Add optional tags and enum schema values

Signed-off-by: James Munnelly <james@munnelly.eu>
James Munnelly 2019-02-06 13:42:51 +00:00
parent 034fd54870
commit c69e999f26
8 changed files with 114 additions and 32 deletions


@ -522,8 +522,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:
@ -716,8 +714,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:


@ -522,8 +522,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:
@ -716,8 +714,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:


@ -522,8 +522,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:
@ -716,8 +714,6 @@ spec:
- message
type: object
type: array
required:
- conditions
type: object
version: v1alpha1
status:


@ -54,6 +54,7 @@ type LocalObjectReference struct {
// ObjectReference is a reference to an object with a given name and kind.
type ObjectReference struct {
Name string `json:"name"`
// +optional
Kind string `json:"kind,omitempty"`
}
@ -66,6 +67,7 @@ const (
type SecretKeySelector struct {
// The name of the secret in the pod's namespace to select from.
LocalObjectReference `json:",inline"`
// The key of the secret to select from. Must be a valid secret key.
Key string `json:"key"`
// The key of the secret to select from. Must be a valid secret key.
// +optional
Key string `json:"key,omitempty"`
}
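Review bot: `Key` on SecretKeySelector becomes `+optional` with `omitempty` in the second hunk, but its doc comment still says "Must be a valid secret key", so the new contract — what an empty key means — is undocumented. Every consumer that does `secret.Data[sel.Key]` now has to either apply a documented default key or reject an empty one; otherwise a missing key silently resolves to an empty credential (a Vault token, an AWS secret key, a TSIG secret). The consumers are outside this diff, so I cannot confirm they handle it. Suggested comment: `// The key of the secret to select from. Must be a valid secret key. If empty, each consumer must either apply its documented default key or reject the selector; the empty key must never be looked up as-is.`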


@ -57,21 +57,27 @@ const (
// CertificateSpec defines the desired state of Certificate
type CertificateSpec struct {
// CommonName is a common name to be used on the Certificate
// +optional
CommonName string `json:"commonName,omitempty"`
// Organization is the organization to be used on the Certificate
// +optional
Organization []string `json:"organization,omitempty"`
// Certificate default Duration
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`
// Certificate renew before expiration duration
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
// DNSNames is a list of subject alt names to be used on the Certificate
// +optional
DNSNames []string `json:"dnsNames,omitempty"`
// IPAddresses is a list of IP addresses to be used on the Certificate
// +optional
IPAddresses []string `json:"ipAddresses,omitempty"`
// SecretName is the name of the secret resource to store this secret in
@ -87,24 +93,30 @@ type CertificateSpec struct {
// IsCA will mark this Certificate as valid for signing.
// This implies that the 'signing' usage is set
// +optional
IsCA bool `json:"isCA,omitempty"`
// ACME contains configuration specific to ACME Certificates.
// Notably, this contains details on how the domain names listed on this
// Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01
// providers to DNS names.
// +optional
ACME *ACMECertificateConfig `json:"acme,omitempty"`
// KeySize is the key bit size of the corresponding private key for this certificate.
// If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is
// empty or is set to "rsa", and value must be one of (256, 384, 521) when
// KeyAlgorithm is set to "ecdsa".
// +optional
KeySize int `json:"keySize,omitempty"`
// KeyAlgorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either "rsa" or "ecdsa"
// If KeyAlgorithm is specified and KeySize is not provided,
// key size of 256 will be used for "ecdsa" key algorithm and
// key size of 2048 will be used for "rsa" key algorithm.
// +kubebuilder:validation:Enum=rsa,ecdsa
// +optional
KeyAlgorithm KeyAlgorithm `json:"keyAlgorithm,omitempty"`
}
@ -115,11 +127,15 @@ type ACMECertificateConfig struct {
// CertificateStatus defines the observed state of Certificate
type CertificateStatus struct {
// +optional
Conditions []CertificateCondition `json:"conditions,omitempty"`
// +optional
LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`
// The expiration time of the certificate stored in the secret named
// by this resource in spec.secretName.
// +optional
NotAfter *metav1.Time `json:"notAfter,omitempty"`
}
@ -129,6 +145,7 @@ type CertificateCondition struct {
Type CertificateConditionType `json:"type"`
// Status of the condition, one of ('True', 'False', 'Unknown').
// +kubebuilder:validation:Enum=True,False,Unknown
Status ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
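Review bot: `KeySize` in the second hunk documents a hard constraint (2048–8192 for rsa, one of 256/384/521 for ecdsa) but, unlike `KeyAlgorithm` just below it, carries no validation marker, so the generated schema accepts any integer. A range that depends on another field cannot be expressed with kubebuilder markers, so a weak value such as 512 for rsa has to be rejected by the controller or an admission webhook — I cannot see from this diff whether that check exists. A partial schema guard is cheap and would at least reject obviously bad values: `// +kubebuilder:validation:Minimum=256` and `// +kubebuilder:validation:Maximum=8192` above the field. The comment should also say where the algorithm-specific check lives, e.g. `// The algorithm-specific range is enforced by the controller, not by the CRD schema.`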


@ -75,6 +75,7 @@ type ChallengeSpec struct {
// Wildcard will be true if this challenge is for a wildcard identifier,
// for example '*.example.com'
// +optional
Wildcard bool `json:"wildcard"`
// Config specifies the solver configuration for this challenge.
@ -96,6 +97,7 @@ type ChallengeStatus struct {
// challenge has reached a final state or timed out.
// If this field is set to false, the challenge controller will not take
// any more action.
// +optional
Processing bool `json:"processing"`
// Presented will be set to true if the challenge values for this challenge
@ -104,13 +106,17 @@ type ChallengeStatus struct {
// have been 'submitted' for the appropriate challenge mechanism (i.e. the
// DNS01 TXT record has been presented, or the HTTP01 configuration has been
// configured).
// +optional
Presented bool `json:"presented"`
// Reason contains human readable information on why the Challenge is in the
// current state.
// +optional
Reason string `json:"reason"`
// State contains the current 'state' of the challenge.
// If not set, the state of the challenge is unknown.
// +kubebuilder:validation:Enum=valid,ready,pending,processing,invalid,expired,errored
// +optional
State State `json:"state"`
}
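Review bot: In the last hunk `State` gains `+kubebuilder:validation:Enum=valid,ready,pending,processing,invalid,expired,errored` but keeps `json:"state"` without `omitempty`, so a Challenge whose state is unset serialises as `"state": ""`, which is not in the enum and — if the schema applies to status, as the regenerated CRDs in this commit suggest — would be rejected on write, contradicting the comment "If not set, the state of the challenge is unknown". The Order type in this same commit uses `json:"state,omitempty"` for the identical enum; `State State `json:"state,omitempty"`` here makes the two consistent. The other fields marked `+optional` in this file (`wildcard`, `processing`, `presented`, `reason`) likewise lack `omitempty`; harmless for the bools, but `reason` is worth aligning too.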


@ -75,9 +75,16 @@ type IssuerSpec struct {
}
type IssuerConfig struct {
// +optional
ACME *ACMEIssuer `json:"acme,omitempty"`
// +optional
CA *CAIssuer `json:"ca,omitempty"`
// +optional
Vault *VaultIssuer `json:"vault,omitempty"`
// +optional
SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"`
}
@ -87,14 +94,18 @@ type SelfSignedIssuer struct {
type VaultIssuer struct {
// Vault authentication
Auth VaultAuth `json:"auth"`
// Server is the vault connection address
Server string `json:"server"`
// Vault URL path to the certificate role
Path string `json:"path"`
// Base64 encoded CA bundle to validate Vault server certificate. Only used
// if the Server URL is using HTTPS protocol. This parameter is ignored for
// plain HTTP protocol connection. If not set the system root certificates
// are used to validate the TLS connection.
// +optional
CABundle []byte `json:"caBundle,omitempty"`
}
@ -104,8 +115,11 @@ type VaultIssuer struct {
// Vault and retrieve a token.
type VaultAuth struct {
// This Secret contains the Vault token key
// +optional
TokenSecretRef SecretKeySelector `json:"tokenSecretRef,omitempty"`
// This Secret contains a AppRole and Secret
// +optional
AppRole VaultAppRole `json:"appRole,omitempty"`
}
@ -127,29 +141,39 @@ type CAIssuer struct {
type ACMEIssuer struct {
// Email is the email for this account
Email string `json:"email"`
// Server is the ACME server URL
Server string `json:"server"`
// If true, skip verifying the ACME server TLS certificate
// +optional
SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
// PrivateKey is the name of a secret containing the private key for this
// user account.
PrivateKey SecretKeySelector `json:"privateKeySecretRef"`
// HTTP-01 config
// +optional
HTTP01 *ACMEIssuerHTTP01Config `json:"http01,omitempty"`
// DNS-01 config
// +optional
DNS01 *ACMEIssuerDNS01Config `json:"dns01,omitempty"`
}
// ACMEIssuerHTTP01Config is a structure containing the ACME HTTP configuration options
type ACMEIssuerHTTP01Config struct {
// Optional service type for Kubernetes solver service
// +optional
ServiceType corev1.ServiceType `json:"serviceType,omitempty"`
}
// ACMEIssuerDNS01Config is a structure containing the ACME DNS configuration
// options
type ACMEIssuerDNS01Config struct {
Providers []ACMEIssuerDNS01Provider `json:"providers"`
// +optional
Providers []ACMEIssuerDNS01Provider `json:"providers,omitempty"`
}
// ACMEIssuerDNS01Provider contains configuration for a DNS provider that can
@ -161,15 +185,32 @@ type ACMEIssuerDNS01Provider struct {
// CNAMEStrategy configures how the DNS01 provider should handle CNAME
// records when found in DNS zones.
CNAMEStrategy CNAMEStrategy `json:"cnameStrategy"`
// +optional
// +kubebuilder:validation:Enum=None,Follow
CNAMEStrategy CNAMEStrategy `json:"cnameStrategy,omitempty"`
// +optional
Akamai *ACMEIssuerDNS01ProviderAkamai `json:"akamai,omitempty"`
// +optional
CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns,omitempty"`
// +optional
Cloudflare *ACMEIssuerDNS01ProviderCloudflare `json:"cloudflare,omitempty"`
// +optional
Route53 *ACMEIssuerDNS01ProviderRoute53 `json:"route53,omitempty"`
// +optional
AzureDNS *ACMEIssuerDNS01ProviderAzureDNS `json:"azuredns,omitempty"`
// +optional
DigitalOcean *ACMEIssuerDNS01ProviderDigitalOcean `json:"digitalocean,omitempty"`
// +optional
AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNS `json:"acmedns,omitempty"`
// +optional
RFC2136 *ACMEIssuerDNS01ProviderRFC2136 `json:"rfc2136,omitempty"`
}
@ -224,8 +265,12 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct {
// configuration for AWS
type ACMEIssuerDNS01ProviderRoute53 struct {
AccessKeyID string `json:"accessKeyID"`
SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef"`
HostedZoneID string `json:"hostedZoneID"`
// +optional
HostedZoneID string `json:"hostedZoneID,omitempty"`
Region string `json:"region"`
}
@ -233,19 +278,24 @@ type ACMEIssuerDNS01ProviderRoute53 struct {
// configuration for Azure DNS
type ACMEIssuerDNS01ProviderAzureDNS struct {
ClientID string `json:"clientID"`
ClientSecret SecretKeySelector `json:"clientSecretSecretRef"`
SubscriptionID string `json:"subscriptionID"`
TenantID string `json:"tenantID"`
ResourceGroupName string `json:"resourceGroupName"`
// + optional
HostedZoneName string `json:"hostedZoneName"`
// +optional
HostedZoneName string `json:"hostedZoneName,omitempty"`
}
// ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the
// configuration for ACME-DNS servers
type ACMEIssuerDNS01ProviderAcmeDNS struct {
Host string `json:"host"`
AccountSecret SecretKeySelector `json:"accountSecretRef"`
}
@ -259,31 +309,35 @@ type ACMEIssuerDNS01ProviderRFC2136 struct {
// The name of the secret containing the TSIG value.
// If ``tsigKeyName`` is defined, this field is required.
// +optional
TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef"`
TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef,omitempty"`
// The TSIG Key name configured in the DNS.
// If ``tsigSecretSecretRef`` is defined, this field is required.
// +optional
TSIGKeyName string `json:"tsigKeyName"`
TSIGKeyName string `json:"tsigKeyName,omitempty"`
// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
// Supported values are (case-insensitive): ``HMACMD5`` (default),
// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
// +optional
TSIGAlgorithm string `json:"tsigAlgorithm"`
TSIGAlgorithm string `json:"tsigAlgorithm,omitempty"`
}
// IssuerStatus contains status information about an Issuer
type IssuerStatus struct {
Conditions []IssuerCondition `json:"conditions"`
// +optional
Conditions []IssuerCondition `json:"conditions,omitempty"`
// +optional
ACME *ACMEIssuerStatus `json:"acme,omitempty"`
}
type ACMEIssuerStatus struct {
// URI is the unique account identifier, which can also be used to retrieve
// account details from the CA
URI string `json:"uri"`
// +optional
URI string `json:"uri,omitempty"`
}
// IssuerCondition contains condition information for an Issuer.
@ -292,6 +346,7 @@ type IssuerCondition struct {
Type IssuerConditionType `json:"type"`
// Status of the condition, one of ('True', 'False', 'Unknown').
// +kubebuilder:validation:Enum=True,False,Unknown
Status ConditionStatus `json:"status"`
// LastTransitionTime is the timestamp corresponding to the last status
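Review bot: In the VaultAuth hunk, `tokenSecretRef` and `appRole` are marked `+optional` with `omitempty`, but encoding/json ignores `omitempty` on struct-typed fields, so both are always emitted (with an empty `name`) and neither the schema nor a reader can tell "unset" from "set to an empty reference"; the same applies to `tsigSecretSecretRef` in the RFC2136 hunk. Changing them to pointers (`*SecretKeySelector`, `*VaultAppRole`) would be an API change, so at minimum the comment should state the real contract, e.g. `// Exactly one of tokenSecretRef or appRole must be set.` above the struct. The controller must then reject an empty token reference rather than reading an empty token out of a Secret and presenting it to Vault — I cannot see from this diff whether it does.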


@ -67,16 +67,18 @@ type OrderSpec struct {
// CommonName is the common name as specified on the DER encoded CSR.
// If CommonName is not specified, the first DNSName specified will be used
// as the CommonName.
// At least on of CommonName or a DNSName must be set.
// At least one of CommonName or a DNSNames must be set.
// This field must match the corresponding field on the DER encoded CSR.
// +optional
CommonName string `json:"commonName,omitempty"`
// DNSNames is a list of DNS names that should be included as part of the Order
// validation process.
// If CommonName is not specified, the first DNSName specified will be used
// as the CommonName.
// At least on of CommonName or a DNSName must be set.
// At least one of CommonName or a DNSNames must be set.
// This field must match the corresponding field on the DER encoded CSR.
// +optional
DNSNames []string `json:"dnsNames,omitempty"`
// Config specifies a mapping from DNS identifiers to how those identifiers
@ -90,32 +92,40 @@ type OrderStatus struct {
// This will initially be empty when the resource is first created.
// The Order controller will populate this field when the Order is first processed.
// This field will be immutable after it is initially set.
URL string `json:"url"`
// +optional
URL string `json:"url,omitempty"`
// FinalizeURL of the Order.
// This is used to obtain certificates for this order once it has been completed.
FinalizeURL string `json:"finalizeURL"`
// +optional
FinalizeURL string `json:"finalizeURL,omitempty"`
// Certificate is a copy of the PEM encoded certificate for this Order.
// This field will be populated after the order has been successfully
// finalized with the ACME server, and the order has transitioned to the
// 'valid' state.
Certificate []byte `json:"certificate"`
// +optional
Certificate []byte `json:"certificate,omitempty"`
// State contains the current state of this Order resource.
// States 'success' and 'expired' are 'final'
State State `json:"state"`
// +kubebuilder:validation:Enum=valid,ready,pending,processing,invalid,expired,errored
// +optional
State State `json:"state,omitempty"`
// Reason optionally provides more information about a why the order is in
// the current state.
Reason string `json:"reason"`
// +optional
Reason string `json:"reason,omitempty"`
// Challenges is a list of ChallengeSpecs for Challenges that must be created
// in order to complete this Order.
// +optional
Challenges []ChallengeSpec `json:"challenges,omitempty"`
// FailureTime stores the time that this order failed.
// This is used to influence garbage collection and back-off.
// +optional
FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
@ -178,9 +188,11 @@ const (
// Only one of HTTP01 or DNS01 should be non-nil.
type SolverConfig struct {
// HTTP01 contains HTTP01 challenge solving configuration
// +optional
HTTP01 *HTTP01SolverConfig `json:"http01,omitempty"`
// DNS01 contains DNS01 challenge solving configuration
// +optional
DNS01 *DNS01SolverConfig `json:"dns01,omitempty"`
}
@ -190,7 +202,8 @@ type HTTP01SolverConfig struct {
// the ACME HTTP01 'well-known' challenge path in order to solve HTTP01
// challenges.
// If this field is specified, 'ingressClass' **must not** be specified.
Ingress string `json:"ingress"`
// +optional
Ingress string `json:"ingress,omitempty"`
// IngressClass is the ingress class that should be set on new ingress
// resources that are created in order to solve HTTP01 challenges.
@ -200,6 +213,7 @@ type HTTP01SolverConfig struct {
// If this field is not set, and 'ingress' is not set, then ingresses
// without an ingress class set will be created to solve HTTP01 challenges.
// If this field is specified, 'ingress' **must not** be specified.
// +optional
IngressClass *string `json:"ingressClass,omitempty"`
}