@grucloud/module-k8s-cert-manager
Version:
Grucloud module for the k8s cert-manager
676 lines (675 loc) • 622 kB
JavaScript
// Generated by k8s-manifest2code from cert-manager.yaml
const assert = require("assert");
exports.createResources = ({ provider }) => {
const certManagerNamespace = provider.makeNamespace({
properties: () => ({
apiVersion: "v1",
metadata: {
name: "cert-manager",
},
}),
});
const clusterissuersCertManagerIoCustomResourceDefinition = provider.makeCustomResourceDefinition(
{
properties: () => ({
apiVersion: "apiextensions.k8s.io/v1",
metadata: {
name: "clusterissuers.cert-manager.io",
labels: {
app: "cert-manager",
"app.kubernetes.io/name": "cert-manager",
"app.kubernetes.io/instance": "cert-manager",
"app.kubernetes.io/version": "v1.10.1",
},
},
spec: {
group: "cert-manager.io",
names: {
kind: "ClusterIssuer",
listKind: "ClusterIssuerList",
plural: "clusterissuers",
singular: "clusterissuer",
categories: ["cert-manager"],
},
scope: "Cluster",
versions: [
{
name: "v1",
subresources: {
status: {},
},
additionalPrinterColumns: [
{
jsonPath: '.status.conditions[?(@.type=="Ready")].status',
name: "Ready",
type: "string",
},
{
jsonPath: '.status.conditions[?(@.type=="Ready")].message',
name: "Status",
priority: 1,
type: "string",
},
{
jsonPath: ".metadata.creationTimestamp",
description:
"CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.",
name: "Age",
type: "date",
},
],
schema: {
openAPIV3Schema: {
description:
"A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent.",
type: "object",
required: ["spec"],
properties: {
apiVersion: {
description:
"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
type: "string",
},
kind: {
description:
"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
type: "string",
},
metadata: {
type: "object",
},
spec: {
description:
"Desired state of the ClusterIssuer resource.",
type: "object",
properties: {
acme: {
description:
"ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates.",
type: "object",
required: ["privateKeySecretRef", "server"],
properties: {
disableAccountKeyGeneration: {
description:
"Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false.",
type: "boolean",
},
email: {
description:
"Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered.",
type: "string",
},
enableDurationFeature: {
description:
"Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false.",
type: "boolean",
},
externalAccountBinding: {
description:
"ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account.",
type: "object",
required: ["keyID", "keySecretRef"],
properties: {
keyAlgorithm: {
description:
"Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.",
type: "string",
enum: ["HS256", "HS384", "HS512"],
},
keyID: {
description:
"keyID is the ID of the CA key that the External Account is bound to.",
type: "string",
},
keySecretRef: {
description:
"keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
},
},
preferredChain: {
description:
"PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let's Encrypt's DST crosssign you would use: \"DST Root CA X3\" or \"ISRG Root X1\" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer's CN",
type: "string",
maxLength: 64,
},
privateKeySecretRef: {
description:
"PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
server: {
description:
"Server is the URL used to access the ACME server's 'directory' endpoint. For example, for Let's Encrypt's staging endpoint, you would use: \"https://acme-staging-v02.api.letsencrypt.org/directory\". Only ACME v2 endpoints (i.e. RFC 8555) are supported.",
type: "string",
},
skipTLSVerify: {
description:
"Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false.",
type: "boolean",
},
solvers: {
description:
"Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/",
type: "array",
items: {
description:
"An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided.",
type: "object",
properties: {
dns01: {
description:
"Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.",
type: "object",
properties: {
acmeDNS: {
description:
"Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.",
type: "object",
required: ["accountSecretRef", "host"],
properties: {
accountSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
host: {
type: "string",
},
},
},
akamai: {
description:
"Use the Akamai DNS zone management API to manage DNS01 challenge records.",
type: "object",
required: [
"accessTokenSecretRef",
"clientSecretSecretRef",
"clientTokenSecretRef",
"serviceConsumerDomain",
],
properties: {
accessTokenSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
clientSecretSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
clientTokenSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
serviceConsumerDomain: {
type: "string",
},
},
},
azureDNS: {
description:
"Use the Microsoft Azure DNS API to manage DNS01 challenge records.",
type: "object",
required: [
"resourceGroupName",
"subscriptionID",
],
properties: {
clientID: {
description:
"if both this and ClientSecret are left unset MSI will be used",
type: "string",
},
clientSecretSecretRef: {
description:
"if both this and ClientID are left unset MSI will be used",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
environment: {
description:
"name of the Azure environment (default AzurePublicCloud)",
type: "string",
enum: [
"AzurePublicCloud",
"AzureChinaCloud",
"AzureGermanCloud",
"AzureUSGovernmentCloud",
],
},
hostedZoneName: {
description:
"name of the DNS zone that should be used",
type: "string",
},
managedIdentity: {
description:
"managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID",
type: "object",
properties: {
clientID: {
description:
"client ID of the managed identity, can not be used at the same time as resourceID",
type: "string",
},
resourceID: {
description:
"resource ID of the managed identity, can not be used at the same time as clientID",
type: "string",
},
},
},
resourceGroupName: {
description:
"resource group the DNS zone is located in",
type: "string",
},
subscriptionID: {
description:
"ID of the Azure subscription",
type: "string",
},
tenantID: {
description:
"when specifying ClientID and ClientSecret then this field is also needed",
type: "string",
},
},
},
cloudDNS: {
description:
"Use the Google Cloud DNS API to manage DNS01 challenge records.",
type: "object",
required: ["project"],
properties: {
hostedZoneName: {
description:
"HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.",
type: "string",
},
project: {
type: "string",
},
serviceAccountSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
},
},
cloudflare: {
description:
"Use the Cloudflare API to manage DNS01 challenge records.",
type: "object",
properties: {
apiKeySecretRef: {
description:
"API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
apiTokenSecretRef: {
description:
"API token used to authenticate with Cloudflare.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
email: {
description:
"Email of the account, only required when using API key based authentication.",
type: "string",
},
},
},
cnameStrategy: {
description:
"CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.",
type: "string",
enum: ["None", "Follow"],
},
digitalocean: {
description:
"Use the DigitalOcean DNS API to manage DNS01 challenge records.",
type: "object",
required: ["tokenSecretRef"],
properties: {
tokenSecretRef: {
description:
"A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
},
},
rfc2136: {
description:
'Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.',
type: "object",
required: ["nameserver"],
properties: {
nameserver: {
description:
"The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required.",
type: "string",
},
tsigAlgorithm: {
description:
"The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.",
type: "string",
},
tsigKeyName: {
description:
"The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.",
type: "string",
},
tsigSecretSecretRef: {
description:
"The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
},
},
route53: {
description:
"Use the AWS Route53 API to manage DNS01 challenge records.",
type: "object",
required: ["region"],
properties: {
accessKeyID: {
description:
"The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials",
type: "string",
},
accessKeyIDSecretRef: {
description:
"The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
hostedZoneID: {
description:
"If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.",
type: "string",
},
region: {
description:
"Always set the region when using AccessKeyID and SecretAccessKey",
type: "string",
},
role: {
description:
"Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata",
type: "string",
},
secretAccessKeySecretRef: {
description:
"The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials",
type: "object",
required: ["name"],
properties: {
key: {
description:
"The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.",
type: "string",
},
name: {
description:
"Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
type: "string",
},
},
},
},
},
webhook: {
description:
"Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.",
type: "object",
required: ["groupName", "solverName"],
properties: {
config: {
description:
"Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.",
"x-kubernetes-preserve-unknown-fields": true,
},
groupName: {
description:
"The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.",
type: "string",
},
solverName: {
description:
"The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'.",
type: "string",
},
},
},
},
},
http01: {
description:
"Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism.",
type: "object",
properties: {
gatewayHTTPRoute: {
description:
"The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.",
type: "object",
properties: {
labels: {
description:
"Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.",
type: "object",
additionalProperties: {
type: "string",
},
},
parentRefs: {
description:
"When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways",
type: "array",
items: {
description:
'ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with "Core" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid.',
type: "object",
required: ["name"],
properties: {
group: {
description:
"Group is the group of the referent. \n Support: Core",
type: "string",
default:
"gateway.networking.k8s.io",
maxLength: 253,
pattern:
"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
},
kind: {
description:
"Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Custom (Other Resources)",
type: "string",
default: "Gateway",
maxLength: 63,
minLength: 1,
pattern:
"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$",
},
name: {
description:
"Name is the name of the referent. \n Support: Core",
type: "string",
maxLength: 253,
minLength: 1,
},
namespace: {
description:
"Namespace is the namespace of the referent. When unspecified (or empty string), this refers to the local namespace of the Route. \n Support: Core",
type: "