|
||||
description: Certificate default Duration
|
||||
type: string
|
||||
emailSANs:
|
||||
description: EmailSANs is a list of Email Subject Alternative Names
|
||||
to be set on this Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
ipAddresses:
|
||||
description: IPAddresses is a list of IP addresses to be used on the
|
||||
Certificate
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
isCA:
|
||||
description: IsCA will mark this Certificate as valid for signing.
|
||||
This implies that the 'cert sign' usage is set
|
||||
type: boolean
|
||||
issuerRef:
|
||||
description: IssuerRef is a reference to the issuer for this certificate.
|
||||
If the 'kind' field is not set, or set to 'Issuer', an Issuer resource
|
||||
with the given name in the same namespace as the Certificate will
|
||||
be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer
|
||||
with the provided name will be used. The 'name' field in this stanza
|
||||
is required at all times.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
keyAlgorithm:
|
||||
description: KeyAlgorithm is the private key algorithm of the corresponding
|
||||
private key for this certificate. If provided, allowed values are
|
||||
either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize
|
||||
is not provided, key size of 256 will be used for "ecdsa" key algorithm
|
||||
and key size of 2048 will be used for "rsa" key algorithm.
|
||||
type: string
|
||||
enum:
|
||||
- rsa
|
||||
- ecdsa
|
||||
keyEncoding:
|
||||
description: KeyEncoding is the private key cryptography standards
|
||||
(PKCS) for this certificate's private key to be encoded in. If provided,
|
||||
allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8,
|
||||
respectively. If KeyEncoding is not specified, then PKCS#1 will
|
||||
be used by default.
|
||||
type: string
|
||||
enum:
|
||||
- pkcs1
|
||||
- pkcs8
|
||||
keySize:
|
||||
description: KeySize is the key bit size of the corresponding private
|
||||
key for this certificate. If provided, value must be between 2048
|
||||
and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa",
|
||||
and value must be one of (256, 384, 521) when KeyAlgorithm is set
|
||||
to "ecdsa".
|
||||
type: integer
|
||||
maximum: 8192
|
||||
minimum: 0
|
||||
renewBefore:
|
||||
description: Certificate renew before expiration duration
|
||||
type: string
|
||||
secretName:
|
||||
description: SecretName is the name of the secret resource to store
|
||||
this secret in
|
||||
type: string
|
||||
subject:
|
||||
description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
|
||||
type: object
|
||||
properties:
|
||||
countries:
|
||||
description: Countries to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
localities:
|
||||
description: Cities to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
organizationalUnits:
|
||||
description: Organizational Units to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
organizations:
|
||||
description: Organizations to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
postalCodes:
|
||||
description: Postal codes to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
provinces:
|
||||
description: State/Provinces to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
serialNumber:
|
||||
description: Serial number to be used on the Certificate.
|
||||
type: string
|
||||
streetAddresses:
|
||||
description: Street addresses to be used on the Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
uriSANs:
|
||||
description: URISANs is a list of URI Subject Alternative Names to
|
||||
be set on this Certificate.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
usages:
|
||||
description: Usages is the set of x509 actions that are enabled for
|
||||
a given key. Defaults are ('digital signature', 'key encipherment')
|
||||
if empty
|
||||
type: array
|
||||
items:
|
||||
description: 'KeyUsage specifies valid usage contexts for keys.
|
||||
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
|
||||
Valid KeyUsage values are as follows: "signing", "digital signature",
|
||||
"content commitment", "key encipherment", "key agreement", "data
|
||||
encipherment", "cert sign", "crl sign", "encipher only", "decipher
|
||||
only", "any", "server auth", "client auth", "code signing", "email
|
||||
protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec
|
||||
user", "timestamping", "ocsp signing", "microsoft sgc", "netscape
|
||||
sgc"'
|
||||
type: string
|
||||
enum:
|
||||
- signing
|
||||
- digital signature
|
||||
- content commitment
|
||||
- key encipherment
|
||||
- key agreement
|
||||
- data encipherment
|
||||
- cert sign
|
||||
- crl sign
|
||||
- encipher only
|
||||
- decipher only
|
||||
- any
|
||||
- server auth
|
||||
- client auth
|
||||
- code signing
|
||||
- email protection
|
||||
- s/mime
|
||||
- ipsec end system
|
||||
- ipsec tunnel
|
||||
- ipsec user
|
||||
- timestamping
|
||||
- ocsp signing
|
||||
- microsoft sgc
|
||||
- netscape sgc
|
||||
status:
|
||||
description: CertificateStatus defines the observed state of Certificate
|
||||
type: object
|
||||
properties:
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
description: CertificateCondition contains condition information
|
||||
for an Certificate.
|
||||
type: object
|
||||
required:
|
||||
- status
|
||||
- type
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: LastTransitionTime is the timestamp corresponding
|
||||
to the last status change of this condition.
|
||||
type: string
|
||||
format: date-time
|
||||
message:
|
||||
description: Message is a human readable description of the
|
||||
details of the last transition, complementing reason.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason is a brief machine readable explanation
|
||||
for the condition's last transition.
|
||||
type: string
|
||||
status:
|
||||
description: Status of the condition, one of ('True', 'False',
|
||||
'Unknown').
|
||||
type: string
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type:
|
||||
description: Type of the condition, currently ('Ready').
|
||||
type: string
|
||||
lastFailureTime:
|
||||
type: string
|
||||
format: date-time
|
||||
notAfter:
|
||||
description: The expiration time of the certificate stored in the
|
||||
secret named by this resource in spec.secretName.
|
||||
type: string
|
||||
format: date-time
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,216 @@
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: orders.acme.cert-manager.io
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-tls
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.state
|
||||
name: State
|
||||
type: string
|
||||
- JSONPath: .spec.issuerRef.name
|
||||
name: Issuer
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .status.reason
|
||||
name: Reason
|
||||
priority: 1
|
||||
type: string
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC.
|
||||
name: Age
|
||||
type: date
|
||||
group: acme.cert-manager.io
|
||||
preserveUnknownFields: false
|
||||
conversion:
|
||||
# a Webhook strategy instruct API server to call an external webhook for any conversion between custom resources.
|
||||
strategy: Webhook
|
||||
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
|
||||
webhookClientConfig:
|
||||
service:
|
||||
# If you have deployed cert-manager into a namespace other than
|
||||
# 'cert-manager', be sure to update this value.
|
||||
namespace: cert-manager
|
||||
name: cert-manager-webhook
|
||||
path: /convert
|
||||
names:
|
||||
kind: Order
|
||||
listKind: OrderList
|
||||
plural: orders
|
||||
singular: order
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
served: true
|
||||
storage: true
|
||||
- name: v1alpha3
|
||||
served: true
|
||||
storage: false
|
||||
"validation":
|
||||
"openAPIV3Schema":
|
||||
description: Order is a type to represent an Order with an ACME server
|
||||
type: object
|
||||
required:
|
||||
- metadata
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
type: object
|
||||
required:
|
||||
- csr
|
||||
- issuerRef
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName is the common name as specified on the DER encoded
|
||||
CSR. If CommonName is not specified, the first DNSName specified will
|
||||
be used as the CommonName. At least one of CommonName or a DNSNames
|
||||
must be set. This field must match the corresponding field on the
|
||||
DER encoded CSR.
|
||||
type: string
|
||||
csr:
|
||||
description: Certificate signing request bytes in DER encoding. This
|
||||
will be used when finalizing the order. This field must be set on
|
||||
the order.
|
||||
type: string
|
||||
format: byte
|
||||
dnsNames:
|
||||
description: DNSNames is a list of DNS names that should be included
|
||||
as part of the Order validation process. If CommonName is not specified,
|
||||
the first DNSName specified will be used as the CommonName. At least
|
||||
one of CommonName or a DNSNames must be set. This field must match
|
||||
the corresponding field on the DER encoded CSR.
|
||||
type: array
|
||||
items:
|
||||
type: string
|
||||
issuerRef:
|
||||
description: IssuerRef references a properly configured ACME-type Issuer
|
||||
which should be used to create this Order. If the Issuer does not
|
||||
exist, processing will be retried. If the Issuer is not an 'ACME'
|
||||
Issuer, an error will be returned and the Order will be marked as
|
||||
failed.
|
||||
type: object
|
||||
required:
|
||||
- name
|
||||
properties:
|
||||
group:
|
||||
type: string
|
||||
kind:
|
||||
type: string
|
||||
name:
|
||||
type: string
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
authorizations:
|
||||
description: Authorizations contains data returned from the ACME server
|
||||
on what authorizations must be completed in order to validate the
|
||||
DNS names specified on the Order.
|
||||
type: array
|
||||
items:
|
||||
description: ACMEAuthorization contains data returned from the ACME
|
||||
server on an authorization that must be completed in order validate
|
||||
a DNS name on an ACME Order resource.
|
||||
type: object
|
||||
required:
|
||||
- url
|
||||
properties:
|
||||
challenges:
|
||||
description: Challenges specifies the challenge types offered
|
||||
by the ACME server. One of these challenge types will be selected
|
||||
when validating the DNS name and an appropriate Challenge resource
|
||||
will be created to perform the ACME challenge process.
|
||||
type: array
|
||||
items:
|
||||
description: Challenge specifies a challenge offered by the
|
||||
ACME server for an Order. An appropriate Challenge resource
|
||||
can be created to perform the ACME challenge process.
|
||||
type: object
|
||||
required:
|
||||
- token
|
||||
- type
|
||||
- url
|
||||
properties:
|
||||
token:
|
||||
description: Token is the token that must be presented for
|
||||
this challenge. This is used to compute the 'key' that
|
||||
must also be presented.
|
||||
type: string
|
||||
type:
|
||||
description: Type is the type of challenge being offered,
|
||||
e.g. http-01, dns-01
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of this challenge. It can be
|
||||
used to retrieve additional metadata about the Challenge
|
||||
from the ACME server.
|
||||
type: string
|
||||
identifier:
|
||||
description: Identifier is the DNS name to be validated as part
|
||||
of this authorization
|
||||
type: string
|
||||
url:
|
||||
description: URL is the URL of the Authorization that must be
|
||||
completed
|
||||
type: string
|
||||
wildcard:
|
||||
description: Wildcard will be true if this authorization is for
|
||||
a wildcard DNS name. If this is true, the identifier will be
|
||||
the *non-wildcard* version of the DNS name. For example, if
|
||||
'*.example.com' is the DNS name being validated, this field
|
||||
will be 'true' and the 'identifier' field will be 'example.com'.
|
||||
type: boolean
|
||||
certificate:
|
||||
description: Certificate is a copy of the PEM encoded certificate for
|
||||
this Order. This field will be populated after the order has been
|
||||
successfully finalized with the ACME server, and the order has transitioned
|
||||
to the 'valid' state.
|
||||
type: string
|
||||
format: byte
|
||||
failureTime:
|
||||
description: FailureTime stores the time that this order failed. This
|
||||
is used to influence garbage collection and back-off.
|
||||
type: string
|
||||
format: date-time
|
||||
finalizeURL:
|
||||
description: FinalizeURL of the Order. This is used to obtain certificates
|
||||
for this order once it has been completed.
|
||||
type: string
|
||||
reason:
|
||||
description: Reason optionally provides more information about a why
|
||||
the order is in the current state.
|
||||
type: string
|
||||
state:
|
||||
description: State contains the current state of this Order resource.
|
||||
States 'success' and 'expired' are 'final'
|
||||
type: string
|
||||
enum:
|
||||
- valid
|
||||
- ready
|
||||
- pending
|
||||
- processing
|
||||
- invalid
|
||||
- expired
|
||||
- errored
|
||||
url:
|
||||
description: URL of the Order. This will initially be empty when the
|
||||
resource is first created. The Order controller will populate this
|
||||
field when the Order is first processed. This field will be immutable
|
||||
after it is initially set.
|
||||
type: string
|
@ -0,0 +1,63 @@
|
||||
# Default values for certmgr-crds.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
imagePullSecrets: []
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name:
|
||||
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
# - ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# runAsUser: 1000
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
annotations: {}
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- host: chart-example.local
|
||||
paths: []
|
||||
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
|
||||
resources: {}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
@ -0,0 +1,89 @@
|
||||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: certmgr-crds
|
||||
data:
|
||||
chart_name: certmgr-crds
|
||||
release: certmgr-crds
|
||||
namespace: cert-manager
|
||||
wait:
|
||||
timeout: 60
|
||||
resources: []
|
||||
values:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
source:
|
||||
type: tar
|
||||
location: http://172.17.0.1:8080/helm_charts/stx-platform/certmgr-crds-0.1.0.tgz
|
||||
subpath: certmgr-crds
|
||||
reference: master
|
||||
dependencies: []
|
||||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cert-manager
|
||||
data:
|
||||
chart_name: cert-manager
|
||||
release: cert-manager
|
||||
namespace: cert-manager
|
||||
wait:
|
||||
timeout: 300
|
||||
labels:
|
||||
app: cert-manager
|
||||
install:
|
||||
no_hooks: false
|
||||
upgrade:
|
||||
no_hooks: false
|
||||
pre:
|
||||
delete:
|
||||
- type: job
|
||||
labels:
|
||||
app: cert-manager
|
||||
values:
|
||||
global:
|
||||
imagePullSecrets: [{"name": "default-registry-key"}]
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-controller
|
||||
tag: v0.14.0
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
webhook:
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-webhook
|
||||
tag: v0.14.0
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
cainjector:
|
||||
image:
|
||||
repository: quay.io/jetstack/cert-manager-cainjector
|
||||
tag: v0.14.0
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
source:
|
||||
type: tar
|
||||
location: http://172.17.0.1/helm_charts/stx-platform/cert-manager-v0.1.0.tgz
|
||||
subpath: cert-manager
|
||||
reference: master
|
||||
dependencies: []
|
||||
---
|
||||
schema: armada/ChartGroup/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cert-manager
|
||||
data:
|
||||
description: "StarlingX Cert-Manager"
|
||||
sequenced: true
|
||||
chart_group:
|
||||
- certmgr-crds
|
||||
- cert-manager
|
||||
---
|
||||
schema: armada/Manifest/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cert-manager-manifest
|
||||
data:
|
||||
release_prefix: cm
|
||||
chart_groups:
|
||||
- cert-manager
|
Loading…
Reference in New Issue
Block a user