diff --git a/charts/internal/shoot-cert-management-shoot/templates/crds-v1.yaml b/charts/internal/shoot-cert-management-shoot/templates/crds-v1.yaml index b8c5ff6c..b1f8c522 100644 --- a/charts/internal/shoot-cert-management-shoot/templates/crds-v1.yaml +++ b/charts/internal/shoot-cert-management-shoot/templates/crds-v1.yaml @@ -4,6 +4,9 @@ metadata: name: certificates.cert.gardener.cloud labels: shoot.gardener.cloud/no-cleanup: "true" + app.kubernetes.io/name: gardener-extension-shoot-cert-service + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} spec: group: cert.gardener.cloud names: 
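Review bot: the new `app.kubernetes.io/instance` and `app.kubernetes.io/managed-by` labels interpolate `{{ .Release.Name }}` and `{{ .Release.Service }}` unquoted, so a release name that YAML parses as a non-string (for example a purely numeric name) renders as an integer and the apiserver rejects the CRD because label values must be strings. The existing `shoot.gardener.cloud/no-cleanup: "true"` line in the same block already quotes its value; do the same here with `app.kubernetes.io/instance: {{ .Release.Name | quote }}` and `app.kubernetes.io/managed-by: {{ .Release.Service | quote }}`.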
@@ -48,14 +51,19 @@ spec: description: Certificate is the certificate CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -77,6 +85,15 @@ spec: items: type: string type: array + duration: + description: |- + Requested 'duration' (i.e. lifetime) of the Certificate. Note that the + ACME issuer may choose to ignore the requested duration, just like any other + requested attribute. + If unset, this defaults to 90 days (2160h). + Must be greater than twice of the renewal window + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. + type: string ensureRenewedAfter: description: EnsureRenewedAfter specifies a time stamp in the past. Renewing is only triggered if certificate notBefore date is before @@ -88,6 +105,12 @@ spec: is used if CNAME record for DNS01 challange domain `_acme-challenge.` is set. type: boolean + isCA: + description: |- + IsCA value is used to set the `isCA` field on the certificate request. + Note that the issuer may choose to ignore the requested isCA value, just + like any other requested attribute. + type: boolean issuerRef: description: IssuerRef is the reference of the issuer to use. properties: 
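Review bot: the new `duration` field documents two constraints that the schema does not enforce: it is a bare `type: string`, so neither "Value must be in units accepted by Go time.ParseDuration" nor "Must be greater than twice of the renewal window" is checked at admission. The format can be validated in the CRD with a `pattern:` on the string (e.g. `^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`), which rejects malformed values before the controller ever sees them; the renewal-window relation can only be checked by the controller, so the description should say what happens when it is violated (rejected, or clamped). Also fix the grammar to "Must be greater than twice the renewal window". For `isCA` in the second hunk, the description says the issuer "may choose to ignore the requested isCA value" but not which issuer types honour it; since an honoured request yields a certificate that can itself sign, state explicitly which issuers (ACME, CA, self-signed) can set it so operators know what a Certificate creator is allowed to obtain.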
@@ -112,16 +135,16 @@ spec: in the `spec.secretName`/`spec.secretRef` Secret resource. properties: create: - description: Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. + description: |- + Create enables JKS keystore creation for the Certificate. + If true, a file named `keystore.jks` will be created in the target + Secret resource, encrypted using the password stored in `passwordSecretRef`. + The keystore file will only be updated upon re-issuance. type: boolean passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. + description: |- + PasswordSecretRef is a reference to a key in a Secret resource + containing the password used to encrypt the JKS keystore. properties: key: description: Key of the entry in the Secret resource's 
@@ -143,16 +166,16 @@ spec: in the `spec.secretName`/`spec.secretRef` Secret resource. properties: create: - description: Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. + description: |- + Create enables PKCS12 keystore creation for the Certificate. + If true, a file named `keystore.p12` will be created in the target + Secret resource, encrypted using the password stored in `passwordSecretRef`. + The keystore file will only be updated upon re-issuance. type: boolean passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. + description: |- + PasswordSecretRef is a reference to a key in a Secret resource + containing the password used to encrypt the PKCS12 keystore. properties: key: description: Key of the entry in the Secret resource's 
@@ -172,32 +195,35 @@ spec: type: object preferredChain: description: 'PreferredChain allows to specify the preferred certificate - chain: if the CA offers multiple certificate chains, prefer the - chain with an issuer matching this Subject Common Name. If no match, - the default offered chain will be used.' + chain: if the CA offers multiple certificate chains, prefer the + chain with an issuer matching this Subject Common Name. If no match, + the default offered chain will be used.' type: string privateKey: description: Private key options. These include the key algorithm and size. properties: algorithm: - description: "Algorithm is the private key algorithm of the corresponding - private key for this certificate. \n If provided, allowed values - are either `RSA` or `ECDSA`. If `algorithm` is specified and - `size` is not provided, key size of 2048 will be used for `RSA` - key algorithm and key size of 256 will be used for `ECDSA` key - algorithm." + description: |- + Algorithm is the private key algorithm of the corresponding private key + for this certificate. + + If provided, allowed values are either `RSA` or `ECDSA`. + If `algorithm` is specified and `size` is not provided, + deployment specific default values will be used. enum: - RSA - ECDSA type: string size: - description: "Size is the key bit size of the corresponding private - key for this certificate. \n If `algorithm` is set to `RSA`, - valid values are `2048`, `3072` or `4096`, and will default - to `2048` if not specified. If `algorithm` is set to `ECDSA`, - valid values are `256` or `384`, and will default to `256` if - not specified. No other values are allowed." + description: |- + Size is the key bit size of the corresponding private key for this certificate. + + If `algorithm` is set to `RSA`, valid values are `2048`, `3072` or `4096`, + and will default to a deployment specific value if not specified. 
+ If `algorithm` is set to `ECDSA`, valid values are `256` or `384`, + and will default to a deployment specific value if not specified. + No other values are allowed. enum: - 256 - 384 
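Review bot: the `algorithm` and `size` descriptions drop the concrete fallbacks (2048 for `RSA`, 256 for `ECDSA`) in favour of "deployment specific default values" without saying where that default is configured, so a reader of the CRD can no longer tell what key they get when `size` is omitted. Name the configuration option that sets the default in the description, or keep the previous values in the text as the fallback used when the deployment does not override them.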
@@ -262,46 +288,39 @@ spec: description: CommonName is the current CN. type: string conditions: - description: List of status conditions to indicate the status of certificates. + description: |- + List of status conditions to indicate the status of certificates. Known condition types are `Ready`. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -316,10 +335,6 @@ spec: type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -343,8 +358,9 @@ spec: description: IssuerRef is the used issuer. properties: cluster: - description: Cluster is the cluster name of the issuer ('default' - or 'target'). optional because of backwards compatibility + description: |- + Cluster is the cluster name of the issuer ('default' or 'target'). + optional because of backwards compatibility type: string name: description: Name is the name of the issuer. @@ -389,6 +405,9 @@ metadata: name: certificaterevocations.cert.gardener.cloud labels: shoot.gardener.cloud/no-cleanup: "true" + app.kubernetes.io/name: gardener-extension-shoot-cert-service + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} spec: group: cert.gardener.cloud names: @@ -414,7 +433,8 @@ spec: name: REVOKED_AT priority: 500 type: date - - description: if true certificate objects should be renewed before revoking old certificates certificate(s) + - description: if true certificate objects should be renewed before revoking old + certificates certificate(s) jsonPath: .spec.renew name: RENEW type: boolean 
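Review bot: the reflowed printer-column description still reads "renewed before revoking old certificates certificate(s)", which duplicates the noun; since the line is being touched anyway, change it to "if true, certificate objects are renewed before the old certificate(s) are revoked". Separately, the `app.kubernetes.io/*` label block is added to `certificates.cert.gardener.cloud` and `certificaterevocations.cert.gardener.cloud`, but no hunk in this diff adds it to the `issuers.cert.gardener.cloud` CRD in the same file; either add it there too or note why the issuers CRD is left out, otherwise label selectors on `app.kubernetes.io/name` will miss one of the three CRDs.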
@@ -432,18 +452,29 @@ spec: description: CertificateRevocation is the certificate revocation custom resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: CertificateRevocationSpec is the spec of the certificate revocation. + description: CertificateRevocationSpec is the spec of the certificate + revocation. properties: certificateRef: - description: CertificateRef is the references to the certificate to be revoked + description: CertificateRef is the references to the certificate to + be revoked properties: name: description: Name is the name of the certificate in the same namespace. 
@@ -456,32 +487,41 @@ spec: - namespace type: object qualifyingDate: - description: QualifyingDate specifies that any certificate with the same DNS names like the given 'certificateRef' should be revoked if it is valid before this date. If not specified, it will be filled with the current time. + description: |- + QualifyingDate specifies that any certificate with the same DNS names like the given 'certificateRef' should be revoked + if it is valid before this date. If not specified, it will be filled with the current time. format: date-time type: string renew: - description: Renew specifies if certificate objects should be renewed before revoking old certificates + description: Renew specifies if certificate objects should be renewed + before revoking old certificates type: boolean type: object status: - description: CertificateRevocationStatus is the status of the certificate request. + description: CertificateRevocationStatus is the status of the certificate + request. properties: message: description: Message is the status or error message. type: string objects: - description: ObjectStatuses contains the statuses of the involved certificate objects + description: ObjectStatuses contains the statuses of the involved + certificate objects properties: failed: - description: Failed is the list of certificate objects whose processing failed + description: Failed is the list of certificate objects whose processing + failed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -489,15 +529,19 @@ spec: type: object type: array processing: - description: Processing is the list of certificate objects to be processed + description: Processing is the list of certificate objects to + be processed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name @@ -505,15 +549,19 @@ spec: type: object type: array renewed: - description: Renewed is the list of certificate objects successfully renewed + description: Renewed is the list of certificate objects successfully + renewed items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -521,15 +569,19 @@ spec: type: object type: array revoked: - description: Revoked is the list of certificate objects successfully revoked (without renewal) + description: Revoked is the list of certificate objects successfully + revoked (without renewal) items: - description: CertificateRef is the reference of the issuer by name. + description: CertificateRef is the reference of the issuer by + name. properties: name: - description: Name is the name of the certificate in the same namespace. + description: Name is the name of the certificate in the + same namespace. type: string namespace: - description: Namespace is the namespace of the certificate CR. + description: Namespace is the namespace of the certificate + CR. type: string required: - name 
@@ -538,26 +590,33 @@ spec: type: array type: object observedGeneration: - description: ObservedGeneration is the observed generation of the spec. + description: ObservedGeneration is the observed generation of the + spec. format: int64 type: integer revocationApplied: - description: RevocationApplied is the timestamp when the revocation was completed + description: RevocationApplied is the timestamp when the revocation + was completed format: date-time type: string secrets: - description: SecretStatuses contains the statuses of the involved certificate secrets + description: SecretStatuses contains the statuses of the involved + certificate secrets properties: failed: - description: Failed is the list of certificate secrets whose revocation failed + description: Failed is the list of certificate secrets whose revocation + failed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate 
@@ -565,17 +624,22 @@ spec: required: - serialNumber type: object + x-kubernetes-map-type: atomic type: array processing: - description: Processing is the list of certificate secrets to be processed + description: Processing is the list of certificate secrets to + be processed items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate @@ -583,17 +647,22 @@ spec: required: - serialNumber type: object + x-kubernetes-map-type: atomic type: array revoked: - description: Revoked is the list of certificate secrets successfully revoked + description: Revoked is the list of certificate secrets successfully + revoked items: - description: CertificateSecretRef is a reference to a secret together with the serial number + description: CertificateSecretRef is a reference to a secret + together with the serial number properties: name: - description: Name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: Namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which the + secret name must be unique. type: string serialNumber: description: SerialNumber is the serial number of the certificate 
@@ -601,6 +670,7 @@ spec: required: - serialNumber type: object + x-kubernetes-map-type: atomic type: array type: object state: @@ -668,14 +738,19 @@ spec: description: Issuer is the issuer CR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -718,28 +793,30 @@ spec: Account is bound to. type: string keySecretRef: - description: keySecretRef is the secret ref to the Secret - which holds the symmetric MAC key of the External Account - Binding with data key 'hmacKey'. The secret key stored in - the Secret **must** be un-padded, base64 URL encoded data. + description: |- + keySecretRef is the secret ref to the + Secret which holds the symmetric MAC key of the External Account Binding with data key 'hmacKey'. + The secret key stored in the Secret **must** be un-padded, base64 URL + encoded data. properties: name: - description: Name is unique within a namespace to reference + description: name is unique within a namespace to reference a secret resource. type: string namespace: - description: Namespace defines the space within which + description: namespace defines the space within which the secret name must be unique. type: string type: object + x-kubernetes-map-type: atomic required: - keyID - keySecretRef type: object precheckNameservers: - description: PrecheckNameservers overwrites the default precheck - nameservers used for checking DNS propagation. Format `host` - or `host:port`, e.g. "8.8.8.8" same as "8.8.8.8:53" or "google-public-dns-a.google.com:53". + description: |- + PrecheckNameservers overwrites the default precheck nameservers used for checking DNS propagation. + Format `host` or `host:port`, e.g. "8.8.8.8" same as "8.8.8.8:53" or "google-public-dns-a.google.com:53". items: type: string type: array 
@@ -748,21 +825,23 @@ spec: private key. properties: name: - description: Name is unique within a namespace to reference + description: name is unique within a namespace to reference a secret resource. type: string namespace: - description: Namespace defines the space within which the + description: namespace defines the space within which the secret name must be unique. type: string type: object + x-kubernetes-map-type: atomic server: description: Server is the URL of the ACME server. type: string skipDNSChallengeValidation: - description: SkipDNSChallengeValidation marks that this issuer - does not validate DNS challenges. In this case no DNS entries/records - are created for a DNS Challenge and DNS propagation is not checked. + description: |- + SkipDNSChallengeValidation marks that this issuer does not validate DNS challenges. + In this case no DNS entries/records are created for a DNS Challenge and DNS propagation + is not checked. type: boolean required: - email @@ -775,19 +854,23 @@ spec: description: PrivateKeySecretRef is the secret ref to the CA secret. properties: name: - description: Name is unique within a namespace to reference + description: name is unique within a namespace to reference a secret resource. type: string namespace: - description: Namespace defines the space within which the + description: namespace defines the space within which the secret name must be unique. type: string type: object + x-kubernetes-map-type: atomic type: object requestsPerDayQuota: description: RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer type: integer + selfSigned: + description: SelfSigned is the self signed specific spec. + type: object type: object status: description: IssuerStatus is the status of the issuer. 
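Review bot: `selfSigned` is added as `type: object` with no `properties`, so under structural-schema pruning anything a user writes beneath it is silently dropped; if the field is meant purely as a marker selecting the self-signed issuer type (`selfSigned: {}`), say so in the description ("set to an empty object to select self-signed issuing") so users are not surprised when nested settings vanish. The hunk should also state how `selfSigned` interacts with the sibling `acme` and `ca` specs (mutually exclusive, or a precedence order), since the schema does not express `oneOf` and the status `type` description only lists the three names.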
@@ -816,8 +899,8 @@ spec: description: State is either empty, 'Pending', 'Error', or 'Ready'. type: string type: - description: Type is the issuer type. Currently only 'acme' and 'ca' - are supported. + description: Type is the issuer type. Currently only 'acme', 'ca' + and 'selfSigned' are supported. type: string required: - state