-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathacm.services.k8s.aws_certificates.yaml
536 lines (522 loc) · 25.9 KB
/
acm.services.k8s.aws_certificates.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
name: certificates.acm.services.k8s.aws
spec:
group: acm.services.k8s.aws
names:
kind: Certificate
listKind: CertificateList
plural: certificates
singular: certificate
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Certificate is the Schema for the Certificates API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: CertificateSpec defines the desired state of Certificate.
properties:
certificate:
description: |-
The Certificate to import into AWS Certificate Manager (ACM) to use with services that are integrated with ACM.
This field is only valid when importing an existing certificate into ACM.
properties:
key:
description: Key is the key within the secret
type: string
name:
description: name is unique within a namespace to reference a
secret resource.
type: string
namespace:
description: namespace defines the space within which the secret
name must be unique.
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: Value is immutable once set
rule: self == oldSelf
certificateARN:
description: |-
The Amazon Resource Name (ARN) of an imported certificate to replace. This field is only valid when importing
an existing certificate into ACM.
type: string
x-kubernetes-validations:
- message: Value is immutable once set
rule: self == oldSelf
certificateAuthorityARN:
description: |-
The Amazon Resource Name (ARN) of the private certificate authority (CA)
that will be used to issue the certificate. If you do not provide an ARN
and you are trying to request a private certificate, ACM will attempt to
issue a public certificate. For more information about private CAs, see the
Amazon Web Services Private Certificate Authority (https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html)
user guide. The ARN must have the following form:
arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
type: string
x-kubernetes-validations:
- message: Value is immutable once set
rule: self == oldSelf
certificateAuthorityRef:
description: "AWSResourceReferenceWrapper provides a wrapper around
*AWSResourceReference\ntype to provide more user friendly syntax
for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t
\ name: my-api"
properties:
from:
description: |-
AWSResourceReference provides all the values necessary to reference another
k8s resource for finding the identifier(Id/ARN/Name)
properties:
name:
type: string
namespace:
type: string
type: object
type: object
certificateChain:
description: |-
SecretKeyReference combines a k8s corev1.SecretReference with a
specific key within the referred-to Secret
properties:
key:
description: Key is the key within the secret
type: string
name:
description: name is unique within a namespace to reference a
secret resource.
type: string
namespace:
description: namespace defines the space within which the secret
name must be unique.
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: Value is immutable once set
rule: self == oldSelf
domainName:
description: |-
Fully qualified domain name (FQDN), such as www.example.com, that you want
to secure with an ACM certificate. Use an asterisk (*) to create a wildcard
certificate that protects several sites in the same domain. For example,
*.example.com protects www.example.com, site.example.com, and images.example.com.
In compliance with RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280),
the length of the domain name (technically, the Common Name) that you provide
cannot exceed 64 octets (characters), including periods. To add a longer
domain name, specify it in the Subject Alternative Name field, which supports
names up to 253 octets in length.
type: string
domainValidationOptions:
description: |-
The domain name that you want ACM to use to send you emails so that you can
validate domain ownership.
items:
description: |-
Contains information about the domain names that you want ACM to use to send
you emails that enable you to validate domain ownership.
properties:
domainName:
type: string
validationDomain:
type: string
type: object
type: array
keyAlgorithm:
description: |-
Specifies the algorithm of the public and private key pair that your certificate
uses to encrypt data. RSA is the default key algorithm for ACM certificates.
Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering
security comparable to RSA keys but with greater computing efficiency. However,
ECDSA is not supported by all network clients. Some Amazon Web Services services
may require RSA keys, or only support ECDSA keys of a particular size, while
others allow the use of either RSA and ECDSA keys to ensure that compatibility
is not broken. Check the requirements for the Amazon Web Services service
where you plan to deploy your certificate. For more information about selecting
an algorithm, see Key algorithms (https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html#algorithms).
Algorithms supported for an ACM certificate request include:
- RSA_2048
- EC_prime256v1
- EC_secp384r1
Other listed algorithms are for imported certificates only.
When you request a private PKI certificate signed by a CA from Amazon Web
Services Private CA, the specified signing algorithm family (RSA or ECDSA)
must match the algorithm family of the CA's secret key.
Default: RSA_2048
type: string
options:
description: |-
Currently, you can use this parameter to specify whether to add the certificate
to a certificate transparency log. Certificate transparency makes it possible
to detect SSL/TLS certificates that have been mistakenly or maliciously issued.
Certificates that have not been logged typically produce an error message
in a browser. For more information, see Opting Out of Certificate Transparency
Logging (https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency).
properties:
certificateTransparencyLoggingPreference:
type: string
type: object
privateKey:
description: |-
The private key that matches the public key in the certificate. This field is only valid when importing
an existing certificate into ACM.
properties:
key:
description: Key is the key within the secret
type: string
name:
description: name is unique within a namespace to reference a
secret resource.
type: string
namespace:
description: namespace defines the space within which the secret
name must be unique.
type: string
required:
- key
type: object
x-kubernetes-map-type: atomic
x-kubernetes-validations:
- message: Value is immutable once set
rule: self == oldSelf
subjectAlternativeNames:
description: |-
Additional FQDNs to be included in the Subject Alternative Name extension
of the ACM certificate. For example, add the name www.example.net to a certificate
for which the DomainName field is www.example.com if users can reach your
site by using either name. The maximum number of domain names that you can
add to an ACM certificate is 100. However, the initial quota is 10 domain
names. If you need more than 10 names, you must request a quota increase.
For more information, see Quotas (https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html).
The maximum length of a SAN DNS name is 253 octets. The name is made up of
multiple labels separated by periods. No label can be longer than 63 octets.
Consider the following examples:
- (63 octets).(63 octets).(63 octets).(61 octets) is legal because the
total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63
octets.
- (64 octets).(63 octets).(63 octets).(61 octets) is not legal because
the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first
label exceeds 63 octets.
- (63 octets).(63 octets).(63 octets).(62 octets) is not legal because
the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets.
items:
type: string
type: array
tags:
description: One or more resource tags to associate with the certificate.
items:
description: A key-value pair that identifies or specifies metadata
about an ACM resource.
properties:
key:
type: string
value:
type: string
type: object
type: array
type: object
status:
description: CertificateStatus defines the observed state of Certificate
properties:
ackResourceMetadata:
description: |-
All CRs managed by ACK have a common `Status.ACKResourceMetadata` member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
properties:
arn:
description: |-
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an "adopted" resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR's Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
type: string
ownerAccountID:
description: |-
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
type: string
region:
description: Region is the AWS region in which the resource exists
or will exist.
type: string
required:
- ownerAccountID
- region
type: object
conditions:
description: |-
All CRs managed by ACK have a common `Status.Conditions` member that
contains a collection of `ackv1alpha1.Condition` objects that describe
the various terminal states of the CR and its backend AWS service API
resource
items:
description: |-
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type is the type of the Condition
type: string
required:
- status
- type
type: object
type: array
createdAt:
description: The time at which the certificate was requested.
format: date-time
type: string
domainValidations:
description: |-
Contains information about the initial validation of each domain name that
occurs as a result of the RequestCertificate request. This field exists only
when the certificate type is AMAZON_ISSUED.
items:
description: Contains information about the validation of each domain
name in the certificate.
properties:
domainName:
type: string
resourceRecord:
description: |-
Contains a DNS record value that you can use to validate ownership or control
of a domain. This is used by the DescribeCertificate action.
properties:
name:
type: string
type_:
type: string
value:
type: string
type: object
validationDomain:
type: string
validationEmails:
items:
type: string
type: array
validationMethod:
type: string
validationStatus:
type: string
type: object
type: array
extendedKeyUsages:
description: |-
Contains a list of Extended Key Usage X.509 v3 extension objects. Each object
specifies a purpose for which the certificate public key can be used and
consists of a name and an object identifier (OID).
items:
description: |-
The Extended Key Usage X.509 v3 extension defines one or more purposes for
which the public key can be used. This is in addition to or in place of the
basic purposes specified by the Key Usage extension.
properties:
name:
type: string
oid:
type: string
type: object
type: array
failureReason:
description: |-
The reason the certificate request failed. This value exists only when the
certificate status is FAILED. For more information, see Certificate Request
Failed (https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting.html#troubleshooting-failed)
in the Certificate Manager User Guide.
type: string
importedAt:
description: |-
The date and time when the certificate was imported. This value exists only
when the certificate type is IMPORTED.
format: date-time
type: string
inUseBy:
description: |-
A list of ARNs for the Amazon Web Services resources that are using the certificate.
A certificate can be used by multiple Amazon Web Services resources.
items:
type: string
type: array
issuedAt:
description: |-
The time at which the certificate was issued. This value exists only when
the certificate type is AMAZON_ISSUED.
format: date-time
type: string
issuer:
description: The name of the certificate authority that issued and
signed the certificate.
type: string
keyUsages:
description: |-
A list of Key Usage X.509 v3 extension objects. Each object is a string value
that identifies the purpose of the public key contained in the certificate.
Possible extension values include DIGITAL_SIGNATURE, KEY_ENCHIPHERMENT, NON_REPUDIATION,
and more.
items:
description: |-
The Key Usage X.509 v3 extension defines the purpose of the public key contained
in the certificate.
properties:
name:
type: string
type: object
type: array
notAfter:
description: The time after which the certificate is not valid.
format: date-time
type: string
notBefore:
description: The time before which the certificate is not valid.
format: date-time
type: string
renewalEligibility:
description: |-
Specifies whether the certificate is eligible for renewal. At this time,
only exported private certificates can be renewed with the RenewCertificate
command.
type: string
renewalSummary:
description: |-
Contains information about the status of ACM's managed renewal (https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html)
for the certificate. This field exists only when the certificate type is
AMAZON_ISSUED.
properties:
domainValidationOptions:
items:
description: Contains information about the validation of each
domain name in the certificate.
properties:
domainName:
type: string
resourceRecord:
description: |-
Contains a DNS record value that you can use to validate ownership or control
of a domain. This is used by the DescribeCertificate action.
properties:
name:
type: string
type_:
type: string
value:
type: string
type: object
validationDomain:
type: string
validationEmails:
items:
type: string
type: array
validationMethod:
type: string
validationStatus:
type: string
type: object
type: array
renewalStatus:
type: string
renewalStatusReason:
type: string
updatedAt:
format: date-time
type: string
type: object
revocationReason:
description: |-
The reason the certificate was revoked. This value exists only when the certificate
status is REVOKED.
type: string
revokedAt:
description: |-
The time at which the certificate was revoked. This value exists only when
the certificate status is REVOKED.
format: date-time
type: string
serial:
description: The serial number of the certificate.
type: string
signatureAlgorithm:
description: The algorithm that was used to sign the certificate.
type: string
status:
description: |-
The status of the certificate.
A certificate enters status PENDING_VALIDATION upon being requested, unless
it fails for any of the reasons given in the troubleshooting topic Certificate
request fails (https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-failed.html).
ACM makes repeated attempts to validate a certificate for 72 hours and then
times out. If a certificate shows status FAILED or VALIDATION_TIMED_OUT,
delete the request, correct the issue with DNS validation (https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html)
or Email validation (https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html),
and try again. If validation succeeds, the certificate enters status ISSUED.
type: string
subject:
description: |-
The name of the entity that is associated with the public key contained in
the certificate.
type: string
type_:
description: |-
The source of the certificate. For certificates provided by ACM, this value
is AMAZON_ISSUED. For certificates that you imported with ImportCertificate,
this value is IMPORTED. ACM does not provide managed renewal (https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html)
for imported certificates. For more information about the differences between
certificates that you import and those that ACM provides, see Importing Certificates
(https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html)
in the Certificate Manager User Guide.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}