diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_issuers.yaml b/config/crd/bases/anthos-cert-manager.io_issuers.yaml new file mode 100644 index 0000000..4415e79 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_issuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: issuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + - status + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_issuers.yaml b/config/crd/bases/anthos-cert-manager.io_issuers.yaml new file mode 100644 index 0000000..4415e79 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_issuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: issuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + - status + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f36ba7f..9bc6d57 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -31,7 +31,7 @@ # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - +- manager_config_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_issuers.yaml b/config/crd/bases/anthos-cert-manager.io_issuers.yaml new file mode 100644 index 0000000..4415e79 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_issuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: issuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + - status + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f36ba7f..9bc6d57 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -31,7 +31,7 @@ # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - +- manager_config_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 46c38c2..ec7148f 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -48,8 +48,3 @@ requests: cpu: 5m memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_issuers.yaml b/config/crd/bases/anthos-cert-manager.io_issuers.yaml new file mode 100644 index 0000000..4415e79 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_issuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: issuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + - status + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f36ba7f..9bc6d57 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -31,7 +31,7 @@ # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - +- manager_config_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 46c38c2..ec7148f 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -48,8 +48,3 @@ requests: cpu: 5m memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index d9b77b6..84c7558 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -8,3 +8,6 @@ spec: containers: - name: manager + args: + - "--v=4" + - "--controllers=*" diff --git a/Dockerfile b/Dockerfile index 0a091a6..e250c16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,6 +14,7 @@ # Copy the go source COPY main.go main.go COPY pkg/ pkg/ +COPY cmd/ cmd/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO diff --git a/Makefile b/Makefile index 5d146e4..fb9f77f 100644 --- a/Makefile +++ b/Makefile @@ -155,6 +155,9 @@ undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. $(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f - +.PHONY: stage +stage: docker-build docker-push undeploy deploy + ##@ Build Dependencies ## Location to install dependencies to diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 1f05612..fa4c82c 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -50,7 +50,7 @@ "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") var controllerSet string - fs.StringVar(&controllerSet, "controllers", "", fmt.Sprintf(""+ + fs.StringVar(&controllerSet, "controllers", "*", fmt.Sprintf(""+ "A list of controllers to enable. '--controllers=*' enables all "+ "on-by-default controllers, '--controllers=foo' enables just the controller "+ "named 'foo', '--controllers=*,-foo' disables the controller named "+ diff --git a/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml new file mode 100644 index 0000000..dc53954 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificaterequests.yaml @@ -0,0 +1,224 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificaterequests.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + singular: certificaterequest + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: "A CertificateRequest is used to request a signed certificate + from one of the configured issuers. \n All fields within the CertificateRequest's + `spec` are immutable after creation. A CertificateRequest will either succeed + or fail, as denoted by its `status.state` field. \n A CertificateRequest + is a one-shot resource, meaning it represents a single point in time request + for a certificate and cannot be re-used." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the CertificateRequest resource. + properties: + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. + type: string + extra: + additionalProperties: + items: + type: string + type: array + description: Extra contains extra attributes of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + type: object + groups: + description: Groups contains group membership of the user that created + the CertificateRequest. Populated by the cert-manager webhook on + creation and immutable. + items: + type: string + type: array + x-kubernetes-list-type: atomic + isCA: + description: IsCA will request to mark the certificate as valid for + certificate signing when submitting to the issuer. This will automatically + add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the `kind` field is set to `ClusterIssuer`, a + ClusterIssuer with the provided name will be used. The `name` field + in this stanza is required at all times. The group field refers + to the API group of the issuer which defaults to `cert-manager.io` + if empty. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: The PEM-encoded x509 certificate signing request to be + submitted to the CA for signing. + format: byte + type: string + uid: + description: UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: Usages is the set of x509 usages that are requested for + the certificate. If usages are set they SHOULD be encoded inside + the CSR spec Defaults to `digital signature` and `key encipherment` + if not specified. + items: + description: "KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + \n Valid KeyUsage values are as follows: \"signing\", \"digital + signature\", \"content commitment\", \"key encipherment\", \"key + agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", + \"encipher only\", \"decipher only\", \"any\", \"server auth\", + \"client auth\", \"code signing\", \"email protection\", \"s/mime\", + \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", + \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + username: + description: Username contains the name of the user that created the + CertificateRequest. Populated by the cert-manager webhook on creation + and immutable. + type: string + required: + - issuerRef + - request + type: object + status: + description: Status of the CertificateRequest. This is set and managed + automatically. + properties: + ca: + description: The PEM encoded x509 certificate of the signer, also + known as the CA (Certificate Authority). This is set on a best-effort + basis by different issuers. If not set, the CA is assumed to be + unknown/not available. + format: byte + type: string + certificate: + description: The PEM encoded x509 certificate resulting from the certificate + signing request. If not set, the CertificateRequest has either not + been completed or has failed. More information on failure can be + found by checking the `conditions` field. + format: byte + type: string + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `InvalidRequest`, `Approved`, `Denied`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_certificates.yaml b/config/crd/bases/anthos-cert-manager.io_certificates.yaml new file mode 100644 index 0000000..720feb1 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_certificates.yaml @@ -0,0 +1,393 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: certificates.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the certificates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on + the Certificate. + items: + type: string + type: array + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. + This option may be ignored/overridden by some issuer types. If unset + this defaults to 90 days. Certificate will be renewed either 2/3 + through its duration or `renewBefore` period before its expiry, + whichever is later. Minimum accepted duration is 1 hour. Value must + be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to + be set on the Certificate. + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for certificate + signing. This will automatically add the `cert sign` usage to the + list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the `kind` field is not set, or set to `Issuer`, an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer + with the provided name will be used. The `name` field in this stanza + is required at all times. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.jks` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. A file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - create + - passwordSecretRef + type: object + type: object + privateKey: + description: Options to control private keys used for the Certificate. + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values + are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified + and `size` is not provided, key size of 256 will be used for + `ECDSA` key algorithm and key size of 2048 will be used for + `RSA` key algorithm. key size is ignored when using the `Ed25519` + key algorithm. + type: string + encoding: + description: The private key cryptography standards (PKCS) encoding + for this certificate's private key to be encoded in. If provided, + allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and + PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + enum: + - Never + - Always + type: string + size: + description: Size is the key bit size of the corresponding private + key for this certificate. If `algorithm` is set to `RSA`, valid + values are `2048`, `4096` or `8192`, and will default to `2048` + if not specified. If `algorithm` is set to `ECDSA`, valid values + are `256`, `384` or `521`, and will default to `256` if not + specified. If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + type: object + renewBefore: + description: How long before the currently issued certificate's expiry + cert-manager should renew the certificate. The default is 2/3 of + the issued certificate's duration. Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + secretName: + description: SecretName is the name of the secret resource that will + be automatically created and managed by this Certificate resource. + It will be populated with a private key and certificate, signed + by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied + to the Certificate's Secret. Labels and annotations on the Secret + will be changed as they appear on the SecretTemplate when added + or removed. SecretTemplate annotations are added in conjunction + with, and cannot overwrite, the base set of annotations cert-manager + sets on the Certificate's Secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a key value map to be copied to the + target Kubernetes Secret. + type: object + labels: + additionalProperties: + type: string + description: Labels is a key value map to be copied to the target + Kubernetes Secret. + type: object + type: object + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + properties: + countries: + description: Countries to be used on the Certificate. + items: + type: string + type: array + localities: + description: Cities to be used on the Certificate. + items: + type: string + type: array + organizationalUnits: + description: Organizational Units to be used on the Certificate. + items: + type: string + type: array + organizations: + description: Organizations to be used on the Certificate. + items: + type: string + type: array + postalCodes: + description: Postal codes to be used on the Certificate. + items: + type: string + type: array + provinces: + description: State/Provinces to be used on the Certificate. + items: + type: string + type: array + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + items: + type: string + type: array + type: object + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + description: List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + items: + description: CertificateCondition contains condition information + for an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Certificate. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`, + `Issuing`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up + till now. This field gets removed (if set) on a successful issuance + and gets set to 1 if unset and an issuance has failed. If an issuance + has failed, the delay till the next issuance will be calculated + using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is the time as recorded by the Certificate + controller of the most recent failure to complete a CertificateRequest + for this Certificate resource. If set, cert-manager will not re-request + another Certificate until 1 hour has elapsed from this time. + format: date-time + type: string + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in `spec.secretName`. + format: date-time + type: string + notBefore: + description: The time after which the certificate stored in the secret + named by this resource in spec.secretName is valid. + format: date-time + type: string + renewalTime: + description: RenewalTime is the time at which the certificate will + be next renewed. If not set, no upcoming renewal is scheduled. + format: date-time + type: string + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml new file mode 100644 index 0000000..702afca --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_clusterissuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: clusterissuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crd/bases/anthos-cert-manager.io_issuers.yaml b/config/crd/bases/anthos-cert-manager.io_issuers.yaml new file mode 100644 index 0000000..4415e79 --- /dev/null +++ b/config/crd/bases/anthos-cert-manager.io_issuers.yaml @@ -0,0 +1,145 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: issuers.anthos-cert-manager.io +spec: + group: anthos-cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + ocspServers: + description: The OCSP server list is an X.509 v3 extension that + defines a list of URLs of OCSP responders. The OCSP responders + can be queried for the revocation status of an issued certificate. + If not set, the certificate will be issued with no OCSP servers + set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.condition[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the Issuer. + format: int64 + type: integer + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are (`Ready`). + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + - status + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index f36ba7f..9bc6d57 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -31,7 +31,7 @@ # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - +- manager_config_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 46c38c2..ec7148f 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -48,8 +48,3 @@ requests: cpu: 5m memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index d9b77b6..84c7558 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -8,3 +8,6 @@ spec: containers: - name: manager + args: + - "--v=4" + - "--controllers=*" diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 95b0e5e..90c1a40 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -79,18 +79,18 @@ capabilities: drop: - "ALL" - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 + # livenessProbe: + # httpGet: + # path: /healthz + # port: 8081 + # initialDelaySeconds: 15 + # periodSeconds: 20 + # readinessProbe: + # httpGet: + # path: /readyz + # port: 8081 + # initialDelaySeconds: 5 + # periodSeconds: 10 # TODO(user): Configure the resources accordingly based on the project requirements. # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: