mz_cloud_resources/crd/generated/cert_manager/certificates.rs
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10#![allow(rustdoc::all)]
11
12// WARNING: generated by kopium - manual changes will be overwritten
13// kopium command: kopium certificates.cert-manager.io --docs --smart-derive-elision --derive Default --derive PartialEq --derive JsonSchema
14// kopium version: 0.21.1
15
/// Re-exports of the external types the generated definitions below rely on:
/// the `kube`/`serde`/`schemars` derive macros, the Kubernetes `Condition`
/// type used by `CertificateStatus::conditions`, and `BTreeMap` used for the
/// label/annotation maps in `CertificateSecretTemplate`.
#[allow(unused_imports)]
mod prelude {
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
    pub use kube::CustomResource;
    pub use schemars::JsonSchema;
    pub use serde::{Deserialize, Serialize};
    pub use std::collections::BTreeMap;
}
24use self::prelude::*;
25
// NOTE(review): this is a plain serde data model. The cross-field rules quoted
// in the field docs (`commonName` vs `literalSubject`, `renewBefore` vs
// `renewBeforePercentage`, the (0,100) range, ...) are not checked anywhere in
// this type; presumably the cert-manager webhook rejects invalid combinations
// server-side — confirm before relying on it.
/// Specification of the desired state of the Certificate resource.
/// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
///
/// On deserialization only `issuerRef` and `secretName` are required; every
/// other field is `Option` with `serde(default)` and is omitted from the
/// serialized form when `None`.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
#[kube(
    group = "cert-manager.io",
    version = "v1",
    kind = "Certificate",
    plural = "certificates"
)]
#[kube(namespaced)]
#[kube(status = "CertificateStatus")]
#[kube(schema = "disabled")]
#[kube(derive = "Default")]
#[kube(derive = "PartialEq")]
pub struct CertificateSpec {
    /// Defines extra output formats of the private key and signed certificate chain
    /// to be written to this Certificate's target Secret.
    ///
    /// This is a Beta Feature enabled by default. It can be disabled with the
    /// `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
    /// the controller and webhook components.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "additionalOutputFormats"
    )]
    pub additional_output_formats: Option<Vec<CertificateAdditionalOutputFormats>>,
    /// Requested common name X509 certificate subject attribute.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    /// NOTE: TLS clients will ignore this value when any subject alternative name is
    /// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
    ///
    /// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "commonName"
    )]
    pub common_name: Option<String>,
    /// Requested DNS subject alternative names.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsNames")]
    pub dns_names: Option<Vec<String>>,
    /// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
    /// issuer may choose to ignore the requested duration, just like any other
    /// requested attribute.
    ///
    /// If unset, this defaults to 90 days.
    /// Minimum accepted duration is 1 hour.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    // Kept as an opaque Go duration string; it is not parsed on the Rust side.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub duration: Option<String>,
    /// Requested email subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    pub email_addresses: Option<Vec<String>>,
    /// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
    ///
    /// This option defaults to true, and should only be disabled if the target
    /// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "encodeUsagesInRequest"
    )]
    pub encode_usages_in_request: Option<bool>,
    /// Requested IP address subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "ipAddresses"
    )]
    pub ip_addresses: Option<Vec<String>>,
    /// Requested basic constraints isCA value.
    /// The isCA value is used to set the `isCA` field on the created CertificateRequest
    /// resources. Note that the issuer may choose to ignore the requested isCA value, just
    /// like any other requested attribute.
    ///
    /// If true, this will automatically add the `cert sign` usage to the list
    /// of requested `usages`.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "isCA")]
    pub is_ca: Option<bool>,
    /// Reference to the issuer responsible for issuing the certificate.
    /// If the issuer is namespace-scoped, it must be in the same namespace
    /// as the Certificate. If the issuer is cluster-scoped, it can be used
    /// from any namespace.
    ///
    /// The `name` field of the reference must always be specified.
    // Required: no `serde(default)`, so a spec without `issuerRef` fails to deserialize.
    #[serde(rename = "issuerRef")]
    pub issuer_ref: CertificateIssuerRef,
    /// Additional keystore output formats to be stored in the Certificate's Secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub keystores: Option<CertificateKeystores>,
    /// Requested X.509 certificate subject, represented using the LDAP "String
    /// Representation of a Distinguished Name" [1].
    /// Important: the LDAP string format also specifies the order of the attributes
    /// in the subject, this is important when issuing certs for LDAP authentication.
    /// Example: `CN=foo,DC=corp,DC=example,DC=com`
    /// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
    /// More info: https://github.com/cert-manager/cert-manager/issues/3203
    /// More info: https://github.com/cert-manager/cert-manager/issues/4424
    ///
    /// Cannot be set if the `subject` or `commonName` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "literalSubject"
    )]
    pub literal_subject: Option<String>,
    /// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
    /// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
    ///
    /// This is an Alpha Feature and is only enabled with the
    /// `--feature-gates=NameConstraints=true` option set on both
    /// the controller and webhook components.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nameConstraints"
    )]
    pub name_constraints: Option<CertificateNameConstraints>,
    /// `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
    /// Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
    /// Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
    /// You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "otherNames"
    )]
    pub other_names: Option<Vec<CertificateOtherNames>>,
    /// Private key options. These include the key algorithm and size, the used
    /// encoding and the rotation policy.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "privateKey"
    )]
    pub private_key: Option<CertificatePrivateKey>,
    /// How long before the currently issued certificate's expiry cert-manager should
    /// renew the certificate. For example, if a certificate is valid for 60 minutes,
    /// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
    /// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
    /// the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// If unset, this defaults to 1/3 of the issued certificate's lifetime.
    /// Minimum accepted value is 5 minutes.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    /// Cannot be set if the `renewBeforePercentage` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBefore"
    )]
    pub renew_before: Option<String>,
    /// `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
    /// rather than an absolute duration. For example, if a certificate is valid for 60
    /// minutes, and `renewBeforePercentage=25`, cert-manager will begin to attempt to
    /// renew the certificate 45 minutes after it was issued (i.e. when there are 15
    /// minutes (25%) remaining until the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// Value must be an integer in the range (0,100). The minimum effective
    /// `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
    /// minutes.
    /// Cannot be set if the `renewBefore` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBeforePercentage"
    )]
    pub renew_before_percentage: Option<i32>,
    /// The maximum number of CertificateRequest revisions that are maintained in
    /// the Certificate's history. Each revision represents a single `CertificateRequest`
    /// created by this Certificate, either when it was created, renewed, or Spec
    /// was changed. Revisions will be removed by oldest first if the number of
    /// revisions exceeds this number.
    ///
    /// If set, revisionHistoryLimit must be a value of `1` or greater.
    /// If unset (`nil`), revisions will not be garbage collected.
    /// Default value is `nil`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "revisionHistoryLimit"
    )]
    pub revision_history_limit: Option<i32>,
    /// Name of the Secret resource that will be automatically created and
    /// managed by this Certificate resource. It will be populated with a
    /// private key and certificate, signed by the denoted issuer. The Secret
    /// resource lives in the same namespace as the Certificate resource.
    // Required: no `serde(default)`. Because this Secret holds the private key,
    // read access to it is effectively key access; namespace RBAC on the Secret
    // is the boundary that matters.
    #[serde(rename = "secretName")]
    pub secret_name: String,
    /// Defines annotations and labels to be copied to the Certificate's Secret.
    /// Labels and annotations on the Secret will be changed as they appear on the
    /// SecretTemplate when added or removed. SecretTemplate annotations are added
    /// in conjunction with, and cannot overwrite, the base set of annotations
    /// cert-manager sets on the Certificate's Secret.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "secretTemplate"
    )]
    pub secret_template: Option<CertificateSecretTemplate>,
    /// Requested set of X509 certificate subject attributes.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    ///
    /// The common name attribute is specified separately in the `commonName` field.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub subject: Option<CertificateSubject>,
    /// Requested URI subject alternative names.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub uris: Option<Vec<String>>,
    /// Requested key usages and extended key usages.
    /// These usages are used to set the `usages` field on the created CertificateRequest
    /// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
    /// will additionally be encoded in the `request` field which contains the CSR blob.
    ///
    /// If unset, defaults to `digital signature` and `key encipherment`.
    // Free-form strings here; the accepted usage names are not modelled as an enum.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub usages: Option<Vec<String>>,
}
259
/// CertificateAdditionalOutputFormat defines an additional output format of a
/// Certificate resource. These contain supplementary data formats of the signed
/// certificate chain and paired private key.
///
/// One entry of `CertificateSpec::additional_output_formats`; the single
/// `type` field is required on deserialization.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub struct CertificateAdditionalOutputFormats {
    /// Type is the name of the format type that should be written to the
    /// Certificate's target Secret.
    // `type` is a Rust keyword, hence the raw identifier; the wire name stays `type`.
    #[serde(rename = "type")]
    pub r#type: CertificateAdditionalOutputFormatsType,
}
270
/// Name of an additional output format written to the Certificate's target
/// Secret, used by the `type` field of `CertificateAdditionalOutputFormats`.
/// Each format is a supplementary encoding of the signed certificate chain and
/// its paired private key. Serialized as `DER` and `CombinedPEM` respectively.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificateAdditionalOutputFormatsType {
    #[serde(rename = "DER")]
    Der,
    #[serde(rename = "CombinedPEM")]
    CombinedPem,
}
281
/// Reference to the issuer responsible for issuing the certificate.
/// If the issuer is namespace-scoped, it must be in the same namespace
/// as the Certificate. If the issuer is cluster-scoped, it can be used
/// from any namespace.
///
/// The `name` field of the reference must always be specified.
///
/// `name` is the only field serde requires; `group` and `kind` are optional
/// and omitted from the serialized form when `None`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateIssuerRef {
    /// Group of the resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub group: Option<String>,
    /// Kind of the resource being referred to.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub kind: Option<String>,
    /// Name of the resource being referred to.
    pub name: String,
}
299
/// Additional keystore output formats to be stored in the Certificate's Secret.
///
/// Both members are optional; an absent keystore section simply means no
/// keystore of that kind is requested.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystores {
    /// JKS configures options for storing a JKS keystore in the
    /// `spec.secretName` Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub jks: Option<CertificateKeystoresJks>,
    /// PKCS12 configures options for storing a PKCS12 keystore in the
    /// `spec.secretName` Secret resource.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub pkcs12: Option<CertificateKeystoresPkcs12>,
}
312
/// JKS configures options for storing a JKS keystore in the
/// `spec.secretName` Secret resource.
///
/// Both `create` and `passwordSecretRef` are required on deserialization
/// (neither carries `serde(default)`), even when `create` is `false`.
// NOTE(review): the keystore lands in the same Secret that already holds the
// plain private key (see `CertificateSpec::secret_name`), so the keystore
// password is a format/compatibility concern rather than a confidentiality
// boundary — the PKCS12 docs below say as much; confirm the same holds for JKS.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresJks {
    /// Alias specifies the alias of the key in the keystore, required by the JKS format.
    /// If not provided, the default alias `certificate` will be used.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub alias: Option<String>,
    /// Create enables JKS keystore creation for the Certificate.
    /// If true, a file named `keystore.jks` will be created in the target
    /// Secret resource, encrypted using the password stored in
    /// `passwordSecretRef`.
    /// The keystore file will be updated immediately.
    /// If the issuer provided a CA certificate, a file named `truststore.jks`
    /// will also be created in the target Secret resource, encrypted using the
    /// password stored in `passwordSecretRef`
    /// containing the issuing Certificate Authority
    pub create: bool,
    /// PasswordSecretRef is a reference to a key in a Secret resource
    /// containing the password used to encrypt the JKS keystore.
    #[serde(rename = "passwordSecretRef")]
    pub password_secret_ref: CertificateKeystoresJksPasswordSecretRef,
}
336
/// PasswordSecretRef is a reference to a key in a Secret resource
/// containing the password used to encrypt the JKS keystore.
///
/// `name` is required; `key` is optional and omitted when `None`. Which
/// default key applies when it is absent is not specified by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresJksPasswordSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
350
/// PKCS12 configures options for storing a PKCS12 keystore in the
/// `spec.secretName` Secret resource.
///
/// Both `create` and `passwordSecretRef` are required on deserialization
/// (neither carries `serde(default)`), even when `create` is `false`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresPkcs12 {
    /// Create enables PKCS12 keystore creation for the Certificate.
    /// If true, a file named `keystore.p12` will be created in the target
    /// Secret resource, encrypted using the password stored in
    /// `passwordSecretRef`.
    /// The keystore file will be updated immediately.
    /// If the issuer provided a CA certificate, a file named `truststore.p12` will
    /// also be created in the target Secret resource, encrypted using the
    /// password stored in `passwordSecretRef` containing the issuing Certificate
    /// Authority
    pub create: bool,
    /// PasswordSecretRef is a reference to a key in a Secret resource
    /// containing the password used to encrypt the PKCS12 keystore.
    #[serde(rename = "passwordSecretRef")]
    pub password_secret_ref: CertificateKeystoresPkcs12PasswordSecretRef,
    /// Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
    /// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
    ///
    /// If provided, allowed values are:
    /// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
    /// `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
    /// `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
    /// (eg. because of company policy). Please note that the security of the algorithm is not that important
    /// in reality, because the unencrypted certificate and private key are also stored in the Secret.
    // Leaving this `None` selects the deprecated `LegacyRC2` default described
    // above; set it explicitly when a consumer (OpenSSL 3, Java 20+) or a policy
    // requirement rules that profile out.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub profile: Option<CertificateKeystoresPkcs12Profile>,
}
381
/// PasswordSecretRef is a reference to a key in a Secret resource
/// containing the password used to encrypt the PKCS12 keystore.
///
/// `name` is required; `key` is optional and omitted when `None`. Which
/// default key applies when it is absent is not specified by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresPkcs12PasswordSecretRef {
    /// The key of the entry in the Secret resource's `data` field to be used.
    /// Some instances of this field may be defaulted, in others it may be
    /// required.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the resource being referred to.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
395
/// Encryption and HMAC profile for a generated PKCS12 keystore, used by the
/// `profile` field of `CertificateKeystoresPkcs12`; see that field's docs for
/// what each value implies. `LegacyRC2` and `LegacyDES` are renamed on the
/// wire, `Modern2023` serializes verbatim.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificateKeystoresPkcs12Profile {
    #[serde(rename = "LegacyRC2")]
    LegacyRc2,
    #[serde(rename = "LegacyDES")]
    LegacyDes,
    Modern2023,
}
406
/// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
/// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
///
/// This is an Alpha Feature and is only enabled with the
/// `--feature-gates=NameConstraints=true` option set on both
/// the controller and webhook components.
///
/// All three fields are optional. The CA-only requirement stated above is not
/// checked by this type (it carries no reference to `CertificateSpec::is_ca`).
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraints {
    /// if true then the name constraints are marked critical.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub critical: Option<bool>,
    /// Excluded contains the constraints which must be disallowed. Any name matching a
    /// restriction in the excluded field is invalid regardless
    /// of information appearing in the permitted
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub excluded: Option<CertificateNameConstraintsExcluded>,
    /// Permitted contains the constraints in which the names must be located.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub permitted: Option<CertificateNameConstraintsPermitted>,
}
427
/// Excluded contains the constraints which must be disallowed. Any name matching a
/// restriction in the excluded field is invalid regardless
/// of information appearing in the permitted
///
/// The per-field docs below are shared with the permitted subtree; within this
/// struct every list is an exclusion. The shape is identical to
/// `CertificateNameConstraintsPermitted`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraintsExcluded {
    /// DNSDomains is a list of DNS domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "dnsDomains"
    )]
    pub dns_domains: Option<Vec<String>>,
    /// EmailAddresses is a list of Email Addresses that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    pub email_addresses: Option<Vec<String>>,
    /// IPRanges is a list of IP Ranges that are permitted or excluded.
    /// This should be a valid CIDR notation.
    // Stored as plain strings; CIDR syntax is not validated here.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipRanges")]
    pub ip_ranges: Option<Vec<String>>,
    /// URIDomains is a list of URI domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "uriDomains"
    )]
    pub uri_domains: Option<Vec<String>>,
}
459
/// Permitted contains the constraints in which the names must be located.
///
/// The per-field docs below are shared with the excluded subtree; within this
/// struct every list is a permission. The shape is identical to
/// `CertificateNameConstraintsExcluded`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraintsPermitted {
    /// DNSDomains is a list of DNS domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "dnsDomains"
    )]
    pub dns_domains: Option<Vec<String>>,
    /// EmailAddresses is a list of Email Addresses that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    pub email_addresses: Option<Vec<String>>,
    /// IPRanges is a list of IP Ranges that are permitted or excluded.
    /// This should be a valid CIDR notation.
    // Stored as plain strings; CIDR syntax is not validated here.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "ipRanges")]
    pub ip_ranges: Option<Vec<String>>,
    /// URIDomains is a list of URI domains that are permitted or excluded.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "uriDomains"
    )]
    pub uri_domains: Option<Vec<String>>,
}
489
/// A single `otherName` subject alternative name entry: an OID plus its UTF-8
/// string value. One element of `CertificateSpec::other_names`.
///
/// Both fields are optional at the type level, and (as the spec docs note)
/// the OID is not validated against the UTF8String type anywhere.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateOtherNames {
    /// OID is the object identifier for the otherName SAN.
    /// The object identifier must be expressed as a dotted string, for
    /// example, "1.2.840.113556.1.4.221".
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub oid: Option<String>,
    /// utf8Value is the string value of the otherName SAN.
    /// The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "utf8Value")]
    pub utf8_value: Option<String>,
}
502
/// Private key options. These include the key algorithm and size, the used
/// encoding and the rotation policy.
///
/// Every field is optional; the effective defaults (algorithm-dependent size,
/// `PKCS1` encoding, `Never` rotation) are described on each field and are
/// applied by the issuer, not by this type.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificatePrivateKey {
    /// Algorithm is the private key algorithm of the corresponding private key
    /// for this certificate.
    ///
    /// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
    /// If `algorithm` is specified and `size` is not provided,
    /// key size of 2048 will be used for `RSA` key algorithm and
    /// key size of 256 will be used for `ECDSA` key algorithm.
    /// key size is ignored when using the `Ed25519` key algorithm.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<CertificatePrivateKeyAlgorithm>,
    /// The private key cryptography standards (PKCS) encoding for this
    /// certificate's private key to be encoded in.
    ///
    /// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
    /// and PKCS#8, respectively.
    /// Defaults to `PKCS1` if not specified.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub encoding: Option<CertificatePrivateKeyEncoding>,
    /// RotationPolicy controls how private keys should be regenerated when a
    /// re-issuance is being processed.
    ///
    /// If set to `Never`, a private key will only be generated if one does not
    /// already exist in the target `spec.secretName`. If one does exist but it
    /// does not have the correct algorithm or size, a warning will be raised
    /// to await user intervention.
    /// If set to `Always`, a private key matching the specified requirements
    /// will be generated whenever a re-issuance occurs.
    /// Default is `Never` for backward compatibility.
    // With the `Never` default the same private key is kept across renewals and
    // re-issuances; set `Always` where a fresh key per issuance is wanted.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "rotationPolicy"
    )]
    pub rotation_policy: Option<CertificatePrivateKeyRotationPolicy>,
    /// Size is the key bit size of the corresponding private key for this certificate.
    ///
    /// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
    /// and will default to `2048` if not specified.
    /// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
    /// and will default to `256` if not specified.
    /// If `algorithm` is set to `Ed25519`, Size is ignored.
    /// No other values are allowed.
    // Not restricted to the listed values by this type; any `i64` deserializes.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
}
552
/// Private key algorithm accepted by `CertificatePrivateKey::algorithm`.
/// Serialized as `RSA`, `ECDSA` and `Ed25519` respectively; only the first two
/// carry a `serde(rename)`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyAlgorithm {
    #[serde(rename = "RSA")]
    Rsa,
    #[serde(rename = "ECDSA")]
    Ecdsa,
    Ed25519,
}
563
/// Private key encoding accepted by `CertificatePrivateKey::encoding`,
/// serialized as `PKCS1` or `PKCS8`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyEncoding {
    #[serde(rename = "PKCS1")]
    Pkcs1,
    #[serde(rename = "PKCS8")]
    Pkcs8,
}
573
/// Private key rotation policy accepted by `CertificatePrivateKey::rotation_policy`.
/// Variants serialize verbatim as `Never` and `Always`; see that field's docs
/// for the behaviour of each.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyRotationPolicy {
    Never,
    Always,
}
581
/// Defines annotations and labels to be copied to the Certificate's Secret.
/// Labels and annotations on the Secret will be changed as they appear on the
/// SecretTemplate when added or removed. SecretTemplate annotations are added
/// in conjunction with, and cannot overwrite, the base set of annotations
/// cert-manager sets on the Certificate's Secret.
///
/// Both maps are `BTreeMap`s, so they serialize with keys in sorted order.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateSecretTemplate {
    /// Annotations is a key value map to be copied to the target Kubernetes Secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Labels is a key value map to be copied to the target Kubernetes Secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub labels: Option<BTreeMap<String, String>>,
}
596
/// Requested set of X509 certificate subject attributes.
/// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
///
/// The common name attribute is specified separately in the `commonName` field.
/// Cannot be set if the `literalSubject` field is set.
///
/// Every attribute is optional; all but `serialNumber` are lists, since X.509
/// allows an attribute to appear more than once in the subject.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateSubject {
    /// Countries to be used on the Certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub countries: Option<Vec<String>>,
    /// Cities to be used on the Certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub localities: Option<Vec<String>>,
    /// Organizational Units to be used on the Certificate.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "organizationalUnits"
    )]
    pub organizational_units: Option<Vec<String>>,
    /// Organizations to be used on the Certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub organizations: Option<Vec<String>>,
    /// Postal codes to be used on the Certificate.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "postalCodes"
    )]
    pub postal_codes: Option<Vec<String>>,
    /// State/Provinces to be used on the Certificate.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub provinces: Option<Vec<String>>,
    /// Serial number to be used on the Certificate.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "serialNumber"
    )]
    pub serial_number: Option<String>,
    /// Street addresses to be used on the Certificate.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "streetAddresses"
    )]
    pub street_addresses: Option<Vec<String>>,
}
645
/// Status of the Certificate.
/// This is set and managed automatically.
/// Read-only.
/// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
///
/// Every field is optional and omitted when `None`. The timestamps
/// (`lastFailureTime`, `notAfter`, `notBefore`, `renewalTime`) are carried as
/// opaque `String`s and are not parsed on the Rust side.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateStatus {
    /// List of status conditions to indicate the status of certificates.
    /// Known condition types are `Ready` and `Issuing`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub conditions: Option<Vec<Condition>>,
    /// The number of continuous failed issuance attempts up till now. This
    /// field gets removed (if set) on a successful issuance and gets set to
    /// 1 if unset and an issuance has failed. If an issuance has failed, the
    /// delay till the next issuance will be calculated using formula
    /// time.Hour * 2 ^ (failedIssuanceAttempts - 1).
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "failedIssuanceAttempts"
    )]
    pub failed_issuance_attempts: Option<i64>,
    /// LastFailureTime is set only if the latest issuance for this
    /// Certificate failed and contains the time of the failure. If an
    /// issuance has failed, the delay till the next issuance will be
    /// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
    /// 1). If the latest issuance has succeeded this field will be unset.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "lastFailureTime"
    )]
    pub last_failure_time: Option<String>,
    /// The name of the Secret resource containing the private key to be used
    /// for the next certificate iteration.
    /// The keymanager controller will automatically set this field if the
    /// `Issuing` condition is set to `True`.
    /// It will automatically unset this field when the Issuing condition is
    /// not set or False.
    // Names a second Secret holding key material during issuance; it deserves
    // the same access scoping as `CertificateSpec::secret_name`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nextPrivateKeySecretName"
    )]
    pub next_private_key_secret_name: Option<String>,
    /// The expiration time of the certificate stored in the secret named
    /// by this resource in `spec.secretName`.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "notAfter")]
    pub not_after: Option<String>,
    /// The time after which the certificate stored in the secret named
    /// by this resource in `spec.secretName` is valid.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "notBefore")]
    pub not_before: Option<String>,
    /// RenewalTime is the time at which the certificate will be next
    /// renewed.
    /// If not set, no upcoming renewal is scheduled.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewalTime"
    )]
    pub renewal_time: Option<String>,
    /// The current 'revision' of the certificate as issued.
    ///
    /// When a CertificateRequest resource is created, it will have the
    /// `cert-manager.io/certificate-revision` set to one greater than the
    /// current value of this field.
    ///
    /// Upon issuance, this field will be set to the value of the annotation
    /// on the CertificateRequest resource used to issue the certificate.
    ///
    /// Persisting the value on the CertificateRequest resource allows the
    /// certificates controller to know whether a request is part of an old
    /// issuance or if it is part of the ongoing revision's issuance by
    /// checking if the revision value in the annotation is greater than this
    /// field.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub revision: Option<i64>,
}
723}