k8s_crds_cert_manager/certificates.rs
1// WARNING: generated by kopium - manual changes will be overwritten
2// kopium command: kopium -f certificates.yml --schema=derived --docs -b --derive=Default --derive=PartialEq --smart-derive-elision
3// kopium version: 0.21.2
4
5#[allow(unused_imports)]
6mod prelude {
7 pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
8 pub use kube_derive::CustomResource;
9 #[cfg(feature = "schemars")]
10 pub use schemars::JsonSchema;
11 pub use serde::{Deserialize, Serialize};
12 pub use std::collections::BTreeMap;
13 #[cfg(feature = "builder")]
14 pub use typed_builder::TypedBuilder;
15}
16use self::prelude::*;
17
/// Specification of the desired state of the Certificate resource.
/// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
///
/// NOTE(review): kopium output mirroring the cert-manager `Certificate` CRD; it
/// models the wire format only. The mutual-exclusion rules quoted in the field
/// docs below (`commonName`/`subject` vs `literalSubject`, `renewBefore` vs
/// `renewBeforePercentage`) and the stated value ranges are not checked by this
/// type — presumably by the CRD schema and the cert-manager webhook; confirm
/// before trusting client-side construction. The derived `Default` leaves
/// `issuerRef.name` and `secretName` empty, which the docs below say is not a
/// valid object, so treat it as a builder seed rather than a usable spec.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
#[cfg_attr(not(feature = "schemars"), kube(schema = "disabled"))]
#[kube(
    group = "cert-manager.io",
    version = "v1",
    kind = "Certificate",
    plural = "certificates"
)]
#[kube(namespaced)]
#[kube(status = "CertificateStatus")]
#[kube(derive = "Default")]
#[kube(derive = "PartialEq")]
pub struct CertificateSpec {
    /// Defines extra output formats of the private key and signed certificate chain
    /// to be written to this Certificate's target Secret.
    ///
    /// Each extra format is one more copy of the private key in the Secret;
    /// request only the formats a consumer actually reads.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "additionalOutputFormats"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub additional_output_formats: Option<Vec<CertificateAdditionalOutputFormats>>,
    /// Requested common name X509 certificate subject attribute.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    /// NOTE: TLS clients will ignore this value when any subject alternative name is
    /// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
    ///
    /// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "commonName"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub common_name: Option<String>,
    /// Requested DNS subject alternative names.
    ///
    /// Nothing in this type checks that the caller is entitled to these names;
    /// per the issuer docs below, the issuer may ignore any requested attribute,
    /// so authorisation of names is the issuer's policy, not this struct's.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsNames")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub dns_names: Option<Vec<String>>,
    /// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
    /// issuer may choose to ignore the requested duration, just like any other
    /// requested attribute.
    ///
    /// If unset, this defaults to 90 days.
    /// Minimum accepted duration is 1 hour.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    /// Kept as a `String` here: it is the Go duration literal, not parsed client-side.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub duration: Option<String>,
    /// Requested email subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub email_addresses: Option<Vec<String>>,
    /// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
    ///
    /// This option defaults to true, and should only be disabled if the target
    /// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
    ///
    /// When disabled, the issuer sees the requested usages only through the
    /// CertificateRequest `usages` field (see `usages` below), not inside the CSR.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "encodeUsagesInRequest"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub encode_usages_in_request: Option<bool>,
    /// Requested IP address subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "ipAddresses"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub ip_addresses: Option<Vec<String>>,
    /// Requested basic constraints isCA value.
    /// The isCA value is used to set the `isCA` field on the created CertificateRequest
    /// resources. Note that the issuer may choose to ignore the requested isCA value, just
    /// like any other requested attribute.
    ///
    /// If true, this will automatically add the `cert sign` usage to the list
    /// of requested `usages`.
    ///
    /// NOTE(review): a CA-capable leaf is a significant grant; pair it with
    /// `nameConstraints` where the issuer honours them (alpha, see below).
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "isCA")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub is_ca: Option<bool>,
    /// Reference to the issuer responsible for issuing the certificate.
    /// If the issuer is namespace-scoped, it must be in the same namespace
    /// as the Certificate. If the issuer is cluster-scoped, it can be used
    /// from any namespace.
    ///
    /// The `name` field of the reference must always be specified.
    ///
    /// NOTE(review): because a cluster-scoped issuer is reachable from every
    /// namespace, the issuer's own policy — not this spec — is the control on
    /// which tenants may obtain certificates from it.
    #[serde(rename = "issuerRef")]
    pub issuer_ref: CertificateIssuerRef,
    /// Additional keystore output formats to be stored in the Certificate's Secret.
    /// Keystore passwords are configured on the nested types; see the notes there
    /// about literal vs. Secret-referenced passwords.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub keystores: Option<CertificateKeystores>,
    /// Requested X.509 certificate subject, represented using the LDAP "String
    /// Representation of a Distinguished Name" [1].
    /// Important: the LDAP string format also specifies the order of the attributes
    /// in the subject, this is important when issuing certs for LDAP authentication.
    /// Example: `CN=foo,DC=corp,DC=example,DC=com`
    /// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
    /// More info: https://github.com/cert-manager/cert-manager/issues/3203
    /// More info: https://github.com/cert-manager/cert-manager/issues/4424
    ///
    /// Cannot be set if the `subject` or `commonName` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "literalSubject"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub literal_subject: Option<String>,
    /// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
    /// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
    ///
    /// This is an Alpha Feature and is only enabled with the
    /// `--feature-gates=NameConstraints=true` option set on both
    /// the controller and webhook components.
    ///
    /// NOTE(review): this type does not couple the field to `isCA`; the
    /// "CA only" rule above is enforced elsewhere, if at all — confirm.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nameConstraints"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub name_constraints: Option<CertificateNameConstraints>,
    /// `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
    /// Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
    /// Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
    /// You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
    ///
    /// NOTE(review): a UPN otherName is typically consumed as a user identity
    /// claim, so an issuer that honours arbitrary `otherNames` should be scoped
    /// to callers who are allowed to assert those identities.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "otherNames"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub other_names: Option<Vec<CertificateOtherNames>>,
    /// Private key options. These include the key algorithm and size, the used
    /// encoding and the rotation policy.
    ///
    /// The rotation policy decides whether the private key is reused across
    /// renewals; see `CertificatePrivateKey::rotation_policy`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "privateKey"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub private_key: Option<CertificatePrivateKey>,
    /// How long before the currently issued certificate's expiry cert-manager should
    /// renew the certificate. For example, if a certificate is valid for 60 minutes,
    /// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
    /// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
    /// the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// If unset, this defaults to 1/3 of the issued certificate's lifetime.
    /// Minimum accepted value is 5 minutes.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    /// Cannot be set if the `renewBeforePercentage` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBefore"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub renew_before: Option<String>,
    /// `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
    /// rather than an absolute duration. For example, if a certificate is valid for 60
    /// minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to
    /// renew the certificate 45 minutes after it was issued (i.e. when there are 15
    /// minutes (25%) remaining until the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// Value must be an integer in the range (0,100). The minimum effective
    /// `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
    /// minutes.
    /// Cannot be set if the `renewBefore` field is set.
    /// The (0,100) range is not enforced by the `i32` type here.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBeforePercentage"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub renew_before_percentage: Option<i32>,
    /// The maximum number of CertificateRequest revisions that are maintained in
    /// the Certificate's history. Each revision represents a single `CertificateRequest`
    /// created by this Certificate, either when it was created, renewed, or Spec
    /// was changed. Revisions will be removed by oldest first if the number of
    /// revisions exceeds this number.
    ///
    /// If set, revisionHistoryLimit must be a value of `1` or greater.
    /// Default value is `1`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "revisionHistoryLimit"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub revision_history_limit: Option<i32>,
    /// Name of the Secret resource that will be automatically created and
    /// managed by this Certificate resource. It will be populated with a
    /// private key and certificate, signed by the denoted issuer. The Secret
    /// resource lives in the same namespace as the Certificate resource.
    ///
    /// NOTE(review): this Secret holds the private key, so any principal able
    /// to read Secrets in the Certificate's namespace can read it; RBAC on
    /// Secrets, not on Certificates, is the protection boundary.
    #[serde(rename = "secretName")]
    pub secret_name: String,
    /// Defines annotations and labels to be copied to the Certificate's Secret.
    /// Labels and annotations on the Secret will be changed as they appear on the
    /// SecretTemplate when added or removed. SecretTemplate annotations are added
    /// in conjunction with, and cannot overwrite, the base set of annotations
    /// cert-manager sets on the Certificate's Secret.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "secretTemplate"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub secret_template: Option<CertificateSecretTemplate>,
    /// Signature algorithm to use.
    /// Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
    /// Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
    /// Allowed values for Ed25519 keys: PureEd25519.
    /// The key-algorithm/signature-algorithm pairing is not checked by this type.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "signatureAlgorithm"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub signature_algorithm: Option<CertificateSignatureAlgorithm>,
    /// Requested set of X509 certificate subject attributes.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    ///
    /// The common name attribute is specified separately in the `commonName` field.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub subject: Option<CertificateSubject>,
    /// Requested URI subject alternative names.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub uris: Option<Vec<String>>,
    /// Requested key usages and extended key usages.
    /// These usages are used to set the `usages` field on the created CertificateRequest
    /// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
    /// will additionally be encoded in the `request` field which contains the CSR blob.
    ///
    /// If unset, defaults to `digital signature` and `key encipherment`.
    ///
    /// Values are cert-manager's usage names (e.g. `digital signature`,
    /// `key encipherment`, `cert sign` as quoted in these docs); this type does
    /// not reject unknown strings.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub usages: Option<Vec<String>>,
}
279
/// CertificateAdditionalOutputFormat defines an additional output format of a
/// Certificate resource. These contain supplementary data formats of the signed
/// certificate chain and paired private key.
///
/// NOTE(review): every extra format written is another copy of the private key
/// in the target Secret; only request formats a consumer actually reads.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateAdditionalOutputFormats {
    /// Type is the name of the format type that should be written to the
    /// Certificate's target Secret.
    ///
    /// Required. Named `r#type` because `type` is a Rust keyword; it is
    /// serialized as `type` on the wire.
    #[serde(rename = "type")]
    pub r#type: CertificateAdditionalOutputFormatsType,
}
292
/// Name of an additional output format written to the Certificate's target
/// Secret (the `type` of a [`CertificateAdditionalOutputFormats`] entry).
///
/// The serialized values are the CRD's literal `DER` and `CombinedPEM`; the
/// Rust variant names are only a casing convention.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub enum CertificateAdditionalOutputFormatsType {
    /// Wire value `DER`.
    #[serde(rename = "DER")]
    Der,
    /// Wire value `CombinedPEM` — presumably chain and private key in a single
    /// PEM entry (per the parent struct's doc); exact Secret key names are not
    /// shown in this file.
    #[serde(rename = "CombinedPEM")]
    CombinedPem,
}
304
/// Reference to the issuer responsible for issuing the certificate.
/// If the issuer is namespace-scoped, it must be in the same namespace
/// as the Certificate. If the issuer is cluster-scoped, it can be used
/// from any namespace.
///
/// The `name` field of the reference must always be specified.
///
/// NOTE(review): the reference carries no namespace, so a cluster-scoped
/// issuer named here is reachable from every namespace; the issuer's policy,
/// not this object, decides who may obtain certificates from it. The derived
/// `Default` yields an empty `name`, which the rule above says is invalid.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateIssuerRef {
    /// Group of the issuer being referred to.
    /// Defaults to 'cert-manager.io'.
    ///
    /// `None` is simply omitted on the wire; this type never writes the
    /// default itself (presumably cert-manager applies it).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub group: Option<String>,
    /// Kind of the issuer being referred to.
    /// Defaults to 'Issuer'.
    ///
    /// Free-form string; the scope (namespaced vs cluster-wide) of the kind is
    /// not encoded in this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub kind: Option<String>,
    /// Name of the issuer being referred to.
    ///
    /// Required (not `Option`), always serialized.
    pub name: String,
}
328
/// Additional keystore output formats to be stored in the Certificate's Secret.
///
/// Both members are optional; each nested type carries its own `create` flag
/// and password configuration. See the password notes on the nested types.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateKeystores {
    /// JKS configures options for storing a JKS keystore in the
    /// `spec.secretName` Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub jks: Option<CertificateKeystoresJks>,
    /// PKCS12 configures options for storing a PKCS12 keystore in the
    /// `spec.secretName` Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub pkcs12: Option<CertificateKeystoresPkcs12>,
}
345
/// JKS configures options for storing a JKS keystore in the
/// `spec.secretName` Secret resource.
///
/// NOTE(review): the keystore password is not a meaningful protection for the
/// key — the same Secret also holds the plaintext key and certificate (see the
/// `profile` doc on the PKCS12 sibling). Treat it as a format requirement, not
/// a secret that guards anything, and do not reuse a real password here.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateKeystoresJks {
    /// Alias specifies the alias of the key in the keystore, required by the JKS format.
    /// If not provided, the default alias `certificate` will be used.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub alias: Option<String>,
    /// Create enables JKS keystore creation for the Certificate.
    /// If true, a file named `keystore.jks` will be created in the target
    /// Secret resource, encrypted using the password stored in
    /// `passwordSecretRef` or `password`.
    /// The keystore file will be updated immediately.
    /// If the issuer provided a CA certificate, a file named `truststore.jks`
    /// will also be created in the target Secret resource, encrypted using the
    /// password stored in `passwordSecretRef`
    /// containing the issuing Certificate Authority
    ///
    /// Required on the wire; the derived `Default` sets it to `false`.
    pub create: bool,
    /// Password provides a literal password used to encrypt the JKS keystore.
    /// Mutually exclusive with passwordSecretRef.
    /// One of password or passwordSecretRef must provide a password with a non-zero length.
    ///
    /// NOTE(review): a literal value is stored in the Certificate object itself
    /// (visible to anyone who can read Certificates, not only Secrets) and is
    /// printed by the derived `Debug` impl of this struct. Prefer
    /// `passwordSecretRef`. The mutual exclusion is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub password: Option<String>,
    /// PasswordSecretRef is a reference to a non-empty key in a Secret resource
    /// containing the password used to encrypt the JKS keystore.
    /// Mutually exclusive with password.
    /// One of password or passwordSecretRef must provide a password with a non-zero length.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "passwordSecretRef"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub password_secret_ref: Option<CertificateKeystoresJksPasswordSecretRef>,
}
385
/// PasswordSecretRef is a reference to a non-empty key in a Secret resource
/// containing the password used to encrypt the JKS keystore.
/// Mutually exclusive with password.
/// One of password or passwordSecretRef must provide a password with a non-zero length.
///
/// The reference carries no namespace; presumably the Secret is resolved in
/// the Certificate's namespace — confirm against cert-manager's behaviour.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateKeystoresJksPasswordSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    ///
    /// Required; the derived `Default` leaves it empty.
    pub name: String,
}
404
/// PKCS12 configures options for storing a PKCS12 keystore in the
/// `spec.secretName` Secret resource.
///
/// NOTE(review): the default `profile` is the deprecated `LegacyRC2`, chosen
/// for backward compatibility rather than strength; set `Modern2023` unless a
/// consumer demonstrably needs the legacy encodings (see `profile`).
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateKeystoresPkcs12 {
    /// Create enables PKCS12 keystore creation for the Certificate.
    /// If true, a file named `keystore.p12` will be created in the target
    /// Secret resource, encrypted using the password stored in
    /// `passwordSecretRef` or in `password`.
    /// The keystore file will be updated immediately.
    /// If the issuer provided a CA certificate, a file named `truststore.p12` will
    /// also be created in the target Secret resource, encrypted using the
    /// password stored in `passwordSecretRef` containing the issuing Certificate
    /// Authority
    ///
    /// Required on the wire; the derived `Default` sets it to `false`.
    pub create: bool,
    /// Password provides a literal password used to encrypt the PKCS#12 keystore.
    /// Mutually exclusive with passwordSecretRef.
    /// One of password or passwordSecretRef must provide a password with a non-zero length.
    ///
    /// NOTE(review): a literal value lives in the Certificate object (readable
    /// by anyone who can read Certificates) and is printed by the derived
    /// `Debug` impl. Prefer `passwordSecretRef`; do not reuse a real password.
    /// The mutual exclusion is not enforced by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub password: Option<String>,
    /// PasswordSecretRef is a reference to a non-empty key in a Secret resource
    /// containing the password used to encrypt the PKCS#12 keystore.
    /// Mutually exclusive with password.
    /// One of password or passwordSecretRef must provide a password with a non-zero length.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "passwordSecretRef"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub password_secret_ref: Option<CertificateKeystoresPkcs12PasswordSecretRef>,
    /// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
    /// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
    ///
    /// If provided, allowed values are:
    /// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
    /// `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
    /// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
    /// (e.g., because of company policy). Please note that the security of the algorithm is not that important
    /// in reality, because the unencrypted certificate and private key are also stored in the Secret.
    ///
    /// `None` is omitted on the wire, so the `LegacyRC2` default is applied
    /// server-side, not by this type.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub profile: Option<CertificateKeystoresPkcs12Profile>,
}
451
/// PasswordSecretRef is a reference to a non-empty key in a Secret resource
/// containing the password used to encrypt the PKCS#12 keystore.
/// Mutually exclusive with password.
/// One of password or passwordSecretRef must provide a password with a non-zero length.
///
/// Structurally identical to the JKS variant; the reference carries no
/// namespace, presumably resolved in the Certificate's namespace — confirm.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateKeystoresPkcs12PasswordSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    ///
    /// Required; the derived `Default` leaves it empty.
    pub name: String,
}
470
/// PKCS#12 encryption/HMAC profile selected by `CertificateKeystoresPkcs12::profile`.
///
/// Wire values are the CRD literals `LegacyRC2`, `LegacyDES` and `Modern2023`.
/// Per the field doc, `LegacyRC2` (the server-side default) is deprecated and
/// `LegacyDES` is the weaker compatibility option; `Modern2023` is the secure
/// choice where consumers support it.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub enum CertificateKeystoresPkcs12Profile {
    /// Wire value `LegacyRC2` — deprecated; not supported by default in OpenSSL 3 / Java 20.
    #[serde(rename = "LegacyRC2")]
    LegacyRc2,
    /// Wire value `LegacyDES` — less secure, maximal compatibility.
    #[serde(rename = "LegacyDES")]
    LegacyDes,
    /// Wire value `Modern2023` (no rename needed) — secure algorithms.
    Modern2023,
}
482
/// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
/// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
///
/// This is an Alpha Feature and is only enabled with the
/// `--feature-gates=NameConstraints=true` option set on both
/// the controller and webhook components.
///
/// NOTE(review): this type does not tie the extension to `spec.isCA`, and the
/// `excluded`/`permitted` lists are plain strings — syntax (CIDR for
/// `ipRanges`) is not validated here. Whether the webhook enforces either is
/// not visible in this file; confirm before relying on it.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateNameConstraints {
    /// if true then the name constraints are marked critical.
    ///
    /// A critical extension that a relying party does not understand causes it
    /// to reject the certificate (RFC 5280 extension semantics).
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub critical: Option<bool>,
    /// Excluded contains the constraints which must be disallowed. Any name matching a
    /// restriction in the excluded field is invalid regardless
    /// of information appearing in the permitted
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub excluded: Option<CertificateNameConstraintsExcluded>,
    /// Permitted contains the constraints in which the names must be located.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub permitted: Option<CertificateNameConstraintsPermitted>,
}
508
/// Excluded contains the constraints which must be disallowed. Any name matching a
/// restriction in the excluded field is invalid regardless
/// of information appearing in the permitted
///
/// Same shape as the `permitted` subtree; all lists are free-form strings and
/// are not validated by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateNameConstraintsExcluded {
    /// DNSDomains is a list of DNS domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "dnsDomains"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub dns_domains: Option<Vec<String>>,
    /// EmailAddresses is a list of Email Addresses that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub email_addresses: Option<Vec<String>>,
    /// IPRanges is a list of IP Ranges that are permitted or excluded.
    /// This should be a valid CIDR notation.
    /// CIDR syntax is not checked client-side.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipRanges")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub ip_ranges: Option<Vec<String>>,
    /// URIDomains is a list of URI domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "uriDomains"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub uri_domains: Option<Vec<String>>,
}
546
/// Permitted contains the constraints in which the names must be located.
///
/// Same shape as the `excluded` subtree; all lists are free-form strings and
/// are not validated by this type. Per the parent doc, an `excluded` match
/// wins over anything listed here.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateNameConstraintsPermitted {
    /// DNSDomains is a list of DNS domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "dnsDomains"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub dns_domains: Option<Vec<String>>,
    /// EmailAddresses is a list of Email Addresses that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub email_addresses: Option<Vec<String>>,
    /// IPRanges is a list of IP Ranges that are permitted or excluded.
    /// This should be a valid CIDR notation.
    /// CIDR syntax is not checked client-side.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipRanges")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub ip_ranges: Option<Vec<String>>,
    /// URIDomains is a list of URI domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "uriDomains"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub uri_domains: Option<Vec<String>>,
}
582
/// One `otherName` subject alternative name entry (`spec.otherNames[]`).
///
/// Both fields are optional at the type level, but per the `otherNames` doc on
/// `CertificateSpec` a usable entry sets both `oid` and `utf8Value`, and the
/// OID is not validated against the UTF8String type by cert-manager.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateOtherNames {
    /// OID is the object identifier for the otherName SAN.
    /// The object identifier must be expressed as a dotted string, for
    /// example, "1.2.840.113556.1.4.221".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub oid: Option<String>,
    /// utf8Value is the string value of the otherName SAN.
    /// The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
    ///
    /// NOTE(review): with a UPN OID this string is an identity claim; the issuer
    /// should restrict who may request it.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "utf8Value")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub utf8_value: Option<String>,
}
599
/// Private key options. These include the key algorithm and size, the used
/// encoding and the rotation policy.
///
/// NOTE(review): the allowed `size` values and the algorithm/size pairing
/// documented below are not enforced by this type (`size` is a plain `i64`);
/// rely on server-side validation.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificatePrivateKey {
    /// Algorithm is the private key algorithm of the corresponding private key
    /// for this certificate.
    ///
    /// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
    /// If `algorithm` is specified and `size` is not provided,
    /// key size of 2048 will be used for `RSA` key algorithm and
    /// key size of 256 will be used for `ECDSA` key algorithm.
    /// key size is ignored when using the `Ed25519` key algorithm.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub algorithm: Option<CertificatePrivateKeyAlgorithm>,
    /// The private key cryptography standards (PKCS) encoding for this
    /// certificate's private key to be encoded in.
    ///
    /// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
    /// and PKCS#8, respectively.
    /// Defaults to `PKCS1` if not specified.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub encoding: Option<CertificatePrivateKeyEncoding>,
    /// RotationPolicy controls how private keys should be regenerated when a
    /// re-issuance is being processed.
    ///
    /// If set to `Never`, a private key will only be generated if one does not
    /// already exist in the target `spec.secretName`. If one does exist but it
    /// does not have the correct algorithm or size, a warning will be raised
    /// to await user intervention.
    /// If set to `Always`, a private key matching the specified requirements
    /// will be generated whenever a re-issuance occurs.
    /// Default is `Always`.
    /// The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
    /// The new default can be disabled by setting the
    /// `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
    /// the controller component.
    ///
    /// NOTE(review): with `Never` the same key is kept across every renewal, so
    /// a key compromise is not cured by reissuance; prefer `Always` unless a
    /// consumer genuinely requires a stable key. Because `None` is omitted on
    /// the wire, the effective default depends on the controller's version and
    /// feature gate, not on this type.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "rotationPolicy"
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub rotation_policy: Option<CertificatePrivateKeyRotationPolicy>,
    /// Size is the key bit size of the corresponding private key for this certificate.
    ///
    /// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
    /// and will default to `2048` if not specified.
    /// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
    /// and will default to `256` if not specified.
    /// If `algorithm` is set to `Ed25519`, Size is ignored.
    /// No other values are allowed.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub size: Option<i64>,
}
659
/// Private key algorithm for a Certificate (`privateKey.algorithm`).
///
/// Serialized with the exact casing cert-manager expects: `RSA`, `ECDSA`
/// and `Ed25519`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub enum CertificatePrivateKeyAlgorithm {
    /// RSA; the key size defaults to 2048 bits unless `privateKey.size` is set.
    #[serde(rename = "RSA")]
    Rsa,
    /// ECDSA; the key size defaults to 256 unless `privateKey.size` is set.
    #[serde(rename = "ECDSA")]
    Ecdsa,
    /// Ed25519; the key size is fixed and `privateKey.size` is ignored.
    /// The variant name already matches the wire value, so no rename is needed.
    Ed25519,
}
671
/// Private key encoding for a Certificate (`privateKey.encoding`).
///
/// Wire values are `PKCS1` and `PKCS8`; cert-manager defaults to `PKCS1`
/// when the field is unset.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
#[serde(rename_all = "UPPERCASE")]
pub enum CertificatePrivateKeyEncoding {
    /// PKCS#1 encoding (serialized as `PKCS1`).
    Pkcs1,
    /// PKCS#8 encoding (serialized as `PKCS8`).
    Pkcs8,
}
682
/// Private-key rotation policy (`privateKey.rotationPolicy`).
///
/// Controls whether an existing key in the target Secret is kept or replaced
/// when the certificate is re-issued. cert-manager defaults to `Always`
/// (since v1.18.0; the controller feature gate
/// `DefaultPrivateKeyRotationPolicyAlways=false` restores `Never`).
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub enum CertificatePrivateKeyRotationPolicy {
    /// Keep the existing private key; only generate one if the target Secret
    /// has none. The same key material is reused for every renewal, and a key
    /// with the wrong algorithm/size is only warned about, not replaced.
    Never,
    /// Generate a fresh key matching the requested algorithm/size on every
    /// re-issuance, so a renewal also retires the previous key.
    Always,
}
691
/// Labels and annotations to copy onto the Certificate's target Secret.
///
/// cert-manager keeps the Secret's metadata in sync with this template: keys
/// added here appear on the Secret and keys removed here are removed from it
/// again. Template annotations are merged with — and cannot override — the
/// base set of annotations cert-manager itself sets on the Secret.
///
/// Both maps are ordinary object metadata, not Secret `data`; do not put
/// anything sensitive in them.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateSecretTemplate {
    /// Annotations to copy to the target Secret (key → value).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Labels to copy to the target Secret (key → value).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub labels: Option<BTreeMap<String, String>>,
}
710
/// Signature algorithm to request for the issued certificate.
///
/// Variants group by key type: `SHA{256,384,512}WithRSA` go with RSA keys,
/// `ECDSAWithSHA{256,384,512}` with ECDSA keys and `PureEd25519` with
/// Ed25519 keys. This enum does not tie the choice to
/// `privateKey.algorithm`; a pair that does not match cannot yield a valid
/// signature, so keep the two consistent when building a spec.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq)]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub enum CertificateSignatureAlgorithm {
    /// RSA signature over a SHA-256 digest.
    #[serde(rename = "SHA256WithRSA")]
    Sha256WithRsa,
    /// RSA signature over a SHA-384 digest.
    #[serde(rename = "SHA384WithRSA")]
    Sha384WithRsa,
    /// RSA signature over a SHA-512 digest.
    #[serde(rename = "SHA512WithRSA")]
    Sha512WithRsa,
    /// ECDSA signature over a SHA-256 digest.
    #[serde(rename = "ECDSAWithSHA256")]
    EcdsaWithSha256,
    /// ECDSA signature over a SHA-384 digest.
    #[serde(rename = "ECDSAWithSHA384")]
    EcdsaWithSha384,
    /// ECDSA signature over a SHA-512 digest.
    #[serde(rename = "ECDSAWithSHA512")]
    EcdsaWithSha512,
    /// Pure (non-prehashed) Ed25519. The wire value equals the variant name,
    /// so no rename is needed.
    PureEd25519,
}
730
/// X.509 subject attributes to request for the certificate
/// (RFC 5280 §4.1.2.6), excluding the common name, which lives in
/// `spec.commonName`. Mutually exclusive with `spec.literalSubject`.
///
/// Each list holds the values of one multi-valued attribute. Because this
/// struct describes the subject, `serialNumber` is the subject's
/// `serialNumber` attribute, not the certificate's serial number.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateSubject {
    /// Country (C) values.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub countries: Option<Vec<String>>,
    /// Locality / city (L) values.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub localities: Option<Vec<String>>,
    /// Organizational unit (OU) values.
    #[serde(
        rename = "organizationalUnits",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub organizational_units: Option<Vec<String>>,
    /// Organization (O) values.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub organizations: Option<Vec<String>>,
    /// Postal code values.
    #[serde(
        rename = "postalCodes",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub postal_codes: Option<Vec<String>>,
    /// State / province (ST) values.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub provinces: Option<Vec<String>>,
    /// Subject serialNumber attribute.
    #[serde(
        rename = "serialNumber",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub serial_number: Option<String>,
    /// Street address values.
    #[serde(
        rename = "streetAddresses",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub street_addresses: Option<Vec<String>>,
}
789
/// Observed state of the Certificate, written by the cert-manager
/// controllers. Read-only for users; every field is optional and absent
/// until a controller sets it.
/// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "builder", derive(TypedBuilder))]
#[cfg_attr(feature = "schemars", derive(JsonSchema))]
pub struct CertificateStatus {
    /// Status conditions. Known condition types are `Ready` and `Issuing`.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub conditions: Option<Vec<Condition>>,
    /// Number of consecutive failed issuance attempts so far.
    ///
    /// Set to 1 on a failure if unset, and removed on a successful issuance.
    /// Drives the retry back-off: after a failure the next attempt waits
    /// `1h * 2^(failedIssuanceAttempts - 1)`.
    #[serde(
        rename = "failedIssuanceAttempts",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub failed_issuance_attempts: Option<i64>,
    /// Time of the most recent failed issuance.
    ///
    /// Present only while the latest issuance has failed (the same back-off
    /// formula as `failedIssuanceAttempts` applies); unset once an issuance
    /// succeeds.
    #[serde(
        rename = "lastFailureTime",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub last_failure_time: Option<String>,
    /// Name of the Secret holding the private key for the next certificate
    /// iteration. Note that this Secret contains key material.
    ///
    /// Set by the keymanager controller while the `Issuing` condition is
    /// `True`, and cleared when that condition is absent or `False`.
    #[serde(
        rename = "nextPrivateKeySecretName",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub next_private_key_secret_name: Option<String>,
    /// Expiry (`notAfter`) of the certificate stored in `spec.secretName`.
    #[serde(rename = "notAfter", skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub not_after: Option<String>,
    /// Start of validity (`notBefore`) of the certificate stored in
    /// `spec.secretName`.
    #[serde(rename = "notBefore", skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub not_before: Option<String>,
    /// Time at which the next renewal is scheduled; unset when no renewal is
    /// scheduled.
    #[serde(
        rename = "renewalTime",
        skip_serializing_if = "Option::is_none",
        default
    )]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub renewal_time: Option<String>,
    /// Revision of the certificate as last issued.
    ///
    /// A new CertificateRequest is created with the
    /// `cert-manager.io/certificate-revision` annotation set to this value
    /// plus one; on issuance this field is updated to the annotation value of
    /// the request that produced the certificate. Comparing a request's
    /// annotation against this field tells the certificates controller
    /// whether the request belongs to the current issuance or to an older one.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    #[cfg_attr(feature = "builder", builder(default, setter(strip_option)))]
    pub revision: Option<i64>,
}
877}