ClusterIssuer/v1
A ClusterIssuer represents a certificate issuing authority which can be referenced as part of issuerRef
fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in any namespace, not just the same namespace as the referent.
apiVersion
Description: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
Type: string
Property | Type | Description |
---|---|---|
apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
kind
Description: Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
Type: string
Property | Type | Description |
---|---|---|
kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
metadata
Description: (No Description)
Type: object
Property | Type | Description |
---|---|---|
metadata | object | (No Description) |
spec
Description: Desired state of the ClusterIssuer resource.
Type: object
Property | Type | Description |
---|---|---|
spec | object | Desired state of the ClusterIssuer resource. |
spec.acme | object | ACME configures this issuer to communicate with an RFC 8555 (ACME) server to obtain signed X.509 certificates. |
spec.acme.disableAccountKeyGeneration | boolean | Enables or disables generating a new ACME account key. If true, the Issuer resource will not request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. |
spec.acme.email | string | Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. |
spec.acme.enableDurationFeature | boolean | Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, like Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false. |
spec.acme.externalAccountBinding | object | ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. |
spec.acme.externalAccountBinding.keyAlgorithm | string | Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme. |
spec.acme.externalAccountBinding.keyID | string | keyID is the ID of the CA key that the External Account is bound to. |
spec.acme.externalAccountBinding.keySecretRef | object | keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The key is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID in the preceding row. The secret key stored in the Secret must be unpadded, base64url-encoded data. |
spec.acme.externalAccountBinding.keySecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.acme.externalAccountBinding.keySecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.acme.preferredChain | string | PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let's Encrypt's DST cross-sign you would use "DST Root CA X3", or "ISRG Root X1" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer's CN. |
spec.acme.privateKeySecretRef | object | PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a key may be specified to select a specific entry within the named Secret resource. If key is not specified, a default of tls.key will be used. |
spec.acme.privateKeySecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.acme.privateKeySecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.acme.server | string | Server is the URL used to access the ACME server's 'directory' endpoint. For example, for Let's Encrypt's staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported. |
spec.acme.skipTLSVerify | boolean | Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. |
spec.acme.solvers | array | Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/ |
spec.ca | object | CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. |
spec.ca.crlDistributionPoints | array | CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without CRL distribution points. |
spec.ca.ocspServers | array | The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". |
spec.ca.secretName | string | SecretName is the name of the secret used to sign Certificates issued by this Issuer. |
spec.selfSigned | object | SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. |
spec.selfSigned.crlDistributionPoints | array | CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings. |
spec.vault | object | Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. |
spec.vault.auth | object | Auth configures how cert-manager authenticates with the Vault server. |
spec.vault.auth.appRole | object | AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. |
spec.vault.auth.appRole.path | string | Path where the App Role authentication backend is mounted in Vault, e.g. "approle". |
spec.vault.auth.appRole.roleId | string | RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. |
spec.vault.auth.appRole.secretRef | object | Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The key field must be specified and denotes which entry within the Secret resource is used as the app role secret. |
spec.vault.auth.appRole.secretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.vault.auth.appRole.secretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.vault.auth.kubernetes | object | Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. |
spec.vault.auth.kubernetes.mountPath | string | The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value of /v1/auth/foo will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. |
spec.vault.auth.kubernetes.role | string | A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. |
spec.vault.auth.kubernetes.secretRef | object | The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. |
spec.vault.auth.kubernetes.secretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.vault.auth.kubernetes.secretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.vault.auth.tokenSecretRef | object | TokenSecretRef authenticates with Vault by presenting a token. |
spec.vault.auth.tokenSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.vault.auth.tokenSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.vault.caBundle | string | PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. |
spec.vault.caBundleSecretRef | object | CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. |
spec.vault.caBundleSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.vault.caBundleSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.vault.namespace | string | Name of the Vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support secure multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces |
spec.vault.path | string | Path is the mount path of the Vault PKI backend's sign endpoint, e.g. "my_pki_mount/sign/my-role-name". |
spec.vault.server | string | Server is the connection address for the Vault server, e.g. "https://vault.example.com:8200". |
spec.venafi | object | Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. |
spec.venafi.cloud | object | Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. |
spec.venafi.cloud.apiTokenSecretRef | object | APITokenSecretRef is a secret key selector for the Venafi Cloud API token. |
spec.venafi.cloud.apiTokenSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
spec.venafi.cloud.apiTokenSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.venafi.cloud.url | string | URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". |
spec.venafi.tpp | object | TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. |
spec.venafi.tpp.caBundle | string | CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. |
spec.venafi.tpp.credentialsRef | object | CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. |
spec.venafi.tpp.credentialsRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
spec.venafi.tpp.url | string | URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk". |
spec.venafi.zone | string | Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. |
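Several of the spec field descriptions above state constraints that a manifest can violate silently: skipTLSVerify is meant for development only, caBundle and caBundleSecretRef are mutually exclusive, only one of tpp or cloud may be set, zone and the Vault kubernetes role are required, and solvers must be provided. As an added example that is not part of the cert-manager documentation or code base, the Python linter below checks a ClusterIssuer manifest (already parsed into a dict) against those stated constraints and runs it over a deliberately weak constructed manifest beside a hardened one; the apiVersion group and the http01 solver shape in the samples are assumed from cert-manager rather than taken from this page.

```python
"""Lint a ClusterIssuer manifest against the constraints stated in this field reference."""


def _get(obj, path):
    """Walk a dotted path such as 'spec.vault.caBundle'; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def lint_cluster_issuer(m: dict) -> list[str]:
    """Return one finding per violated constraint; an empty list means the manifest passes."""
    f: list[str] = []
    if _get(m, "metadata.namespace") is not None:
        f.append("ClusterIssuer is cluster-scoped: metadata.namespace must not be set")
    if _get(m, "spec.acme") is not None:
        if _get(m, "spec.acme.skipTLSVerify") is True:
            f.append("spec.acme.skipTLSVerify=true disables ACME server TLS validation (development only)")
        if not _get(m, "spec.acme.solvers"):
            f.append("spec.acme.solvers must list at least one challenge solver")
        if _get(m, "spec.acme.externalAccountBinding.keyAlgorithm") is not None:
            f.append("spec.acme.externalAccountBinding.keyAlgorithm is deprecated (HS256 is hardcoded)")
    if _get(m, "spec.vault") is not None:
        if _get(m, "spec.vault.caBundle") and _get(m, "spec.vault.caBundleSecretRef"):
            f.append("spec.vault.caBundle and caBundleSecretRef are mutually exclusive")
        if _get(m, "spec.vault.auth.kubernetes") is not None and not _get(m, "spec.vault.auth.kubernetes.role"):
            f.append("spec.vault.auth.kubernetes.role is required")
    venafi = _get(m, "spec.venafi")
    if venafi is not None:
        if "tpp" in venafi and "cloud" in venafi:
            f.append("spec.venafi: only one of tpp or cloud may be specified")
        if not venafi.get("zone"):
            f.append("spec.venafi.zone is required")
    return f


# Constructed sample manifests (not real deployments). The apiVersion group and the
# http01 ingress solver shape are assumed from cert-manager, not taken from this page.
ACME = {"server": "https://acme-staging-v02.api.letsencrypt.org/directory",
        "privateKeySecretRef": {"name": "acme-account-key"}}
WEAK = {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
        "metadata": {"name": "acme-weak", "namespace": "default"},
        "spec": {"acme": {**ACME, "skipTLSVerify": True, "solvers": []}}}
HARDENED = {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
            "metadata": {"name": "acme-hardened"},
            "spec": {"acme": {**ACME, "email": "pki@example.com",
                              "solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}}
```

Running `lint_cluster_issuer(WEAK)` reports the namespace, skipTLSVerify and empty-solvers problems, while `lint_cluster_issuer(HARDENED)` returns an empty list.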
status
Description: Status of the ClusterIssuer. This is set and managed automatically.
Type: object
Property | Type | Description |
---|---|---|
status | object | Status of the ClusterIssuer. This is set and managed automatically. |
status.acme | object | ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. |
status.acme.lastRegisteredEmail | string | LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer. |
status.acme.uri | string | URI is the unique account identifier, which can also be used to retrieve account details from the CA. |
status.conditions | array | List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. |