From c69e999f269624ae6700a129fd06c241da7c04a4 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Wed, 6 Feb 2019 13:42:51 +0000 Subject: [PATCH] Add optional tags and enum schema values Signed-off-by: James Munnelly --- deploy/manifests/00-crds.yaml | 4 - deploy/manifests/cert-manager-no-webhook.yaml | 4 - deploy/manifests/cert-manager.yaml | 4 - pkg/apis/certmanager/v1alpha1/types.go | 6 +- .../certmanager/v1alpha1/types_certificate.go | 17 +++++ .../certmanager/v1alpha1/types_challenge.go | 6 ++ pkg/apis/certmanager/v1alpha1/types_issuer.go | 75 ++++++++++++++++--- pkg/apis/certmanager/v1alpha1/types_order.go | 30 ++++++-- 8 files changed, 114 insertions(+), 32 deletions(-) diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 87980d32a..c14e345c3 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml @@ -522,8 +522,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: @@ -716,8 +714,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: diff --git a/deploy/manifests/cert-manager-no-webhook.yaml b/deploy/manifests/cert-manager-no-webhook.yaml index fe02b8dc8..22132452e 100644 --- a/deploy/manifests/cert-manager-no-webhook.yaml +++ b/deploy/manifests/cert-manager-no-webhook.yaml @@ -522,8 +522,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: @@ -716,8 +714,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml index f999f59bc..ed1c5ffd9 100644 --- a/deploy/manifests/cert-manager.yaml +++ b/deploy/manifests/cert-manager.yaml @@ -522,8 +522,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: 
@@ -716,8 +714,6 @@ spec: - message type: object type: array - required: - - conditions type: object version: v1alpha1 status: diff --git a/pkg/apis/certmanager/v1alpha1/types.go b/pkg/apis/certmanager/v1alpha1/types.go index 4c4bed1b6..b93c30fa1 100644 --- a/pkg/apis/certmanager/v1alpha1/types.go +++ b/pkg/apis/certmanager/v1alpha1/types.go @@ -54,6 +54,7 @@ type LocalObjectReference struct { // ObjectReference is a reference to an object with a given name and kind. type ObjectReference struct { Name string `json:"name"` + // +optional Kind string `json:"kind,omitempty"` } @@ -66,6 +67,7 @@ const ( type SecretKeySelector struct { // The name of the secret in the pod's namespace to select from. LocalObjectReference `json:",inline"` - // The key of the secret to select from. Must be a valid secret key. - Key string `json:"key"` + // The key of the secret to select from. Must be a valid secret key. + // +optional + Key string `json:"key,omitempty"` } diff --git a/pkg/apis/certmanager/v1alpha1/types_certificate.go b/pkg/apis/certmanager/v1alpha1/types_certificate.go index 871db51c4..8946875e4 100644 --- a/pkg/apis/certmanager/v1alpha1/types_certificate.go +++ b/pkg/apis/certmanager/v1alpha1/types_certificate.go 
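Review bot: `Key` in SecretKeySelector is now tagged `json:"key,omitempty"` with `+optional`, yet the comment kept on the new side still says "Must be a valid secret key", which no longer tells a user what an omitted key means. The comment should state how an empty Key is treated by the code that dereferences the selector — a default key name, or an error — which this hunk does not show; something like `// If empty, the consumer of this selector chooses a default key name (see the field that uses it).`, adjusted to the actual behaviour. The same gap applies to `Kind` on ObjectReference in the previous hunk, whose empty value has no documented meaning.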
@@ -57,21 +57,27 @@ const ( // CertificateSpec defines the desired state of Certificate type CertificateSpec struct { // CommonName is a common name to be used on the Certificate + // +optional CommonName string `json:"commonName,omitempty"` // Organization is the organization to be used on the Certificate + // +optional Organization []string `json:"organization,omitempty"` // Certificate default Duration + // +optional Duration *metav1.Duration `json:"duration,omitempty"` // Certificate renew before expiration duration + // +optional RenewBefore *metav1.Duration `json:"renewBefore,omitempty"` // DNSNames is a list of subject alt names to be used on the Certificate + // +optional DNSNames []string `json:"dnsNames,omitempty"` // IPAddresses is a list of IP addresses to be used on the Certificate + // +optional IPAddresses []string `json:"ipAddresses,omitempty"` // SecretName is the name of the secret resource to store this secret in 
@@ -87,24 +93,30 @@ type CertificateSpec struct { // IsCA will mark this Certificate as valid for signing. // This implies that the 'signing' usage is set + // +optional IsCA bool `json:"isCA,omitempty"` // ACME contains configuration specific to ACME Certificates. // Notably, this contains details on how the domain names listed on this // Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 // providers to DNS names. + // +optional ACME *ACMECertificateConfig `json:"acme,omitempty"` // KeySize is the key bit size of the corresponding private key for this certificate. // If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is // empty or is set to "rsa", and value must be one of (256, 384, 521) when // KeyAlgorithm is set to "ecdsa". + // +optional KeySize int `json:"keySize,omitempty"` + // KeyAlgorithm is the private key algorithm of the corresponding private key // for this certificate. If provided, allowed values are either "rsa" or "ecdsa" // If KeyAlgorithm is specified and KeySize is not provided, // key size of 256 will be used for "ecdsa" key algorithm and // key size of 2048 will be used for "rsa" key algorithm. + // +kubebuilder:validation:Enum=rsa,ecdsa + // +optional KeyAlgorithm KeyAlgorithm `json:"keyAlgorithm,omitempty"` } @@ -115,11 +127,15 @@ type ACMECertificateConfig struct { // CertificateStatus defines the observed state of Certificate type CertificateStatus struct { + // +optional Conditions []CertificateCondition `json:"conditions,omitempty"` + + // +optional LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"` // The expiration time of the certificate stored in the secret named // by this resource in spec.secretName. + // +optional NotAfter *metav1.Time `json:"notAfter,omitempty"` } 
@@ -129,6 +145,7 @@ type CertificateCondition struct { Type CertificateConditionType `json:"type"` // Status of the condition, one of ('True', 'False', 'Unknown'). + // +kubebuilder:validation:Enum=True,False,Unknown Status ConditionStatus `json:"status"` // LastTransitionTime is the timestamp corresponding to the last status diff --git a/pkg/apis/certmanager/v1alpha1/types_challenge.go b/pkg/apis/certmanager/v1alpha1/types_challenge.go index 4f637aebf..a3390cb75 100644 --- a/pkg/apis/certmanager/v1alpha1/types_challenge.go +++ b/pkg/apis/certmanager/v1alpha1/types_challenge.go @@ -75,6 +75,7 @@ type ChallengeSpec struct { // Wildcard will be true if this challenge is for a wildcard identifier, // for example '*.example.com' + // +optional Wildcard bool `json:"wildcard"` // Config specifies the solver configuration for this challenge. @@ -96,6 +97,7 @@ type ChallengeStatus struct { // challenge has reached a final state or timed out. // If this field is set to false, the challenge controller will not take // any more action. + // +optional Processing bool `json:"processing"` // Presented will be set to true if the challenge values for this challenge @@ -104,13 +106,17 @@ type ChallengeStatus struct { // have been 'submitted' for the appropriate challenge mechanism (i.e. the // DNS01 TXT record has been presented, or the HTTP01 configuration has been // configured). + // +optional Presented bool `json:"presented"` // Reason contains human readable information on why the Challenge is in the // current state. + // +optional Reason string `json:"reason"` // State contains the current 'state' of the challenge. // If not set, the state of the challenge is unknown. + // +kubebuilder:validation:Enum=valid,ready,pending,processing,invalid,expired,errored + // +optional State State `json:"state"` } diff --git a/pkg/apis/certmanager/v1alpha1/types_issuer.go b/pkg/apis/certmanager/v1alpha1/types_issuer.go index bec8bb442..df501a6ed 100644 
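Review bot: The `+optional` markers added in the three types_challenge.go hunks (Wildcard, Processing, Presented, Reason, State) are not paired with `omitempty`, unlike every other field this commit touches, so the generated schema will treat them as optional while encoding/json still emits `false` or `""` for unset values. If that is deliberate (so status fields always appear in the serialized object), a one-line comment saying so would stop the next reader from "fixing" it; otherwise match the rest of the commit, e.g. `json:"wildcard,omitempty"`. Note that with omitempty a `false` Wildcard disappears from the encoding, which anything reading the raw object must tolerate.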
--- a/pkg/apis/certmanager/v1alpha1/types_issuer.go +++ b/pkg/apis/certmanager/v1alpha1/types_issuer.go @@ -75,9 +75,16 @@ type IssuerSpec struct { } type IssuerConfig struct { + // +optional ACME *ACMEIssuer `json:"acme,omitempty"` + + // +optional CA *CAIssuer `json:"ca,omitempty"` + + // +optional Vault *VaultIssuer `json:"vault,omitempty"` + + // +optional SelfSigned *SelfSignedIssuer `json:"selfSigned,omitempty"` } @@ -87,14 +94,18 @@ type SelfSignedIssuer struct { type VaultIssuer struct { // Vault authentication Auth VaultAuth `json:"auth"` + // Server is the vault connection address Server string `json:"server"` + // Vault URL path to the certificate role Path string `json:"path"` + // Base64 encoded CA bundle to validate Vault server certificate. Only used // if the Server URL is using HTTPS protocol. This parameter is ignored for // plain HTTP protocol connection. If not set the system root certificates // are used to validate the TLS connection. + // +optional CABundle []byte `json:"caBundle,omitempty"` } @@ -104,8 +115,11 @@ type VaultIssuer struct { // Vault and retrieve a token. type VaultAuth struct { // This Secret contains the Vault token key + // +optional TokenSecretRef SecretKeySelector `json:"tokenSecretRef,omitempty"` + // This Secret contains a AppRole and Secret + // +optional AppRole VaultAppRole `json:"appRole,omitempty"` } 
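Review bot: `omitempty` on the struct-valued `TokenSecretRef SecretKeySelector` in the VaultAuth hunk has no effect: encoding/json only omits false, 0, nil pointers and interfaces, and empty strings, slices, maps and arrays, never a struct, so an unset token reference is still serialized as an empty object; the same holds for `AppRole` if VaultAppRole is a struct, and for `TSIGSecret SecretKeySelector` in this file's RFC2136 hunk. Either drop the misleading option, or change the field to a pointer (`TokenSecretRef *SecretKeySelector`), which is an API change and would need the Vault auth code that reads it to handle nil. Separately, VaultAuth now has no required field; the struct doc should say that exactly one of tokenSecretRef or appRole must be set, since the schema markers cannot express that.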
@@ -127,29 +141,39 @@ type CAIssuer struct { type ACMEIssuer struct { // Email is the email for this account Email string `json:"email"` + // Server is the ACME server URL Server string `json:"server"` + // If true, skip verifying the ACME server TLS certificate + // +optional SkipTLSVerify bool `json:"skipTLSVerify,omitempty"` + // PrivateKey is the name of a secret containing the private key for this // user account. PrivateKey SecretKeySelector `json:"privateKeySecretRef"` + // HTTP-01 config + // +optional HTTP01 *ACMEIssuerHTTP01Config `json:"http01,omitempty"` + // DNS-01 config + // +optional DNS01 *ACMEIssuerDNS01Config `json:"dns01,omitempty"` } // ACMEIssuerHTTP01Config is a structure containing the ACME HTTP configuration options type ACMEIssuerHTTP01Config struct { // Optional service type for Kubernetes solver service + // +optional ServiceType corev1.ServiceType `json:"serviceType,omitempty"` } // ACMEIssuerDNS01Config is a structure containing the ACME DNS configuration // options type ACMEIssuerDNS01Config struct { - Providers []ACMEIssuerDNS01Provider `json:"providers"` + // +optional + Providers []ACMEIssuerDNS01Provider `json:"providers,omitempty"` } // ACMEIssuerDNS01Provider contains configuration for a DNS provider that can 
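Review bot: The new comment on `SkipTLSVerify` (`// If true, skip verifying the ACME server TLS certificate`) describes the mechanism but not the consequence, which for a security-sensitive toggle is what the field doc should carry. Suggest `// SkipTLSVerify disables validation of the ACME server's TLS certificate. Enabling it removes protection against a man-in-the-middle between cert-manager and the ACME server and is intended only for test servers with untrusted certificates. Defaults to false.` Whether enabling it is logged anywhere cannot be seen from this hunk. `Providers` in ACMEIssuerDNS01Config is now optional; its comment could state what an empty provider list means for an issuer that configures dns01.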
@@ -161,15 +185,32 @@ type ACMEIssuerDNS01Provider struct { // CNAMEStrategy configures how the DNS01 provider should handle CNAME // records when found in DNS zones. - CNAMEStrategy CNAMEStrategy `json:"cnameStrategy"` + // +optional + // +kubebuilder:validation:Enum=None,Follow + CNAMEStrategy CNAMEStrategy `json:"cnameStrategy,omitempty"` + // +optional Akamai *ACMEIssuerDNS01ProviderAkamai `json:"akamai,omitempty"` + + // +optional CloudDNS *ACMEIssuerDNS01ProviderCloudDNS `json:"clouddns,omitempty"` + + // +optional Cloudflare *ACMEIssuerDNS01ProviderCloudflare `json:"cloudflare,omitempty"` + + // +optional Route53 *ACMEIssuerDNS01ProviderRoute53 `json:"route53,omitempty"` + + // +optional AzureDNS *ACMEIssuerDNS01ProviderAzureDNS `json:"azuredns,omitempty"` + + // +optional DigitalOcean *ACMEIssuerDNS01ProviderDigitalOcean `json:"digitalocean,omitempty"` + + // +optional AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNS `json:"acmedns,omitempty"` + + // +optional RFC2136 *ACMEIssuerDNS01ProviderRFC2136 `json:"rfc2136,omitempty"` } @@ -224,8 +265,12 @@ type ACMEIssuerDNS01ProviderDigitalOcean struct { // configuration for AWS type ACMEIssuerDNS01ProviderRoute53 struct { AccessKeyID string `json:"accessKeyID"` + SecretAccessKey SecretKeySelector `json:"secretAccessKeySecretRef"` - HostedZoneID string `json:"hostedZoneID"` + + // +optional + HostedZoneID string `json:"hostedZoneID,omitempty"` + Region string `json:"region"` } 
@@ -233,19 +278,24 @@ type ACMEIssuerDNS01ProviderRoute53 struct { // configuration for Azure DNS type ACMEIssuerDNS01ProviderAzureDNS struct { ClientID string `json:"clientID"` + ClientSecret SecretKeySelector `json:"clientSecretSecretRef"` + SubscriptionID string `json:"subscriptionID"` + TenantID string `json:"tenantID"` + ResourceGroupName string `json:"resourceGroupName"` - // + optional - HostedZoneName string `json:"hostedZoneName"` + // +optional + HostedZoneName string `json:"hostedZoneName,omitempty"` } // ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the // configuration for ACME-DNS servers type ACMEIssuerDNS01ProviderAcmeDNS struct { Host string `json:"host"` + AccountSecret SecretKeySelector `json:"accountSecretRef"` } 
@@ -259,31 +309,35 @@ type ACMEIssuerDNS01ProviderRFC2136 struct { // The name of the secret containing the TSIG value. // If ``tsigKeyName`` is defined, this field is required. // +optional - TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef"` + TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef,omitempty"` // The TSIG Key name configured in the DNS. // If ``tsigSecretSecretRef`` is defined, this field is required. // +optional - TSIGKeyName string `json:"tsigKeyName"` + TSIGKeyName string `json:"tsigKeyName,omitempty"` // The TSIG Algorithm configured in the DNS supporting RFC2136. Used only // when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. // Supported values are (case-insensitive): ``HMACMD5`` (default), // ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. // +optional - TSIGAlgorithm string `json:"tsigAlgorithm"` + TSIGAlgorithm string `json:"tsigAlgorithm,omitempty"` } // IssuerStatus contains status information about an Issuer type IssuerStatus struct { - Conditions []IssuerCondition `json:"conditions"` + // +optional + Conditions []IssuerCondition `json:"conditions,omitempty"` + + // +optional ACME *ACMEIssuerStatus `json:"acme,omitempty"` } type ACMEIssuerStatus struct { // URI is the unique account identifier, which can also be used to retrieve // account details from the CA - URI string `json:"uri"` + // +optional + URI string `json:"uri,omitempty"` } // IssuerCondition contains condition information for an Issuer. @@ -292,6 +346,7 @@ type IssuerCondition struct { Type IssuerConditionType `json:"type"` // Status of the condition, one of ('True', 'False', 'Unknown'). + // +kubebuilder:validation:Enum=True,False,Unknown Status ConditionStatus `json:"status"` // LastTransitionTime is the timestamp corresponding to the last status diff --git a/pkg/apis/certmanager/v1alpha1/types_order.go b/pkg/apis/certmanager/v1alpha1/types_order.go index a1b868743..b8a369d54 100644 --- a/pkg/apis/certmanager/v1alpha1/types_order.go 
+++ b/pkg/apis/certmanager/v1alpha1/types_order.go @@ -67,16 +67,18 @@ type OrderSpec struct { // CommonName is the common name as specified on the DER encoded CSR. // If CommonName is not specified, the first DNSName specified will be used // as the CommonName. - // At least on of CommonName or a DNSName must be set. + // At least one of CommonName or a DNSNames must be set. // This field must match the corresponding field on the DER encoded CSR. + // +optional CommonName string `json:"commonName,omitempty"` // DNSNames is a list of DNS names that should be included as part of the Order // validation process. // If CommonName is not specified, the first DNSName specified will be used // as the CommonName. - // At least on of CommonName or a DNSName must be set. + // At least one of CommonName or a DNSNames must be set. // This field must match the corresponding field on the DER encoded CSR. + // +optional DNSNames []string `json:"dnsNames,omitempty"` // Config specifies a mapping from DNS identifiers to how those identifiers 
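Review bot: The corrected sentence `// At least one of CommonName or a DNSNames must be set.` still reads oddly, since "a DNSNames" puts an article on a plural field name; `// At least one of CommonName or DNSNames must be set.` in both places (the CommonName and DNSNames comments) would read cleanly. The hunk also marks both fields `+optional` while the prose requires at least one of them, and the generated schema cannot express that; the comment is therefore the only place the constraint lives, so it is worth phrasing precisely.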
@@ -90,32 +92,40 @@ type OrderStatus struct { // This will initially be empty when the resource is first created. // The Order controller will populate this field when the Order is first processed. // This field will be immutable after it is initially set. - URL string `json:"url"` + // +optional + URL string `json:"url,omitempty"` // FinalizeURL of the Order. // This is used to obtain certificates for this order once it has been completed. - FinalizeURL string `json:"finalizeURL"` + // +optional + FinalizeURL string `json:"finalizeURL,omitempty"` // Certificate is a copy of the PEM encoded certificate for this Order. // This field will be populated after the order has been successfully // finalized with the ACME server, and the order has transitioned to the // 'valid' state. - Certificate []byte `json:"certificate"` + // +optional + Certificate []byte `json:"certificate,omitempty"` // State contains the current state of this Order resource. // States 'success' and 'expired' are 'final' - State State `json:"state"` + // +kubebuilder:validation:Enum=valid,ready,pending,processing,invalid,expired,errored + // +optional + State State `json:"state,omitempty"` // Reason optionally provides more information about a why the order is in // the current state. - Reason string `json:"reason"` + // +optional + Reason string `json:"reason,omitempty"` // Challenges is a list of ChallengeSpecs for Challenges that must be created // in order to complete this Order. + // +optional Challenges []ChallengeSpec `json:"challenges,omitempty"` // FailureTime stores the time that this order failed. // This is used to influence garbage collection and back-off. + // +optional FailureTime *metav1.Time `json:"failureTime,omitempty"` } 
@@ -178,9 +188,11 @@ const ( // Only one of HTTP01 or DNS01 should be non-nil. type SolverConfig struct { // HTTP01 contains HTTP01 challenge solving configuration + // +optional HTTP01 *HTTP01SolverConfig `json:"http01,omitempty"` // DNS01 contains DNS01 challenge solving configuration + // +optional DNS01 *DNS01SolverConfig `json:"dns01,omitempty"` } @@ -190,7 +202,8 @@ type HTTP01SolverConfig struct { // the ACME HTTP01 'well-known' challenge path in order to solve HTTP01 // challenges. // If this field is specified, 'ingressClass' **must not** be specified. - Ingress string `json:"ingress"` + // +optional + Ingress string `json:"ingress,omitempty"` // IngressClass is the ingress class that should be set on new ingress // resources that are created in order to solve HTTP01 challenges. @@ -200,6 +213,7 @@ type HTTP01SolverConfig struct { // If this field is not set, and 'ingress' is not set, then ingresses // without an ingress class set will be created to solve HTTP01 challenges. // If this field is specified, 'ingress' **must not** be specified. + // +optional IngressClass *string `json:"ingressClass,omitempty"` }