ClusterIssuer/v1

A ClusterIssuer represents a certificate issuing authority which can be referenced as part of issuerRef fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in any namespace, not just the same namespace as the referent.

apiVersion

Description: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

Type: string

Table 1. Description of ClusterIssuer/v1 apiVersion

| Property | Type | Description |
|---|---|---|
| apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |

kind

Description: Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

Type: string

Table 2. Description of ClusterIssuer/v1 kind

| Property | Type | Description |
|---|---|---|
| kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |

metadata

Description: (No Description)

Type: object

Table 3. Description of ClusterIssuer/v1 metadata

| Property | Type | Description |
|---|---|---|
| metadata | object | (No Description) |

spec

Description: Desired state of the ClusterIssuer resource.

Type: object

Table 4. Description of ClusterIssuer/v1 spec

| Property | Type | Description |
|---|---|---|
| spec | object | Desired state of the ClusterIssuer resource. |
| spec.acme | object | ACME configures this issuer to communicate with an RFC 8555 (ACME) server to obtain signed X.509 certificates. |
| spec.acme.disableAccountKeyGeneration | boolean | Enables or disables generating a new ACME account key. If true, the Issuer resource will not request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. |
| spec.acme.email | string | Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. |
| spec.acme.enableDurationFeature | boolean | Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers, such as Let's Encrypt. If set to true when the ACME server does not support it, it will create an error on the Order. Defaults to false. |
| spec.acme.externalAccountBinding | object | ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. |
| spec.acme.externalAccountBinding.keyAlgorithm | string | Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme. |
| spec.acme.externalAccountBinding.keyID | string | keyID is the ID of the CA key that the External Account is bound to. |
| spec.acme.externalAccountBinding.keySecretRef | object | keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The key is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID in the preceding row. The secret key stored in the Secret must be un-padded, base64 URL encoded data. |
| spec.acme.externalAccountBinding.keySecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.acme.externalAccountBinding.keySecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.acme.preferredChain | string | PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let's Encrypt's DST cross-sign you would use: DST Root CA X3 or ISRG Root X1 for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer's CN. |
| spec.acme.privateKeySecretRef | object | PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a key may be specified to select a specific entry within the named Secret resource. If key is not specified, a default of tls.key will be used. |
| spec.acme.privateKeySecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.acme.privateKeySecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.acme.server | string | Server is the URL used to access the ACME server's 'directory' endpoint. For example, for Let's Encrypt's staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported. |
| spec.acme.skipTLSVerify | boolean | Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have their TLS certificate validated (i.e. insecure connections will be allowed). Only enable this option in development environments. The cert-manager system installed roots will be used to verify connections to the ACME server if this is false. Defaults to false. |
| spec.acme.solvers | array | Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/ |
| spec.ca | object | CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. |
| spec.ca.crlDistributionPoints | array | The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. |
| spec.ca.ocspServers | array | The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". |
| spec.ca.secretName | string | SecretName is the name of the secret used to sign Certificates issued by this Issuer. |
| spec.selfSigned | object | SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. |
| spec.selfSigned.crlDistributionPoints | array | The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, the certificate will be issued without CDP. Values are strings. |
| spec.vault | object | Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. |
| spec.vault.auth | object | Auth configures how cert-manager authenticates with the Vault server. |
| spec.vault.auth.appRole | object | AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. |
| spec.vault.auth.appRole.path | string | Path where the App Role authentication backend is mounted in Vault, e.g. "approle". |
| spec.vault.auth.appRole.roleId | string | RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. |
| spec.vault.auth.appRole.secretRef | object | Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The key field must be specified and denotes which entry within the Secret resource is used as the app role secret. |
| spec.vault.auth.appRole.secretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.vault.auth.appRole.secretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.vault.auth.kubernetes | object | Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. |
| spec.vault.auth.kubernetes.mountPath | string | The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. |
| spec.vault.auth.kubernetes.role | string | A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. |
| spec.vault.auth.kubernetes.secretRef | object | The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. |
| spec.vault.auth.kubernetes.secretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.vault.auth.kubernetes.secretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.vault.auth.tokenSecretRef | object | TokenSecretRef authenticates with Vault by presenting a token. |
| spec.vault.auth.tokenSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.vault.auth.tokenSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.vault.caBundle | string | PEM-encoded CA bundle (base64-encoded) used to validate the Vault server certificate. Only used if the Server URL is using the HTTPS protocol. This parameter is ignored for plain HTTP protocol connections. If not set, the system root certificates are used to validate the TLS connection. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the cert-manager controller system root certificates are used to validate the TLS connection. |
| spec.vault.caBundleSecretRef | object | CABundleSecretRef is a reference to a Secret which contains the CABundle which will be used when connecting to Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundleSecretRef nor CABundle are defined, the cert-manager controller system root certificates are used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. |
| spec.vault.caBundleSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.vault.caBundleSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.vault.namespace | string | Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow Vault environments to support secure multi-tenancy, e.g. "ns1". More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces |
| spec.vault.path | string | Path is the mount path of the Vault PKI backend's sign endpoint, e.g. "my_pki_mount/sign/my-role-name". |
| spec.vault.server | string | Server is the connection address for the Vault server, e.g. "https://vault.example.com:8200". |
| spec.venafi | object | Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. |
| spec.venafi.cloud | object | Cloud specifies the Venafi Cloud configuration settings. Only one of TPP or Cloud may be specified. |
| spec.venafi.cloud.apiTokenSecretRef | object | APITokenSecretRef is a secret key selector for the Venafi Cloud API token. |
| spec.venafi.cloud.apiTokenSecretRef.key | string | The key of the entry in the Secret resource's data field to be used. Some instances of this field may be defaulted, in others it may be required. |
| spec.venafi.cloud.apiTokenSecretRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.venafi.cloud.url | string | URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". |
| spec.venafi.tpp | object | TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. |
| spec.venafi.tpp.caBundle | string | CABundle is a PEM encoded TLS certificate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. |
| spec.venafi.tpp.credentialsRef | object | CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. |
| spec.venafi.tpp.credentialsRef.name | string | Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| spec.venafi.tpp.url | string | URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk". |
| spec.venafi.zone | string | Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. |
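
Several rows above mark settings as development-only, mutually exclusive, or required (skipTLSVerify, caBundle versus caBundleSecretRef, tpp versus cloud, zone, solvers). The following added example, not part of the cert-manager project or this reference, lints a ClusterIssuer object for those conditions; the sample manifest, its Secret name and the https-only checks for server URLs are the example's own assumptions.

```python
"""Lint a cert-manager ClusterIssuer for risky or invalid settings (added example)."""

# Constructed sample: an ACME ClusterIssuer with development-only settings.
SAMPLE_ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {
        "acme": {
            "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
            "skipTLSVerify": True,  # insecure: ACME server cert is not validated
            "privateKeySecretRef": {"name": "letsencrypt-staging-account-key"},
            # email and solvers deliberately omitted
        }
    },
}


def lint_cluster_issuer(obj: dict) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    spec = obj.get("spec", {})
    acme = spec.get("acme")
    if acme is not None:
        if acme.get("skipTLSVerify"):
            findings.append("acme.skipTLSVerify=true: ACME server TLS certificate is not validated")
        if not str(acme.get("server", "")).startswith("https://"):
            findings.append("acme.server is not an https:// URL")
        if not acme.get("email"):
            findings.append("acme.email unset: no contact for account or expiry notices")
        if not acme.get("solvers"):
            findings.append("acme.solvers empty: no ACME challenge can be solved")
    vault = spec.get("vault")
    if vault is not None:
        if "caBundle" in vault and "caBundleSecretRef" in vault:
            findings.append("vault.caBundle and vault.caBundleSecretRef are mutually exclusive")
        if not str(vault.get("server", "")).startswith("https://"):
            findings.append("vault.server is not an https:// URL: auth secret would travel in clear")
    venafi = spec.get("venafi")
    if venafi is not None:
        if "tpp" in venafi and "cloud" in venafi:
            findings.append("venafi.tpp and venafi.cloud: only one may be specified")
        if not venafi.get("zone"):
            findings.append("venafi.zone is required")
    return findings


if __name__ == "__main__":
    for finding in lint_cluster_issuer(SAMPLE_ISSUER):
        print("-", finding)
```

Running it on the sample reports three findings (skipTLSVerify, missing email, missing solvers); the same function can be pointed at a manifest loaded from the cluster.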

status

Description: Status of the ClusterIssuer. This is set and managed automatically.

Type: object

Table 5. Description of ClusterIssuer/v1 status

| Property | Type | Description |
|---|---|---|
| status | object | Status of the ClusterIssuer. This is set and managed automatically. |
| status.acme | object | ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. |
| status.acme.lastRegisteredEmail | string | LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to the registered account associated with the Issuer. |
| status.acme.uri | string | URI is the unique account identifier, which can also be used to retrieve account details from the CA. |
| status.conditions | array | List of status conditions to indicate the status of a CertificateRequest. Known condition types are Ready. |