
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10#![allow(rustdoc::all)]
11
12// WARNING: generated by kopium - manual changes will be overwritten
13// kopium command: kopium certificates.cert-manager.io --docs --smart-derive-elision --derive Default --derive PartialEq --derive JsonSchema
14// kopium version: 0.21.1
15
#[allow(unused_imports)]
mod prelude {
    //! Names shared by the kopium-generated CRD modules in this crate.
    //!
    //! `Condition` is the upstream `meta/v1` condition type used by the status
    //! block, and `BTreeMap` backs the string-keyed label/annotation maps. The
    //! `allow(unused_imports)` on the module presumably exists because the
    //! generator emits the same prelude for every CRD, whether or not each of
    //! these names is used — TODO confirm against other generated files.
    pub use k8s_openapi::apimachinery::pkg::apis::meta::v1::Condition;
    pub use kube::CustomResource;
    pub use schemars::JsonSchema;
    pub use serde::Deserialize;
    pub use serde::Serialize;
    pub use std::collections::BTreeMap;
}
24use self::prelude::*;
25
/// Specification of the desired state of the Certificate resource.
/// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
///
/// Review notes on this generated type (kopium output, see the file header):
///
/// * Several field pairs are documented below as mutually exclusive
///   (`commonName`/`literalSubject`, `subject`/`literalSubject`,
///   `renewBefore`/`renewBeforePercentage`). Nothing in this struct enforces
///   that — any combination can be constructed and serialized. Presumably the
///   cert-manager webhook rejects such objects on apply; confirm before relying
///   on it.
/// * `secretName` names the Secret that receives the issued private key (see
///   the field doc). Who can read that Secret is governed by Kubernetes RBAC,
///   not by anything in this type.
/// * `privateKey.rotationPolicy` defaults to `Never` (see
///   `CertificatePrivateKey`), so renewals reuse the existing key unless
///   `Always` is requested explicitly.
#[derive(CustomResource, Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
#[kube(
    group = "cert-manager.io",
    version = "v1",
    kind = "Certificate",
    plural = "certificates"
)]
#[kube(namespaced)]
#[kube(status = "CertificateStatus")]
#[kube(schema = "disabled")]
#[kube(derive = "Default")]
#[kube(derive = "PartialEq")]
pub struct CertificateSpec {
    /// Defines extra output formats of the private key and signed certificate chain
    /// to be written to this Certificate's target Secret.
    ///
    /// This is a Beta Feature enabled by default. It can be disabled with the
    /// `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
    /// the controller and webhook components.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "additionalOutputFormats"
    )]
    pub additional_output_formats: Option<Vec<CertificateAdditionalOutputFormats>>,
    /// Requested common name X509 certificate subject attribute.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    /// NOTE: TLS clients will ignore this value when any subject alternative name is
    /// set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
    ///
    /// Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "commonName"
    )]
    pub common_name: Option<String>,
    /// Requested DNS subject alternative names.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "dnsNames")]
    pub dns_names: Option<Vec<String>>,
    /// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
    /// issuer may choose to ignore the requested duration, just like any other
    /// requested attribute.
    ///
    /// If unset, this defaults to 90 days.
    /// Minimum accepted duration is 1 hour.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub duration: Option<String>,
    /// Requested email subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "emailAddresses"
    )]
    pub email_addresses: Option<Vec<String>>,
    /// Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
    ///
    /// This option defaults to true, and should only be disabled if the target
    /// issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "encodeUsagesInRequest"
    )]
    pub encode_usages_in_request: Option<bool>,
    /// Requested IP address subject alternative names.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "ipAddresses"
    )]
    pub ip_addresses: Option<Vec<String>>,
    /// Requested basic constraints isCA value.
    /// The isCA value is used to set the `isCA` field on the created CertificateRequest
    /// resources. Note that the issuer may choose to ignore the requested isCA value, just
    /// like any other requested attribute.
    ///
    /// If true, this will automatically add the `cert sign` usage to the list
    /// of requested `usages`.
    ///
    /// Review note: `nameConstraints` below is documented as valid only on a
    /// CA certificate, so it only makes sense together with `isCA: true`.
    #[serde(default, skip_serializing_if = "Option::is_none", rename = "isCA")]
    pub is_ca: Option<bool>,
    /// Reference to the issuer responsible for issuing the certificate.
    /// If the issuer is namespace-scoped, it must be in the same namespace
    /// as the Certificate. If the issuer is cluster-scoped, it can be used
    /// from any namespace.
    ///
    /// The `name` field of the reference must always be specified.
    #[serde(rename = "issuerRef")]
    pub issuer_ref: CertificateIssuerRef,
    /// Additional keystore output formats to be stored in the Certificate's Secret.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub keystores: Option<CertificateKeystores>,
    /// Requested X.509 certificate subject, represented using the LDAP "String
    /// Representation of a Distinguished Name" [1].
    /// Important: the LDAP string format also specifies the order of the attributes
    /// in the subject, this is important when issuing certs for LDAP authentication.
    /// Example: `CN=foo,DC=corp,DC=example,DC=com`
    /// More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
    /// More info: https://github.com/cert-manager/cert-manager/issues/3203
    /// More info: https://github.com/cert-manager/cert-manager/issues/4424
    ///
    /// Cannot be set if the `subject` or `commonName` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "literalSubject"
    )]
    pub literal_subject: Option<String>,
    /// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
    /// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
    ///
    /// This is an Alpha Feature and is only enabled with the
    /// `--feature-gates=NameConstraints=true` option set on both
    /// the controller and webhook components.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "nameConstraints"
    )]
    pub name_constraints: Option<CertificateNameConstraints>,
    /// `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
    /// Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
    /// Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
    /// You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "otherNames"
    )]
    pub other_names: Option<Vec<CertificateOtherNames>>,
    /// Private key options. These include the key algorithm and size, the used
    /// encoding and the rotation policy.
    ///
    /// Review note: when this is unset, cert-manager's documented defaults
    /// apply (see `CertificatePrivateKey`), including `rotationPolicy: Never`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "privateKey"
    )]
    pub private_key: Option<CertificatePrivateKey>,
    /// How long before the currently issued certificate's expiry cert-manager should
    /// renew the certificate. For example, if a certificate is valid for 60 minutes,
    /// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
    /// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
    /// the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// If unset, this defaults to 1/3 of the issued certificate's lifetime.
    /// Minimum accepted value is 5 minutes.
    /// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
    /// Cannot be set if the `renewBeforePercentage` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBefore"
    )]
    pub renew_before: Option<String>,
    /// `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
    /// rather than an absolute duration. For example, if a certificate is valid for 60
    /// minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
    /// renew the certificate 45 minutes after it was issued (i.e. when there are 15
    /// minutes (25%) remaining until the certificate is no longer valid).
    ///
    /// NOTE: The actual lifetime of the issued certificate is used to determine the
    /// renewal time. If an issuer returns a certificate with a different lifetime than
    /// the one requested, cert-manager will use the lifetime of the issued certificate.
    ///
    /// Value must be an integer in the range (0,100). The minimum effective
    /// `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
    /// minutes.
    /// Cannot be set if the `renewBefore` field is set.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "renewBeforePercentage"
    )]
    pub renew_before_percentage: Option<i32>,
    /// The maximum number of CertificateRequest revisions that are maintained in
    /// the Certificate's history. Each revision represents a single `CertificateRequest`
    /// created by this Certificate, either when it was created, renewed, or Spec
    /// was changed. Revisions will be removed by oldest first if the number of
    /// revisions exceeds this number.
    ///
    /// If set, revisionHistoryLimit must be a value of `1` or greater.
    /// If unset (`nil`), revisions will not be garbage collected.
    /// Default value is `nil`.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "revisionHistoryLimit"
    )]
    pub revision_history_limit: Option<i32>,
    /// Name of the Secret resource that will be automatically created and
    /// managed by this Certificate resource. It will be populated with a
    /// private key and certificate, signed by the denoted issuer. The Secret
    /// resource lives in the same namespace as the Certificate resource.
    #[serde(rename = "secretName")]
    pub secret_name: String,
    /// Defines annotations and labels to be copied to the Certificate's Secret.
    /// Labels and annotations on the Secret will be changed as they appear on the
    /// SecretTemplate when added or removed. SecretTemplate annotations are added
    /// in conjunction with, and cannot overwrite, the base set of annotations
    /// cert-manager sets on the Certificate's Secret.
    #[serde(
        default,
        skip_serializing_if = "Option::is_none",
        rename = "secretTemplate"
    )]
    pub secret_template: Option<CertificateSecretTemplate>,
    /// Requested set of X509 certificate subject attributes.
    /// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
    ///
    /// The common name attribute is specified separately in the `commonName` field.
    /// Cannot be set if the `literalSubject` field is set.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub subject: Option<CertificateSubject>,
    /// Requested URI subject alternative names.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub uris: Option<Vec<String>>,
    /// Requested key usages and extended key usages.
    /// These usages are used to set the `usages` field on the created CertificateRequest
    /// resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
    /// will additionally be encoded in the `request` field which contains the CSR blob.
    ///
    /// If unset, defaults to `digital signature` and `key encipherment`.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub usages: Option<Vec<String>>,
}
259
/// One extra output format of a Certificate resource: a supplementary
/// encoding of the signed certificate chain and its paired private key,
/// written to the Certificate's target Secret alongside the default entries.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub struct CertificateAdditionalOutputFormats {
    /// Name of the format type to write to the Certificate's target Secret.
    /// Serialized under the JSON key `type`; the raw identifier `r#type` is
    /// required because `type` is a Rust keyword.
    #[serde(rename = "type")]
    pub r#type: CertificateAdditionalOutputFormatsType,
}
270
/// Format type accepted in `CertificateAdditionalOutputFormats.type`.
///
/// The generator copied the parent struct's description onto this enum; the
/// variants are the actual contract. Their wire spellings are fixed by the
/// CRD (`DER`, `CombinedPEM`) and are preserved with `serde(rename)`, so the
/// Rust variant names are never what is serialized.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificateAdditionalOutputFormatsType {
    /// Serialized as `DER`.
    #[serde(rename = "DER")]
    Der,
    /// Serialized as `CombinedPEM`: a single PEM output (per the parent doc,
    /// these formats cover the chain and the paired private key).
    #[serde(rename = "CombinedPEM")]
    CombinedPem,
}
281
/// Reference to the issuer that signs this Certificate.
///
/// A namespace-scoped issuer must live in the Certificate's own namespace; a
/// cluster-scoped issuer may be referenced from any namespace. `name` is
/// mandatory; `group` and `kind` are optional and are omitted from the
/// serialized object when unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateIssuerRef {
    /// API group of the referenced resource.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<String>,
    /// Kind of the referenced resource.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kind: Option<String>,
    /// Name of the referenced resource; always required.
    pub name: String,
}
299
/// Extra keystore formats to be written into the Certificate's Secret, in
/// addition to the default PEM entries. Each format is independently optional
/// and omitted from the serialized object when unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystores {
    /// Options for a JKS keystore stored in the `spec.secretName` Secret.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub jks: Option<CertificateKeystoresJks>,
    /// Options for a PKCS12 keystore stored in the `spec.secretName` Secret.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pkcs12: Option<CertificateKeystoresPkcs12>,
}
312
/// Options for storing a JKS keystore in the `spec.secretName` Secret.
///
/// Both `create` and `passwordSecretRef` are required on the wire; only
/// `alias` is optional.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresJks {
    /// Alias of the key inside the keystore (the JKS format requires one).
    /// Defaults to `certificate` when not provided.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub alias: Option<String>,
    /// Enables JKS keystore creation for this Certificate.
    ///
    /// When true, a `keystore.jks` entry is created in the target Secret,
    /// encrypted with the password from `passwordSecretRef`, and updated
    /// immediately. If the issuer supplied a CA certificate, a `truststore.jks`
    /// entry containing the issuing Certificate Authority is created as well,
    /// encrypted with the same password.
    pub create: bool,
    /// Reference to the Secret key holding the password that encrypts the JKS
    /// keystore.
    #[serde(rename = "passwordSecretRef")]
    pub password_secret_ref: CertificateKeystoresJksPasswordSecretRef,
}
336
/// Reference to a key in a Secret resource holding the password used to
/// encrypt the JKS keystore.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresJksPasswordSecretRef {
    /// Key within the Secret's `data` field to read. Depending on where the
    /// reference is used it may be defaulted or it may be required.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the referenced Secret.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
350
/// Options for storing a PKCS12 keystore in the `spec.secretName` Secret.
///
/// `create` and `passwordSecretRef` are required on the wire; `profile` is
/// optional and, per the CRD documentation, falls back to `LegacyRC2`.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresPkcs12 {
    /// Enables PKCS12 keystore creation for this Certificate.
    ///
    /// When true, a `keystore.p12` entry is created in the target Secret,
    /// encrypted with the password from `passwordSecretRef`, and updated
    /// immediately. If the issuer supplied a CA certificate, a `truststore.p12`
    /// entry containing the issuing Certificate Authority is created as well,
    /// encrypted with the same password.
    pub create: bool,
    /// Reference to the Secret key holding the password that encrypts the
    /// PKCS12 keystore.
    #[serde(rename = "passwordSecretRef")]
    pub password_secret_ref: CertificateKeystoresPkcs12PasswordSecretRef,
    /// Key/certificate encryption algorithms and HMAC algorithm used to build
    /// the PKCS12 keystore. Defaults to `LegacyRC2` for backward compatibility.
    ///
    /// Allowed values when provided:
    /// * `LegacyRC2` — deprecated; not supported by default in OpenSSL 3 or
    ///   Java 20.
    /// * `LegacyDES` — weaker algorithm, offered for maximal compatibility.
    /// * `Modern2023` — secure algorithms; pick this when policy requires it.
    ///
    /// The upstream docs point out that the keystore encryption strength
    /// matters little in practice, because the same Secret also holds the
    /// unencrypted certificate and private key — access to the Secret, not the
    /// keystore password, is the real boundary.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub profile: Option<CertificateKeystoresPkcs12Profile>,
}
381
/// Reference to a key in a Secret resource holding the password used to
/// encrypt the PKCS12 keystore.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateKeystoresPkcs12PasswordSecretRef {
    /// Key within the Secret's `data` field to read. Depending on where the
    /// reference is used it may be defaulted or it may be required.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key: Option<String>,
    /// Name of the referenced Secret.
    /// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    pub name: String,
}
395
/// Encryption/HMAC profile for a generated PKCS12 keystore; the value of
/// `CertificateKeystoresPkcs12.profile`.
///
/// The generator copied the parent struct's description onto this enum; the
/// meaning of each value is documented on that field. Wire spellings are
/// fixed by the CRD and pinned with `serde(rename)`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificateKeystoresPkcs12Profile {
    /// Serialized as `LegacyRC2`. Deprecated upstream; the documented default
    /// when `profile` is omitted.
    #[serde(rename = "LegacyRC2")]
    LegacyRc2,
    /// Serialized as `LegacyDES`. Weaker algorithm kept for compatibility.
    #[serde(rename = "LegacyDES")]
    LegacyDes,
    /// Serialized as `Modern2023`. The profile using secure algorithms.
    #[serde(rename = "Modern2023")]
    Modern2023,
}
406
/// The X.509 NameConstraints extension (RFC 5280 §4.2.1.10), which MUST NOT
/// be used in a non-CA certificate.
/// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
///
/// Alpha feature: only honoured when `--feature-gates=NameConstraints=true`
/// is set on both the controller and webhook components. Nothing in this type
/// checks that the owning Certificate is a CA; that is presumably enforced by
/// cert-manager — confirm before relying on it.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraints {
    /// When true, the extension is marked critical.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub critical: Option<bool>,
    /// Constraints that must be disallowed. A name matching any excluded
    /// restriction is invalid regardless of what `permitted` says.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub excluded: Option<CertificateNameConstraintsExcluded>,
    /// Constraints within which names must be located.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub permitted: Option<CertificateNameConstraintsPermitted>,
}
427
/// The `excluded` subtrees of a NameConstraints extension: names matching any
/// entry here are invalid regardless of the `permitted` list. Every list is
/// optional and omitted from the serialized object when unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraintsExcluded {
    /// DNS domains that are excluded.
    #[serde(rename = "dnsDomains")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dns_domains: Option<Vec<String>>,
    /// Email addresses that are excluded.
    #[serde(rename = "emailAddresses")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub email_addresses: Option<Vec<String>>,
    /// IP ranges that are excluded, in CIDR notation.
    #[serde(rename = "ipRanges")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ip_ranges: Option<Vec<String>>,
    /// URI domains that are excluded.
    #[serde(rename = "uriDomains")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub uri_domains: Option<Vec<String>>,
}
459
/// The `permitted` subtrees of a NameConstraints extension: names must fall
/// within these. Every list is optional and omitted from the serialized
/// object when unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateNameConstraintsPermitted {
    /// DNS domains that are permitted.
    #[serde(rename = "dnsDomains")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub dns_domains: Option<Vec<String>>,
    /// Email addresses that are permitted.
    #[serde(rename = "emailAddresses")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub email_addresses: Option<Vec<String>>,
    /// IP ranges that are permitted, in CIDR notation.
    #[serde(rename = "ipRanges")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub ip_ranges: Option<Vec<String>>,
    /// URI domains that are permitted.
    #[serde(rename = "uriDomains")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub uri_domains: Option<Vec<String>>,
}
489
/// One `otherName` subject alternative name, the escape-hatch SAN type
/// described on `CertificateSpec.otherNames`. Only UTF8String-valued
/// otherNames are supported: `oid` identifies the name type and `utf8Value`
/// carries the value. The parent doc notes that the OID is not validated
/// against the UTF8String type, so the author of the Certificate is
/// responsible for supplying one that is valid for it.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateOtherNames {
    /// Object identifier of the otherName SAN, as a dotted string such as
    /// "1.2.840.113556.1.4.221".
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub oid: Option<String>,
    /// String value of the otherName SAN; any valid UTF8 string is accepted.
    #[serde(rename = "utf8Value")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub utf8_value: Option<String>,
}
502
/// Private key options: algorithm, size, PKCS encoding and rotation policy.
///
/// Every field is optional; unset fields are omitted from the serialized
/// object and cert-manager applies the defaults documented on each field.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificatePrivateKey {
    /// Key algorithm: `RSA`, `ECDSA` or `Ed25519`.
    ///
    /// When `algorithm` is given without `size`, RSA keys use size 2048 and
    /// ECDSA keys use size 256; `size` is ignored for `Ed25519`.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<CertificatePrivateKeyAlgorithm>,
    /// PKCS encoding of the private key: `PKCS1` or `PKCS8` (PKCS#1 / PKCS#8).
    /// Defaults to `PKCS1` when unset.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub encoding: Option<CertificatePrivateKeyEncoding>,
    /// How the private key is handled when a re-issuance is processed.
    ///
    /// `Never` (the default, kept for backward compatibility) generates a key
    /// only if the target `spec.secretName` Secret has none; an existing key
    /// with the wrong algorithm or size is reported as a warning and left for
    /// the user to resolve. `Always` generates a fresh key matching the
    /// requested parameters on every re-issuance. Because `Never` is what an
    /// omitted field means, a Certificate that never sets this reuses the same
    /// private key across every renewal.
    #[serde(rename = "rotationPolicy")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub rotation_policy: Option<CertificatePrivateKeyRotationPolicy>,
    /// Key size in bits.
    ///
    /// RSA: `2048`, `4096` or `8192`, defaulting to `2048`. ECDSA: `256`,
    /// `384` or `521`, defaulting to `256`. Ignored for `Ed25519`. No other
    /// values are accepted.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
}
552
/// Private key algorithm; the value of `CertificatePrivateKey.algorithm`.
///
/// The generator copied the parent struct's description onto this enum; the
/// size defaults that go with each algorithm are documented on that field.
/// Wire spellings are fixed by the CRD and pinned with `serde(rename)`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyAlgorithm {
    /// Serialized as `RSA`.
    #[serde(rename = "RSA")]
    Rsa,
    /// Serialized as `ECDSA`.
    #[serde(rename = "ECDSA")]
    Ecdsa,
    /// Serialized as `Ed25519`; the key size field is ignored for it.
    #[serde(rename = "Ed25519")]
    Ed25519,
}
563
/// PKCS encoding of the private key; the value of
/// `CertificatePrivateKey.encoding`.
///
/// The generator copied the parent struct's description onto this enum. Wire
/// spellings are fixed by the CRD and pinned with `serde(rename)`.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyEncoding {
    /// Serialized as `PKCS1` (PKCS#1); the documented default when unset.
    #[serde(rename = "PKCS1")]
    Pkcs1,
    /// Serialized as `PKCS8` (PKCS#8).
    #[serde(rename = "PKCS8")]
    Pkcs8,
}
573
/// Private key rotation policy; the value of
/// `CertificatePrivateKey.rotationPolicy`.
///
/// The generator copied the parent struct's description onto this enum; the
/// semantics of each value are documented on that field. The variant names
/// are the wire spellings; the renames below only make that explicit.
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
pub enum CertificatePrivateKeyRotationPolicy {
    /// Serialized as `Never`: keep an existing key across re-issuance. This is
    /// the documented default when the field is omitted.
    #[serde(rename = "Never")]
    Never,
    /// Serialized as `Always`: generate a fresh key on every re-issuance.
    #[serde(rename = "Always")]
    Always,
}
581
/// Annotations and labels to copy onto the Certificate's Secret.
///
/// Entries track the template: they are added to or removed from the Secret
/// as they appear in or disappear from this template. Template annotations
/// are merged with, and cannot overwrite, the base set of annotations
/// cert-manager itself puts on the Secret.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateSecretTemplate {
    /// Key/value annotations copied to the target Kubernetes Secret.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub annotations: Option<BTreeMap<String, String>>,
    /// Key/value labels copied to the target Kubernetes Secret.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<BTreeMap<String, String>>,
}
596
/// Requested X.509 subject attributes (RFC 5280 §4.1.2.6).
/// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
///
/// The common name is not part of this struct; it is given separately in
/// `CertificateSpec.commonName`. This struct cannot be combined with
/// `literalSubject`, though nothing in the Rust type enforces that. Every
/// attribute is optional and omitted from the serialized object when unset.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
pub struct CertificateSubject {
    /// Country (C) attribute values.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countries: Option<Vec<String>>,
    /// Locality / city attribute values.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub localities: Option<Vec<String>>,
    /// Organizational unit attribute values.
    #[serde(rename = "organizationalUnits")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub organizational_units: Option<Vec<String>>,
    /// Organization attribute values.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub organizations: Option<Vec<String>>,
    /// Postal code attribute values.
    #[serde(rename = "postalCodes")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub postal_codes: Option<Vec<String>>,
    /// State / province attribute values.
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provinces: Option<Vec<String>>,
    /// Serial number attribute value.
    #[serde(rename = "serialNumber")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    /// Street address attribute values.
    #[serde(rename = "streetAddresses")]
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub street_addresses: Option<Vec<String>>,
}
645
/// Status of the Certificate.
/// This is set and managed automatically.
/// Read-only.
/// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
///
/// Every field is optional and is omitted from the serialized form when unset.
/// JSON keys are the camelCase form of the Rust field names (e.g.
/// `failedIssuanceAttempts`), so no field carries an individual rename.
/// All timestamps are carried as plain strings; this type does not validate
/// their format.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, JsonSchema)]
#[serde(rename_all = "camelCase")]
pub struct CertificateStatus {
    /// List of status conditions to indicate the status of certificates.
    /// Known condition types are `Ready` and `Issuing`.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub conditions: Option<Vec<Condition>>,
    /// The number of continuous failed issuance attempts up till now. This
    /// field gets removed (if set) on a successful issuance and gets set to
    /// 1 if unset and an issuance has failed. If an issuance has failed, the
    /// delay till the next issuance will be calculated using formula
    /// time.Hour * 2 ^ (failedIssuanceAttempts - 1).
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub failed_issuance_attempts: Option<i64>,
    /// LastFailureTime is set only if the latest issuance for this
    /// Certificate failed and contains the time of the failure. If an
    /// issuance has failed, the delay till the next issuance will be
    /// calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
    /// 1). If the latest issuance has succeeded this field will be unset.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub last_failure_time: Option<String>,
    /// The name of the Secret resource containing the private key to be used
    /// for the next certificate iteration.
    /// The keymanager controller will automatically set this field if the
    /// `Issuing` condition is set to `True`.
    /// It will automatically unset this field when the Issuing condition is
    /// not set or False.
    ///
    /// Only the Secret's name is recorded here; the key material itself
    /// stays in the referenced Secret and never appears in the status.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub next_private_key_secret_name: Option<String>,
    /// The expiration time of the certificate stored in the secret named
    /// by this resource in `spec.secretName`.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub not_after: Option<String>,
    /// The time after which the certificate stored in the secret named
    /// by this resource in `spec.secretName` is valid.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub not_before: Option<String>,
    /// RenewalTime is the time at which the certificate will be next
    /// renewed.
    /// If not set, no upcoming renewal is scheduled.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub renewal_time: Option<String>,
    /// The current 'revision' of the certificate as issued.
    ///
    /// When a CertificateRequest resource is created, it will have the
    /// `cert-manager.io/certificate-revision` set to one greater than the
    /// current value of this field.
    ///
    /// Upon issuance, this field will be set to the value of the annotation
    /// on the CertificateRequest resource used to issue the certificate.
    ///
    /// Persisting the value on the CertificateRequest resource allows the
    /// certificates controller to know whether a request is part of an old
    /// issuance or if it is part of the ongoing revision's issuance by
    /// checking if the revision value in the annotation is greater than this
    /// field.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub revision: Option<i64>,
}