diff --git a/WORKSPACE b/WORKSPACE
index 3a4649b47..2ec845d03 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -326,6 +326,13 @@ npm_install(
 package_lock_json = "//docs/generated/reference/generate/bin:package-lock.json",
 )
 
+# Load the controller-tools repository in order to build the crd generator tool
+go_repository(
+ name = "io_kubernetes_sigs_controller-tools",
+ commit = "538db3af1387ce55d50b93e500a49925a5768c82",
+ importpath = "sigs.k8s.io/controller-tools",
+)
+
 # Load kubernetes-incubator/reference-docs, to be used as part of the docs
 # generation pipeline.
 # This involves quite a few dependencies, hence the long list of go_repository
diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml
index 048c403da..3a0a079cf 100644
--- a/deploy/manifests/00-crds.yaml
+++ b/deploy/manifests/00-crds.yaml
@@ -1,12 +1,13 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
- name: certificates.certmanager.k8s.io
+ creationTimestamp: null
 labels:
- app: cert-manager
+ controller-tools.k8s.io: "1.0"
+ name: certificates.certmanager.k8s.io
 spec:
 additionalPrinterColumns:
- - JSONPath: .status.conditions[?(@.type=="Ready")].status
+ - JSONPath: .status.conditions[?(@.type==\"Ready\")].status
 name: Ready
 type: string
 - JSONPath: .spec.secretName
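Review bot: The new go_repository pins controller-tools to a bare commit hash with no indication of which upstream release it corresponds to, so a reader auditing the checked-in generated manifests cannot tell which controller-gen version produced them without resolving the hash by hand. Pinning to a full commit hash is the right choice for reproducibility; the only thing missing is documentation. I would extend the comment to `# Load the controller-tools repository in order to build the crd generator tool (pinned to <UPSTREAM_TAG_PLACEHOLDER>; bump commit and tag together)`, with the tag filled in from upstream. Recording it alongside the hash also makes later upgrades of the generator reviewable as a version change rather than an opaque hash change.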
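Review bot: The regenerated printer column `JSONPath: .status.conditions[?(@.type==\"Ready\")].status` is a plain (unquoted) YAML scalar, so the backslashes are literal characters in the JSONPath rather than escapes, and the expression no longer matches the hand-written `.status.conditions[?(@.type=="Ready")].status` it replaces; unless kubectl's JSONPath parser happens to strip them, the Ready and Status columns will stop rendering. The same escaping appears in the Status column in the following hunk and in the identical first hunk of deploy/manifests/cert-manager-no-webhook.yaml. Since this file now appears to be generated, the fix presumably belongs in the printcolumn marker on the Go type rather than in the manifest, and a `kubectl get certificates` check of the columns before merge would confirm it. Separately, the `app: cert-manager` label on every CRD is replaced by `controller-tools.k8s.io: "1.0"`, so any uninstall step or test that selects CRDs with `-l app=cert-manager` would silently match nothing; worth grepping the docs and scripts for that selector.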
@@ -14,104 +15,198 @@ spec: type: string - JSONPath: .spec.issuerRef.name name: Issuer - type: string priority: 1 - - JSONPath: .status.conditions[?(@.type=="Ready")].message + type: string + - JSONPath: .status.conditions[?(@.type==\"Ready\")].message name: Status - type: string priority: 1 + type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced names: kind: Certificate plural: certificates shortNames: - cert - certs - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + description: ACME contains configuration specific to ACME Certificates. + Notably, this contains details on how the domain names listed on this + Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 + providers to DNS names. + properties: + config: + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + required: + - config + type: object + commonName: + description: CommonName is a common name to be used on the Certificate + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
+ properties: + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + format: int64 + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + required: + - secretName + - issuerRef + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster - +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: orders.certmanager.k8s.io + creationTimestamp: null labels: - app: cert-manager -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - type: string - priority: 1 - - JSONPath: .status.reason - name: Reason - type: string - priority: 1 - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Order - plural: orders - scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: + controller-tools.k8s.io: "1.0" name: challenges.certmanager.k8s.io - labels: - app: cert-manager spec: additionalPrinterColumns: - JSONPath: .status.state 
@@ -122,19 +217,744 @@ spec: type: string - JSONPath: .status.reason name: Reason + priority: 1 type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 names: kind: Challenge plural: challenges scope: Namespaced - + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this challenge. 
+ type: object + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. 
If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + required: + - processing + - presented + - reason + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: clusterissuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. 
+ properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: issuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: Issuer + plural: issuers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. 
+ format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: orders.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Order + plural: orders + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + config: + description: Config specifies a mapping from DNS identifiers to how + those identifiers should be solved when performing ACME challenges. + A config entry must exist for each domain listed in DNSNames and CommonName. + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. 
+ format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + - config + type: object + status: + properties: + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + challenges: + description: Challenges is a list of ChallengeSpecs for Challenges that + must be created in order to complete this Order. + items: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this + challenge. + type: object + dnsName: + description: DNSName is the identifier that this challenge is + for, e.g. example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the + Issuer does not exist, processing will be retried. 
If the Issuer + is not an 'ACME' Issuer, an error will be returned and the Challenge + will be marked as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource + represents, e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for + this challenge. This can be used to lookup details about the + status of this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a + wildcard identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + type: array + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. 
+ type: string + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- diff --git a/deploy/manifests/cert-manager-no-webhook.yaml b/deploy/manifests/cert-manager-no-webhook.yaml index 7b7071f4f..287e82845 100644 --- a/deploy/manifests/cert-manager-no-webhook.yaml +++ b/deploy/manifests/cert-manager-no-webhook.yaml @@ -1,12 +1,13 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: certificates.certmanager.k8s.io + creationTimestamp: null labels: - app: cert-manager + controller-tools.k8s.io: "1.0" + name: certificates.certmanager.k8s.io spec: additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .status.conditions[?(@.type==\"Ready\")].status name: Ready type: string - JSONPath: .spec.secretName 
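Review bot: The Challenge and Order CRDs in this hunk declare `required: [metadata, spec, status]` at the object root, which makes `status` mandatory on create; a client (or the Order controller creating Challenges) that submits a resource without a status stanza will be rejected by CRD validation, since v1beta1 validation applies to the whole object rather than the spec alone. The Certificate, Issuer and ClusterIssuer schemas in the same file do not require `status`, so this looks like an unintended artifact of the generator's defaults rather than a design choice. The nested lists are worth the same look: Challenge `status` requires `processing`, `presented` and `reason`, and Challenge `spec` requires the boolean `wildcard`; if the corresponding Go fields carry `omitempty` (not visible here), a false value is dropped from the serialized object and fails validation. The manifest fix is to drop `- status` from both root-level `required` lists (and the optional status/boolean entries from the nested ones), but if this file is generated the change belongs on the Go types' optional markers so it survives regeneration.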
@@ -14,104 +15,198 @@ spec: type: string - JSONPath: .spec.issuerRef.name name: Issuer - type: string priority: 1 - - JSONPath: .status.conditions[?(@.type=="Ready")].message + type: string + - JSONPath: .status.conditions[?(@.type==\"Ready\")].message name: Status - type: string priority: 1 + type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced names: kind: Certificate plural: certificates shortNames: - cert - certs - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + description: ACME contains configuration specific to ACME Certificates. + Notably, this contains details on how the domain names listed on this + Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 + providers to DNS names. + properties: + config: + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + required: + - config + type: object + commonName: + description: CommonName is a common name to be used on the Certificate + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
+ properties: + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + format: int64 + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + required: + - secretName + - issuerRef + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster - +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: orders.certmanager.k8s.io + creationTimestamp: null labels: - app: cert-manager -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - type: string - priority: 1 - - JSONPath: .status.reason - name: Reason - type: string - priority: 1 - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Order - plural: orders - scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: + controller-tools.k8s.io: "1.0" name: challenges.certmanager.k8s.io - labels: - app: cert-manager spec: additionalPrinterColumns: - JSONPath: .status.state 
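Review bot: The `keySize` description in the Certificate spec promises a value "between 2048 and 8192 inclusive" for rsa and one of (256, 384, 521) for ecdsa, but the schema carries only `format: int64` / `type: integer`, so no bound is enforced at admission; in a manifest that is explicitly deployed without the validating webhook, this schema is the only admission-time check, and an out-of-range size is accepted and presumably only rejected later by the controller. The schema cannot express the algorithm-dependent set, but a coarse bound is still better than none: add `minimum: 256` and `maximum: 8192` under `keySize` (via the corresponding validation markers on the Go field, so regeneration keeps them). Relatedly, the `acme.config` items validate only `domains`, and since apiextensions v1beta1 does not prune unknown fields, a mistyped solver key in a config entry passes validation silently; documenting that in the field's Go comment, e.g. `# solver fields (http01/dns01) are not validated by this schema — confirm before relying on admission`, would make the gap visible to operators.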
@@ -122,21 +217,746 @@ spec: type: string - JSONPath: .status.reason name: Reason + priority: 1 type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 names: kind: Challenge plural: challenges scope: Namespaced - + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this challenge. 
+ type: object + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. 
If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + required: + - processing + - presented + - reason + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: clusterissuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. 
+ properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: issuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: Issuer + plural: issuers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. 
+ format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: orders.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Order + plural: orders + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + config: + description: Config specifies a mapping from DNS identifiers to how + those identifiers should be solved when performing ACME challenges. + A config entry must exist for each domain listed in DNSNames and CommonName. + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. 
+ format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + - config + type: object + status: + properties: + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + challenges: + description: Challenges is a list of ChallengeSpecs for Challenges that + must be created in order to complete this Order. + items: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this + challenge. + type: object + dnsName: + description: DNSName is the identifier that this challenge is + for, e.g. example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the + Issuer does not exist, processing will be retried. 
If the Issuer + is not an 'ACME' Issuer, an error will be returned and the Challenge + will be marked as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource + represents, e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for + this challenge. This can be used to lookup details about the + status of this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a + wildcard identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + type: array + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. 
+ type: string + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: v1 kind: Namespace diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml index 186fddc06..74cafa525 100644 --- a/deploy/manifests/cert-manager.yaml +++ b/deploy/manifests/cert-manager.yaml @@ -1,12 +1,13 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: certificates.certmanager.k8s.io + creationTimestamp: null labels: - app: cert-manager + controller-tools.k8s.io: "1.0" + name: certificates.certmanager.k8s.io spec: additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status + - JSONPath: .status.conditions[?(@.type==\"Ready\")].status name: Ready type: string - JSONPath: .spec.secretName 
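Review bot: The Challenge and Order schemas in this hunk end with a top-level `required: [metadata, spec, status]` (directly after each `status` property block), while the Certificate, Issuer and ClusterIssuer schemas in the same file do not require `status`. No `subresources:` stanza appears for any of these CRDs, so the whole object is validated on create, and a Challenge or Order submitted without a `status` block — or, for Challenge, without `processing`, `presented` and `reason` inside it — is rejected at admission. That is harmless for the controllers, which presumably serialize the zero-value status, but it breaks any client that creates these objects by hand and is inconsistent across the file; dropping `status` from the two top-level `required` lists (likely by making the Go `Status` field `omitempty` so the generator stops marking it required) would align them. Separately, the ClusterIssuer `privateKeySecretRef` description does not say which namespace the secret is resolved in for a cluster-scoped issuer; the Go comment it is generated from should state it (presumably a controller-configured namespace rather than the namespace of any caller — confirm).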
@@ -14,104 +15,198 @@ spec: type: string - JSONPath: .spec.issuerRef.name name: Issuer - type: string priority: 1 - - JSONPath: .status.conditions[?(@.type=="Ready")].message + type: string + - JSONPath: .status.conditions[?(@.type==\"Ready\")].message name: Status - type: string priority: 1 + type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced names: kind: Certificate plural: certificates shortNames: - cert - certs - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - labels: - app: cert-manager -spec: - group: certmanager.k8s.io + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + description: ACME contains configuration specific to ACME Certificates. + Notably, this contains details on how the domain names listed on this + Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 + providers to DNS names. + properties: + config: + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + required: + - config + type: object + commonName: + description: CommonName is a common name to be used on the Certificate + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'signing' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. 
+ properties: + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + format: int64 + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + required: + - secretName + - issuerRef + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster - +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- - apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: orders.certmanager.k8s.io + creationTimestamp: null labels: - app: cert-manager -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - type: string - priority: 1 - - JSONPath: .status.reason - name: Reason - type: string - priority: 1 - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Order - plural: orders - scope: Namespaced - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: + controller-tools.k8s.io: "1.0" name: challenges.certmanager.k8s.io - labels: - app: cert-manager spec: additionalPrinterColumns: - JSONPath: .status.state 
@@ -122,21 +217,746 @@ spec: type: string - JSONPath: .status.reason name: Reason + priority: 1 type: string - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io - version: v1alpha1 names: kind: Challenge plural: challenges scope: Namespaced - + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this challenge. 
+ type: object + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. 
If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + required: + - processing + - presented + - reason + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: clusterissuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. 
+ properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). 
+ type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: issuers.certmanager.k8s.io +spec: + group: certmanager.k8s.io + names: + kind: Issuer + plural: issuers + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + acme: + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + required: + - email + - server + - privateKeySecretRef + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. 
+ format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - server + - path + type: object + type: object + status: + properties: + acme: + properties: + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - type + - status + - lastTransitionTime + - reason + - message + type: object + type: array + type: object + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: orders.certmanager.k8s.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. 
It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: certmanager.k8s.io + names: + kind: Order + plural: orders + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + config: + description: Config specifies a mapping from DNS identifiers to how + those identifiers should be solved when performing ACME challenges. + A config entry must exist for each domain listed in DNSNames and CommonName. + items: + properties: + domains: + description: Domains is the list of domains that this SolverConfig + applies to. + items: + type: string + type: array + required: + - domains + type: object + type: array + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. 
+ format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + - config + type: object + status: + properties: + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + challenges: + description: Challenges is a list of ChallengeSpecs for Challenges that + must be created in order to complete this Order. + items: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + config: + description: Config specifies the solver configuration for this + challenge. + type: object + dnsName: + description: DNSName is the identifier that this challenge is + for, e.g. example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the + Issuer does not exist, processing will be retried. 
If the Issuer + is not an 'ACME' Issuer, an error will be returned and the Challenge + will be marked as failed. + properties: + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource + represents, e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for + this challenge. This can be used to lookup details about the + status of this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a + wildcard identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - type + - url + - dnsName + - token + - key + - wildcard + - config + - issuerRef + type: object + type: array + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - "" + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. 
+ type: string + type: object + required: + - metadata + - spec + - status + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: v1 kind: Namespace diff --git a/docs/generated/reference/output/reference/api-docs/index.html b/docs/generated/reference/output/reference/api-docs/index.html index b96581aac..6cfb02e52 100755 --- a/docs/generated/reference/output/reference/api-docs/index.html +++ b/docs/generated/reference/output/reference/api-docs/index.html @@ -340,6 +340,7 @@ Appears In: +
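Review bot: The Order schema lists `status` in its top-level `required` (`required: - metadata - spec - status` just above `version: v1alpha1`), as does the Challenge schema earlier in this hunk (L40), while the Certificate, Issuer and ClusterIssuer schemas in this diff have no top-level `required` at all. With this validation in place the apiserver rejects any Order or Challenge created without a `status` stanza; the in-tree controllers presumably serialize an empty `status: {}` and pass, but a hand-written or externally generated object would not. If that is not intended, the generator input for those two types should be adjusted (for example an `omitempty` on the status field, which is how this generator appears to derive `required`) so that `status` drops out of the list; the manifest itself should not be hand-edited.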

Order is a type to represent an Order with an ACME server

@@ -388,7 +389,7 @@ Appears In: - + @@ -400,7 +401,7 @@ Appears In: - + @@ -472,6 +473,7 @@ Appears In:
commonName
string
CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least on of CommonName or a DNSName must be set. This field must match the corresponding field on the DER encoded CSR.CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
config
DomainSolverConfig array
dnsNames
string array
DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least on of CommonName or a DNSName must be set. This field must match the corresponding field on the DER encoded CSR.DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or a DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
issuerRef
ObjectReference
+

Challenge is a type to represent a Challenge request with an ACME server

@@ -1925,7 +1927,7 @@ Appears In: - + diff --git a/hack/BUILD.bazel b/hack/BUILD.bazel index 4bec2cb4b..f616038bf 100644 --- a/hack/BUILD.bazel +++ b/hack/BUILD.bazel @@ -150,6 +150,30 @@ sh_test( ], ) +sh_binary( + name = "update-crds", + srcs = ["update-crds.sh"], + data = [ + ":update-deploy-gen", + "//hack/bin:gencrd", + "//pkg/apis:all-srcs", + "//vendor/k8s.io/api/core/v1:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:all-srcs", + "//vendor/k8s.io/apimachinery/pkg/runtime:all-srcs", + ], +) + +sh_test( + name = "verify-crds", + srcs = ["verify-crds.sh"], + data = [ + ":update-crds", + "//deploy:all-srcs", + "//hack/bin:gencrd", + "//pkg/apis:all-srcs", + ], +) + filegroup( name = "package-srcs", srcs = glob(["**"]), diff --git a/hack/bin/BUILD.bazel b/hack/bin/BUILD.bazel index 020c7cc8a..a819d9637 100644 --- a/hack/bin/BUILD.bazel +++ b/hack/bin/BUILD.bazel @@ -63,6 +63,14 @@ genrule( visibility = ["//visibility:public"], ) +genrule( + name = "fetch_gencrd", + srcs = ["@io_kubernetes_sigs_controller-tools//cmd/crd"], + outs = ["gencrd"], + cmd = "cp $(SRCS) $@", + visibility = ["//visibility:public"], +) + config_setting( name = "k8", values = {"host_cpu": "k8"}, diff --git a/hack/update-crds.sh b/hack/update-crds.sh new file mode 100755 index 000000000..38af45e9f --- /dev/null +++ b/hack/update-crds.sh 
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2019 The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script should be run via `bazel run //hack:update-crds`
+REPO_ROOT=${BUILD_WORKSPACE_DIRECTORY:-"$(cd "$(dirname "$0")" && pwd -P)"/..}
+runfiles="$(pwd)"
+export PATH="${runfiles}/hack/bin:${PATH}"
+cd "${REPO_ROOT}"
+
+output="$(mktemp -d)"
+gencrd generate \
+ --domain "k8s.io" \
+ --output-dir "${output}"
+
+echo "Copying files to output file"
+out="deploy/manifests/00-crds.yaml"
+rm "$out" > /dev/null 2>&1 || true
+mkdir -p "$(dirname $out)"
+touch "$out"
+for file in ${output}/*; do
+ cat "$file" >> "$out"
+ echo "---" >> "$out"
+done
+
+hack/update-deploy-gen.sh
diff --git a/hack/verify-crds.sh b/hack/verify-crds.sh
new file mode 100755
index 000000000..9a8232ab1
--- /dev/null
+++ b/hack/verify-crds.sh
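Review bot: The scratch directory created by `output="$(mktemp -d)"` is never removed, so every run of this script leaves a temp directory behind; verify-crds.sh in the same change installs `trap "cleanup" EXIT SIGINT` for its own temp dir, and this script should do the same with `trap 'rm -rf "${output}"' EXIT`. Two quoting points in the output handling: `mkdir -p "$(dirname $out)"` leaves `$out` unquoted inside the substitution, and `for file in ${output}/*; do` expands an unquoted variable before the glob, so `"$(dirname "$out")"` and `"${output}"/*` are the safer forms. The `rm ... || true` followed by `touch "$out"` can also be a single truncation, `: > "$out"`, which removes the need to silence rm's error.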
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright 2019 The Jetstack cert-manager contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+RULE_NAME="crds"
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/..
+
+_tmp="$(mktemp -d)"
+DIFFROOT="${SCRIPT_ROOT}/"
+
+cleanup() {
+ rm -rf "${_tmp}"
+}
+trap "cleanup" EXIT SIGINT
+
+# Create a fake GOPATH
+export GOPATH="${_tmp}"
+TMP_DIFFROOT="${GOPATH}/src/github.com/jetstack/cert-manager"
+
+mkdir -p "${TMP_DIFFROOT}"
+rsync -avvL "${DIFFROOT}"/ "${TMP_DIFFROOT}" >/dev/null
+# remove __main__ directory copied to tmp
+rm -Rf "${TMP_DIFFROOT}/__main__"
+
+cd "${TMP_DIFFROOT}"
+export BUILD_WORKSPACE_DIRECTORY="$(pwd)"
+"hack/update-${RULE_NAME}.sh"
+
+echo "diffing ${DIFFROOT} against freshly generated codegen"
+ret=0
+diff -Naupr "${DIFFROOT}/deploy/manifests/00-crds.yaml" "${TMP_DIFFROOT}/deploy/manifests/00-crds.yaml" || ret=$?
+if [[ $ret -eq 0 ]]
+then
+ echo "${DIFFROOT} up to date."
+else
+ echo "${DIFFROOT} is out of date. Please run 'bazel run //hack:update-${RULE_NAME}'"
+ exit 1
+fi
diff --git a/pkg/apis/certmanager/v1alpha1/types.go b/pkg/apis/certmanager/v1alpha1/types.go
index 4c4bed1b6..b93c30fa1 100644
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
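Review bot: The verification only diffs `deploy/manifests/00-crds.yaml`, while the update script it invokes (`"hack/update-${RULE_NAME}.sh"`) ends by running `hack/update-deploy-gen.sh`; if that step rewrites other generated files under deploy/, drift in them is regenerated in the temp copy but never compared, so this test passes while the checked-in tree is stale. Either diff the whole generated directory, `diff -Naupr "${DIFFROOT}/deploy" "${TMP_DIFFROOT}/deploy" || ret=$?`, or add a comment stating that only the CRD manifest is verified here. Separately, `SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/..` relies on a bare array name expanding to its first element; `"${BASH_SOURCE[0]}"` is the explicit form and reads as intended under `set -o nounset`.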
@@ -54,6 +54,7 @@ type LocalObjectReference struct { // ObjectReference is a reference to an object with a given name and kind. type ObjectReference struct { Name string `json:"name"` + // +optional Kind string `json:"kind,omitempty"` } @@ -66,6 +67,7 @@ const ( type SecretKeySelector struct { // The name of the secret in the pod's namespace to select from. LocalObjectReference `json:",inline"` - // The key of the secret to select from. Must be a valid secret key. - Key string `json:"key"` + // The key of the secret to select from. Must be a valid secret key. + // +optional + Key string `json:"key,omitempty"` } diff --git a/pkg/apis/certmanager/v1alpha1/types_certificate.go b/pkg/apis/certmanager/v1alpha1/types_certificate.go index 8c366de67..a92a63074 100644 --- a/pkg/apis/certmanager/v1alpha1/types_certificate.go +++ b/pkg/apis/certmanager/v1alpha1/types_certificate.go 
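Review bot: `Key` in SecretKeySelector drops from required (`json:"key"`) to `+optional` with `omitempty`, so the generated CRD will no longer reject a secret reference that names no key; whatever code resolves the selector against Secret data must now handle an empty key by defaulting it or reporting a clear error, otherwise a lookup of the empty-string key silently yields nothing. A sentence on the field would make the new contract explicit: `// If empty, the consumer of this selector must supply a default key; the CRD no longer requires one.` `Kind` in ObjectReference in the first hunk only gains the marker, consistent with the `omitempty` it already carried. Both structs are shown in full here, though the rest of the file is not.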
@@ -19,11 +19,16 @@ package v1alpha1 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // +genclient -// +k8s:openapi-gen=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +kubebuilder:resource:path=certificates // Certificate is a type to represent a Certificate from ACME +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="" +// +kubebuilder:printcolumn:name="Secret",type="string",JSONPath=".spec.secretName",description="" +// +kubebuilder:printcolumn:name="Issuer",type="string",JSONPath=".spec.issuerRef.name",description="",priority=1 +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",priority=1 +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC." +// +kubebuilder:resource:path=certificates,shortName=cert;certs type Certificate struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` 
@@ -52,21 +57,27 @@ const ( // CertificateSpec defines the desired state of Certificate type CertificateSpec struct { // CommonName is a common name to be used on the Certificate + // +optional CommonName string `json:"commonName,omitempty"` // Organization is the organization to be used on the Certificate + // +optional Organization []string `json:"organization,omitempty"` // Certificate default Duration + // +optional Duration *metav1.Duration `json:"duration,omitempty"` // Certificate renew before expiration duration + // +optional RenewBefore *metav1.Duration `json:"renewBefore,omitempty"` // DNSNames is a list of subject alt names to be used on the Certificate + // +optional DNSNames []string `json:"dnsNames,omitempty"` // IPAddresses is a list of IP addresses to be used on the Certificate + // +optional IPAddresses []string `json:"ipAddresses,omitempty"` // SecretName is the name of the secret resource to store this secret in 
@@ -82,24 +93,30 @@ type CertificateSpec struct { // IsCA will mark this Certificate as valid for signing. // This implies that the 'signing' usage is set + // +optional IsCA bool `json:"isCA,omitempty"` // ACME contains configuration specific to ACME Certificates. // Notably, this contains details on how the domain names listed on this // Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 // providers to DNS names. + // +optional ACME *ACMECertificateConfig `json:"acme,omitempty"` // KeySize is the key bit size of the corresponding private key for this certificate. // If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is // empty or is set to "rsa", and value must be one of (256, 384, 521) when // KeyAlgorithm is set to "ecdsa". + // +optional KeySize int `json:"keySize,omitempty"` + // KeyAlgorithm is the private key algorithm of the corresponding private key // for this certificate. If provided, allowed values are either "rsa" or "ecdsa" // If KeyAlgorithm is specified and KeySize is not provided, // key size of 256 will be used for "ecdsa" key algorithm and // key size of 2048 will be used for "rsa" key algorithm. + // +kubebuilder:validation:Enum=rsa,ecdsa + // +optional KeyAlgorithm KeyAlgorithm `json:"keyAlgorithm,omitempty"` } @@ -110,11 +127,15 @@ type ACMECertificateConfig struct { // CertificateStatus defines the observed state of Certificate type CertificateStatus struct { - Conditions []CertificateCondition `json:"conditions,omitempty"` - LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"` + // +optional + Conditions []CertificateCondition `json:"conditions,omitempty"` + + // +optional + LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"` // The expiration time of the certificate stored in the secret named // by this resource in spec.secretName. + // +optional NotAfter *metav1.Time `json:"notAfter,omitempty"` } 
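Review bot: `KeyAlgorithm` gains `+kubebuilder:validation:Enum=rsa,ecdsa`, but `KeySize`, whose comment in the same hunk spells out the allowed values (2048–8192 for rsa, one of 256/384/521 for ecdsa), still carries no validation marker, so the CRD accepts a weak or nonsensical size and the check rests entirely on the controller. The cross-field rule cannot be expressed with markers, but the outer bounds can, with `// +kubebuilder:validation:Minimum=256` and `// +kubebuilder:validation:Maximum=8192` directly above `KeySize`, which rejects obviously bad values at admission. Because the field is `omitempty`, an unset `KeySize` is still omitted and unaffected by the bounds. CertificateSpec starts before this hunk.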
@@ -124,6 +145,7 @@ type CertificateCondition struct { Type CertificateConditionType `json:"type"` // Status of the condition, one of ('True', 'False', 'Unknown'). + // +kubebuilder:validation:Enum=True,False,Unknown Status ConditionStatus `json:"status"` // LastTransitionTime is the timestamp corresponding to the last status diff --git a/pkg/apis/certmanager/v1alpha1/types_challenge.go b/pkg/apis/certmanager/v1alpha1/types_challenge.go index 5f6ae2e42..7d15961d3 100644 --- a/pkg/apis/certmanager/v1alpha1/types_challenge.go +++ b/pkg/apis/certmanager/v1alpha1/types_challenge.go @@ -24,9 +24,14 @@ import ( // coupling between ACME Issuers and their solver configurations (see: Solver proposal) // +genclient -// +k8s:openapi-gen=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// Challenge is a type to represent a Challenge request with an ACME server +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state" +// +kubebuilder:printcolumn:name="Domain",type="string",JSONPath=".spec.dnsName" +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1 +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC." // +kubebuilder:resource:path=challenges type Challenge struct { metav1.TypeMeta `json:",inline"` @@ -70,6 +75,7 @@ type ChallengeSpec struct { // Wildcard will be true if this challenge is for a wildcard identifier, // for example '*.example.com' + // +optional Wildcard bool `json:"wildcard"` // Config specifies the solver configuration for this challenge. 
@@ -91,6 +97,7 @@ type ChallengeStatus struct { // challenge has reached a final state or timed out. // If this field is set to false, the challenge controller will not take // any more action. + // +optional Processing bool `json:"processing"` // Presented will be set to true if the challenge values for this challenge @@ -99,13 +106,17 @@ type ChallengeStatus struct { // have been 'submitted' for the appropriate challenge mechanism (i.e. the // DNS01 TXT record has been presented, or the HTTP01 configuration has been // configured). + // +optional Presented bool `json:"presented"` // Reason contains human readable information on why the Challenge is in the // current state. + // +optional Reason string `json:"reason"` // State contains the current 'state' of the challenge. // If not set, the state of the challenge is unknown. - State State `json:"state"` + // +kubebuilder:validation:Enum=,valid,ready,pending,processing,invalid,expired,errored + // +optional + State State `json:"state,omitempty"` } diff --git a/pkg/apis/certmanager/v1alpha1/types_issuer.go b/pkg/apis/certmanager/v1alpha1/types_issuer.go index bec8bb442..d1b9078bd 100644 --- a/pkg/apis/certmanager/v1alpha1/types_issuer.go +++ b/pkg/apis/certmanager/v1alpha1/types_issuer.go @@ -75,9 +75,16 @@ type IssuerSpec struct { } type IssuerConfig struct { - ACME *ACMEIssuer `json:"acme,omitempty"` - CA *CAIssuer `json:"ca,omitempty"` - Vault *VaultIssuer `json:"vault,omitempty"` + // +optional + ACME *ACMEIssuer `json:"acme,omitempty"` + + // +optional + CA *CAIssuer `json:"ca,omitempty"` + + // +optional + Vault *VaultIssuer `json:"vault,omitempty"` + + // +optional SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"` } 
@@ -87,14 +94,18 @@ type SelfSignedIssuer struct { type VaultIssuer struct { // Vault authentication Auth VaultAuth `json:"auth"` + // Server is the vault connection address Server string `json:"server"` + // Vault URL path to the certificate role Path string `json:"path"` + // Base64 encoded CA bundle to validate Vault server certificate. Only used // if the Server URL is using HTTPS protocol. This parameter is ignored for // plain HTTP protocol connection. If not set the system root certificates // are used to validate the TLS connection. + // +optional CABundle []byte `json:"caBundle,omitempty"` } @@ -104,8 +115,11 @@ type VaultIssuer struct { // Vault and retrieve a token. type VaultAuth struct { // This Secret contains the Vault token key + // +optional TokenSecretRef SecretKeySelector `json:"tokenSecretRef,omitempty"` + // This Secret contains a AppRole and Secret + // +optional AppRole VaultAppRole `json:"appRole,omitempty"` } 
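Review bot: After the second hunk both `TokenSecretRef` and `AppRole` in VaultAuth are `+optional`, and nothing in the type states or validates that at least one must be set, so a VaultIssuer with an empty `auth` block now passes CRD validation and the failure presumably surfaces only when the controller tries to authenticate to Vault. A one-of constraint cannot be expressed with these markers, so say it in the VaultAuth doc comment: `// At least one of tokenSecretRef or appRole must be set; the CRD cannot enforce this, so an empty VaultAuth must be rejected by the controller.` The VaultAuth struct's opening comment begins before this hunk.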
@@ -127,29 +141,39 @@ type CAIssuer struct { type ACMEIssuer struct { // Email is the email for this account Email string `json:"email"` + // Server is the ACME server URL Server string `json:"server"` + // If true, skip verifying the ACME server TLS certificate + // +optional SkipTLSVerify bool `json:"skipTLSVerify,omitempty"` + // PrivateKey is the name of a secret containing the private key for this // user account. PrivateKey SecretKeySelector `json:"privateKeySecretRef"` + // HTTP-01 config + // +optional HTTP01 *ACMEIssuerHTTP01Config `json:"http01,omitempty"` + // DNS-01 config + // +optional DNS01 *ACMEIssuerDNS01Config `json:"dns01,omitempty"` } // ACMEIssuerHTTP01Config is a structure containing the ACME HTTP configuration options type ACMEIssuerHTTP01Config struct { // Optional service type for Kubernetes solver service + // +optional ServiceType corev1.ServiceType `json:"serviceType,omitempty"` } // ACMEIssuerDNS01Config is a structure containing the ACME DNS configuration // options type ACMEIssuerDNS01Config struct { - Providers []ACMEIssuerDNS01Provider `json:"providers"` + // +optional + Providers []ACMEIssuerDNS01Provider `json:"providers,omitempty"` } // ACMEIssuerDNS01Provider contains configuration for a DNS provider that can 
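Review bot: The new doc line on `SkipTLSVerify`, `// If true, skip verifying the ACME server TLS certificate`, describes the mechanism but not its consequence, and since this comment becomes the CRD field description it is what operators will read. With verification disabled the issuer has no way to authenticate the endpoint named in `Server`, so account registration and orders can be answered by anything on the network path; the comment should say when that is acceptable, for example `// If true, skip verifying the ACME server TLS certificate. This disables authentication of the ACME server and should only be used against a private or test CA whose certificate cannot otherwise be trusted.` `Server` is documented as a URL but carries no validation marker; that is a separate, optional hardening.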
@@ -161,16 +185,33 @@ type ACMEIssuerDNS01Provider struct { // CNAMEStrategy configures how the DNS01 provider should handle CNAME // records when found in DNS zones. - CNAMEStrategy CNAMEStrategy `json:"cnameStrategy"` + // +optional + // +kubebuilder:validation:Enum=None,Follow + CNAMEStrategy CNAMEStrategy `json:"cnameStrategy,omitempty"` - Akamai *ACMEIssuerDNS01ProviderAkamai `json:"akamai,omitempty"` - CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns,omitempty"` - Cloudflare *ACMEIssuerDNS01ProviderCloudflare `json:"cloudflare,omitempty"` - Route53 *ACMEIssuerDNS01ProviderRoute53 `json:"route53,omitempty"` - AzureDNS *ACMEIssuerDNS01ProviderAzureDNS `json:"azuredns,omitempty"` + // +optional + Akamai *ACMEIssuerDNS01ProviderAkamai `json:"akamai,omitempty"` + + // +optional + CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns,omitempty"` + + // +optional + Cloudflare *ACMEIssuerDNS01ProviderCloudflare `json:"cloudflare,omitempty"` + + // +optional + Route53 *ACMEIssuerDNS01ProviderRoute53 `json:"route53,omitempty"` + + // +optional + AzureDNS *ACMEIssuerDNS01ProviderAzureDNS `json:"azuredns,omitempty"` + + // +optional DigitalOcean *ACMEIssuerDNS01ProviderDigitalOcean `json:"digitalocean,omitempty"` - AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNS `json:"acmedns,omitempty"` - RFC2136 *ACMEIssuerDNS01ProviderRFC2136 `json:"rfc2136,omitempty"` + + // +optional + AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNS `json:"acmedns,omitempty"` + + // +optional + RFC2136 *ACMEIssuerDNS01ProviderRFC2136 `json:"rfc2136,omitempty"` } // CNAMEStrategy configures how the DNS01 provider should handle CNAME records 
@@ -223,29 +264,38 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct { // ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53 // configuration for AWS type ACMEIssuerDNS01ProviderRoute53 struct { - AccessKeyID string `json:"accessKeyID"` + AccessKeyID string `json:"accessKeyID"` + SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef"` - HostedZoneID string `json:"hostedZoneID"` - Region string `json:"region"` + + // +optional + HostedZoneID string `json:"hostedZoneID,omitempty"` + + Region string `json:"region"` } // ACMEIssuerDNS01ProviderAzureDNS is a structure containing the // configuration for Azure DNS type ACMEIssuerDNS01ProviderAzureDNS struct { - ClientID string `json:"clientID"` - ClientSecret SecretKeySelector `json:"clientSecretSecretRef"` - SubscriptionID string `json:"subscriptionID"` - TenantID string `json:"tenantID"` - ResourceGroupName string `json:"resourceGroupName"` + ClientID string `json:"clientID"` - // + optional - HostedZoneName string `json:"hostedZoneName"` + ClientSecret SecretKeySelector `json:"clientSecretSecretRef"` + + SubscriptionID string `json:"subscriptionID"` + + TenantID string `json:"tenantID"` + + ResourceGroupName string `json:"resourceGroupName"` + + // +optional + HostedZoneName string `json:"hostedZoneName,omitempty"` } // ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the // configuration for ACME-DNS servers type ACMEIssuerDNS01ProviderAcmeDNS struct { - Host string `json:"host"` + Host string `json:"host"` + AccountSecret SecretKeySelector `json:"accountSecretRef"` } 
@@ -259,31 +309,35 @@ type ACMEIssuerDNS01ProviderRFC2136 struct { // The name of the secret containing the TSIG value. // If ``tsigKeyName`` is defined, this field is required. // +optional - TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef"` + TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef,omitempty"` // The TSIG Key name configured in the DNS. // If ``tsigSecretSecretRef`` is defined, this field is required. // +optional - TSIGKeyName string `json:"tsigKeyName"` + TSIGKeyName string `json:"tsigKeyName,omitempty"` // The TSIG Algorithm configured in the DNS supporting RFC2136. Used only // when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. // Supported values are (case-insensitive): ``HMACMD5`` (default), // ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. // +optional - TSIGAlgorithm string `json:"tsigAlgorithm"` + TSIGAlgorithm string `json:"tsigAlgorithm,omitempty"` } // IssuerStatus contains status information about an Issuer type IssuerStatus struct { - Conditions []IssuerCondition `json:"conditions"` - ACME *ACMEIssuerStatus `json:"acme,omitempty"` + // +optional + Conditions []IssuerCondition `json:"conditions,omitempty"` + + // +optional + ACME *ACMEIssuerStatus `json:"acme,omitempty"` } type ACMEIssuerStatus struct { // URI is the unique account identifier, which can also be used to retrieve // account details from the CA - URI string `json:"uri"` + // +optional + URI string `json:"uri,omitempty"` } // IssuerCondition contains condition information for an Issuer. @@ -292,6 +346,7 @@ type IssuerCondition struct { Type IssuerConditionType `json:"type"` // Status of the condition, one of ('True', 'False', 'Unknown'). + // +kubebuilder:validation:Enum=True,False,Unknown Status ConditionStatus `json:"status"` // LastTransitionTime is the timestamp corresponding to the last status diff --git a/pkg/apis/certmanager/v1alpha1/types_order.go b/pkg/apis/certmanager/v1alpha1/types_order.go index 8836f2e05..fbcf83b07 100644 
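Review bot: `TSIGSecret SecretKeySelector \`json:"tsigSecretSecretRef,omitempty"\`` adds `omitempty` to a non-pointer struct field, which encoding/json ignores — a struct value is never considered empty — so the field is still always serialized by the Go types and "optional" holds only in the generated CRD schema, not in what clients built from these types emit. If a genuinely absent field is intended the type has to become `*SecretKeySelector`, which changes every caller; otherwise the `omitempty` is misleading and only the `+optional` marker should stay. The same applies to `TokenSecretRef SecretKeySelector` and `AppRole VaultAppRole` in the VaultAuth hunk of types_issuer.go above, which already carried `omitempty` on struct values. ACMEIssuerDNS01ProviderRFC2136 starts before this hunk.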
--- a/pkg/apis/certmanager/v1alpha1/types_order.go +++ b/pkg/apis/certmanager/v1alpha1/types_order.go @@ -24,9 +24,14 @@ import ( // coupling between ACME Issuers and their solver configurations (see: Solver proposal) // +genclient -// +k8s:openapi-gen=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// Order is a type to represent an Order with an ACME server +// +k8s:openapi-gen=true +// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state" +// +kubebuilder:printcolumn:name="Issuer",type="string",JSONPath=".spec.issuerRef.name",description="",priority=1 +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1 +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC." // +kubebuilder:resource:path=orders type Order struct { metav1.TypeMeta `json:",inline"` 
@@ -62,16 +67,18 @@ type OrderSpec struct { // CommonName is the common name as specified on the DER encoded CSR. // If CommonName is not specified, the first DNSName specified will be used // as the CommonName. - // At least on of CommonName or a DNSName must be set. + // At least one of CommonName or a DNSNames must be set. // This field must match the corresponding field on the DER encoded CSR. + // +optional CommonName string `json:"commonName,omitempty"` // DNSNames is a list of DNS names that should be included as part of the Order // validation process. // If CommonName is not specified, the first DNSName specified will be used // as the CommonName. - // At least on of CommonName or a DNSName must be set. + // At least one of CommonName or a DNSNames must be set. // This field must match the corresponding field on the DER encoded CSR. + // +optional DNSNames []string `json:"dnsNames,omitempty"` // Config specifies a mapping from DNS identifiers to how those identifiers 
@@ -85,32 +92,40 @@ type OrderStatus struct { // This will initially be empty when the resource is first created. // The Order controller will populate this field when the Order is first processed. // This field will be immutable after it is initially set. - URL string `json:"url"` + // +optional + URL string `json:"url,omitempty"` // FinalizeURL of the Order. // This is used to obtain certificates for this order once it has been completed. - FinalizeURL string `json:"finalizeURL"` + // +optional + FinalizeURL string `json:"finalizeURL,omitempty"` // Certificate is a copy of the PEM encoded certificate for this Order. // This field will be populated after the order has been successfully // finalized with the ACME server, and the order has transitioned to the // 'valid' state. - Certificate []byte `json:"certificate"` + // +optional + Certificate []byte `json:"certificate,omitempty"` // State contains the current state of this Order resource. // States 'success' and 'expired' are 'final' - State State `json:"state"` + // +kubebuilder:validation:Enum=,valid,ready,pending,processing,invalid,expired,errored + // +optional + State State `json:"state,omitempty"` // Reason optionally provides more information about a why the order is in // the current state. - Reason string `json:"reason"` + // +optional + Reason string `json:"reason,omitempty"` // Challenges is a list of ChallengeSpecs for Challenges that must be created // in order to complete this Order. + // +optional Challenges []ChallengeSpec `json:"challenges,omitempty"` // FailureTime stores the time that this order failed. // This is used to influence garbage collection and back-off. + // +optional FailureTime *metav1.Time `json:"failureTime,omitempty"` } 
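Review bot: The comment kept above `State`, `// States 'success' and 'expired' are 'final'`, now sits directly above an enum (`Enum=,valid,ready,pending,processing,invalid,expired,errored`) that has no `success` value, and since the comment becomes the CRD field description the mismatch is user-visible. Presumably the terminal state meant is `valid`; the line should name the values from the enum that the controller actually treats as final, e.g. `// States 'valid', 'invalid', 'expired' and 'errored' are 'final'`, adjusted to whatever the controller implements. The same enum list is repeated by hand on ChallengeStatus.State in types_challenge.go; a comment pointing at the shared source of the values would make it harder for the two to drift apart.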
@@ -173,9 +188,11 @@ const ( // Only one of HTTP01 or DNS01 should be non-nil. type SolverConfig struct { // HTTP01 contains HTTP01 challenge solving configuration + // +optional HTTP01 *HTTP01SolverConfig `json:"http01,omitempty"` // DNS01 contains DNS01 challenge solving configuration + // +optional DNS01 *DNS01SolverConfig `json:"dns01,omitempty"` } @@ -185,7 +202,8 @@ type HTTP01SolverConfig struct { // the ACME HTTP01 'well-known' challenge path in order to solve HTTP01 // challenges. // If this field is specified, 'ingressClass' **must not** be specified. - Ingress string `json:"ingress"` + // +optional + Ingress string `json:"ingress,omitempty"` // IngressClass is the ingress class that should be set on new ingress // resources that are created in order to solve HTTP01 challenges. @@ -195,6 +213,7 @@ type HTTP01SolverConfig struct { // If this field is not set, and 'ingress' is not set, then ingresses // without an ingress class set will be created to solve HTTP01 challenges. // If this field is specified, 'ingress' **must not** be specified. + // +optional IngressClass *string `json:"ingressClass,omitempty"` }
key
string
The key of the secret to select from. Must be a valid secret key.The key of the secret to select from. Must be a valid secret key.
name
string