/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package acme
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/acme"
)
// SchemeBuilder collects the registration functions for the internal
// (unversioned) acme API types. addKnownTypes is the only function it is
// created with; other files may Register more.
var SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

// AddToScheme applies every function collected by SchemeBuilder to a scheme.
var AddToScheme = SchemeBuilder.AddToScheme

// SchemeGroupVersion is the group/version under which the internal types are
// registered. Using runtime.APIVersionInternal marks them as the internal,
// unversioned representation rather than a served API version.
var SchemeGroupVersion = schema.GroupVersion{
	Group:   acme.GroupName,
	Version: runtime.APIVersionInternal,
}
// Resource qualifies an unversioned resource name with this package's API
// group and returns the resulting GroupResource. The version component of
// SchemeGroupVersion is dropped in the process.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
// addKnownTypes registers the internal Order and Challenge objects, together
// with their list types, with scheme under SchemeGroupVersion.
//
// It always returns nil; the error result only exists to satisfy the
// function signature expected by runtime.NewSchemeBuilder.
func addKnownTypes(scheme *runtime.Scheme) error {
	internalTypes := []runtime.Object{
		&Order{},
		&OrderList{},
		&Challenge{},
		&ChallengeList{},
	}
	scheme.AddKnownTypes(SchemeGroupVersion, internalTypes...)
	return nil
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/conversion"
"github.com/cert-manager/cert-manager/internal/apis/acme"
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// Convert_acme_ACMEIssuer_To_v1_ACMEIssuer converts an internal ACMEIssuer
// into its v1 form.
//
// The public wrapper is written by hand rather than emitted by
// conversion-gen, because ACMEIssuer references types from other API groups
// and the generator has trouble with that case. The actual field-by-field
// work is still delegated to the generated autoConvert function, so this
// wrapper adds no behaviour of its own.
func Convert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *v1.ACMEIssuer, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// Convert_v1_ACMEIssuer_To_acme_ACMEIssuer converts a v1 ACMEIssuer into the
// internal form.
//
// As with the reverse direction, the public wrapper is hand-written to avoid
// conversion-gen issues when ACMEIssuer references types from other API
// groups; the generated autoConvert function does all the field copying.
func Convert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *v1.ACMEIssuer, out *acme.ACMEIssuer, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in, out, s); err != nil {
		return err
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime"
)
// addDefaultingFuncs registers this package's defaulting functions with
// scheme by delegating to the generated RegisterDefaults. It is kept as a
// separate hand-written function so it can be registered from init() in
// register.go without depending on generated file names.
func addDefaultingFuncs(scheme *runtime.Scheme) error {
	if err := RegisterDefaults(scheme); err != nil {
		return err
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/acme"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// SchemeGroupVersion identifies the acme API group at the served version
// "v1"; the conversion and defaulting functions in this package are
// registered against it.
var SchemeGroupVersion = schema.GroupVersion{
	Group:   acme.GroupName,
	Version: "v1",
}
// Resource qualifies an unversioned resource name with the acme API group and
// returns the resulting GroupResource; the "v1" version component is not
// part of the result.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
// localSchemeBuilder points at the SchemeBuilder of the public v1 API
// package, so that the conversion and defaulting functions defined in this
// internal package are registered on the same builder as the public types.
var localSchemeBuilder = &cmacme.SchemeBuilder

// AddToScheme applies every function collected by localSchemeBuilder to a
// scheme.
var AddToScheme = localSchemeBuilder.AddToScheme
// init registers the hand-written defaulting entry point.
//
// Only manually written functions are registered here; each generated file
// registers its own functions from its own init(). Keeping the two apart
// means this package still compiles when the generated files are missing.
func init() {
	localSchemeBuilder.Register(addDefaultingFuncs)
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1
import (
unsafe "unsafe"
acme "github.com/cert-manager/cert-manager/internal/apis/acme"
meta "github.com/cert-manager/cert-manager/internal/apis/meta"
metav1 "github.com/cert-manager/cert-manager/internal/apis/meta/v1"
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
apismetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
pkgapismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
apisv1 "sigs.k8s.io/gateway-api/apis/v1"
)
// init registers the generated conversion functions on the package's shared
// scheme builder. Generated and hand-written registrations live in separate
// init functions so that the package still compiles when this generated file
// is absent.
func init() {
	localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
//
// Every type pair is registered in both directions (v1 -> internal first,
// then internal -> v1). The generated pairs go through
// AddGeneratedConversionFunc; the ACMEIssuer pair at the end goes through
// AddConversionFunc because its public wrappers are hand-written in
// conversion.go. Registration stops at the first failure and that error is
// returned unchanged.
//
// This file is generated: do not edit it by hand. If any of the converted
// structs change, re-run conversion-gen so that the unsafe.Pointer casts in
// the autoConvert functions below stay in step with the type layouts.
func RegisterConversions(s *runtime.Scheme) error {
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEAuthorization)(nil), (*acme.ACMEAuthorization)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEAuthorization_To_acme_ACMEAuthorization(a.(*acmev1.ACMEAuthorization), b.(*acme.ACMEAuthorization), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEAuthorization)(nil), (*acmev1.ACMEAuthorization)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEAuthorization_To_v1_ACMEAuthorization(a.(*acme.ACMEAuthorization), b.(*acmev1.ACMEAuthorization), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallenge)(nil), (*acme.ACMEChallenge)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallenge_To_acme_ACMEChallenge(a.(*acmev1.ACMEChallenge), b.(*acme.ACMEChallenge), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallenge)(nil), (*acmev1.ACMEChallenge)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallenge_To_v1_ACMEChallenge(a.(*acme.ACMEChallenge), b.(*acmev1.ACMEChallenge), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolver)(nil), (*acme.ACMEChallengeSolver)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(a.(*acmev1.ACMEChallengeSolver), b.(*acme.ACMEChallengeSolver), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolver)(nil), (*acmev1.ACMEChallengeSolver)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(a.(*acme.ACMEChallengeSolver), b.(*acmev1.ACMEChallengeSolver), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverDNS01)(nil), (*acme.ACMEChallengeSolverDNS01)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01(a.(*acmev1.ACMEChallengeSolverDNS01), b.(*acme.ACMEChallengeSolverDNS01), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverDNS01)(nil), (*acmev1.ACMEChallengeSolverDNS01)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01(a.(*acme.ACMEChallengeSolverDNS01), b.(*acmev1.ACMEChallengeSolverDNS01), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01)(nil), (*acme.ACMEChallengeSolverHTTP01)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01(a.(*acmev1.ACMEChallengeSolverHTTP01), b.(*acme.ACMEChallengeSolverHTTP01), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01)(nil), (*acmev1.ACMEChallengeSolverHTTP01)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01(a.(*acme.ACMEChallengeSolverHTTP01), b.(*acmev1.ACMEChallengeSolverHTTP01), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(nil), (*acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(a.(*acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute), b.(*acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(nil), (*acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(a.(*acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute), b.(*acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01Ingress)(nil), (*acme.ACMEChallengeSolverHTTP01Ingress)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress(a.(*acmev1.ACMEChallengeSolverHTTP01Ingress), b.(*acme.ACMEChallengeSolverHTTP01Ingress), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01Ingress)(nil), (*acmev1.ACMEChallengeSolverHTTP01Ingress)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress(a.(*acme.ACMEChallengeSolverHTTP01Ingress), b.(*acmev1.ACMEChallengeSolverHTTP01Ingress), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta)(nil), (*acme.ACMEChallengeSolverHTTP01IngressObjectMeta)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta(a.(*acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta), b.(*acme.ACMEChallengeSolverHTTP01IngressObjectMeta), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressObjectMeta)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta(a.(*acme.ACMEChallengeSolverHTTP01IngressObjectMeta), b.(*acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta)(nil), (*acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta(a.(*acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta), b.(*acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta(a.(*acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta), b.(*acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressPodResources)(nil), (*acme.ACMEChallengeSolverHTTP01IngressPodResources)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources(a.(*acmev1.ACMEChallengeSolverHTTP01IngressPodResources), b.(*acme.ACMEChallengeSolverHTTP01IngressPodResources), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressPodResources)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressPodResources)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources(a.(*acme.ACMEChallengeSolverHTTP01IngressPodResources), b.(*acmev1.ACMEChallengeSolverHTTP01IngressPodResources), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(nil), (*acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext(a.(*acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext), b.(*acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext(a.(*acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext), b.(*acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressPodSpec)(nil), (*acme.ACMEChallengeSolverHTTP01IngressPodSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec(a.(*acmev1.ACMEChallengeSolverHTTP01IngressPodSpec), b.(*acme.ACMEChallengeSolverHTTP01IngressPodSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressPodSpec)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressPodSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec(a.(*acme.ACMEChallengeSolverHTTP01IngressPodSpec), b.(*acmev1.ACMEChallengeSolverHTTP01IngressPodSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate)(nil), (*acme.ACMEChallengeSolverHTTP01IngressPodTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate(a.(*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate), b.(*acme.ACMEChallengeSolverHTTP01IngressPodTemplate), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressPodTemplate)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate(a.(*acme.ACMEChallengeSolverHTTP01IngressPodTemplate), b.(*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEChallengeSolverHTTP01IngressTemplate)(nil), (*acme.ACMEChallengeSolverHTTP01IngressTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate(a.(*acmev1.ACMEChallengeSolverHTTP01IngressTemplate), b.(*acme.ACMEChallengeSolverHTTP01IngressTemplate), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEChallengeSolverHTTP01IngressTemplate)(nil), (*acmev1.ACMEChallengeSolverHTTP01IngressTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate(a.(*acme.ACMEChallengeSolverHTTP01IngressTemplate), b.(*acmev1.ACMEChallengeSolverHTTP01IngressTemplate), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEExternalAccountBinding)(nil), (*acme.ACMEExternalAccountBinding)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding(a.(*acmev1.ACMEExternalAccountBinding), b.(*acme.ACMEExternalAccountBinding), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEExternalAccountBinding)(nil), (*acmev1.ACMEExternalAccountBinding)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding(a.(*acme.ACMEExternalAccountBinding), b.(*acmev1.ACMEExternalAccountBinding), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderAcmeDNS)(nil), (*acme.ACMEIssuerDNS01ProviderAcmeDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS(a.(*acmev1.ACMEIssuerDNS01ProviderAcmeDNS), b.(*acme.ACMEIssuerDNS01ProviderAcmeDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderAcmeDNS)(nil), (*acmev1.ACMEIssuerDNS01ProviderAcmeDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS(a.(*acme.ACMEIssuerDNS01ProviderAcmeDNS), b.(*acmev1.ACMEIssuerDNS01ProviderAcmeDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderAkamai)(nil), (*acme.ACMEIssuerDNS01ProviderAkamai)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai(a.(*acmev1.ACMEIssuerDNS01ProviderAkamai), b.(*acme.ACMEIssuerDNS01ProviderAkamai), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderAkamai)(nil), (*acmev1.ACMEIssuerDNS01ProviderAkamai)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai(a.(*acme.ACMEIssuerDNS01ProviderAkamai), b.(*acmev1.ACMEIssuerDNS01ProviderAkamai), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderAzureDNS)(nil), (*acme.ACMEIssuerDNS01ProviderAzureDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS(a.(*acmev1.ACMEIssuerDNS01ProviderAzureDNS), b.(*acme.ACMEIssuerDNS01ProviderAzureDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderAzureDNS)(nil), (*acmev1.ACMEIssuerDNS01ProviderAzureDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS(a.(*acme.ACMEIssuerDNS01ProviderAzureDNS), b.(*acmev1.ACMEIssuerDNS01ProviderAzureDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderCloudDNS)(nil), (*acme.ACMEIssuerDNS01ProviderCloudDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS(a.(*acmev1.ACMEIssuerDNS01ProviderCloudDNS), b.(*acme.ACMEIssuerDNS01ProviderCloudDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderCloudDNS)(nil), (*acmev1.ACMEIssuerDNS01ProviderCloudDNS)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS(a.(*acme.ACMEIssuerDNS01ProviderCloudDNS), b.(*acmev1.ACMEIssuerDNS01ProviderCloudDNS), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderCloudflare)(nil), (*acme.ACMEIssuerDNS01ProviderCloudflare)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare(a.(*acmev1.ACMEIssuerDNS01ProviderCloudflare), b.(*acme.ACMEIssuerDNS01ProviderCloudflare), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderCloudflare)(nil), (*acmev1.ACMEIssuerDNS01ProviderCloudflare)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare(a.(*acme.ACMEIssuerDNS01ProviderCloudflare), b.(*acmev1.ACMEIssuerDNS01ProviderCloudflare), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderDigitalOcean)(nil), (*acme.ACMEIssuerDNS01ProviderDigitalOcean)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean(a.(*acmev1.ACMEIssuerDNS01ProviderDigitalOcean), b.(*acme.ACMEIssuerDNS01ProviderDigitalOcean), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderDigitalOcean)(nil), (*acmev1.ACMEIssuerDNS01ProviderDigitalOcean)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean(a.(*acme.ACMEIssuerDNS01ProviderDigitalOcean), b.(*acmev1.ACMEIssuerDNS01ProviderDigitalOcean), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderRFC2136)(nil), (*acme.ACMEIssuerDNS01ProviderRFC2136)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136(a.(*acmev1.ACMEIssuerDNS01ProviderRFC2136), b.(*acme.ACMEIssuerDNS01ProviderRFC2136), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderRFC2136)(nil), (*acmev1.ACMEIssuerDNS01ProviderRFC2136)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136(a.(*acme.ACMEIssuerDNS01ProviderRFC2136), b.(*acmev1.ACMEIssuerDNS01ProviderRFC2136), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderRoute53)(nil), (*acme.ACMEIssuerDNS01ProviderRoute53)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(a.(*acmev1.ACMEIssuerDNS01ProviderRoute53), b.(*acme.ACMEIssuerDNS01ProviderRoute53), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderRoute53)(nil), (*acmev1.ACMEIssuerDNS01ProviderRoute53)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(a.(*acme.ACMEIssuerDNS01ProviderRoute53), b.(*acmev1.ACMEIssuerDNS01ProviderRoute53), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerDNS01ProviderWebhook)(nil), (*acme.ACMEIssuerDNS01ProviderWebhook)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook(a.(*acmev1.ACMEIssuerDNS01ProviderWebhook), b.(*acme.ACMEIssuerDNS01ProviderWebhook), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerDNS01ProviderWebhook)(nil), (*acmev1.ACMEIssuerDNS01ProviderWebhook)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook(a.(*acme.ACMEIssuerDNS01ProviderWebhook), b.(*acmev1.ACMEIssuerDNS01ProviderWebhook), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ACMEIssuerStatus)(nil), (*acme.ACMEIssuerStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus(a.(*acmev1.ACMEIssuerStatus), b.(*acme.ACMEIssuerStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ACMEIssuerStatus)(nil), (*acmev1.ACMEIssuerStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus(a.(*acme.ACMEIssuerStatus), b.(*acmev1.ACMEIssuerStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.AzureManagedIdentity)(nil), (*acme.AzureManagedIdentity)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity(a.(*acmev1.AzureManagedIdentity), b.(*acme.AzureManagedIdentity), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.AzureManagedIdentity)(nil), (*acmev1.AzureManagedIdentity)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity(a.(*acme.AzureManagedIdentity), b.(*acmev1.AzureManagedIdentity), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.CertificateDNSNameSelector)(nil), (*acme.CertificateDNSNameSelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector(a.(*acmev1.CertificateDNSNameSelector), b.(*acme.CertificateDNSNameSelector), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.CertificateDNSNameSelector)(nil), (*acmev1.CertificateDNSNameSelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector(a.(*acme.CertificateDNSNameSelector), b.(*acmev1.CertificateDNSNameSelector), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.Challenge)(nil), (*acme.Challenge)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_Challenge_To_acme_Challenge(a.(*acmev1.Challenge), b.(*acme.Challenge), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.Challenge)(nil), (*acmev1.Challenge)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_Challenge_To_v1_Challenge(a.(*acme.Challenge), b.(*acmev1.Challenge), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ChallengeList)(nil), (*acme.ChallengeList)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ChallengeList_To_acme_ChallengeList(a.(*acmev1.ChallengeList), b.(*acme.ChallengeList), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ChallengeList)(nil), (*acmev1.ChallengeList)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ChallengeList_To_v1_ChallengeList(a.(*acme.ChallengeList), b.(*acmev1.ChallengeList), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ChallengeSpec)(nil), (*acme.ChallengeSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ChallengeSpec_To_acme_ChallengeSpec(a.(*acmev1.ChallengeSpec), b.(*acme.ChallengeSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ChallengeSpec)(nil), (*acmev1.ChallengeSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ChallengeSpec_To_v1_ChallengeSpec(a.(*acme.ChallengeSpec), b.(*acmev1.ChallengeSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ChallengeStatus)(nil), (*acme.ChallengeStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ChallengeStatus_To_acme_ChallengeStatus(a.(*acmev1.ChallengeStatus), b.(*acme.ChallengeStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ChallengeStatus)(nil), (*acmev1.ChallengeStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ChallengeStatus_To_v1_ChallengeStatus(a.(*acme.ChallengeStatus), b.(*acmev1.ChallengeStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.Order)(nil), (*acme.Order)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_Order_To_acme_Order(a.(*acmev1.Order), b.(*acme.Order), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.Order)(nil), (*acmev1.Order)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_Order_To_v1_Order(a.(*acme.Order), b.(*acmev1.Order), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.OrderList)(nil), (*acme.OrderList)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_OrderList_To_acme_OrderList(a.(*acmev1.OrderList), b.(*acme.OrderList), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.OrderList)(nil), (*acmev1.OrderList)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_OrderList_To_v1_OrderList(a.(*acme.OrderList), b.(*acmev1.OrderList), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.OrderSpec)(nil), (*acme.OrderSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_OrderSpec_To_acme_OrderSpec(a.(*acmev1.OrderSpec), b.(*acme.OrderSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.OrderSpec)(nil), (*acmev1.OrderSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_OrderSpec_To_v1_OrderSpec(a.(*acme.OrderSpec), b.(*acmev1.OrderSpec), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.OrderStatus)(nil), (*acme.OrderStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_OrderStatus_To_acme_OrderStatus(a.(*acmev1.OrderStatus), b.(*acme.OrderStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.OrderStatus)(nil), (*acmev1.OrderStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_OrderStatus_To_v1_OrderStatus(a.(*acme.OrderStatus), b.(*acmev1.OrderStatus), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.Route53Auth)(nil), (*acme.Route53Auth)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_Route53Auth_To_acme_Route53Auth(a.(*acmev1.Route53Auth), b.(*acme.Route53Auth), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.Route53Auth)(nil), (*acmev1.Route53Auth)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_Route53Auth_To_v1_Route53Auth(a.(*acme.Route53Auth), b.(*acmev1.Route53Auth), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.Route53KubernetesAuth)(nil), (*acme.Route53KubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth(a.(*acmev1.Route53KubernetesAuth), b.(*acme.Route53KubernetesAuth), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.Route53KubernetesAuth)(nil), (*acmev1.Route53KubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth(a.(*acme.Route53KubernetesAuth), b.(*acmev1.Route53KubernetesAuth), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acmev1.ServiceAccountRef)(nil), (*acme.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ServiceAccountRef_To_acme_ServiceAccountRef(a.(*acmev1.ServiceAccountRef), b.(*acme.ServiceAccountRef), scope)
	}); err != nil {
		return err
	}
	if err := s.AddGeneratedConversionFunc((*acme.ServiceAccountRef)(nil), (*acmev1.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ServiceAccountRef_To_v1_ServiceAccountRef(a.(*acme.ServiceAccountRef), b.(*acmev1.ServiceAccountRef), scope)
	}); err != nil {
		return err
	}
	// ACMEIssuer is the one pair whose public conversion wrappers are written
	// by hand (conversion.go), so it is registered as a manual conversion
	// rather than a generated one.
	if err := s.AddConversionFunc((*acme.ACMEIssuer)(nil), (*acmev1.ACMEIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_acme_ACMEIssuer_To_v1_ACMEIssuer(a.(*acme.ACMEIssuer), b.(*acmev1.ACMEIssuer), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*acmev1.ACMEIssuer)(nil), (*acme.ACMEIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_ACMEIssuer_To_acme_ACMEIssuer(a.(*acmev1.ACMEIssuer), b.(*acme.ACMEIssuer), scope)
	}); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEAuthorization_To_acme_ACMEAuthorization copies a v1 ACMEAuthorization
// into the internal representation. Only URL, Identifier and InitialState are value copies;
// Wildcard and Challenges are reinterpreted in place via unsafe.Pointer, so out shares that
// memory with in (a later mutation through either side is visible on the other). Never
// returns a non-nil error; the error result only satisfies the conversion signature.
func autoConvert_v1_ACMEAuthorization_To_acme_ACMEAuthorization(in *acmev1.ACMEAuthorization, out *acme.ACMEAuthorization, s conversion.Scope) error {
	out.URL = in.URL
	out.Identifier = in.Identifier
	// Pointer cast, not a copy: out.Wildcard == in.Wildcard.
	out.Wildcard = (*bool)(unsafe.Pointer(in.Wildcard))
	out.InitialState = acme.State(in.InitialState)
	// Slice header reinterpretation: both slices point at the same backing array.
	out.Challenges = *(*[]acme.ACMEChallenge)(unsafe.Pointer(&in.Challenges))
	return nil
}
// Convert_v1_ACMEAuthorization_To_acme_ACMEAuthorization is the registered conversion entry
// point for v1 -> internal ACMEAuthorization. It is autogenerated and only delegates to the
// autoConvert body, propagating that body's error unchanged.
func Convert_v1_ACMEAuthorization_To_acme_ACMEAuthorization(in *acmev1.ACMEAuthorization, out *acme.ACMEAuthorization, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEAuthorization_To_acme_ACMEAuthorization(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEAuthorization_To_v1_ACMEAuthorization copies an internal
// ACMEAuthorization into its v1 representation. URL, Identifier and InitialState are
// value copies; Wildcard and Challenges are reinterpreted in place via unsafe.Pointer,
// so out aliases in for those fields rather than owning a copy. Never returns a non-nil
// error.
func autoConvert_acme_ACMEAuthorization_To_v1_ACMEAuthorization(in *acme.ACMEAuthorization, out *acmev1.ACMEAuthorization, s conversion.Scope) error {
	out.URL = in.URL
	out.Identifier = in.Identifier
	// Pointer cast, not a copy: out.Wildcard == in.Wildcard.
	out.Wildcard = (*bool)(unsafe.Pointer(in.Wildcard))
	out.InitialState = acmev1.State(in.InitialState)
	// Slice header reinterpretation: shared backing array.
	out.Challenges = *(*[]acmev1.ACMEChallenge)(unsafe.Pointer(&in.Challenges))
	return nil
}
// Convert_acme_ACMEAuthorization_To_v1_ACMEAuthorization is the registered conversion entry
// point for internal -> v1 ACMEAuthorization. Autogenerated; it delegates to the autoConvert
// body and returns its error unchanged.
func Convert_acme_ACMEAuthorization_To_v1_ACMEAuthorization(in *acme.ACMEAuthorization, out *acmev1.ACMEAuthorization, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEAuthorization_To_v1_ACMEAuthorization(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallenge_To_acme_ACMEChallenge copies the three scalar fields of a
// v1 ACMEChallenge (URL, Token, Type) into the internal type. It cannot fail; the error
// result only satisfies the conversion function signature and s is unused.
func autoConvert_v1_ACMEChallenge_To_acme_ACMEChallenge(in *acmev1.ACMEChallenge, out *acme.ACMEChallenge, s conversion.Scope) error {
	out.Type = in.Type
	out.Token = in.Token
	out.URL = in.URL
	return nil
}
// Convert_v1_ACMEChallenge_To_acme_ACMEChallenge is the registered conversion entry point for
// v1 -> internal ACMEChallenge. Autogenerated; delegates to the autoConvert body.
func Convert_v1_ACMEChallenge_To_acme_ACMEChallenge(in *acmev1.ACMEChallenge, out *acme.ACMEChallenge, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallenge_To_acme_ACMEChallenge(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallenge_To_v1_ACMEChallenge copies the three scalar fields of an
// internal ACMEChallenge (URL, Token, Type) into the v1 type. It cannot fail; the error
// result only satisfies the conversion function signature and s is unused.
func autoConvert_acme_ACMEChallenge_To_v1_ACMEChallenge(in *acme.ACMEChallenge, out *acmev1.ACMEChallenge, s conversion.Scope) error {
	out.Type = in.Type
	out.Token = in.Token
	out.URL = in.URL
	return nil
}
// Convert_acme_ACMEChallenge_To_v1_ACMEChallenge is the registered conversion entry point for
// internal -> v1 ACMEChallenge. Autogenerated; delegates to the autoConvert body.
func Convert_acme_ACMEChallenge_To_v1_ACMEChallenge(in *acme.ACMEChallenge, out *acmev1.ACMEChallenge, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallenge_To_v1_ACMEChallenge(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver converts a v1 solver into
// the internal type. Selector and HTTP01 are reinterpreted in place via unsafe.Pointer
// (out aliases in's memory); DNS01 is allocated fresh and converted through
// Convert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01, whose error is
// returned as-is, leaving out partially populated. A nil DNS01 on in becomes nil on out.
func autoConvert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(in *acmev1.ACMEChallengeSolver, out *acme.ACMEChallengeSolver, s conversion.Scope) error {
	// Pointer casts, not copies.
	out.Selector = (*acme.CertificateDNSNameSelector)(unsafe.Pointer(in.Selector))
	out.HTTP01 = (*acme.ACMEChallengeSolverHTTP01)(unsafe.Pointer(in.HTTP01))
	if in.DNS01 != nil {
		// Shadow in/out with the sub-field addresses so the nested converter reads naturally.
		in, out := &in.DNS01, &out.DNS01
		*out = new(acme.ACMEChallengeSolverDNS01)
		if err := Convert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.DNS01 = nil
	}
	return nil
}
// Convert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver is the registered conversion
// entry point for v1 -> internal ACMEChallengeSolver. Autogenerated; delegates to the
// autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(in *acmev1.ACMEChallengeSolver, out *acme.ACMEChallengeSolver, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver converts an internal solver
// into its v1 form. Selector and HTTP01 are reinterpreted in place via unsafe.Pointer (out
// aliases in's memory); DNS01 is allocated fresh and converted through
// Convert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01, whose error is
// returned as-is, leaving out partially populated. A nil DNS01 on in becomes nil on out.
func autoConvert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(in *acme.ACMEChallengeSolver, out *acmev1.ACMEChallengeSolver, s conversion.Scope) error {
	// Pointer casts, not copies.
	out.Selector = (*acmev1.CertificateDNSNameSelector)(unsafe.Pointer(in.Selector))
	out.HTTP01 = (*acmev1.ACMEChallengeSolverHTTP01)(unsafe.Pointer(in.HTTP01))
	if in.DNS01 != nil {
		// Shadow in/out with the sub-field addresses so the nested converter reads naturally.
		in, out := &in.DNS01, &out.DNS01
		*out = new(acmev1.ACMEChallengeSolverDNS01)
		if err := Convert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.DNS01 = nil
	}
	return nil
}
// Convert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver is the registered conversion
// entry point for internal -> v1 ACMEChallengeSolver. Autogenerated; delegates to the
// autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(in *acme.ACMEChallengeSolver, out *acmev1.ACMEChallengeSolver, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01 converts a v1
// DNS01 solver into the internal type. Each provider block (Akamai, CloudDNS, Cloudflare,
// Route53, AzureDNS, DigitalOcean, AcmeDNS, RFC2136) is allocated fresh and converted
// through its own Convert_* function; the first error aborts the conversion and is returned
// unchanged, leaving out partially populated. A nil provider on in is mirrored as nil on out.
// Webhook is the exception: it is reinterpreted in place via unsafe.Pointer, so out.Webhook
// aliases in.Webhook rather than being copied.
func autoConvert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01(in *acmev1.ACMEChallengeSolverDNS01, out *acme.ACMEChallengeSolverDNS01, s conversion.Scope) error {
	out.CNAMEStrategy = acme.CNAMEStrategy(in.CNAMEStrategy)
	// Each block below shadows in/out with the provider sub-field addresses so the
	// nested converter call reads naturally.
	if in.Akamai != nil {
		in, out := &in.Akamai, &out.Akamai
		*out = new(acme.ACMEIssuerDNS01ProviderAkamai)
		if err := Convert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Akamai = nil
	}
	if in.CloudDNS != nil {
		in, out := &in.CloudDNS, &out.CloudDNS
		*out = new(acme.ACMEIssuerDNS01ProviderCloudDNS)
		if err := Convert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.CloudDNS = nil
	}
	if in.Cloudflare != nil {
		in, out := &in.Cloudflare, &out.Cloudflare
		*out = new(acme.ACMEIssuerDNS01ProviderCloudflare)
		if err := Convert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Cloudflare = nil
	}
	if in.Route53 != nil {
		in, out := &in.Route53, &out.Route53
		*out = new(acme.ACMEIssuerDNS01ProviderRoute53)
		if err := Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Route53 = nil
	}
	if in.AzureDNS != nil {
		in, out := &in.AzureDNS, &out.AzureDNS
		*out = new(acme.ACMEIssuerDNS01ProviderAzureDNS)
		if err := Convert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.AzureDNS = nil
	}
	if in.DigitalOcean != nil {
		in, out := &in.DigitalOcean, &out.DigitalOcean
		*out = new(acme.ACMEIssuerDNS01ProviderDigitalOcean)
		if err := Convert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.DigitalOcean = nil
	}
	if in.AcmeDNS != nil {
		in, out := &in.AcmeDNS, &out.AcmeDNS
		*out = new(acme.ACMEIssuerDNS01ProviderAcmeDNS)
		if err := Convert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.AcmeDNS = nil
	}
	if in.RFC2136 != nil {
		in, out := &in.RFC2136, &out.RFC2136
		*out = new(acme.ACMEIssuerDNS01ProviderRFC2136)
		if err := Convert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.RFC2136 = nil
	}
	// Pointer cast, not a copy: out.Webhook == in.Webhook.
	out.Webhook = (*acme.ACMEIssuerDNS01ProviderWebhook)(unsafe.Pointer(in.Webhook))
	return nil
}
// Convert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01 is the registered
// conversion entry point for v1 -> internal ACMEChallengeSolverDNS01. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01(in *acmev1.ACMEChallengeSolverDNS01, out *acme.ACMEChallengeSolverDNS01, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverDNS01_To_acme_ACMEChallengeSolverDNS01(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01 converts an
// internal DNS01 solver into its v1 form. Each provider block (Akamai, CloudDNS, Cloudflare,
// Route53, AzureDNS, DigitalOcean, AcmeDNS, RFC2136) is allocated fresh and converted
// through its own Convert_* function; the first error aborts the conversion and is returned
// unchanged, leaving out partially populated. A nil provider on in is mirrored as nil on out.
// Webhook is the exception: it is reinterpreted in place via unsafe.Pointer, so out.Webhook
// aliases in.Webhook rather than being copied.
func autoConvert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01(in *acme.ACMEChallengeSolverDNS01, out *acmev1.ACMEChallengeSolverDNS01, s conversion.Scope) error {
	out.CNAMEStrategy = acmev1.CNAMEStrategy(in.CNAMEStrategy)
	// Each block below shadows in/out with the provider sub-field addresses so the
	// nested converter call reads naturally.
	if in.Akamai != nil {
		in, out := &in.Akamai, &out.Akamai
		*out = new(acmev1.ACMEIssuerDNS01ProviderAkamai)
		if err := Convert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Akamai = nil
	}
	if in.CloudDNS != nil {
		in, out := &in.CloudDNS, &out.CloudDNS
		*out = new(acmev1.ACMEIssuerDNS01ProviderCloudDNS)
		if err := Convert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.CloudDNS = nil
	}
	if in.Cloudflare != nil {
		in, out := &in.Cloudflare, &out.Cloudflare
		*out = new(acmev1.ACMEIssuerDNS01ProviderCloudflare)
		if err := Convert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Cloudflare = nil
	}
	if in.Route53 != nil {
		in, out := &in.Route53, &out.Route53
		*out = new(acmev1.ACMEIssuerDNS01ProviderRoute53)
		if err := Convert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Route53 = nil
	}
	if in.AzureDNS != nil {
		in, out := &in.AzureDNS, &out.AzureDNS
		*out = new(acmev1.ACMEIssuerDNS01ProviderAzureDNS)
		if err := Convert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.AzureDNS = nil
	}
	if in.DigitalOcean != nil {
		in, out := &in.DigitalOcean, &out.DigitalOcean
		*out = new(acmev1.ACMEIssuerDNS01ProviderDigitalOcean)
		if err := Convert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.DigitalOcean = nil
	}
	if in.AcmeDNS != nil {
		in, out := &in.AcmeDNS, &out.AcmeDNS
		*out = new(acmev1.ACMEIssuerDNS01ProviderAcmeDNS)
		if err := Convert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.AcmeDNS = nil
	}
	if in.RFC2136 != nil {
		in, out := &in.RFC2136, &out.RFC2136
		*out = new(acmev1.ACMEIssuerDNS01ProviderRFC2136)
		if err := Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.RFC2136 = nil
	}
	// Pointer cast, not a copy: out.Webhook == in.Webhook.
	out.Webhook = (*acmev1.ACMEIssuerDNS01ProviderWebhook)(unsafe.Pointer(in.Webhook))
	return nil
}
// Convert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01 is the registered
// conversion entry point for internal -> v1 ACMEChallengeSolverDNS01. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01(in *acme.ACMEChallengeSolverDNS01, out *acmev1.ACMEChallengeSolverDNS01, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverDNS01_To_v1_ACMEChallengeSolverDNS01(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01 converts a v1
// HTTP01 solver into the internal type. Both fields (Ingress, GatewayHTTPRoute) are
// reinterpreted in place via unsafe.Pointer, so out aliases in's memory; nothing is
// deep-copied. Never returns a non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01(in *acmev1.ACMEChallengeSolverHTTP01, out *acme.ACMEChallengeSolverHTTP01, s conversion.Scope) error {
	out.Ingress = (*acme.ACMEChallengeSolverHTTP01Ingress)(unsafe.Pointer(in.Ingress))
	out.GatewayHTTPRoute = (*acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(unsafe.Pointer(in.GatewayHTTPRoute))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01 is the registered
// conversion entry point for v1 -> internal ACMEChallengeSolverHTTP01. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01(in *acmev1.ACMEChallengeSolverHTTP01, out *acme.ACMEChallengeSolverHTTP01, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01_To_acme_ACMEChallengeSolverHTTP01(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01 converts an
// internal HTTP01 solver into its v1 form. Both fields (Ingress, GatewayHTTPRoute) are
// reinterpreted in place via unsafe.Pointer, so out aliases in's memory; nothing is
// deep-copied. Never returns a non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01(in *acme.ACMEChallengeSolverHTTP01, out *acmev1.ACMEChallengeSolverHTTP01, s conversion.Scope) error {
	out.Ingress = (*acmev1.ACMEChallengeSolverHTTP01Ingress)(unsafe.Pointer(in.Ingress))
	out.GatewayHTTPRoute = (*acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute)(unsafe.Pointer(in.GatewayHTTPRoute))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01 is the registered
// conversion entry point for internal -> v1 ACMEChallengeSolverHTTP01. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01(in *acme.ACMEChallengeSolverHTTP01, out *acmev1.ACMEChallengeSolverHTTP01, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01_To_v1_ACMEChallengeSolverHTTP01(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute
// converts a v1 Gateway HTTPRoute solver into the internal type. ServiceType is a value
// copy; Labels (map), ParentRefs (slice) and PodTemplate (pointer) are reinterpreted in
// place via unsafe.Pointer, so out shares their storage with in. Never returns a non-nil
// error.
func autoConvert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
	out.ServiceType = corev1.ServiceType(in.ServiceType)
	// Map/slice header reinterpretation: shared backing storage, not a copy.
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	out.ParentRefs = *(*[]apisv1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
	out.PodTemplate = (*acme.ACMEChallengeSolverHTTP01IngressPodTemplate)(unsafe.Pointer(in.PodTemplate))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute
// is the registered conversion entry point for v1 -> internal GatewayHTTPRoute solver.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute
// converts an internal Gateway HTTPRoute solver into its v1 form. ServiceType is a value
// copy; Labels (map), ParentRefs (slice) and PodTemplate (pointer) are reinterpreted in
// place via unsafe.Pointer, so out shares their storage with in. Never returns a non-nil
// error.
func autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
	out.ServiceType = corev1.ServiceType(in.ServiceType)
	// Map/slice header reinterpretation: shared backing storage, not a copy.
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	out.ParentRefs = *(*[]apisv1.ParentReference)(unsafe.Pointer(&in.ParentRefs))
	out.PodTemplate = (*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate)(unsafe.Pointer(in.PodTemplate))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute
// is the registered conversion entry point for internal -> v1 GatewayHTTPRoute solver.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in *acme.ACMEChallengeSolverHTTP01GatewayHTTPRoute, out *acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRoute, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01GatewayHTTPRoute_To_v1_ACMEChallengeSolverHTTP01GatewayHTTPRoute(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress
// converts a v1 Ingress solver into the internal type. ServiceType and Name are value
// copies; IngressClassName, Class, PodTemplate and IngressTemplate are pointers
// reinterpreted in place via unsafe.Pointer, so out aliases in for those fields. Never
// returns a non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress(in *acmev1.ACMEChallengeSolverHTTP01Ingress, out *acme.ACMEChallengeSolverHTTP01Ingress, s conversion.Scope) error {
	out.ServiceType = corev1.ServiceType(in.ServiceType)
	// Pointer casts, not copies.
	out.IngressClassName = (*string)(unsafe.Pointer(in.IngressClassName))
	out.Class = (*string)(unsafe.Pointer(in.Class))
	out.Name = in.Name
	out.PodTemplate = (*acme.ACMEChallengeSolverHTTP01IngressPodTemplate)(unsafe.Pointer(in.PodTemplate))
	out.IngressTemplate = (*acme.ACMEChallengeSolverHTTP01IngressTemplate)(unsafe.Pointer(in.IngressTemplate))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress is the
// registered conversion entry point for v1 -> internal Ingress solver. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress(in *acmev1.ACMEChallengeSolverHTTP01Ingress, out *acme.ACMEChallengeSolverHTTP01Ingress, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01Ingress_To_acme_ACMEChallengeSolverHTTP01Ingress(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress
// converts an internal Ingress solver into its v1 form. ServiceType and Name are value
// copies; IngressClassName, Class, PodTemplate and IngressTemplate are pointers
// reinterpreted in place via unsafe.Pointer, so out aliases in for those fields. Never
// returns a non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress(in *acme.ACMEChallengeSolverHTTP01Ingress, out *acmev1.ACMEChallengeSolverHTTP01Ingress, s conversion.Scope) error {
	out.ServiceType = corev1.ServiceType(in.ServiceType)
	// Pointer casts, not copies.
	out.IngressClassName = (*string)(unsafe.Pointer(in.IngressClassName))
	out.Class = (*string)(unsafe.Pointer(in.Class))
	out.Name = in.Name
	out.PodTemplate = (*acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate)(unsafe.Pointer(in.PodTemplate))
	out.IngressTemplate = (*acmev1.ACMEChallengeSolverHTTP01IngressTemplate)(unsafe.Pointer(in.IngressTemplate))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress is the
// registered conversion entry point for internal -> v1 Ingress solver. Autogenerated;
// delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress(in *acme.ACMEChallengeSolverHTTP01Ingress, out *acmev1.ACMEChallengeSolverHTTP01Ingress, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01Ingress_To_v1_ACMEChallengeSolverHTTP01Ingress(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta
// converts v1 ingress object metadata into the internal type. Both maps (Annotations,
// Labels) are reinterpreted in place via unsafe.Pointer, so out and in share the same map
// storage rather than holding independent copies. Never returns a non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta(in *acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta, out *acme.ACMEChallengeSolverHTTP01IngressObjectMeta, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta
// is the registered conversion entry point for v1 -> internal ingress object metadata.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta(in *acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta, out *acme.ACMEChallengeSolverHTTP01IngressObjectMeta, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta
// converts internal ingress object metadata into its v1 form. Both maps (Annotations,
// Labels) are reinterpreted in place via unsafe.Pointer, so out and in share the same map
// storage rather than holding independent copies. Never returns a non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta(in *acme.ACMEChallengeSolverHTTP01IngressObjectMeta, out *acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta
// is the registered conversion entry point for internal -> v1 ingress object metadata.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta(in *acme.ACMEChallengeSolverHTTP01IngressObjectMeta, out *acmev1.ACMEChallengeSolverHTTP01IngressObjectMeta, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta
// converts v1 solver-pod object metadata into the internal type. Both maps (Annotations,
// Labels) are reinterpreted in place via unsafe.Pointer, so out and in share the same map
// storage. Never returns a non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in *acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta, out *acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta
// is the registered conversion entry point for v1 -> internal solver-pod object metadata.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in *acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta, out *acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta
// converts internal solver-pod object metadata into its v1 form. Both maps (Annotations,
// Labels) are reinterpreted in place via unsafe.Pointer, so out and in share the same map
// storage. Never returns a non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in *acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta, out *acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta
// is the registered conversion entry point for internal -> v1 solver-pod object metadata.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in *acme.ACMEChallengeSolverHTTP01IngressPodObjectMeta, out *acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources
// converts v1 solver-pod resource requirements into the internal type. Limits and Requests
// are corev1.ResourceList maps reinterpreted in place via unsafe.Pointer, so out shares the
// same map storage as in. Never returns a non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources(in *acmev1.ACMEChallengeSolverHTTP01IngressPodResources, out *acme.ACMEChallengeSolverHTTP01IngressPodResources, s conversion.Scope) error {
	out.Limits = *(*corev1.ResourceList)(unsafe.Pointer(&in.Limits))
	out.Requests = *(*corev1.ResourceList)(unsafe.Pointer(&in.Requests))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources
// is the registered conversion entry point for v1 -> internal solver-pod resources.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources(in *acmev1.ACMEChallengeSolverHTTP01IngressPodResources, out *acme.ACMEChallengeSolverHTTP01IngressPodResources, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodResources_To_acme_ACMEChallengeSolverHTTP01IngressPodResources(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources
// converts internal solver-pod resource requirements into the v1 type. Limits and Requests
// are corev1.ResourceList maps reinterpreted in place via unsafe.Pointer, so out shares the
// same map storage as in. Never returns a non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources(in *acme.ACMEChallengeSolverHTTP01IngressPodResources, out *acmev1.ACMEChallengeSolverHTTP01IngressPodResources, s conversion.Scope) error {
	out.Limits = *(*corev1.ResourceList)(unsafe.Pointer(&in.Limits))
	out.Requests = *(*corev1.ResourceList)(unsafe.Pointer(&in.Requests))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources
// is the registered conversion entry point for internal -> v1 solver-pod resources.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources(in *acme.ACMEChallengeSolverHTTP01IngressPodResources, out *acmev1.ACMEChallengeSolverHTTP01IngressPodResources, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodResources_To_v1_ACMEChallengeSolverHTTP01IngressPodResources(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext
// converts the v1 pod security context of the HTTP01 solver pod into the internal type.
// Every field (SELinuxOptions, RunAsUser, RunAsGroup, RunAsNonRoot, SupplementalGroups,
// FSGroup, Sysctls, FSGroupChangePolicy, SeccompProfile) is a pointer or slice reinterpreted
// in place via unsafe.Pointer: nothing is copied or validated here, out aliases in, and the
// v1 and internal field types must remain layout-compatible for these casts to stay sound
// (presumably enforced by regenerating this file when either type changes). Never returns a
// non-nil error.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in *acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext, out *acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext, s conversion.Scope) error {
	out.SELinuxOptions = (*corev1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
	out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
	// Slice header reinterpretation: shared backing array.
	out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
	out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
	out.Sysctls = *(*[]corev1.Sysctl)(unsafe.Pointer(&in.Sysctls))
	out.FSGroupChangePolicy = (*corev1.PodFSGroupChangePolicy)(unsafe.Pointer(in.FSGroupChangePolicy))
	out.SeccompProfile = (*corev1.SeccompProfile)(unsafe.Pointer(in.SeccompProfile))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext
// is the registered conversion entry point for v1 -> internal solver-pod security context.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in *acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext, out *acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext
// converts the internal pod security context of the HTTP01 solver pod into its v1 form.
// Every field (SELinuxOptions, RunAsUser, RunAsGroup, RunAsNonRoot, SupplementalGroups,
// FSGroup, Sysctls, FSGroupChangePolicy, SeccompProfile) is a pointer or slice reinterpreted
// in place via unsafe.Pointer: nothing is copied or validated here, out aliases in, and the
// v1 and internal field types must remain layout-compatible for these casts to stay sound
// (presumably enforced by regenerating this file when either type changes). Never returns a
// non-nil error.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in *acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext, out *acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext, s conversion.Scope) error {
	out.SELinuxOptions = (*corev1.SELinuxOptions)(unsafe.Pointer(in.SELinuxOptions))
	out.RunAsUser = (*int64)(unsafe.Pointer(in.RunAsUser))
	out.RunAsGroup = (*int64)(unsafe.Pointer(in.RunAsGroup))
	out.RunAsNonRoot = (*bool)(unsafe.Pointer(in.RunAsNonRoot))
	// Slice header reinterpretation: shared backing array.
	out.SupplementalGroups = *(*[]int64)(unsafe.Pointer(&in.SupplementalGroups))
	out.FSGroup = (*int64)(unsafe.Pointer(in.FSGroup))
	out.Sysctls = *(*[]corev1.Sysctl)(unsafe.Pointer(&in.Sysctls))
	out.FSGroupChangePolicy = (*corev1.PodFSGroupChangePolicy)(unsafe.Pointer(in.FSGroupChangePolicy))
	out.SeccompProfile = (*corev1.SeccompProfile)(unsafe.Pointer(in.SeccompProfile))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext
// is the registered conversion entry point for internal -> v1 solver-pod security context.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in *acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext, out *acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSecurityContext_To_v1_ACMEChallengeSolverHTTP01IngressPodSecurityContext(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec
// converts a v1 solver-pod spec into the internal type. PriorityClassName and
// ServiceAccountName are value copies; NodeSelector (map), Affinity (pointer), Tolerations
// and ImagePullSecrets (slices), SecurityContext and Resources (pointers) are reinterpreted
// in place via unsafe.Pointer, so out shares their storage with in. Never returns a non-nil
// error.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec(in *acmev1.ACMEChallengeSolverHTTP01IngressPodSpec, out *acme.ACMEChallengeSolverHTTP01IngressPodSpec, s conversion.Scope) error {
	out.NodeSelector = *(*map[string]string)(unsafe.Pointer(&in.NodeSelector))
	out.Affinity = (*corev1.Affinity)(unsafe.Pointer(in.Affinity))
	out.Tolerations = *(*[]corev1.Toleration)(unsafe.Pointer(&in.Tolerations))
	out.PriorityClassName = in.PriorityClassName
	out.ServiceAccountName = in.ServiceAccountName
	out.ImagePullSecrets = *(*[]corev1.LocalObjectReference)(unsafe.Pointer(&in.ImagePullSecrets))
	// Cast rather than routed through the dedicated PodSecurityContext/PodResources converters.
	out.SecurityContext = (*acme.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(unsafe.Pointer(in.SecurityContext))
	out.Resources = (*acme.ACMEChallengeSolverHTTP01IngressPodResources)(unsafe.Pointer(in.Resources))
	return nil
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec
// is the registered conversion entry point for v1 -> internal solver-pod spec.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec(in *acmev1.ACMEChallengeSolverHTTP01IngressPodSpec, out *acme.ACMEChallengeSolverHTTP01IngressPodSpec, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec
// converts an internal solver-pod spec into its v1 form. PriorityClassName and
// ServiceAccountName are value copies; NodeSelector (map), Affinity (pointer), Tolerations
// and ImagePullSecrets (slices), SecurityContext and Resources (pointers) are reinterpreted
// in place via unsafe.Pointer, so out shares their storage with in. Never returns a non-nil
// error.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec(in *acme.ACMEChallengeSolverHTTP01IngressPodSpec, out *acmev1.ACMEChallengeSolverHTTP01IngressPodSpec, s conversion.Scope) error {
	out.NodeSelector = *(*map[string]string)(unsafe.Pointer(&in.NodeSelector))
	out.Affinity = (*corev1.Affinity)(unsafe.Pointer(in.Affinity))
	out.Tolerations = *(*[]corev1.Toleration)(unsafe.Pointer(&in.Tolerations))
	out.PriorityClassName = in.PriorityClassName
	out.ServiceAccountName = in.ServiceAccountName
	out.ImagePullSecrets = *(*[]corev1.LocalObjectReference)(unsafe.Pointer(&in.ImagePullSecrets))
	// Cast rather than routed through the dedicated PodSecurityContext/PodResources converters.
	out.SecurityContext = (*acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContext)(unsafe.Pointer(in.SecurityContext))
	out.Resources = (*acmev1.ACMEChallengeSolverHTTP01IngressPodResources)(unsafe.Pointer(in.Resources))
	return nil
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec
// is the registered conversion entry point for internal -> v1 solver-pod spec.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec(in *acme.ACMEChallengeSolverHTTP01IngressPodSpec, out *acmev1.ACMEChallengeSolverHTTP01IngressPodSpec, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate
// converts a v1 solver-pod template into the internal type by converting its embedded
// PodObjectMeta first and then its Spec, each through the dedicated Convert_* function.
// The first failing sub-conversion aborts and its error is returned unchanged, leaving out
// partially populated.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate(in *acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate, out *acme.ACMEChallengeSolverHTTP01IngressPodTemplate, s conversion.Scope) error {
	err := Convert_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta(&in.ACMEChallengeSolverHTTP01IngressPodObjectMeta, &out.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s)
	if err != nil {
		return err
	}
	// Spec is only converted once the metadata succeeded; its result is the function's result.
	return Convert_v1_ACMEChallengeSolverHTTP01IngressPodSpec_To_acme_ACMEChallengeSolverHTTP01IngressPodSpec(&in.Spec, &out.Spec, s)
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate
// is the registered conversion entry point for v1 -> internal solver-pod template.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate(in *acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate, out *acme.ACMEChallengeSolverHTTP01IngressPodTemplate, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressPodTemplate_To_acme_ACMEChallengeSolverHTTP01IngressPodTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate
// converts an internal solver-pod template into its v1 form by converting its embedded
// PodObjectMeta first and then its Spec, each through the dedicated Convert_* function.
// The first failing sub-conversion aborts and its error is returned unchanged, leaving out
// partially populated.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate(in *acme.ACMEChallengeSolverHTTP01IngressPodTemplate, out *acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate, s conversion.Scope) error {
	err := Convert_acme_ACMEChallengeSolverHTTP01IngressPodObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressPodObjectMeta(&in.ACMEChallengeSolverHTTP01IngressPodObjectMeta, &out.ACMEChallengeSolverHTTP01IngressPodObjectMeta, s)
	if err != nil {
		return err
	}
	// Spec is only converted once the metadata succeeded; its result is the function's result.
	return Convert_acme_ACMEChallengeSolverHTTP01IngressPodSpec_To_v1_ACMEChallengeSolverHTTP01IngressPodSpec(&in.Spec, &out.Spec, s)
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate
// is the registered conversion entry point for internal -> v1 solver-pod template.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate(in *acme.ACMEChallengeSolverHTTP01IngressPodTemplate, out *acmev1.ACMEChallengeSolverHTTP01IngressPodTemplate, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressPodTemplate_To_v1_ACMEChallengeSolverHTTP01IngressPodTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate
// converts a v1 ingress template into the internal type. The template's only content is its
// embedded IngressObjectMeta, so the result is exactly the result of that sub-conversion.
func autoConvert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate(in *acmev1.ACMEChallengeSolverHTTP01IngressTemplate, out *acme.ACMEChallengeSolverHTTP01IngressTemplate, s conversion.Scope) error {
	return Convert_v1_ACMEChallengeSolverHTTP01IngressObjectMeta_To_acme_ACMEChallengeSolverHTTP01IngressObjectMeta(&in.ACMEChallengeSolverHTTP01IngressObjectMeta, &out.ACMEChallengeSolverHTTP01IngressObjectMeta, s)
}
// Convert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate
// is the registered conversion entry point for v1 -> internal ingress template.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate(in *acmev1.ACMEChallengeSolverHTTP01IngressTemplate, out *acme.ACMEChallengeSolverHTTP01IngressTemplate, s conversion.Scope) error {
	if err := autoConvert_v1_ACMEChallengeSolverHTTP01IngressTemplate_To_acme_ACMEChallengeSolverHTTP01IngressTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate
// converts an internal ingress template into its v1 form. The template's only content is its
// embedded IngressObjectMeta, so the result is exactly the result of that sub-conversion.
func autoConvert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate(in *acme.ACMEChallengeSolverHTTP01IngressTemplate, out *acmev1.ACMEChallengeSolverHTTP01IngressTemplate, s conversion.Scope) error {
	return Convert_acme_ACMEChallengeSolverHTTP01IngressObjectMeta_To_v1_ACMEChallengeSolverHTTP01IngressObjectMeta(&in.ACMEChallengeSolverHTTP01IngressObjectMeta, &out.ACMEChallengeSolverHTTP01IngressObjectMeta, s)
}
// Convert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate
// is the registered conversion entry point for internal -> v1 ingress template.
// Autogenerated; delegates to the autoConvert body and propagates its error.
func Convert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate(in *acme.ACMEChallengeSolverHTTP01IngressTemplate, out *acmev1.ACMEChallengeSolverHTTP01IngressTemplate, s conversion.Scope) error {
	if err := autoConvert_acme_ACMEChallengeSolverHTTP01IngressTemplate_To_v1_ACMEChallengeSolverHTTP01IngressTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding copies the EAB key ID, converts the
// secret key selector that points at the EAB secret, and carries over the HMAC key algorithm.
func autoConvert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding(in *acmev1.ACMEExternalAccountBinding, out *acme.ACMEExternalAccountBinding, s conversion.Scope) error {
	out.KeyID = in.KeyID
	err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.Key, &out.Key, s)
	if err != nil {
		return err
	}
	// Plain type conversion: the two HMACKeyAlgorithm types share an underlying type.
	out.KeyAlgorithm = acme.HMACKeyAlgorithm(in.KeyAlgorithm)
	return nil
}
// Convert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding(in *acmev1.ACMEExternalAccountBinding, out *acme.ACMEExternalAccountBinding, s conversion.Scope) error {
	err := autoConvert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding(in, out, s)
	return err
}
// autoConvert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding copies the EAB key ID, converts the
// secret key selector that points at the EAB secret, and carries over the HMAC key algorithm.
func autoConvert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding(in *acme.ACMEExternalAccountBinding, out *acmev1.ACMEExternalAccountBinding, s conversion.Scope) error {
	out.KeyID = in.KeyID
	err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.Key, &out.Key, s)
	if err != nil {
		return err
	}
	// Plain type conversion: the two HMACKeyAlgorithm types share an underlying type.
	out.KeyAlgorithm = acmev1.HMACKeyAlgorithm(in.KeyAlgorithm)
	return nil
}
// Convert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding(in *acme.ACMEExternalAccountBinding, out *acmev1.ACMEExternalAccountBinding, s conversion.Scope) error {
	err := autoConvert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer converts a v1 ACMEIssuer into the internal representation: scalar
// fields are copied, the optional external account binding and the solver list are converted element-wise, and the
// account private key selector is converted through the shared meta conversion. The first nested error aborts the
// conversion and is returned as-is.
func autoConvert_v1_ACMEIssuer_To_acme_ACMEIssuer(in *acmev1.ACMEIssuer, out *acme.ACMEIssuer, s conversion.Scope) error {
	out.Email = in.Email
	out.Server = in.Server
	out.PreferredChain = in.PreferredChain
	// Layout-compatible slice types: the slice header is reinterpreted rather than copied, so out.CABundle
	// aliases in.CABundle's backing array.
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
	out.SkipTLSVerify = in.SkipTLSVerify
	out.ExternalAccountBinding = nil
	if in.ExternalAccountBinding != nil {
		out.ExternalAccountBinding = new(acme.ACMEExternalAccountBinding)
		if err := Convert_v1_ACMEExternalAccountBinding_To_acme_ACMEExternalAccountBinding(in.ExternalAccountBinding, out.ExternalAccountBinding, s); err != nil {
			return err
		}
	}
	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PrivateKey, &out.PrivateKey, s); err != nil {
		return err
	}
	// A nil input slice stays nil; a non-nil (even empty) one yields a freshly allocated output slice.
	out.Solvers = nil
	if in.Solvers != nil {
		out.Solvers = make([]acme.ACMEChallengeSolver, len(in.Solvers))
		for i := range in.Solvers {
			if err := Convert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(&in.Solvers[i], &out.Solvers[i], s); err != nil {
				return err
			}
		}
	}
	out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
	out.EnableDurationFeature = in.EnableDurationFeature
	out.Profile = in.Profile
	return nil
}
// autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer converts an internal ACMEIssuer into its v1 representation: scalar
// fields are copied, the optional external account binding and the solver list are converted element-wise, and the
// account private key selector is converted through the shared meta conversion. The first nested error aborts the
// conversion and is returned as-is.
func autoConvert_acme_ACMEIssuer_To_v1_ACMEIssuer(in *acme.ACMEIssuer, out *acmev1.ACMEIssuer, s conversion.Scope) error {
	out.Email = in.Email
	out.Server = in.Server
	out.PreferredChain = in.PreferredChain
	// Layout-compatible slice types: the slice header is reinterpreted rather than copied, so out.CABundle
	// aliases in.CABundle's backing array.
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
	out.SkipTLSVerify = in.SkipTLSVerify
	out.ExternalAccountBinding = nil
	if in.ExternalAccountBinding != nil {
		out.ExternalAccountBinding = new(acmev1.ACMEExternalAccountBinding)
		if err := Convert_acme_ACMEExternalAccountBinding_To_v1_ACMEExternalAccountBinding(in.ExternalAccountBinding, out.ExternalAccountBinding, s); err != nil {
			return err
		}
	}
	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PrivateKey, &out.PrivateKey, s); err != nil {
		return err
	}
	// A nil input slice stays nil; a non-nil (even empty) one yields a freshly allocated output slice.
	out.Solvers = nil
	if in.Solvers != nil {
		out.Solvers = make([]acmev1.ACMEChallengeSolver, len(in.Solvers))
		for i := range in.Solvers {
			if err := Convert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(&in.Solvers[i], &out.Solvers[i], s); err != nil {
				return err
			}
		}
	}
	out.DisableAccountKeyGeneration = in.DisableAccountKeyGeneration
	out.EnableDurationFeature = in.EnableDurationFeature
	out.Profile = in.Profile
	return nil
}
// autoConvert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS copies the acme-dns host and
// converts the selector that references the account secret.
func autoConvert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS(in *acmev1.ACMEIssuerDNS01ProviderAcmeDNS, out *acme.ACMEIssuerDNS01ProviderAcmeDNS, s conversion.Scope) error {
	out.Host = in.Host
	// Last step: its result is the function's result.
	return metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.AccountSecret, &out.AccountSecret, s)
}
// Convert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS(in *acmev1.ACMEIssuerDNS01ProviderAcmeDNS, out *acme.ACMEIssuerDNS01ProviderAcmeDNS, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderAcmeDNS_To_acme_ACMEIssuerDNS01ProviderAcmeDNS(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS copies the acme-dns host and
// converts the selector that references the account secret.
func autoConvert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS(in *acme.ACMEIssuerDNS01ProviderAcmeDNS, out *acmev1.ACMEIssuerDNS01ProviderAcmeDNS, s conversion.Scope) error {
	out.Host = in.Host
	// Last step: its result is the function's result.
	return metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.AccountSecret, &out.AccountSecret, s)
}
// Convert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS(in *acme.ACMEIssuerDNS01ProviderAcmeDNS, out *acmev1.ACMEIssuerDNS01ProviderAcmeDNS, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderAcmeDNS_To_v1_ACMEIssuerDNS01ProviderAcmeDNS(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai copies the service consumer
// domain and converts the three secret selectors (client token, client secret, access token) in that order; the
// first selector conversion to fail ends the conversion.
func autoConvert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai(in *acmev1.ACMEIssuerDNS01ProviderAkamai, out *acme.ACMEIssuerDNS01ProviderAkamai, s conversion.Scope) error {
	out.ServiceConsumerDomain = in.ServiceConsumerDomain
	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.ClientToken, &out.ClientToken, s); err != nil {
		return err
	}
	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.ClientSecret, &out.ClientSecret, s); err != nil {
		return err
	}
	// Final selector: its result is the function's result.
	return metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.AccessToken, &out.AccessToken, s)
}
// Convert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai(in *acmev1.ACMEIssuerDNS01ProviderAkamai, out *acme.ACMEIssuerDNS01ProviderAkamai, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderAkamai_To_acme_ACMEIssuerDNS01ProviderAkamai(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai copies the service consumer
// domain and converts the three secret selectors (client token, client secret, access token) in that order; the
// first selector conversion to fail ends the conversion.
func autoConvert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai(in *acme.ACMEIssuerDNS01ProviderAkamai, out *acmev1.ACMEIssuerDNS01ProviderAkamai, s conversion.Scope) error {
	out.ServiceConsumerDomain = in.ServiceConsumerDomain
	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.ClientToken, &out.ClientToken, s); err != nil {
		return err
	}
	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.ClientSecret, &out.ClientSecret, s); err != nil {
		return err
	}
	// Final selector: its result is the function's result.
	return metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.AccessToken, &out.AccessToken, s)
}
// Convert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai(in *acme.ACMEIssuerDNS01ProviderAkamai, out *acmev1.ACMEIssuerDNS01ProviderAkamai, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderAkamai_To_v1_ACMEIssuerDNS01ProviderAkamai(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS copies the Azure DNS
// provider settings, converting the optional client secret selector and reinterpreting the managed identity
// pointer; only the client secret conversion can fail.
func autoConvert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS(in *acmev1.ACMEIssuerDNS01ProviderAzureDNS, out *acme.ACMEIssuerDNS01ProviderAzureDNS, s conversion.Scope) error {
	out.ClientID = in.ClientID
	// Optional selector: nil stays nil, otherwise a fresh target is allocated and filled.
	out.ClientSecret = nil
	if in.ClientSecret != nil {
		out.ClientSecret = new(meta.SecretKeySelector)
		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.ClientSecret, out.ClientSecret, s); err != nil {
			return err
		}
	}
	out.SubscriptionID = in.SubscriptionID
	out.TenantID = in.TenantID
	out.ResourceGroupName = in.ResourceGroupName
	out.HostedZoneName = in.HostedZoneName
	out.Environment = acme.AzureDNSEnvironment(in.Environment)
	// Pointer reinterpretation, not a copy: out.ManagedIdentity refers to the same struct as in.ManagedIdentity
	// (a nil pointer stays nil).
	out.ManagedIdentity = (*acme.AzureManagedIdentity)(unsafe.Pointer(in.ManagedIdentity))
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS(in *acmev1.ACMEIssuerDNS01ProviderAzureDNS, out *acme.ACMEIssuerDNS01ProviderAzureDNS, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderAzureDNS_To_acme_ACMEIssuerDNS01ProviderAzureDNS(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS copies the Azure DNS
// provider settings, converting the optional client secret selector and reinterpreting the managed identity
// pointer; only the client secret conversion can fail.
func autoConvert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS(in *acme.ACMEIssuerDNS01ProviderAzureDNS, out *acmev1.ACMEIssuerDNS01ProviderAzureDNS, s conversion.Scope) error {
	out.ClientID = in.ClientID
	// Optional selector: nil stays nil, otherwise a fresh target is allocated and filled.
	out.ClientSecret = nil
	if in.ClientSecret != nil {
		out.ClientSecret = new(apismetav1.SecretKeySelector)
		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.ClientSecret, out.ClientSecret, s); err != nil {
			return err
		}
	}
	out.SubscriptionID = in.SubscriptionID
	out.TenantID = in.TenantID
	out.ResourceGroupName = in.ResourceGroupName
	out.HostedZoneName = in.HostedZoneName
	out.Environment = acmev1.AzureDNSEnvironment(in.Environment)
	// Pointer reinterpretation, not a copy: out.ManagedIdentity refers to the same struct as in.ManagedIdentity
	// (a nil pointer stays nil).
	out.ManagedIdentity = (*acmev1.AzureManagedIdentity)(unsafe.Pointer(in.ManagedIdentity))
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS(in *acme.ACMEIssuerDNS01ProviderAzureDNS, out *acmev1.ACMEIssuerDNS01ProviderAzureDNS, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderAzureDNS_To_v1_ACMEIssuerDNS01ProviderAzureDNS(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS converts the optional
// service account selector and copies the project and hosted zone name.
func autoConvert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS(in *acmev1.ACMEIssuerDNS01ProviderCloudDNS, out *acme.ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
	// Optional selector: nil stays nil, otherwise a fresh target is allocated and filled.
	out.ServiceAccount = nil
	if in.ServiceAccount != nil {
		out.ServiceAccount = new(meta.SecretKeySelector)
		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.ServiceAccount, out.ServiceAccount, s); err != nil {
			return err
		}
	}
	out.Project = in.Project
	out.HostedZoneName = in.HostedZoneName
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS(in *acmev1.ACMEIssuerDNS01ProviderCloudDNS, out *acme.ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderCloudDNS_To_acme_ACMEIssuerDNS01ProviderCloudDNS(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS converts the optional
// service account selector and copies the project and hosted zone name.
func autoConvert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS(in *acme.ACMEIssuerDNS01ProviderCloudDNS, out *acmev1.ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
	// Optional selector: nil stays nil, otherwise a fresh target is allocated and filled.
	out.ServiceAccount = nil
	if in.ServiceAccount != nil {
		out.ServiceAccount = new(apismetav1.SecretKeySelector)
		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.ServiceAccount, out.ServiceAccount, s); err != nil {
			return err
		}
	}
	out.Project = in.Project
	out.HostedZoneName = in.HostedZoneName
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS(in *acme.ACMEIssuerDNS01ProviderCloudDNS, out *acmev1.ACMEIssuerDNS01ProviderCloudDNS, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderCloudDNS_To_v1_ACMEIssuerDNS01ProviderCloudDNS(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare copies the account
// email and converts the two optional credential selectors (API key, then API token); a nil selector stays nil.
func autoConvert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare(in *acmev1.ACMEIssuerDNS01ProviderCloudflare, out *acme.ACMEIssuerDNS01ProviderCloudflare, s conversion.Scope) error {
	out.Email = in.Email
	out.APIKey = nil
	if in.APIKey != nil {
		out.APIKey = new(meta.SecretKeySelector)
		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.APIKey, out.APIKey, s); err != nil {
			return err
		}
	}
	out.APIToken = nil
	if in.APIToken != nil {
		out.APIToken = new(meta.SecretKeySelector)
		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.APIToken, out.APIToken, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare is the public entry point
// for this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare(in *acmev1.ACMEIssuerDNS01ProviderCloudflare, out *acme.ACMEIssuerDNS01ProviderCloudflare, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderCloudflare_To_acme_ACMEIssuerDNS01ProviderCloudflare(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare copies the account
// email and converts the two optional credential selectors (API key, then API token); a nil selector stays nil.
func autoConvert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare(in *acme.ACMEIssuerDNS01ProviderCloudflare, out *acmev1.ACMEIssuerDNS01ProviderCloudflare, s conversion.Scope) error {
	out.Email = in.Email
	out.APIKey = nil
	if in.APIKey != nil {
		out.APIKey = new(apismetav1.SecretKeySelector)
		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.APIKey, out.APIKey, s); err != nil {
			return err
		}
	}
	out.APIToken = nil
	if in.APIToken != nil {
		out.APIToken = new(apismetav1.SecretKeySelector)
		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.APIToken, out.APIToken, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare is the public entry point
// for this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare(in *acme.ACMEIssuerDNS01ProviderCloudflare, out *acmev1.ACMEIssuerDNS01ProviderCloudflare, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderCloudflare_To_v1_ACMEIssuerDNS01ProviderCloudflare(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean converts the
// selector for the DigitalOcean API token, the provider's only field handled here.
func autoConvert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean(in *acmev1.ACMEIssuerDNS01ProviderDigitalOcean, out *acme.ACMEIssuerDNS01ProviderDigitalOcean, s conversion.Scope) error {
	return metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.Token, &out.Token, s)
}
// Convert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean is the public entry
// point for this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean(in *acmev1.ACMEIssuerDNS01ProviderDigitalOcean, out *acme.ACMEIssuerDNS01ProviderDigitalOcean, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderDigitalOcean_To_acme_ACMEIssuerDNS01ProviderDigitalOcean(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean converts the
// selector for the DigitalOcean API token, the provider's only field handled here.
func autoConvert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean(in *acme.ACMEIssuerDNS01ProviderDigitalOcean, out *acmev1.ACMEIssuerDNS01ProviderDigitalOcean, s conversion.Scope) error {
	return metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.Token, &out.Token, s)
}
// Convert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean is the public entry
// point for this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean(in *acme.ACMEIssuerDNS01ProviderDigitalOcean, out *acmev1.ACMEIssuerDNS01ProviderDigitalOcean, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderDigitalOcean_To_v1_ACMEIssuerDNS01ProviderDigitalOcean(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136 copies the nameserver and
// TSIG settings of an RFC 2136 provider, converting the TSIG secret selector; on a selector error the remaining TSIG
// fields are left unassigned.
func autoConvert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136(in *acmev1.ACMEIssuerDNS01ProviderRFC2136, out *acme.ACMEIssuerDNS01ProviderRFC2136, s conversion.Scope) error {
	out.Nameserver = in.Nameserver
	err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.TSIGSecret, &out.TSIGSecret, s)
	if err != nil {
		return err
	}
	out.TSIGAlgorithm = in.TSIGAlgorithm
	out.TSIGKeyName = in.TSIGKeyName
	// Plain type conversion between the two RFC2136UpdateProtocol types.
	out.Protocol = acme.RFC2136UpdateProtocol(in.Protocol)
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136 is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136(in *acmev1.ACMEIssuerDNS01ProviderRFC2136, out *acme.ACMEIssuerDNS01ProviderRFC2136, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderRFC2136_To_acme_ACMEIssuerDNS01ProviderRFC2136(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136 copies the nameserver and
// TSIG settings of an RFC 2136 provider, converting the TSIG secret selector; on a selector error the remaining TSIG
// fields are left unassigned.
func autoConvert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136(in *acme.ACMEIssuerDNS01ProviderRFC2136, out *acmev1.ACMEIssuerDNS01ProviderRFC2136, s conversion.Scope) error {
	out.Nameserver = in.Nameserver
	err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.TSIGSecret, &out.TSIGSecret, s)
	if err != nil {
		return err
	}
	out.TSIGAlgorithm = in.TSIGAlgorithm
	out.TSIGKeyName = in.TSIGKeyName
	// Plain type conversion between the two RFC2136UpdateProtocol types.
	out.Protocol = acmev1.RFC2136UpdateProtocol(in.Protocol)
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136 is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136(in *acme.ACMEIssuerDNS01ProviderRFC2136, out *acmev1.ACMEIssuerDNS01ProviderRFC2136, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderRFC2136_To_v1_ACMEIssuerDNS01ProviderRFC2136(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53 copies the Route53 provider
// settings: the auth block is reinterpreted by pointer, the optional secret-access-key-ID selector and the required
// secret-access-key selector are converted, and the role, hosted zone and region are copied last.
func autoConvert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *acmev1.ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
	// Pointer reinterpretation, not a copy: out.Auth refers to the same struct as in.Auth (nil stays nil).
	out.Auth = (*acme.Route53Auth)(unsafe.Pointer(in.Auth))
	out.AccessKeyID = in.AccessKeyID
	out.SecretAccessKeyID = nil
	if in.SecretAccessKeyID != nil {
		out.SecretAccessKeyID = new(meta.SecretKeySelector)
		if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.SecretAccessKeyID, out.SecretAccessKeyID, s); err != nil {
			return err
		}
	}
	if err := metav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
		return err
	}
	out.Role = in.Role
	out.HostedZoneID = in.HostedZoneID
	out.Region = in.Region
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53 is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in *acmev1.ACMEIssuerDNS01ProviderRoute53, out *acme.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderRoute53_To_acme_ACMEIssuerDNS01ProviderRoute53(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53 copies the Route53 provider
// settings: the auth block is reinterpreted by pointer, the optional secret-access-key-ID selector and the required
// secret-access-key selector are converted, and the role, hosted zone and region are copied last.
func autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *acmev1.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
	// Pointer reinterpretation, not a copy: out.Auth refers to the same struct as in.Auth (nil stays nil).
	out.Auth = (*acmev1.Route53Auth)(unsafe.Pointer(in.Auth))
	out.AccessKeyID = in.AccessKeyID
	out.SecretAccessKeyID = nil
	if in.SecretAccessKeyID != nil {
		out.SecretAccessKeyID = new(apismetav1.SecretKeySelector)
		if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.SecretAccessKeyID, out.SecretAccessKeyID, s); err != nil {
			return err
		}
	}
	if err := metav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretAccessKey, &out.SecretAccessKey, s); err != nil {
		return err
	}
	out.Role = in.Role
	out.HostedZoneID = in.HostedZoneID
	out.Region = in.Region
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53 is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(in *acme.ACMEIssuerDNS01ProviderRoute53, out *acmev1.ACMEIssuerDNS01ProviderRoute53, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderRoute53_To_v1_ACMEIssuerDNS01ProviderRoute53(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook copies the webhook solver's
// group and solver names and hands over the raw config pointer; it cannot fail.
func autoConvert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook(in *acmev1.ACMEIssuerDNS01ProviderWebhook, out *acme.ACMEIssuerDNS01ProviderWebhook, s conversion.Scope) error {
	out.SolverName = in.SolverName
	out.GroupName = in.GroupName
	// Both sides use apiextensionsv1.JSON, so out.Config points at the very same object as in.Config
	// (nil stays nil); the opaque webhook config is not inspected or copied here.
	out.Config = (*apiextensionsv1.JSON)(unsafe.Pointer(in.Config))
	return nil
}
// Convert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook(in *acmev1.ACMEIssuerDNS01ProviderWebhook, out *acme.ACMEIssuerDNS01ProviderWebhook, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerDNS01ProviderWebhook_To_acme_ACMEIssuerDNS01ProviderWebhook(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook copies the webhook solver's
// group and solver names and hands over the raw config pointer; it cannot fail.
func autoConvert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook(in *acme.ACMEIssuerDNS01ProviderWebhook, out *acmev1.ACMEIssuerDNS01ProviderWebhook, s conversion.Scope) error {
	out.SolverName = in.SolverName
	out.GroupName = in.GroupName
	// Both sides use apiextensionsv1.JSON, so out.Config points at the very same object as in.Config
	// (nil stays nil); the opaque webhook config is not inspected or copied here.
	out.Config = (*apiextensionsv1.JSON)(unsafe.Pointer(in.Config))
	return nil
}
// Convert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook is the public entry point for
// this conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook(in *acme.ACMEIssuerDNS01ProviderWebhook, out *acmev1.ACMEIssuerDNS01ProviderWebhook, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerDNS01ProviderWebhook_To_v1_ACMEIssuerDNS01ProviderWebhook(in, out, s)
	return err
}
// autoConvert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus copies the three status fields (account URI, last
// registered email, last private key hash) field by field; it cannot fail.
func autoConvert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus(in *acmev1.ACMEIssuerStatus, out *acme.ACMEIssuerStatus, s conversion.Scope) error {
	out.LastPrivateKeyHash = in.LastPrivateKeyHash
	out.LastRegisteredEmail = in.LastRegisteredEmail
	out.URI = in.URI
	return nil
}
// Convert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus is the public entry point for this conversion; it delegates
// to the autogenerated implementation without alteration.
func Convert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus(in *acmev1.ACMEIssuerStatus, out *acme.ACMEIssuerStatus, s conversion.Scope) error {
	err := autoConvert_v1_ACMEIssuerStatus_To_acme_ACMEIssuerStatus(in, out, s)
	return err
}
// autoConvert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus copies the three status fields (account URI, last
// registered email, last private key hash) field by field; it cannot fail.
func autoConvert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus(in *acme.ACMEIssuerStatus, out *acmev1.ACMEIssuerStatus, s conversion.Scope) error {
	out.LastPrivateKeyHash = in.LastPrivateKeyHash
	out.LastRegisteredEmail = in.LastRegisteredEmail
	out.URI = in.URI
	return nil
}
// Convert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus is the public entry point for this conversion; it delegates
// to the autogenerated implementation without alteration.
func Convert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus(in *acme.ACMEIssuerStatus, out *acmev1.ACMEIssuerStatus, s conversion.Scope) error {
	err := autoConvert_acme_ACMEIssuerStatus_To_v1_ACMEIssuerStatus(in, out, s)
	return err
}
// autoConvert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity copies the managed identity's client, resource
// and tenant IDs; it cannot fail.
func autoConvert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity(in *acmev1.AzureManagedIdentity, out *acme.AzureManagedIdentity, s conversion.Scope) error {
	out.TenantID = in.TenantID
	out.ResourceID = in.ResourceID
	out.ClientID = in.ClientID
	return nil
}
// Convert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity is the public entry point for this conversion; it
// delegates to the autogenerated implementation without alteration.
func Convert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity(in *acmev1.AzureManagedIdentity, out *acme.AzureManagedIdentity, s conversion.Scope) error {
	err := autoConvert_v1_AzureManagedIdentity_To_acme_AzureManagedIdentity(in, out, s)
	return err
}
// autoConvert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity copies the managed identity's client, resource
// and tenant IDs; it cannot fail.
func autoConvert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity(in *acme.AzureManagedIdentity, out *acmev1.AzureManagedIdentity, s conversion.Scope) error {
	out.TenantID = in.TenantID
	out.ResourceID = in.ResourceID
	out.ClientID = in.ClientID
	return nil
}
// Convert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity is the public entry point for this conversion; it
// delegates to the autogenerated implementation without alteration.
func Convert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity(in *acme.AzureManagedIdentity, out *acmev1.AzureManagedIdentity, s conversion.Scope) error {
	err := autoConvert_acme_AzureManagedIdentity_To_v1_AzureManagedIdentity(in, out, s)
	return err
}
// autoConvert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector hands the selector's label map and
// the DNS name / DNS zone lists across by reinterpreting their headers; nothing is copied, so out aliases in's
// underlying map and backing arrays. It cannot fail.
func autoConvert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector(in *acmev1.CertificateDNSNameSelector, out *acme.CertificateDNSNameSelector, s conversion.Scope) error {
	out.DNSZones = *(*[]string)(unsafe.Pointer(&in.DNSZones))
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.MatchLabels = *(*map[string]string)(unsafe.Pointer(&in.MatchLabels))
	return nil
}
// Convert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector(in *acmev1.CertificateDNSNameSelector, out *acme.CertificateDNSNameSelector, s conversion.Scope) error {
	err := autoConvert_v1_CertificateDNSNameSelector_To_acme_CertificateDNSNameSelector(in, out, s)
	return err
}
// autoConvert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector hands the selector's label map and
// the DNS name / DNS zone lists across by reinterpreting their headers; nothing is copied, so out aliases in's
// underlying map and backing arrays. It cannot fail.
func autoConvert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector(in *acme.CertificateDNSNameSelector, out *acmev1.CertificateDNSNameSelector, s conversion.Scope) error {
	out.DNSZones = *(*[]string)(unsafe.Pointer(&in.DNSZones))
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.MatchLabels = *(*map[string]string)(unsafe.Pointer(&in.MatchLabels))
	return nil
}
// Convert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector is the public entry point for this
// conversion; it delegates to the autogenerated implementation without alteration.
func Convert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector(in *acme.CertificateDNSNameSelector, out *acmev1.CertificateDNSNameSelector, s conversion.Scope) error {
	err := autoConvert_acme_CertificateDNSNameSelector_To_v1_CertificateDNSNameSelector(in, out, s)
	return err
}
// autoConvert_v1_Challenge_To_acme_Challenge copies the object metadata verbatim, then converts the spec and the
// status; a spec error is returned before the status is touched.
func autoConvert_v1_Challenge_To_acme_Challenge(in *acmev1.Challenge, out *acme.Challenge, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_v1_ChallengeSpec_To_acme_ChallengeSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	// Final step: its result is the function's result.
	return Convert_v1_ChallengeStatus_To_acme_ChallengeStatus(&in.Status, &out.Status, s)
}
// Convert_v1_Challenge_To_acme_Challenge is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_v1_Challenge_To_acme_Challenge(in *acmev1.Challenge, out *acme.Challenge, s conversion.Scope) error {
	err := autoConvert_v1_Challenge_To_acme_Challenge(in, out, s)
	return err
}
// autoConvert_acme_Challenge_To_v1_Challenge copies the object metadata verbatim, then converts the spec and the
// status; a spec error is returned before the status is touched.
func autoConvert_acme_Challenge_To_v1_Challenge(in *acme.Challenge, out *acmev1.Challenge, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_acme_ChallengeSpec_To_v1_ChallengeSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	// Final step: its result is the function's result.
	return Convert_acme_ChallengeStatus_To_v1_ChallengeStatus(&in.Status, &out.Status, s)
}
// Convert_acme_Challenge_To_v1_Challenge is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_acme_Challenge_To_v1_Challenge(in *acme.Challenge, out *acmev1.Challenge, s conversion.Scope) error {
	err := autoConvert_acme_Challenge_To_v1_Challenge(in, out, s)
	return err
}
// autoConvert_v1_ChallengeList_To_acme_ChallengeList copies the list metadata and converts every item into a freshly
// allocated slice; a nil Items slice stays nil, and the first failing item aborts the conversion.
func autoConvert_v1_ChallengeList_To_acme_ChallengeList(in *acmev1.ChallengeList, out *acme.ChallengeList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	out.Items = nil
	if in.Items != nil {
		out.Items = make([]acme.Challenge, len(in.Items))
		for i := range in.Items {
			if err := Convert_v1_Challenge_To_acme_Challenge(&in.Items[i], &out.Items[i], s); err != nil {
				return err
			}
		}
	}
	return nil
}
// Convert_v1_ChallengeList_To_acme_ChallengeList is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_v1_ChallengeList_To_acme_ChallengeList(in *acmev1.ChallengeList, out *acme.ChallengeList, s conversion.Scope) error {
	err := autoConvert_v1_ChallengeList_To_acme_ChallengeList(in, out, s)
	return err
}
// autoConvert_acme_ChallengeList_To_v1_ChallengeList copies the list metadata and converts every item into a freshly
// allocated slice; a nil Items slice stays nil, and the first failing item aborts the conversion.
func autoConvert_acme_ChallengeList_To_v1_ChallengeList(in *acme.ChallengeList, out *acmev1.ChallengeList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	out.Items = nil
	if in.Items != nil {
		out.Items = make([]acmev1.Challenge, len(in.Items))
		for i := range in.Items {
			if err := Convert_acme_Challenge_To_v1_Challenge(&in.Items[i], &out.Items[i], s); err != nil {
				return err
			}
		}
	}
	return nil
}
// Convert_acme_ChallengeList_To_v1_ChallengeList is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_acme_ChallengeList_To_v1_ChallengeList(in *acme.ChallengeList, out *acmev1.ChallengeList, s conversion.Scope) error {
	err := autoConvert_acme_ChallengeList_To_v1_ChallengeList(in, out, s)
	return err
}
// autoConvert_v1_ChallengeSpec_To_acme_ChallengeSpec copies the challenge identity fields (URLs, DNS name, wildcard
// flag, type, token and key authorization), then converts the solver and the issuer reference; the solver is
// converted before the issuer reference and either error is returned immediately.
func autoConvert_v1_ChallengeSpec_To_acme_ChallengeSpec(in *acmev1.ChallengeSpec, out *acme.ChallengeSpec, s conversion.Scope) error {
	out.URL = in.URL
	out.AuthorizationURL = in.AuthorizationURL
	out.DNSName = in.DNSName
	out.Wildcard = in.Wildcard
	// Plain type conversion between the two ACMEChallengeType types.
	out.Type = acme.ACMEChallengeType(in.Type)
	// Token and Key are carried over as-is; the key authorization is the secret material of the challenge.
	out.Key = in.Key
	out.Token = in.Token
	if err := Convert_v1_ACMEChallengeSolver_To_acme_ACMEChallengeSolver(&in.Solver, &out.Solver, s); err != nil {
		return err
	}
	return metav1.Convert_v1_IssuerReference_To_meta_IssuerReference(&in.IssuerRef, &out.IssuerRef, s)
}
// Convert_v1_ChallengeSpec_To_acme_ChallengeSpec is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_v1_ChallengeSpec_To_acme_ChallengeSpec(in *acmev1.ChallengeSpec, out *acme.ChallengeSpec, s conversion.Scope) error {
	err := autoConvert_v1_ChallengeSpec_To_acme_ChallengeSpec(in, out, s)
	return err
}
// autoConvert_acme_ChallengeSpec_To_v1_ChallengeSpec copies the challenge identity fields (URLs, DNS name, wildcard
// flag, type, token and key authorization), then converts the solver and the issuer reference; the solver is
// converted before the issuer reference and either error is returned immediately.
func autoConvert_acme_ChallengeSpec_To_v1_ChallengeSpec(in *acme.ChallengeSpec, out *acmev1.ChallengeSpec, s conversion.Scope) error {
	out.URL = in.URL
	out.AuthorizationURL = in.AuthorizationURL
	out.DNSName = in.DNSName
	out.Wildcard = in.Wildcard
	// Plain type conversion between the two ACMEChallengeType types.
	out.Type = acmev1.ACMEChallengeType(in.Type)
	// Token and Key are carried over as-is; the key authorization is the secret material of the challenge.
	out.Key = in.Key
	out.Token = in.Token
	if err := Convert_acme_ACMEChallengeSolver_To_v1_ACMEChallengeSolver(&in.Solver, &out.Solver, s); err != nil {
		return err
	}
	return metav1.Convert_meta_IssuerReference_To_v1_IssuerReference(&in.IssuerRef, &out.IssuerRef, s)
}
// Convert_acme_ChallengeSpec_To_v1_ChallengeSpec is the public entry point for this conversion; it delegates to the
// autogenerated implementation without alteration.
func Convert_acme_ChallengeSpec_To_v1_ChallengeSpec(in *acme.ChallengeSpec, out *acmev1.ChallengeSpec, s conversion.Scope) error {
	err := autoConvert_acme_ChallengeSpec_To_v1_ChallengeSpec(in, out, s)
	return err
}
// autoConvert_v1_ChallengeStatus_To_acme_ChallengeStatus copies the processing and presented flags, the reason
// string and the state (via type conversion); it cannot fail.
func autoConvert_v1_ChallengeStatus_To_acme_ChallengeStatus(in *acmev1.ChallengeStatus, out *acme.ChallengeStatus, s conversion.Scope) error {
	out.State = acme.State(in.State)
	out.Reason = in.Reason
	out.Presented = in.Presented
	out.Processing = in.Processing
	return nil
}
// Convert_v1_ChallengeStatus_To_acme_ChallengeStatus is the public entry point for this conversion; it delegates to
// the autogenerated implementation without alteration.
func Convert_v1_ChallengeStatus_To_acme_ChallengeStatus(in *acmev1.ChallengeStatus, out *acme.ChallengeStatus, s conversion.Scope) error {
	err := autoConvert_v1_ChallengeStatus_To_acme_ChallengeStatus(in, out, s)
	return err
}
// autoConvert_acme_ChallengeStatus_To_v1_ChallengeStatus copies the processing and presented flags, the reason
// string and the state (via type conversion); it cannot fail.
func autoConvert_acme_ChallengeStatus_To_v1_ChallengeStatus(in *acme.ChallengeStatus, out *acmev1.ChallengeStatus, s conversion.Scope) error {
	out.State = acmev1.State(in.State)
	out.Reason = in.Reason
	out.Presented = in.Presented
	out.Processing = in.Processing
	return nil
}
// Convert_acme_ChallengeStatus_To_v1_ChallengeStatus is the public entry point for this conversion; it delegates to
// the autogenerated implementation without alteration.
func Convert_acme_ChallengeStatus_To_v1_ChallengeStatus(in *acme.ChallengeStatus, out *acmev1.ChallengeStatus, s conversion.Scope) error {
	err := autoConvert_acme_ChallengeStatus_To_v1_ChallengeStatus(in, out, s)
	return err
}
// autoConvert_v1_Order_To_acme_Order converts a v1 Order into the internal
// Order. ObjectMeta is assigned by value (so any reference-typed members inside
// it stay shared with in); Spec and Status use their own converters and the
// first error wins.
func autoConvert_v1_Order_To_acme_Order(in *acmev1.Order, out *acme.Order, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_v1_OrderSpec_To_acme_OrderSpec(&in.Spec, &out.Spec, s)
	if err == nil {
		err = Convert_v1_OrderStatus_To_acme_OrderStatus(&in.Status, &out.Status, s)
	}
	return err
}
// Convert_v1_Order_To_acme_Order is an autogenerated conversion function.
// Convert_v1_Order_To_acme_Order is the registered public converter for the
// whole Order object; the generated body does the work.
func Convert_v1_Order_To_acme_Order(in *acmev1.Order, out *acme.Order, s conversion.Scope) error {
	if err := autoConvert_v1_Order_To_acme_Order(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_Order_To_v1_Order converts an internal Order into its v1
// form. ObjectMeta is assigned by value; Spec and Status are delegated and the
// first converter error is returned as-is.
func autoConvert_acme_Order_To_v1_Order(in *acme.Order, out *acmev1.Order, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_acme_OrderSpec_To_v1_OrderSpec(&in.Spec, &out.Spec, s)
	if err == nil {
		err = Convert_acme_OrderStatus_To_v1_OrderStatus(&in.Status, &out.Status, s)
	}
	return err
}
// Convert_acme_Order_To_v1_Order is an autogenerated conversion function.
// Convert_acme_Order_To_v1_Order is the registered public converter for the
// whole Order object; the generated body does the work.
func Convert_acme_Order_To_v1_Order(in *acme.Order, out *acmev1.Order, s conversion.Scope) error {
	if err := autoConvert_acme_Order_To_v1_Order(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_OrderList_To_acme_OrderList converts a v1 OrderList into the
// internal list type, converting each item in place in a freshly allocated
// slice. Nil-ness of Items is preserved (nil stays nil, an empty non-nil slice
// becomes an empty non-nil slice), which matters for JSON null vs [].
func autoConvert_v1_OrderList_To_acme_OrderList(in *acmev1.OrderList, out *acme.OrderList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]acme.Order, len(in.Items))
	for i := range in.Items {
		// Convert by address so each element is written directly into out.
		if err := Convert_v1_Order_To_acme_Order(&in.Items[i], &out.Items[i], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_OrderList_To_acme_OrderList is an autogenerated conversion function.
// Convert_v1_OrderList_To_acme_OrderList is the registered public converter;
// it forwards to the generated body.
func Convert_v1_OrderList_To_acme_OrderList(in *acmev1.OrderList, out *acme.OrderList, s conversion.Scope) error {
	if err := autoConvert_v1_OrderList_To_acme_OrderList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_OrderList_To_v1_OrderList converts an internal OrderList
// into the v1 list type. A new Items slice of the same length is allocated and
// each element converted in place; nil Items remain nil.
func autoConvert_acme_OrderList_To_v1_OrderList(in *acme.OrderList, out *acmev1.OrderList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]acmev1.Order, len(in.Items))
	for i := range in.Items {
		if err := Convert_acme_Order_To_v1_Order(&in.Items[i], &out.Items[i], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_acme_OrderList_To_v1_OrderList is an autogenerated conversion function.
// Convert_acme_OrderList_To_v1_OrderList is the registered public converter;
// it forwards to the generated body.
func Convert_acme_OrderList_To_v1_OrderList(in *acme.OrderList, out *acmev1.OrderList, s conversion.Scope) error {
	if err := autoConvert_acme_OrderList_To_v1_OrderList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_OrderSpec_To_acme_OrderSpec converts a v1 OrderSpec into the
// internal OrderSpec.
//
// Request, DNSNames, IPAddresses and Duration are reinterpreted through
// unsafe.Pointer rather than copied (the generator does this when the two
// types are layout-identical). The consequence worth knowing: out ALIASES
// in's backing arrays and the Duration pointer, so mutating out.Request or
// out.DNSNames mutates in as well. Callers needing an independent object must
// DeepCopy first. Only the IssuerRef conversion can fail.
func autoConvert_v1_OrderSpec_To_acme_OrderSpec(in *acmev1.OrderSpec, out *acme.OrderSpec, s conversion.Scope) error {
	out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
	if err := metav1.Convert_v1_IssuerReference_To_meta_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	out.CommonName, out.Profile = in.CommonName, in.Profile
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
	out.Duration = (*pkgapismetav1.Duration)(unsafe.Pointer(in.Duration))
	return nil
}
// Convert_v1_OrderSpec_To_acme_OrderSpec is an autogenerated conversion function.
// Convert_v1_OrderSpec_To_acme_OrderSpec is the registered public converter;
// it forwards to the generated body.
func Convert_v1_OrderSpec_To_acme_OrderSpec(in *acmev1.OrderSpec, out *acme.OrderSpec, s conversion.Scope) error {
	if err := autoConvert_v1_OrderSpec_To_acme_OrderSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_OrderSpec_To_v1_OrderSpec converts an internal OrderSpec
// into its v1 form. As in the reverse direction, the slice fields and Duration
// are reinterpreted via unsafe.Pointer and therefore shared with in, not
// copied. Only the IssuerRef conversion can return an error.
func autoConvert_acme_OrderSpec_To_v1_OrderSpec(in *acme.OrderSpec, out *acmev1.OrderSpec, s conversion.Scope) error {
	out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
	if err := metav1.Convert_meta_IssuerReference_To_v1_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	out.CommonName, out.Profile = in.CommonName, in.Profile
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
	out.Duration = (*pkgapismetav1.Duration)(unsafe.Pointer(in.Duration))
	return nil
}
// Convert_acme_OrderSpec_To_v1_OrderSpec is an autogenerated conversion function.
// Convert_acme_OrderSpec_To_v1_OrderSpec is the registered public converter;
// it forwards to the generated body.
func Convert_acme_OrderSpec_To_v1_OrderSpec(in *acme.OrderSpec, out *acmev1.OrderSpec, s conversion.Scope) error {
	if err := autoConvert_acme_OrderSpec_To_v1_OrderSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_OrderStatus_To_acme_OrderStatus converts a v1 OrderStatus into
// the internal form. Authorizations, Certificate and FailureTime are
// reinterpreted through unsafe.Pointer, so the internal object shares those
// backing arrays/pointers with in (the issued certificate bytes are not
// duplicated). Nothing here can fail.
func autoConvert_v1_OrderStatus_To_acme_OrderStatus(in *acmev1.OrderStatus, out *acme.OrderStatus, s conversion.Scope) error {
	out.URL, out.FinalizeURL = in.URL, in.FinalizeURL
	out.State, out.Reason = acme.State(in.State), in.Reason
	out.Authorizations = *(*[]acme.ACMEAuthorization)(unsafe.Pointer(&in.Authorizations))
	out.Certificate = *(*[]byte)(unsafe.Pointer(&in.Certificate))
	out.FailureTime = (*pkgapismetav1.Time)(unsafe.Pointer(in.FailureTime))
	return nil
}
// Convert_v1_OrderStatus_To_acme_OrderStatus is an autogenerated conversion function.
// Convert_v1_OrderStatus_To_acme_OrderStatus is the registered public
// converter; it forwards to the generated body.
func Convert_v1_OrderStatus_To_acme_OrderStatus(in *acmev1.OrderStatus, out *acme.OrderStatus, s conversion.Scope) error {
	if err := autoConvert_v1_OrderStatus_To_acme_OrderStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_OrderStatus_To_v1_OrderStatus converts an internal
// OrderStatus into its v1 form. Certificate, Authorizations and FailureTime are
// shared with in via unsafe.Pointer reinterpretation rather than copied.
// Cannot fail.
func autoConvert_acme_OrderStatus_To_v1_OrderStatus(in *acme.OrderStatus, out *acmev1.OrderStatus, s conversion.Scope) error {
	out.URL, out.FinalizeURL = in.URL, in.FinalizeURL
	out.State, out.Reason = acmev1.State(in.State), in.Reason
	out.Certificate = *(*[]byte)(unsafe.Pointer(&in.Certificate))
	out.Authorizations = *(*[]acmev1.ACMEAuthorization)(unsafe.Pointer(&in.Authorizations))
	out.FailureTime = (*pkgapismetav1.Time)(unsafe.Pointer(in.FailureTime))
	return nil
}
// Convert_acme_OrderStatus_To_v1_OrderStatus is an autogenerated conversion function.
// Convert_acme_OrderStatus_To_v1_OrderStatus is the registered public
// converter; it forwards to the generated body.
func Convert_acme_OrderStatus_To_v1_OrderStatus(in *acme.OrderStatus, out *acmev1.OrderStatus, s conversion.Scope) error {
	if err := autoConvert_acme_OrderStatus_To_v1_OrderStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_Route53Auth_To_acme_Route53Auth converts the v1 Route53Auth
// into the internal type by pointer reinterpretation: out.Kubernetes points at
// the very same memory as in.Kubernetes (including its ServiceAccountRef), so
// the two objects are not independent. Cannot fail.
func autoConvert_v1_Route53Auth_To_acme_Route53Auth(in *acmev1.Route53Auth, out *acme.Route53Auth, s conversion.Scope) error {
	k8s := unsafe.Pointer(in.Kubernetes)
	out.Kubernetes = (*acme.Route53KubernetesAuth)(k8s)
	return nil
}
// Convert_v1_Route53Auth_To_acme_Route53Auth is an autogenerated conversion function.
// Convert_v1_Route53Auth_To_acme_Route53Auth is the registered public
// converter; it forwards to the generated body.
func Convert_v1_Route53Auth_To_acme_Route53Auth(in *acmev1.Route53Auth, out *acme.Route53Auth, s conversion.Scope) error {
	if err := autoConvert_v1_Route53Auth_To_acme_Route53Auth(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_Route53Auth_To_v1_Route53Auth converts the internal
// Route53Auth into its v1 form by reinterpreting the Kubernetes pointer; the
// resulting out.Kubernetes aliases in.Kubernetes. Cannot fail.
func autoConvert_acme_Route53Auth_To_v1_Route53Auth(in *acme.Route53Auth, out *acmev1.Route53Auth, s conversion.Scope) error {
	k8s := unsafe.Pointer(in.Kubernetes)
	out.Kubernetes = (*acmev1.Route53KubernetesAuth)(k8s)
	return nil
}
// Convert_acme_Route53Auth_To_v1_Route53Auth is an autogenerated conversion function.
// Convert_acme_Route53Auth_To_v1_Route53Auth is the registered public
// converter; it forwards to the generated body.
func Convert_acme_Route53Auth_To_v1_Route53Auth(in *acme.Route53Auth, out *acmev1.Route53Auth, s conversion.Scope) error {
	if err := autoConvert_acme_Route53Auth_To_v1_Route53Auth(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth converts
// the v1 Route53KubernetesAuth into the internal type. ServiceAccountRef is a
// pointer reinterpretation, so out shares the referenced struct (and its
// TokenAudiences slice) with in. Cannot fail.
func autoConvert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth(in *acmev1.Route53KubernetesAuth, out *acme.Route53KubernetesAuth, s conversion.Scope) error {
	ref := unsafe.Pointer(in.ServiceAccountRef)
	out.ServiceAccountRef = (*acme.ServiceAccountRef)(ref)
	return nil
}
// Convert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth is an autogenerated conversion function.
// Convert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth is the
// registered public converter; it forwards to the generated body.
func Convert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth(in *acmev1.Route53KubernetesAuth, out *acme.Route53KubernetesAuth, s conversion.Scope) error {
	if err := autoConvert_v1_Route53KubernetesAuth_To_acme_Route53KubernetesAuth(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth converts
// the internal Route53KubernetesAuth into its v1 form; ServiceAccountRef is
// aliased via unsafe.Pointer rather than copied. Cannot fail.
func autoConvert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth(in *acme.Route53KubernetesAuth, out *acmev1.Route53KubernetesAuth, s conversion.Scope) error {
	ref := unsafe.Pointer(in.ServiceAccountRef)
	out.ServiceAccountRef = (*acmev1.ServiceAccountRef)(ref)
	return nil
}
// Convert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth is an autogenerated conversion function.
// Convert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth is the
// registered public converter; it forwards to the generated body.
func Convert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth(in *acme.Route53KubernetesAuth, out *acmev1.Route53KubernetesAuth, s conversion.Scope) error {
	if err := autoConvert_acme_Route53KubernetesAuth_To_v1_Route53KubernetesAuth(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ServiceAccountRef_To_acme_ServiceAccountRef converts a v1
// ServiceAccountRef into the internal type. Name is copied; TokenAudiences is
// reinterpreted via unsafe.Pointer, so out and in share the same audience
// backing array -- appending to or editing one is visible through the other.
// Cannot fail.
func autoConvert_v1_ServiceAccountRef_To_acme_ServiceAccountRef(in *acmev1.ServiceAccountRef, out *acme.ServiceAccountRef, s conversion.Scope) error {
	out.Name = in.Name
	aud := unsafe.Pointer(&in.TokenAudiences)
	out.TokenAudiences = *(*[]string)(aud)
	return nil
}
// Convert_v1_ServiceAccountRef_To_acme_ServiceAccountRef is an autogenerated conversion function.
// Convert_v1_ServiceAccountRef_To_acme_ServiceAccountRef is the registered
// public converter; it forwards to the generated body.
func Convert_v1_ServiceAccountRef_To_acme_ServiceAccountRef(in *acmev1.ServiceAccountRef, out *acme.ServiceAccountRef, s conversion.Scope) error {
	if err := autoConvert_v1_ServiceAccountRef_To_acme_ServiceAccountRef(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_acme_ServiceAccountRef_To_v1_ServiceAccountRef converts an
// internal ServiceAccountRef into its v1 form. TokenAudiences is shared with
// in (unsafe.Pointer reinterpretation), not copied. Cannot fail.
func autoConvert_acme_ServiceAccountRef_To_v1_ServiceAccountRef(in *acme.ServiceAccountRef, out *acmev1.ServiceAccountRef, s conversion.Scope) error {
	out.Name = in.Name
	aud := unsafe.Pointer(&in.TokenAudiences)
	out.TokenAudiences = *(*[]string)(aud)
	return nil
}
// Convert_acme_ServiceAccountRef_To_v1_ServiceAccountRef is an autogenerated conversion function.
// Convert_acme_ServiceAccountRef_To_v1_ServiceAccountRef is the registered
// public converter; it forwards to the generated body.
func Convert_acme_ServiceAccountRef_To_v1_ServiceAccountRef(in *acme.ServiceAccountRef, out *acmev1.ServiceAccountRef, s conversion.Scope) error {
	if err := autoConvert_acme_ServiceAccountRef_To_v1_ServiceAccountRef(in, out, s); err != nil {
		return err
	}
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
//
// Each registered closure performs an unchecked type assertion: the scheme
// guarantees it is only invoked with the prototype's concrete type, so a
// mismatch would be a programming error and is allowed to panic.
func RegisterDefaults(scheme *runtime.Scheme) error {
	defaulters := []struct {
		proto runtime.Object
		apply func(interface{})
	}{
		{&acmev1.Challenge{}, func(o interface{}) { SetObjectDefaults_Challenge(o.(*acmev1.Challenge)) }},
		{&acmev1.ChallengeList{}, func(o interface{}) { SetObjectDefaults_ChallengeList(o.(*acmev1.ChallengeList)) }},
		{&acmev1.Order{}, func(o interface{}) { SetObjectDefaults_Order(o.(*acmev1.Order)) }},
		{&acmev1.OrderList{}, func(o interface{}) { SetObjectDefaults_OrderList(o.(*acmev1.OrderList)) }},
	}
	for _, d := range defaulters {
		scheme.AddTypeDefaultingFunc(d.proto, d.apply)
	}
	return nil
}
// SetObjectDefaults_Challenge fills in the IssuerRef of a Challenge: an unset
// Kind becomes "Issuer" and an unset Group becomes "cert-manager.io". Only
// empty strings are touched; anything the user set explicitly is kept as-is,
// so defaulting never rewrites (or "fixes") an existing reference.
func SetObjectDefaults_Challenge(in *acmev1.Challenge) {
	ref := &in.Spec.IssuerRef
	switch {
	case ref.Kind == "" && ref.Group == "":
		ref.Kind, ref.Group = "Issuer", "cert-manager.io"
	case ref.Kind == "":
		ref.Kind = "Issuer"
	case ref.Group == "":
		ref.Group = "cert-manager.io"
	}
}
// SetObjectDefaults_ChallengeList applies the Challenge defaulter to every item
// of the list, in place (items are addressed by index so the defaults land in
// the list's own storage, not in a copy).
func SetObjectDefaults_ChallengeList(in *acmev1.ChallengeList) {
	for idx := 0; idx < len(in.Items); idx++ {
		SetObjectDefaults_Challenge(&in.Items[idx])
	}
}
// SetObjectDefaults_Order fills in the IssuerRef of an Order: an unset Kind
// becomes "Issuer" and an unset Group becomes "cert-manager.io". Explicitly set
// values are never overwritten.
func SetObjectDefaults_Order(in *acmev1.Order) {
	ref := &in.Spec.IssuerRef
	switch {
	case ref.Kind == "" && ref.Group == "":
		ref.Kind, ref.Group = "Issuer", "cert-manager.io"
	case ref.Kind == "":
		ref.Kind = "Issuer"
	case ref.Group == "":
		ref.Group = "cert-manager.io"
	}
}
// SetObjectDefaults_OrderList applies the Order defaulter to every item of the
// list in place.
func SetObjectDefaults_OrderList(in *acmev1.OrderList) {
	for idx := 0; idx < len(in.Items); idx++ {
		SetObjectDefaults_Order(&in.Items[idx])
	}
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package acme
import (
meta "github.com/cert-manager/cert-manager/internal/apis/meta"
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
v1 "sigs.k8s.io/gateway-api/apis/v1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. The Wildcard pointer and the
// Challenges slice get fresh storage so out shares nothing mutable with in;
// a nil Challenges stays nil, an empty non-nil slice stays empty non-nil.
func (in *ACMEAuthorization) DeepCopyInto(out *ACMEAuthorization) {
	*out = *in
	if in.Wildcard != nil {
		w := *in.Wildcard
		out.Wildcard = &w
	}
	if in.Challenges != nil {
		out.Challenges = make([]ACMEChallenge, len(in.Challenges))
		copy(out.Challenges, in.Challenges)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEAuthorization.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEAuthorization) DeepCopy() *ACMEAuthorization {
	if in == nil {
		return nil
	}
	cp := &ACMEAuthorization{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto copies in into out. ACMEChallenge holds only value fields, so a
// struct assignment is already a complete deep copy.
func (in *ACMEChallenge) DeepCopyInto(out *ACMEChallenge) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallenge.
// DeepCopy returns a newly allocated copy of in, or nil for a nil receiver.
func (in *ACMEChallenge) DeepCopy() *ACMEChallenge {
	if in == nil {
		return nil
	}
	var cp ACMEChallenge
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. Each of the three optional
// pointer members (Selector, HTTP01, DNS01) is re-allocated and deep-copied
// when present, so out never aliases in's solver configuration.
func (in *ACMEChallengeSolver) DeepCopyInto(out *ACMEChallengeSolver) {
	*out = *in
	if in.Selector != nil {
		out.Selector = new(CertificateDNSNameSelector)
		in.Selector.DeepCopyInto(out.Selector)
	}
	if in.HTTP01 != nil {
		out.HTTP01 = new(ACMEChallengeSolverHTTP01)
		in.HTTP01.DeepCopyInto(out.HTTP01)
	}
	if in.DNS01 != nil {
		out.DNS01 = new(ACMEChallengeSolverDNS01)
		in.DNS01.DeepCopyInto(out.DNS01)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolver.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolver) DeepCopy() *ACMEChallengeSolver {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolver{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. Every provider pointer is
// re-allocated when set. Providers whose struct contains only value fields
// (Akamai, DigitalOcean, AcmeDNS, RFC2136) are copied by plain struct
// assignment; the others carry pointers or JSON and use their own DeepCopyInto.
// Note that what is copied here are Secret selectors / provider settings, not
// the credentials themselves.
func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01) {
	*out = *in
	if in.Akamai != nil {
		v := *in.Akamai
		out.Akamai = &v
	}
	if in.CloudDNS != nil {
		out.CloudDNS = new(ACMEIssuerDNS01ProviderCloudDNS)
		in.CloudDNS.DeepCopyInto(out.CloudDNS)
	}
	if in.Cloudflare != nil {
		out.Cloudflare = new(ACMEIssuerDNS01ProviderCloudflare)
		in.Cloudflare.DeepCopyInto(out.Cloudflare)
	}
	if in.Route53 != nil {
		out.Route53 = new(ACMEIssuerDNS01ProviderRoute53)
		in.Route53.DeepCopyInto(out.Route53)
	}
	if in.AzureDNS != nil {
		out.AzureDNS = new(ACMEIssuerDNS01ProviderAzureDNS)
		in.AzureDNS.DeepCopyInto(out.AzureDNS)
	}
	if in.DigitalOcean != nil {
		v := *in.DigitalOcean
		out.DigitalOcean = &v
	}
	if in.AcmeDNS != nil {
		v := *in.AcmeDNS
		out.AcmeDNS = &v
	}
	if in.RFC2136 != nil {
		v := *in.RFC2136
		out.RFC2136 = &v
	}
	if in.Webhook != nil {
		out.Webhook = new(ACMEIssuerDNS01ProviderWebhook)
		in.Webhook.DeepCopyInto(out.Webhook)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverDNS01.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverDNS01) DeepCopy() *ACMEChallengeSolverDNS01 {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverDNS01
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out, re-allocating whichever of
// the Ingress / GatewayHTTPRoute solver configs is present.
func (in *ACMEChallengeSolverHTTP01) DeepCopyInto(out *ACMEChallengeSolverHTTP01) {
	*out = *in
	if in.Ingress != nil {
		out.Ingress = new(ACMEChallengeSolverHTTP01Ingress)
		in.Ingress.DeepCopyInto(out.Ingress)
	}
	if in.GatewayHTTPRoute != nil {
		out.GatewayHTTPRoute = new(ACMEChallengeSolverHTTP01GatewayHTTPRoute)
		in.GatewayHTTPRoute.DeepCopyInto(out.GatewayHTTPRoute)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01) DeepCopy() *ACMEChallengeSolverHTTP01 {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolverHTTP01{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out: a fresh Labels map, a fresh
// ParentRefs slice with each gateway ParentReference deep-copied, and a fresh
// PodTemplate when set. Nil map/slice stay nil.
func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChallengeSolverHTTP01GatewayHTTPRoute) {
	*out = *in
	if in.Labels != nil {
		out.Labels = make(map[string]string, len(in.Labels))
		for k, v := range in.Labels {
			out.Labels[k] = v
		}
	}
	if in.ParentRefs != nil {
		out.ParentRefs = make([]v1.ParentReference, len(in.ParentRefs))
		for i := range in.ParentRefs {
			in.ParentRefs[i].DeepCopyInto(&out.ParentRefs[i])
		}
	}
	if in.PodTemplate != nil {
		out.PodTemplate = new(ACMEChallengeSolverHTTP01IngressPodTemplate)
		in.PodTemplate.DeepCopyInto(out.PodTemplate)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01GatewayHTTPRoute.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopy() *ACMEChallengeSolverHTTP01GatewayHTTPRoute {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverHTTP01GatewayHTTPRoute
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. The two optional string
// pointers (IngressClassName, Class) get their own storage; PodTemplate and
// IngressTemplate are re-allocated and deep-copied when present.
func (in *ACMEChallengeSolverHTTP01Ingress) DeepCopyInto(out *ACMEChallengeSolverHTTP01Ingress) {
	*out = *in
	if in.IngressClassName != nil {
		name := *in.IngressClassName
		out.IngressClassName = &name
	}
	if in.Class != nil {
		class := *in.Class
		out.Class = &class
	}
	if in.PodTemplate != nil {
		out.PodTemplate = new(ACMEChallengeSolverHTTP01IngressPodTemplate)
		in.PodTemplate.DeepCopyInto(out.PodTemplate)
	}
	if in.IngressTemplate != nil {
		out.IngressTemplate = new(ACMEChallengeSolverHTTP01IngressTemplate)
		in.IngressTemplate.DeepCopyInto(out.IngressTemplate)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01Ingress.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01Ingress) DeepCopy() *ACMEChallengeSolverHTTP01Ingress {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolverHTTP01Ingress{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out, cloning the Annotations and
// Labels maps so later edits to one object do not leak into the other. Nil
// maps stay nil.
func (in *ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressObjectMeta) {
	*out = *in
	if in.Annotations != nil {
		out.Annotations = make(map[string]string, len(in.Annotations))
		for k, v := range in.Annotations {
			out.Annotations[k] = v
		}
	}
	if in.Labels != nil {
		out.Labels = make(map[string]string, len(in.Labels))
		for k, v := range in.Labels {
			out.Labels[k] = v
		}
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressObjectMeta.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopy() *ACMEChallengeSolverHTTP01IngressObjectMeta {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverHTTP01IngressObjectMeta
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out, cloning the Annotations and
// Labels maps. Nil maps stay nil.
func (in *ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodObjectMeta) {
	*out = *in
	if in.Annotations != nil {
		out.Annotations = make(map[string]string, len(in.Annotations))
		for k, v := range in.Annotations {
			out.Annotations[k] = v
		}
	}
	if in.Labels != nil {
		out.Labels = make(map[string]string, len(in.Labels))
		for k, v := range in.Labels {
			out.Labels[k] = v
		}
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodObjectMeta.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodObjectMeta {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolverHTTP01IngressPodObjectMeta{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. Limits and Requests are
// ResourceLists (maps of Quantity); each Quantity is deep-copied individually
// because Quantity itself carries internal pointer state. Nil maps stay nil.
func (in *ACMEChallengeSolverHTTP01IngressPodResources) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodResources) {
	*out = *in
	if in.Limits != nil {
		out.Limits = make(corev1.ResourceList, len(in.Limits))
		for name, q := range in.Limits {
			out.Limits[name] = q.DeepCopy()
		}
	}
	if in.Requests != nil {
		out.Requests = make(corev1.ResourceList, len(in.Requests))
		for name, q := range in.Requests {
			out.Requests[name] = q.DeepCopy()
		}
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodResources.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressPodResources) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodResources {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverHTTP01IngressPodResources
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. Every optional pointer field
// of the solver pod's security context (SELinuxOptions, RunAsUser, RunAsGroup,
// RunAsNonRoot, FSGroup, FSGroupChangePolicy, SeccompProfile) gets its own
// allocation, and the SupplementalGroups / Sysctls slices are copied, so a
// hardened context on one object cannot be weakened by edits through another.
// SeccompProfile is the only member that needs a nested DeepCopyInto.
func (in *ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodSecurityContext) {
	*out = *in
	if in.SELinuxOptions != nil {
		opts := *in.SELinuxOptions
		out.SELinuxOptions = &opts
	}
	if in.RunAsUser != nil {
		uid := *in.RunAsUser
		out.RunAsUser = &uid
	}
	if in.RunAsGroup != nil {
		gid := *in.RunAsGroup
		out.RunAsGroup = &gid
	}
	if in.RunAsNonRoot != nil {
		nonRoot := *in.RunAsNonRoot
		out.RunAsNonRoot = &nonRoot
	}
	if in.SupplementalGroups != nil {
		out.SupplementalGroups = make([]int64, len(in.SupplementalGroups))
		copy(out.SupplementalGroups, in.SupplementalGroups)
	}
	if in.FSGroup != nil {
		fsg := *in.FSGroup
		out.FSGroup = &fsg
	}
	if in.Sysctls != nil {
		out.Sysctls = make([]corev1.Sysctl, len(in.Sysctls))
		copy(out.Sysctls, in.Sysctls)
	}
	if in.FSGroupChangePolicy != nil {
		policy := *in.FSGroupChangePolicy
		out.FSGroupChangePolicy = &policy
	}
	if in.SeccompProfile != nil {
		out.SeccompProfile = new(corev1.SeccompProfile)
		in.SeccompProfile.DeepCopyInto(out.SeccompProfile)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSecurityContext.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodSecurityContext {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolverHTTP01IngressPodSecurityContext{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. NodeSelector is cloned as a
// map; Affinity, SecurityContext and Resources are re-allocated and
// deep-copied; Tolerations are deep-copied element by element (they contain a
// pointer); ImagePullSecrets are plain name references and are copied with a
// slice copy. Nil members stay nil.
func (in *ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodSpec) {
	*out = *in
	if in.NodeSelector != nil {
		out.NodeSelector = make(map[string]string, len(in.NodeSelector))
		for k, v := range in.NodeSelector {
			out.NodeSelector[k] = v
		}
	}
	if in.Affinity != nil {
		out.Affinity = new(corev1.Affinity)
		in.Affinity.DeepCopyInto(out.Affinity)
	}
	if in.Tolerations != nil {
		out.Tolerations = make([]corev1.Toleration, len(in.Tolerations))
		for i := range in.Tolerations {
			in.Tolerations[i].DeepCopyInto(&out.Tolerations[i])
		}
	}
	if in.ImagePullSecrets != nil {
		out.ImagePullSecrets = make([]corev1.LocalObjectReference, len(in.ImagePullSecrets))
		copy(out.ImagePullSecrets, in.ImagePullSecrets)
	}
	if in.SecurityContext != nil {
		out.SecurityContext = new(ACMEChallengeSolverHTTP01IngressPodSecurityContext)
		in.SecurityContext.DeepCopyInto(out.SecurityContext)
	}
	if in.Resources != nil {
		out.Resources = new(ACMEChallengeSolverHTTP01IngressPodResources)
		in.Resources.DeepCopyInto(out.Resources)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSpec.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodSpec {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverHTTP01IngressPodSpec
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out: a shallow struct copy first,
// then the embedded pod ObjectMeta and the Spec -- the two members that own
// reference-typed data -- are deep-copied over it.
func (in *ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodTemplate) {
	*out = *in
	in.Spec.DeepCopyInto(&out.Spec)
	meta := &out.ACMEChallengeSolverHTTP01IngressPodObjectMeta
	in.ACMEChallengeSolverHTTP01IngressPodObjectMeta.DeepCopyInto(meta)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodTemplate.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodTemplate {
	if in == nil {
		return nil
	}
	cp := &ACMEChallengeSolverHTTP01IngressPodTemplate{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. The only reference-typed
// data lives in the embedded ObjectMeta (its label/annotation maps), which is
// deep-copied after the shallow struct assignment.
func (in *ACMEChallengeSolverHTTP01IngressTemplate) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressTemplate) {
	*out = *in
	meta := &out.ACMEChallengeSolverHTTP01IngressObjectMeta
	in.ACMEChallengeSolverHTTP01IngressObjectMeta.DeepCopyInto(meta)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressTemplate.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEChallengeSolverHTTP01IngressTemplate) DeepCopy() *ACMEChallengeSolverHTTP01IngressTemplate {
	if in == nil {
		return nil
	}
	var cp ACMEChallengeSolverHTTP01IngressTemplate
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto copies in into out. The struct (including its Key selector) is
// made of value fields only, so the whole-struct assignment is already a
// complete copy; Key needs no separate handling.
func (in *ACMEExternalAccountBinding) DeepCopyInto(out *ACMEExternalAccountBinding) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEExternalAccountBinding.
// DeepCopy returns a newly allocated copy of in, or nil for a nil receiver.
func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
	if in == nil {
		return nil
	}
	cp := &ACMEExternalAccountBinding{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. CABundle is byte-copied into
// fresh storage (so trust-anchor bytes cannot be altered through the copy),
// ExternalAccountBinding is re-allocated by struct assignment, and every
// Solver is deep-copied. PrivateKey is a value field and is covered by the
// whole-struct assignment. Nil CABundle / Solvers stay nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
	*out = *in
	if in.CABundle != nil {
		out.CABundle = make([]byte, len(in.CABundle))
		copy(out.CABundle, in.CABundle)
	}
	if in.ExternalAccountBinding != nil {
		eab := *in.ExternalAccountBinding
		out.ExternalAccountBinding = &eab
	}
	if in.Solvers != nil {
		out.Solvers = make([]ACMEChallengeSolver, len(in.Solvers))
		for i := range in.Solvers {
			in.Solvers[i].DeepCopyInto(&out.Solvers[i])
		}
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuer.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEIssuer) DeepCopy() *ACMEIssuer {
	if in == nil {
		return nil
	}
	var cp ACMEIssuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto copies in into out. AccountSecret is a value field, so the
// whole-struct assignment already yields an independent copy.
func (in *ACMEIssuerDNS01ProviderAcmeDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderAcmeDNS) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAcmeDNS.
// DeepCopy returns a newly allocated copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderAcmeDNS) DeepCopy() *ACMEIssuerDNS01ProviderAcmeDNS {
	if in == nil {
		return nil
	}
	cp := &ACMEIssuerDNS01ProviderAcmeDNS{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto copies in into out. ClientToken, ClientSecret and AccessToken
// are value fields (presumably Secret selectors rather than the credentials
// themselves -- confirm against the type definition), so the whole-struct
// assignment is already a complete copy.
func (in *ACMEIssuerDNS01ProviderAkamai) DeepCopyInto(out *ACMEIssuerDNS01ProviderAkamai) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAkamai.
// DeepCopy returns a newly allocated copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderAkamai) DeepCopy() *ACMEIssuerDNS01ProviderAkamai {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderAkamai
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. The optional ClientSecret
// selector and ManagedIdentity config are re-allocated by struct assignment
// when present (both are value-only structs). Nil pointers stay nil.
func (in *ACMEIssuerDNS01ProviderAzureDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderAzureDNS) {
	*out = *in
	if in.ClientSecret != nil {
		sel := *in.ClientSecret
		out.ClientSecret = &sel
	}
	if in.ManagedIdentity != nil {
		mi := *in.ManagedIdentity
		out.ManagedIdentity = &mi
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAzureDNS.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderAzureDNS) DeepCopy() *ACMEIssuerDNS01ProviderAzureDNS {
	if in == nil {
		return nil
	}
	cp := &ACMEIssuerDNS01ProviderAzureDNS{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out, giving the optional
// ServiceAccount Secret selector its own allocation when present.
func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudDNS) {
	*out = *in
	if in.ServiceAccount != nil {
		sel := *in.ServiceAccount
		out.ServiceAccount = &sel
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudDNS.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopy() *ACMEIssuerDNS01ProviderCloudDNS {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderCloudDNS
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto writes a deep copy of in into out. Both credential selectors
// (APIKey and APIToken) are optional pointers and are re-allocated when set;
// they reference Secrets by name/key, the credential bytes are not held here.
func (in *ACMEIssuerDNS01ProviderCloudflare) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudflare) {
	*out = *in
	if in.APIKey != nil {
		key := *in.APIKey
		out.APIKey = &key
	}
	if in.APIToken != nil {
		tok := *in.APIToken
		out.APIToken = &tok
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudflare.
// DeepCopy returns a newly allocated deep copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderCloudflare) DeepCopy() *ACMEIssuerDNS01ProviderCloudflare {
	if in == nil {
		return nil
	}
	cp := &ACMEIssuerDNS01ProviderCloudflare{}
	in.DeepCopyInto(cp)
	return cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto copies in into out. Token is a value field, so the whole-struct
// assignment already produces an independent copy.
func (in *ACMEIssuerDNS01ProviderDigitalOcean) DeepCopyInto(out *ACMEIssuerDNS01ProviderDigitalOcean) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderDigitalOcean.
// DeepCopy returns a newly allocated copy of in, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderDigitalOcean) DeepCopy() *ACMEIssuerDNS01ProviderDigitalOcean {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderDigitalOcean
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopyInto(out *ACMEIssuerDNS01ProviderRFC2136) {
	*out = *in
	// TSIGSecret is held by value (a selector, not the key material itself),
	// so the struct assignment above already copied it.
	out.TSIGSecret = in.TSIGSecret
	return
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC2136 {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderRFC2136
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
	*out = *in
	// Route53Auth.DeepCopy handles the nil case itself (nil in -> nil out).
	out.Auth = in.Auth.DeepCopy()
	if id := in.SecretAccessKeyID; id != nil {
		cp := *id
		out.SecretAccessKeyID = &cp
	}
	// SecretAccessKey is held by value; already copied by the struct assignment.
	out.SecretAccessKey = in.SecretAccessKey
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopy() *ACMEIssuerDNS01ProviderRoute53 {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderRoute53
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *ACMEIssuerDNS01ProviderWebhook) DeepCopyInto(out *ACMEIssuerDNS01ProviderWebhook) {
	*out = *in
	// Config is opaque JSON handed to the external webhook solver; it is
	// deep-copied so that neither side can mutate the other's buffer.
	if in.Config != nil {
		out.Config = new(apiextensionsv1.JSON)
		in.Config.DeepCopyInto(out.Config)
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ACMEIssuerDNS01ProviderWebhook) DeepCopy() *ACMEIssuerDNS01ProviderWebhook {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerDNS01ProviderWebhook
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The generator emitted only a struct assignment here, i.e. it found no field
// that needs its own allocation, so a value copy is already a deep copy.
func (in *ACMEIssuerStatus) DeepCopyInto(out *ACMEIssuerStatus) {
	*out = *in
	return
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ACMEIssuerStatus) DeepCopy() *ACMEIssuerStatus {
	if in == nil {
		return nil
	}
	var cp ACMEIssuerStatus
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The generator emitted only a struct assignment here, i.e. it found no field
// that needs its own allocation, so a value copy is already a deep copy.
func (in *AzureManagedIdentity) DeepCopyInto(out *AzureManagedIdentity) {
	*out = *in
	return
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *AzureManagedIdentity) DeepCopy() *AzureManagedIdentity {
	if in == nil {
		return nil
	}
	var cp AzureManagedIdentity
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
//
// Map and slice fields are rebuilt rather than shared, and nil stays nil
// (an empty-but-non-nil input yields an empty-but-non-nil output), which
// preserves the distinction the API round-trips as "unset" vs "[]".
func (in *CertificateDNSNameSelector) DeepCopyInto(out *CertificateDNSNameSelector) {
	*out = *in
	if in.MatchLabels != nil {
		out.MatchLabels = make(map[string]string, len(in.MatchLabels))
		for k, v := range in.MatchLabels {
			out.MatchLabels[k] = v
		}
	}
	if in.DNSNames != nil {
		out.DNSNames = make([]string, len(in.DNSNames))
		copy(out.DNSNames, in.DNSNames)
	}
	if in.DNSZones != nil {
		out.DNSZones = make([]string, len(in.DNSZones))
		copy(out.DNSZones, in.DNSZones)
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *CertificateDNSNameSelector) DeepCopy() *CertificateDNSNameSelector {
	if in == nil {
		return nil
	}
	var cp CertificateDNSNameSelector
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *Challenge) DeepCopyInto(out *Challenge) {
	// The value copy covers TypeMeta and Status outright: neither holds a
	// field that needs its own allocation (ChallengeStatus's own DeepCopyInto
	// is a plain struct assignment). Only ObjectMeta and Spec carry
	// reference-typed fields and need a real deep copy.
	*out = *in
	in.Spec.DeepCopyInto(&out.Spec)
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *Challenge) DeepCopy() *Challenge {
	if in == nil {
		return nil
	}
	var cp Challenge
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject implements runtime.Object by deep-copying the receiver.
func (in *Challenge) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		// Return an untyped nil: a nil *Challenge boxed in the interface
		// would compare non-nil to callers.
		return nil
	}
	return cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *ChallengeList) DeepCopyInto(out *ChallengeList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	// Items is rebuilt element by element so that the copy shares no backing
	// array (nor any nested pointer) with the source list.
	if in.Items != nil {
		out.Items = make([]Challenge, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ChallengeList) DeepCopy() *ChallengeList {
	if in == nil {
		return nil
	}
	var cp ChallengeList
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject implements runtime.Object by deep-copying the receiver.
func (in *ChallengeList) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		// Untyped nil, not a nil *ChallengeList hidden inside the interface.
		return nil
	}
	return cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *ChallengeSpec) DeepCopyInto(out *ChallengeSpec) {
	// IssuerRef is held by value and is covered by the struct assignment;
	// Solver is the only field that owns reference-typed data.
	*out = *in
	in.Solver.DeepCopyInto(&out.Solver)
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ChallengeSpec) DeepCopy() *ChallengeSpec {
	if in == nil {
		return nil
	}
	var cp ChallengeSpec
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The generator emitted only a struct assignment here, i.e. it found no field
// that needs its own allocation, so a value copy is already a deep copy.
func (in *ChallengeStatus) DeepCopyInto(out *ChallengeStatus) {
	*out = *in
	return
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ChallengeStatus) DeepCopy() *ChallengeStatus {
	if in == nil {
		return nil
	}
	var cp ChallengeStatus
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *Order) DeepCopyInto(out *Order) {
	// TypeMeta is plain data and is covered by the value copy; metadata, spec
	// and status each own reference-typed fields and are copied recursively.
	*out = *in
	in.Status.DeepCopyInto(&out.Status)
	in.Spec.DeepCopyInto(&out.Spec)
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *Order) DeepCopy() *Order {
	if in == nil {
		return nil
	}
	var cp Order
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject implements runtime.Object by deep-copying the receiver.
func (in *Order) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		// Untyped nil, not a nil *Order hidden inside the interface.
		return nil
	}
	return cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *OrderList) DeepCopyInto(out *OrderList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	// Items is rebuilt element by element so that the copy shares no backing
	// array (nor any nested pointer) with the source list.
	if in.Items != nil {
		out.Items = make([]Order, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *OrderList) DeepCopy() *OrderList {
	if in == nil {
		return nil
	}
	var cp OrderList
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject implements runtime.Object by deep-copying the receiver.
func (in *OrderList) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		// Untyped nil, not a nil *OrderList hidden inside the interface.
		return nil
	}
	return cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
//
// Every slice is cloned (nil stays nil) so a caller holding the copy cannot
// alter the source's backing arrays; this matters for Request, which carries
// the CSR bytes that are sent to the ACME server.
func (in *OrderSpec) DeepCopyInto(out *OrderSpec) {
	*out = *in
	if in.Request != nil {
		out.Request = make([]byte, len(in.Request))
		copy(out.Request, in.Request)
	}
	// IssuerRef is held by value; the struct assignment already copied it.
	out.IssuerRef = in.IssuerRef
	if in.DNSNames != nil {
		out.DNSNames = make([]string, len(in.DNSNames))
		copy(out.DNSNames, in.DNSNames)
	}
	if in.IPAddresses != nil {
		out.IPAddresses = make([]string, len(in.IPAddresses))
		copy(out.IPAddresses, in.IPAddresses)
	}
	if d := in.Duration; d != nil {
		cp := *d
		out.Duration = &cp
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *OrderSpec) DeepCopy() *OrderSpec {
	if in == nil {
		return nil
	}
	var cp OrderSpec
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *OrderStatus) DeepCopyInto(out *OrderStatus) {
	*out = *in
	// The issued certificate bytes get their own backing array so that a
	// consumer of the copy cannot overwrite what the source (e.g. a shared
	// cache) holds.
	if in.Certificate != nil {
		out.Certificate = make([]byte, len(in.Certificate))
		copy(out.Certificate, in.Certificate)
	}
	if in.Authorizations != nil {
		out.Authorizations = make([]ACMEAuthorization, len(in.Authorizations))
		for i := range in.Authorizations {
			in.Authorizations[i].DeepCopyInto(&out.Authorizations[i])
		}
	}
	if in.FailureTime != nil {
		out.FailureTime = in.FailureTime.DeepCopy()
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *OrderStatus) DeepCopy() *OrderStatus {
	if in == nil {
		return nil
	}
	var cp OrderStatus
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *Route53Auth) DeepCopyInto(out *Route53Auth) {
	*out = *in
	// Route53KubernetesAuth.DeepCopy maps nil to nil, so no guard is needed.
	out.Kubernetes = in.Kubernetes.DeepCopy()
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *Route53Auth) DeepCopy() *Route53Auth {
	if in == nil {
		return nil
	}
	var cp Route53Auth
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *Route53KubernetesAuth) DeepCopyInto(out *Route53KubernetesAuth) {
	*out = *in
	// ServiceAccountRef.DeepCopy maps nil to nil, so no guard is needed.
	out.ServiceAccountRef = in.ServiceAccountRef.DeepCopy()
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *Route53KubernetesAuth) DeepCopy() *Route53KubernetesAuth {
	if in == nil {
		return nil
	}
	var cp Route53KubernetesAuth
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto writes a deep copy of in into out; in must be non-nil.
func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
	*out = *in
	// TokenAudiences constrains who may accept the projected service-account
	// token; it is cloned so the copy cannot widen the source's audience list.
	if in.TokenAudiences != nil {
		out.TokenAudiences = make([]string, len(in.TokenAudiences))
		copy(out.TokenAudiences, in.TokenAudiences)
	}
}
// DeepCopy returns a deep copy of the receiver, or nil for a nil receiver.
func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
	if in == nil {
		return nil
	}
	var cp ServiceAccountRef
	in.DeepCopyInto(&cp)
	return &cp
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certmanager
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
cmacme "github.com/cert-manager/cert-manager/internal/apis/acme"
)
// GenericIssuer is the common view of Issuer and ClusterIssuer for code that
// does not care which of the two it is handling. It combines the Kubernetes
// runtime.Object / metav1.Object contracts with pointer accessors to the
// issuer's metadata, spec and status.
//
// NOTE: the accessors return pointers INTO the receiver, so mutating what
// they return mutates the issuer itself. DeepCopy an object that came out of
// a shared informer/lister cache before touching it through this interface.
type GenericIssuer interface {
	runtime.Object
	metav1.Object
	GetObjectMeta() *metav1.ObjectMeta
	GetSpec() *IssuerSpec
	GetStatus() *IssuerStatus
}
// Compile-time checks that both concrete issuer kinds satisfy GenericIssuer.
var (
	_ GenericIssuer = (*Issuer)(nil)
	_ GenericIssuer = (*ClusterIssuer)(nil)
)
// GetObjectMeta returns a pointer to the receiver's metadata (not a copy).
func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta {
	return &c.ObjectMeta
}
// GetSpec returns a pointer to the receiver's spec; writes through it are
// visible on the ClusterIssuer itself.
func (c *ClusterIssuer) GetSpec() *IssuerSpec {
	return &c.Spec
}
// GetStatus returns a pointer to the receiver's status; writes through it are
// visible on the ClusterIssuer itself.
func (c *ClusterIssuer) GetStatus() *IssuerStatus {
	return &c.Status
}
// SetSpec replaces the receiver's spec wholesale with a value copy of spec.
func (c *ClusterIssuer) SetSpec(spec IssuerSpec) {
	c.Spec = spec
}
// SetStatus replaces the receiver's status wholesale with a value copy of status.
func (c *ClusterIssuer) SetStatus(status IssuerStatus) {
	c.Status = status
}
// Copy returns a deep copy of the receiver as a GenericIssuer. Use it to get
// an instance that can be mutated without affecting the original (for
// example one obtained from a shared cache).
func (c *ClusterIssuer) Copy() GenericIssuer {
	return c.DeepCopy()
}
// GetObjectMeta returns a pointer to the receiver's metadata (not a copy).
func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta {
	return &c.ObjectMeta
}
// GetSpec returns a pointer to the receiver's spec; writes through it are
// visible on the Issuer itself.
func (c *Issuer) GetSpec() *IssuerSpec {
	return &c.Spec
}
// GetStatus returns a pointer to the receiver's status; writes through it are
// visible on the Issuer itself.
func (c *Issuer) GetStatus() *IssuerStatus {
	return &c.Status
}
// SetSpec replaces the receiver's spec wholesale with a value copy of spec.
func (c *Issuer) SetSpec(spec IssuerSpec) {
	c.Spec = spec
}
// SetStatus replaces the receiver's status wholesale with a value copy of status.
func (c *Issuer) SetStatus(status IssuerStatus) {
	c.Status = status
}
// Copy returns a deep copy of the receiver as a GenericIssuer. Use it to get
// an instance that can be mutated without affecting the original (for
// example one obtained from a shared cache).
func (c *Issuer) Copy() GenericIssuer {
	return c.DeepCopy()
}
// ACMEStatus returns the ACME-specific portion of the issuer status, lazily
// allocating it on the receiver when unset.
//
// Side effect: when i.ACME is nil this WRITES to i. Never call it on an
// object taken straight from a shared informer/lister cache without
// DeepCopy-ing first, or the cached object is mutated in place.
//
// A nil receiver yields a fresh, detached ACMEIssuerStatus so callers do not
// panic; anything written through that pointer is not persisted anywhere.
//
// TODO: refactor these functions away
func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus {
	if i == nil {
		return new(cmacme.ACMEIssuerStatus)
	}
	if i.ACME != nil {
		return i.ACME
	}
	i.ACME = new(cmacme.ACMEIssuerStatus)
	return i.ACME
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certmanager
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
)
var (
	// SchemeBuilder collects the registration functions for the internal
	// certmanager API group; addKnownTypes is the only one wired in here.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme applies every function in SchemeBuilder to a scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
// SchemeGroupVersion is the group version used to register these objects.
// The version is runtime.APIVersionInternal: this package is the unversioned
// hub that the served versions (e.g. v1) convert to and from.
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: runtime.APIVersionInternal}
// Resource qualifies an unqualified resource name (e.g. "certificates") with
// this package's API group and returns the resulting GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
// addKnownTypes registers the internal certmanager types (and their List
// variants) with scheme under SchemeGroupVersion. It never fails; the error
// return exists only to match the runtime.SchemeBuilder signature.
func addKnownTypes(scheme *runtime.Scheme) error {
	known := []runtime.Object{
		&Certificate{},
		&CertificateList{},
		&Issuer{},
		&IssuerList{},
		&ClusterIssuer{},
		&ClusterIssuerList{},
		&CertificateRequest{},
		&CertificateRequestList{},
	}
	scheme.AddKnownTypes(SchemeGroupVersion, known...)
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime"
"github.com/cert-manager/cert-manager/internal/controller/feature"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
)
// addDefaultingFuncs registers the defaulter-gen generated defaulting
// functions (RegisterDefaults) on scheme; it is wired into the scheme builder
// from init() so it runs whenever this package's AddToScheme is applied.
func addDefaultingFuncs(scheme *runtime.Scheme) error {
	return RegisterDefaults(scheme)
}
// SetRuntimeDefaults_Certificate fills in runtime defaults on the supplied
// Certificate, in place:
//   - spec.privateKey is allocated if absent;
//   - spec.privateKey.rotationPolicy, when empty, becomes Always if the
//     DefaultPrivateKeyRotationPolicyAlways feature gate is enabled and Never
//     otherwise. An explicitly set policy is left untouched.
//
// Security note: Never means the same private key is reused across renewals,
// so a key that has leaked stays valid until someone rotates it by hand;
// Always gives every renewal a fresh key. The feature gate exists so the
// safer default can be rolled out without breaking existing behaviour.
//
// NOTE: Do not supply Certificate objects retrieved from a client-go lister
// because you may corrupt the cache. Do a DeepCopy first. See:
// https://pkg.go.dev/github.com/cert-manager/cert-manager@v1.17.2/pkg/client/listers/certmanager/v1#CertificateNamespaceLister
//
// NOTE: This is deliberately not called `SetObjectDefault_`, because that would
// cause defaultergen to add this to the scheme default, which would be
// confusing because we don't (yet) have a defaulting webhook or use API default
// annotations.
//
// TODO(wallrj): When DefaultPrivateKeyRotationPolicyAlways is GA, the default
// value can probably be added as an API default by adding:
//
// `// +default="Always"`
//
// ... to the API struct.
func SetRuntimeDefaults_Certificate(in *cmapi.Certificate) {
	pk := in.Spec.PrivateKey
	if pk == nil {
		pk = &cmapi.CertificatePrivateKey{}
		in.Spec.PrivateKey = pk
	}
	if pk.RotationPolicy != "" {
		// Respect whatever the user configured.
		return
	}
	if utilfeature.DefaultFeatureGate.Enabled(feature.DefaultPrivateKeyRotationPolicyAlways) {
		pk.RotationPolicy = cmapi.RotationPolicyAlways
		return
	}
	pk.RotationPolicy = cmapi.RotationPolicyNever
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// SchemeGroupVersion is the group version used to register these objects:
// the served "v1" version of the certmanager API group.
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: "v1"}
// Resource qualifies an unqualified resource name (e.g. "certificates") with
// this package's API group and returns the resulting GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
var (
	// localSchemeBuilder aliases the public v1 API package's SchemeBuilder so
	// that the conversion and defaulting functions registered in this internal
	// package end up on the same builder callers already use.
	localSchemeBuilder = &cmapi.SchemeBuilder
	// AddToScheme applies every registered function to a scheme.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init wires the hand-written defaulting registration into the shared
// scheme builder. Registration is deferred until AddToScheme is called, so
// importing this package has no effect on any scheme by itself.
func init() {
	// We only register manually written functions here. The registration of the
	// generated functions takes place in the generated files. The separation
	// makes the code compile even when the generated files are missing.
	localSchemeBuilder.Register(addDefaultingFuncs)
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1
import (
unsafe "unsafe"
acme "github.com/cert-manager/cert-manager/internal/apis/acme"
acmev1 "github.com/cert-manager/cert-manager/internal/apis/acme/v1"
certmanager "github.com/cert-manager/cert-manager/internal/apis/certmanager"
meta "github.com/cert-manager/cert-manager/internal/apis/meta"
internalapismetav1 "github.com/cert-manager/cert-manager/internal/apis/meta/v1"
apisacmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
apismetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// init queues the generated conversion functions on the shared scheme
// builder; they are installed when AddToScheme is applied to a scheme.
func init() {
	localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CAIssuer)(nil), (*certmanager.CAIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CAIssuer_To_certmanager_CAIssuer(a.(*certmanagerv1.CAIssuer), b.(*certmanager.CAIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CAIssuer)(nil), (*certmanagerv1.CAIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CAIssuer_To_v1_CAIssuer(a.(*certmanager.CAIssuer), b.(*certmanagerv1.CAIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.Certificate)(nil), (*certmanager.Certificate)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_Certificate_To_certmanager_Certificate(a.(*certmanagerv1.Certificate), b.(*certmanager.Certificate), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.Certificate)(nil), (*certmanagerv1.Certificate)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_Certificate_To_v1_Certificate(a.(*certmanager.Certificate), b.(*certmanagerv1.Certificate), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateAdditionalOutputFormat)(nil), (*certmanager.CertificateAdditionalOutputFormat)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat(a.(*certmanagerv1.CertificateAdditionalOutputFormat), b.(*certmanager.CertificateAdditionalOutputFormat), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateAdditionalOutputFormat)(nil), (*certmanagerv1.CertificateAdditionalOutputFormat)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat(a.(*certmanager.CertificateAdditionalOutputFormat), b.(*certmanagerv1.CertificateAdditionalOutputFormat), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateCondition)(nil), (*certmanager.CertificateCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateCondition_To_certmanager_CertificateCondition(a.(*certmanagerv1.CertificateCondition), b.(*certmanager.CertificateCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateCondition)(nil), (*certmanagerv1.CertificateCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateCondition_To_v1_CertificateCondition(a.(*certmanager.CertificateCondition), b.(*certmanagerv1.CertificateCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateKeystores)(nil), (*certmanager.CertificateKeystores)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateKeystores_To_certmanager_CertificateKeystores(a.(*certmanagerv1.CertificateKeystores), b.(*certmanager.CertificateKeystores), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateKeystores)(nil), (*certmanagerv1.CertificateKeystores)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateKeystores_To_v1_CertificateKeystores(a.(*certmanager.CertificateKeystores), b.(*certmanagerv1.CertificateKeystores), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateList)(nil), (*certmanager.CertificateList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateList_To_certmanager_CertificateList(a.(*certmanagerv1.CertificateList), b.(*certmanager.CertificateList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateList)(nil), (*certmanagerv1.CertificateList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateList_To_v1_CertificateList(a.(*certmanager.CertificateList), b.(*certmanagerv1.CertificateList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificatePrivateKey)(nil), (*certmanager.CertificatePrivateKey)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey(a.(*certmanagerv1.CertificatePrivateKey), b.(*certmanager.CertificatePrivateKey), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificatePrivateKey)(nil), (*certmanagerv1.CertificatePrivateKey)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey(a.(*certmanager.CertificatePrivateKey), b.(*certmanagerv1.CertificatePrivateKey), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateRequest)(nil), (*certmanager.CertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateRequest_To_certmanager_CertificateRequest(a.(*certmanagerv1.CertificateRequest), b.(*certmanager.CertificateRequest), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateRequest)(nil), (*certmanagerv1.CertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateRequest_To_v1_CertificateRequest(a.(*certmanager.CertificateRequest), b.(*certmanagerv1.CertificateRequest), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateRequestCondition)(nil), (*certmanager.CertificateRequestCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition(a.(*certmanagerv1.CertificateRequestCondition), b.(*certmanager.CertificateRequestCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateRequestCondition)(nil), (*certmanagerv1.CertificateRequestCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition(a.(*certmanager.CertificateRequestCondition), b.(*certmanagerv1.CertificateRequestCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateRequestList)(nil), (*certmanager.CertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateRequestList_To_certmanager_CertificateRequestList(a.(*certmanagerv1.CertificateRequestList), b.(*certmanager.CertificateRequestList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateRequestList)(nil), (*certmanagerv1.CertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateRequestList_To_v1_CertificateRequestList(a.(*certmanager.CertificateRequestList), b.(*certmanagerv1.CertificateRequestList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateRequestSpec)(nil), (*certmanager.CertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec(a.(*certmanagerv1.CertificateRequestSpec), b.(*certmanager.CertificateRequestSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateRequestSpec)(nil), (*certmanagerv1.CertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec(a.(*certmanager.CertificateRequestSpec), b.(*certmanagerv1.CertificateRequestSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateRequestStatus)(nil), (*certmanager.CertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus(a.(*certmanagerv1.CertificateRequestStatus), b.(*certmanager.CertificateRequestStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateRequestStatus)(nil), (*certmanagerv1.CertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus(a.(*certmanager.CertificateRequestStatus), b.(*certmanagerv1.CertificateRequestStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateSecretTemplate)(nil), (*certmanager.CertificateSecretTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate(a.(*certmanagerv1.CertificateSecretTemplate), b.(*certmanager.CertificateSecretTemplate), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateSecretTemplate)(nil), (*certmanagerv1.CertificateSecretTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate(a.(*certmanager.CertificateSecretTemplate), b.(*certmanagerv1.CertificateSecretTemplate), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateSpec)(nil), (*certmanager.CertificateSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateSpec_To_certmanager_CertificateSpec(a.(*certmanagerv1.CertificateSpec), b.(*certmanager.CertificateSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateSpec)(nil), (*certmanagerv1.CertificateSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateSpec_To_v1_CertificateSpec(a.(*certmanager.CertificateSpec), b.(*certmanagerv1.CertificateSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.CertificateStatus)(nil), (*certmanager.CertificateStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_CertificateStatus_To_certmanager_CertificateStatus(a.(*certmanagerv1.CertificateStatus), b.(*certmanager.CertificateStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.CertificateStatus)(nil), (*certmanagerv1.CertificateStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_CertificateStatus_To_v1_CertificateStatus(a.(*certmanager.CertificateStatus), b.(*certmanagerv1.CertificateStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.ClusterIssuer)(nil), (*certmanager.ClusterIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_ClusterIssuer_To_certmanager_ClusterIssuer(a.(*certmanagerv1.ClusterIssuer), b.(*certmanager.ClusterIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.ClusterIssuer)(nil), (*certmanagerv1.ClusterIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_ClusterIssuer_To_v1_ClusterIssuer(a.(*certmanager.ClusterIssuer), b.(*certmanagerv1.ClusterIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.ClusterIssuerList)(nil), (*certmanager.ClusterIssuerList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList(a.(*certmanagerv1.ClusterIssuerList), b.(*certmanager.ClusterIssuerList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.ClusterIssuerList)(nil), (*certmanagerv1.ClusterIssuerList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList(a.(*certmanager.ClusterIssuerList), b.(*certmanagerv1.ClusterIssuerList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.Issuer)(nil), (*certmanager.Issuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_Issuer_To_certmanager_Issuer(a.(*certmanagerv1.Issuer), b.(*certmanager.Issuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.Issuer)(nil), (*certmanagerv1.Issuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_Issuer_To_v1_Issuer(a.(*certmanager.Issuer), b.(*certmanagerv1.Issuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.IssuerCondition)(nil), (*certmanager.IssuerCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_IssuerCondition_To_certmanager_IssuerCondition(a.(*certmanagerv1.IssuerCondition), b.(*certmanager.IssuerCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.IssuerCondition)(nil), (*certmanagerv1.IssuerCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_IssuerCondition_To_v1_IssuerCondition(a.(*certmanager.IssuerCondition), b.(*certmanagerv1.IssuerCondition), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.IssuerConfig)(nil), (*certmanager.IssuerConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_IssuerConfig_To_certmanager_IssuerConfig(a.(*certmanagerv1.IssuerConfig), b.(*certmanager.IssuerConfig), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.IssuerConfig)(nil), (*certmanagerv1.IssuerConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_IssuerConfig_To_v1_IssuerConfig(a.(*certmanager.IssuerConfig), b.(*certmanagerv1.IssuerConfig), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.IssuerList)(nil), (*certmanager.IssuerList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_IssuerList_To_certmanager_IssuerList(a.(*certmanagerv1.IssuerList), b.(*certmanager.IssuerList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.IssuerList)(nil), (*certmanagerv1.IssuerList)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_IssuerList_To_v1_IssuerList(a.(*certmanager.IssuerList), b.(*certmanagerv1.IssuerList), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.IssuerSpec)(nil), (*certmanager.IssuerSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_IssuerSpec_To_certmanager_IssuerSpec(a.(*certmanagerv1.IssuerSpec), b.(*certmanager.IssuerSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.IssuerSpec)(nil), (*certmanagerv1.IssuerSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_IssuerSpec_To_v1_IssuerSpec(a.(*certmanager.IssuerSpec), b.(*certmanagerv1.IssuerSpec), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.IssuerStatus)(nil), (*certmanager.IssuerStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_IssuerStatus_To_certmanager_IssuerStatus(a.(*certmanagerv1.IssuerStatus), b.(*certmanager.IssuerStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.IssuerStatus)(nil), (*certmanagerv1.IssuerStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_IssuerStatus_To_v1_IssuerStatus(a.(*certmanager.IssuerStatus), b.(*certmanagerv1.IssuerStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.JKSKeystore)(nil), (*certmanager.JKSKeystore)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_JKSKeystore_To_certmanager_JKSKeystore(a.(*certmanagerv1.JKSKeystore), b.(*certmanager.JKSKeystore), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.JKSKeystore)(nil), (*certmanagerv1.JKSKeystore)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_JKSKeystore_To_v1_JKSKeystore(a.(*certmanager.JKSKeystore), b.(*certmanagerv1.JKSKeystore), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.NameConstraintItem)(nil), (*certmanager.NameConstraintItem)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_NameConstraintItem_To_certmanager_NameConstraintItem(a.(*certmanagerv1.NameConstraintItem), b.(*certmanager.NameConstraintItem), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.NameConstraintItem)(nil), (*certmanagerv1.NameConstraintItem)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_NameConstraintItem_To_v1_NameConstraintItem(a.(*certmanager.NameConstraintItem), b.(*certmanagerv1.NameConstraintItem), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.NameConstraints)(nil), (*certmanager.NameConstraints)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_NameConstraints_To_certmanager_NameConstraints(a.(*certmanagerv1.NameConstraints), b.(*certmanager.NameConstraints), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.NameConstraints)(nil), (*certmanagerv1.NameConstraints)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_NameConstraints_To_v1_NameConstraints(a.(*certmanager.NameConstraints), b.(*certmanagerv1.NameConstraints), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.OtherName)(nil), (*certmanager.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_OtherName_To_certmanager_OtherName(a.(*certmanagerv1.OtherName), b.(*certmanager.OtherName), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.OtherName)(nil), (*certmanagerv1.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_OtherName_To_v1_OtherName(a.(*certmanager.OtherName), b.(*certmanagerv1.OtherName), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.PKCS12Keystore)(nil), (*certmanager.PKCS12Keystore)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(a.(*certmanagerv1.PKCS12Keystore), b.(*certmanager.PKCS12Keystore), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.PKCS12Keystore)(nil), (*certmanagerv1.PKCS12Keystore)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(a.(*certmanager.PKCS12Keystore), b.(*certmanagerv1.PKCS12Keystore), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.SelfSignedIssuer)(nil), (*certmanager.SelfSignedIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer(a.(*certmanagerv1.SelfSignedIssuer), b.(*certmanager.SelfSignedIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.SelfSignedIssuer)(nil), (*certmanagerv1.SelfSignedIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(a.(*certmanager.SelfSignedIssuer), b.(*certmanagerv1.SelfSignedIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.ServiceAccountRef)(nil), (*certmanager.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(a.(*certmanagerv1.ServiceAccountRef), b.(*certmanager.ServiceAccountRef), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.ServiceAccountRef)(nil), (*certmanagerv1.ServiceAccountRef)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(a.(*certmanager.ServiceAccountRef), b.(*certmanagerv1.ServiceAccountRef), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VaultAppRole)(nil), (*certmanager.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VaultAppRole_To_certmanager_VaultAppRole(a.(*certmanagerv1.VaultAppRole), b.(*certmanager.VaultAppRole), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VaultAppRole)(nil), (*certmanagerv1.VaultAppRole)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VaultAppRole_To_v1_VaultAppRole(a.(*certmanager.VaultAppRole), b.(*certmanagerv1.VaultAppRole), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VaultAuth)(nil), (*certmanager.VaultAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VaultAuth_To_certmanager_VaultAuth(a.(*certmanagerv1.VaultAuth), b.(*certmanager.VaultAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VaultAuth)(nil), (*certmanagerv1.VaultAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VaultAuth_To_v1_VaultAuth(a.(*certmanager.VaultAuth), b.(*certmanagerv1.VaultAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VaultClientCertificateAuth)(nil), (*certmanager.VaultClientCertificateAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth(a.(*certmanagerv1.VaultClientCertificateAuth), b.(*certmanager.VaultClientCertificateAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VaultClientCertificateAuth)(nil), (*certmanagerv1.VaultClientCertificateAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth(a.(*certmanager.VaultClientCertificateAuth), b.(*certmanagerv1.VaultClientCertificateAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VaultIssuer)(nil), (*certmanager.VaultIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VaultIssuer_To_certmanager_VaultIssuer(a.(*certmanagerv1.VaultIssuer), b.(*certmanager.VaultIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VaultIssuer)(nil), (*certmanagerv1.VaultIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(a.(*certmanager.VaultIssuer), b.(*certmanagerv1.VaultIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VaultKubernetesAuth)(nil), (*certmanager.VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(a.(*certmanagerv1.VaultKubernetesAuth), b.(*certmanager.VaultKubernetesAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VaultKubernetesAuth)(nil), (*certmanagerv1.VaultKubernetesAuth)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(a.(*certmanager.VaultKubernetesAuth), b.(*certmanagerv1.VaultKubernetesAuth), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VenafiCloud)(nil), (*certmanager.VenafiCloud)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VenafiCloud_To_certmanager_VenafiCloud(a.(*certmanagerv1.VenafiCloud), b.(*certmanager.VenafiCloud), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VenafiCloud)(nil), (*certmanagerv1.VenafiCloud)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VenafiCloud_To_v1_VenafiCloud(a.(*certmanager.VenafiCloud), b.(*certmanagerv1.VenafiCloud), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VenafiIssuer)(nil), (*certmanager.VenafiIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VenafiIssuer_To_certmanager_VenafiIssuer(a.(*certmanagerv1.VenafiIssuer), b.(*certmanager.VenafiIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VenafiIssuer)(nil), (*certmanagerv1.VenafiIssuer)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VenafiIssuer_To_v1_VenafiIssuer(a.(*certmanager.VenafiIssuer), b.(*certmanagerv1.VenafiIssuer), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.VenafiTPP)(nil), (*certmanager.VenafiTPP)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_VenafiTPP_To_certmanager_VenafiTPP(a.(*certmanagerv1.VenafiTPP), b.(*certmanager.VenafiTPP), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.VenafiTPP)(nil), (*certmanagerv1.VenafiTPP)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_VenafiTPP_To_v1_VenafiTPP(a.(*certmanager.VenafiTPP), b.(*certmanagerv1.VenafiTPP), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanagerv1.X509Subject)(nil), (*certmanager.X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_X509Subject_To_certmanager_X509Subject(a.(*certmanagerv1.X509Subject), b.(*certmanager.X509Subject), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*certmanager.X509Subject)(nil), (*certmanagerv1.X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_certmanager_X509Subject_To_v1_X509Subject(a.(*certmanager.X509Subject), b.(*certmanagerv1.X509Subject), scope)
}); err != nil {
return err
}
return nil
}
// autoConvert_v1_CAIssuer_To_certmanager_CAIssuer copies a CA issuer
// configuration from the v1 API type into the internal type. The scope s is
// not consulted; it is present only so the signature matches the other
// generated conversion functions.
func autoConvert_v1_CAIssuer_To_certmanager_CAIssuer(in *certmanagerv1.CAIssuer, out *certmanager.CAIssuer, s conversion.Scope) error {
	out.SecretName = in.SecretName
	// The three slice headers are reinterpreted in place, not copied: out
	// shares its backing arrays with in, so a mutation through either side is
	// visible to the other. The compiler does not verify that the two element
	// types have the same layout, so these lines must only ever come from the
	// generator, never from a hand edit.
	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
	out.OCSPServers = *(*[]string)(unsafe.Pointer(&in.OCSPServers))
	out.IssuingCertificateURLs = *(*[]string)(unsafe.Pointer(&in.IssuingCertificateURLs))
	return nil
}
// Convert_v1_CAIssuer_To_certmanager_CAIssuer is an autogenerated conversion
// function. It is the exported entry point; the field copying itself lives in
// the autoConvert_ body, whose error (if any) is returned unchanged.
func Convert_v1_CAIssuer_To_certmanager_CAIssuer(in *certmanagerv1.CAIssuer, out *certmanager.CAIssuer, s conversion.Scope) error {
	err := autoConvert_v1_CAIssuer_To_certmanager_CAIssuer(in, out, s)
	return err
}
// autoConvert_certmanager_CAIssuer_To_v1_CAIssuer copies a CA issuer
// configuration from the internal type into the v1 API type. The scope s is
// not consulted; it is present only so the signature matches the other
// generated conversion functions.
func autoConvert_certmanager_CAIssuer_To_v1_CAIssuer(in *certmanager.CAIssuer, out *certmanagerv1.CAIssuer, s conversion.Scope) error {
	out.SecretName = in.SecretName
	// Slice headers are reinterpreted, not cloned: out aliases in's backing
	// arrays. The cast is unchecked by the compiler and is only sound while
	// the element types stay layout-identical, so regenerate rather than edit.
	out.CRLDistributionPoints = *(*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
	out.OCSPServers = *(*[]string)(unsafe.Pointer(&in.OCSPServers))
	out.IssuingCertificateURLs = *(*[]string)(unsafe.Pointer(&in.IssuingCertificateURLs))
	return nil
}
// Convert_certmanager_CAIssuer_To_v1_CAIssuer is an autogenerated conversion
// function. It exists as the exported entry point and forwards straight to the
// generated autoConvert_ body.
func Convert_certmanager_CAIssuer_To_v1_CAIssuer(in *certmanager.CAIssuer, out *certmanagerv1.CAIssuer, s conversion.Scope) error {
	if err := autoConvert_certmanager_CAIssuer_To_v1_CAIssuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_Certificate_To_certmanager_Certificate converts a v1
// Certificate into the internal type: ObjectMeta is assigned directly, while
// Spec and Status go through their own conversion functions. The first
// sub-conversion error aborts the conversion and is returned as-is.
func autoConvert_v1_Certificate_To_certmanager_Certificate(in *certmanagerv1.Certificate, out *certmanager.Certificate, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_v1_CertificateSpec_To_certmanager_CertificateSpec(&in.Spec, &out.Spec, s)
	if err != nil {
		return err
	}
	// Status is converted last; its result is the function's result.
	return Convert_v1_CertificateStatus_To_certmanager_CertificateStatus(&in.Status, &out.Status, s)
}
// Convert_v1_Certificate_To_certmanager_Certificate is an autogenerated
// conversion function; it delegates to the generated autoConvert_ body and
// returns its error unchanged.
func Convert_v1_Certificate_To_certmanager_Certificate(in *certmanagerv1.Certificate, out *certmanager.Certificate, s conversion.Scope) error {
	err := autoConvert_v1_Certificate_To_certmanager_Certificate(in, out, s)
	return err
}
// autoConvert_certmanager_Certificate_To_v1_Certificate converts an internal
// Certificate into the v1 API type. ObjectMeta is copied by assignment; Spec
// and Status are delegated to their own conversion functions, and the first
// failure is returned immediately.
func autoConvert_certmanager_Certificate_To_v1_Certificate(in *certmanager.Certificate, out *certmanagerv1.Certificate, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_certmanager_CertificateSpec_To_v1_CertificateSpec(&in.Spec, &out.Spec, s)
	if err != nil {
		return err
	}
	// The status conversion's outcome is the overall outcome.
	return Convert_certmanager_CertificateStatus_To_v1_CertificateStatus(&in.Status, &out.Status, s)
}
// Convert_certmanager_Certificate_To_v1_Certificate is an autogenerated
// conversion function: the exported wrapper around the generated body.
func Convert_certmanager_Certificate_To_v1_Certificate(in *certmanager.Certificate, out *certmanagerv1.Certificate, s conversion.Scope) error {
	if err := autoConvert_certmanager_Certificate_To_v1_Certificate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat
// converts the single Type field; the value is unchanged, only its named
// type moves from the v1 package to the internal package. Never fails.
func autoConvert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat(in *certmanagerv1.CertificateAdditionalOutputFormat, out *certmanager.CertificateAdditionalOutputFormat, s conversion.Scope) error {
	formatType := certmanager.CertificateOutputFormatType(in.Type)
	out.Type = formatType
	return nil
}
// Convert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat
// is an autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat(in *certmanagerv1.CertificateAdditionalOutputFormat, out *certmanager.CertificateAdditionalOutputFormat, s conversion.Scope) error {
	err := autoConvert_v1_CertificateAdditionalOutputFormat_To_certmanager_CertificateAdditionalOutputFormat(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat
// re-labels the Type field from the internal named type to the v1 named type.
// The underlying value is untouched and the function cannot fail.
func autoConvert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat(in *certmanager.CertificateAdditionalOutputFormat, out *certmanagerv1.CertificateAdditionalOutputFormat, s conversion.Scope) error {
	formatType := certmanagerv1.CertificateOutputFormatType(in.Type)
	out.Type = formatType
	return nil
}
// Convert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat
// is an autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat(in *certmanager.CertificateAdditionalOutputFormat, out *certmanagerv1.CertificateAdditionalOutputFormat, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateAdditionalOutputFormat_To_v1_CertificateAdditionalOutputFormat(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateCondition_To_certmanager_CertificateCondition
// copies one Certificate status condition from the v1 API type into the
// internal type. Named types are re-labelled per package; the values are kept.
// The scope s is unused.
func autoConvert_v1_CertificateCondition_To_certmanager_CertificateCondition(in *certmanagerv1.CertificateCondition, out *certmanager.CertificateCondition, s conversion.Scope) error {
	out.Type = certmanager.CertificateConditionType(in.Type)
	// The internal API uses the internal meta package's ConditionStatus.
	out.Status = meta.ConditionStatus(in.Status)
	// Pointer reinterpretation rather than a deep copy: afterwards out and in
	// refer to the same metav1.Time. Unchecked by the compiler, so this line
	// is only safe as generator output.
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	out.ObservedGeneration = in.ObservedGeneration
	return nil
}
// Convert_v1_CertificateCondition_To_certmanager_CertificateCondition is an
// autogenerated conversion function; the work is done by the autoConvert_ body.
func Convert_v1_CertificateCondition_To_certmanager_CertificateCondition(in *certmanagerv1.CertificateCondition, out *certmanager.CertificateCondition, s conversion.Scope) error {
	err := autoConvert_v1_CertificateCondition_To_certmanager_CertificateCondition(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateCondition_To_v1_CertificateCondition
// copies one Certificate status condition from the internal type into the v1
// API type, re-labelling the named types and keeping the values. The scope s
// is unused.
func autoConvert_certmanager_CertificateCondition_To_v1_CertificateCondition(in *certmanager.CertificateCondition, out *certmanagerv1.CertificateCondition, s conversion.Scope) error {
	out.Type = certmanagerv1.CertificateConditionType(in.Type)
	// The v1 API uses the versioned meta package's ConditionStatus.
	out.Status = apismetav1.ConditionStatus(in.Status)
	// Pointer reinterpretation: out.LastTransitionTime aliases the same
	// metav1.Time as in. The cast is not layout-checked by the compiler.
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	out.ObservedGeneration = in.ObservedGeneration
	return nil
}
// Convert_certmanager_CertificateCondition_To_v1_CertificateCondition is an
// autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateCondition_To_v1_CertificateCondition(in *certmanager.CertificateCondition, out *certmanagerv1.CertificateCondition, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateCondition_To_v1_CertificateCondition(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateKeystores_To_certmanager_CertificateKeystores
// converts the optional JKS and PKCS12 keystore specs from the v1 API type
// into the internal type. Each present sub-spec gets a freshly allocated
// destination and is deep-converted; an absent one clears the destination so
// a reused out value does not keep a stale keystore spec. The first
// sub-conversion error is returned immediately.
func autoConvert_v1_CertificateKeystores_To_certmanager_CertificateKeystores(in *certmanagerv1.CertificateKeystores, out *certmanager.CertificateKeystores, s conversion.Scope) error {
	out.JKS = nil
	if in.JKS != nil {
		out.JKS = new(certmanager.JKSKeystore)
		if err := Convert_v1_JKSKeystore_To_certmanager_JKSKeystore(in.JKS, out.JKS, s); err != nil {
			return err
		}
	}
	out.PKCS12 = nil
	if in.PKCS12 != nil {
		out.PKCS12 = new(certmanager.PKCS12Keystore)
		if err := Convert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in.PKCS12, out.PKCS12, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_CertificateKeystores_To_certmanager_CertificateKeystores is an
// autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateKeystores_To_certmanager_CertificateKeystores(in *certmanagerv1.CertificateKeystores, out *certmanager.CertificateKeystores, s conversion.Scope) error {
	err := autoConvert_v1_CertificateKeystores_To_certmanager_CertificateKeystores(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateKeystores_To_v1_CertificateKeystores
// converts the optional JKS and PKCS12 keystore specs from the internal type
// into the v1 API type. A present sub-spec is deep-converted into a new
// allocation; an absent one resets the destination field to nil. The first
// sub-conversion error aborts the conversion.
func autoConvert_certmanager_CertificateKeystores_To_v1_CertificateKeystores(in *certmanager.CertificateKeystores, out *certmanagerv1.CertificateKeystores, s conversion.Scope) error {
	out.JKS = nil
	if in.JKS != nil {
		out.JKS = new(certmanagerv1.JKSKeystore)
		if err := Convert_certmanager_JKSKeystore_To_v1_JKSKeystore(in.JKS, out.JKS, s); err != nil {
			return err
		}
	}
	out.PKCS12 = nil
	if in.PKCS12 != nil {
		out.PKCS12 = new(certmanagerv1.PKCS12Keystore)
		if err := Convert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in.PKCS12, out.PKCS12, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_CertificateKeystores_To_v1_CertificateKeystores is an
// autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateKeystores_To_v1_CertificateKeystores(in *certmanager.CertificateKeystores, out *certmanagerv1.CertificateKeystores, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateKeystores_To_v1_CertificateKeystores(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateList_To_certmanager_CertificateList converts a v1
// CertificateList into the internal type. ListMeta is assigned directly; Items
// is rebuilt element by element through the Certificate conversion. A nil
// input slice yields a nil output slice, while an empty non-nil input yields
// an empty non-nil output. The first element conversion error is returned.
func autoConvert_v1_CertificateList_To_certmanager_CertificateList(in *certmanagerv1.CertificateList, out *certmanager.CertificateList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	out.Items = nil
	if in.Items != nil {
		out.Items = make([]certmanager.Certificate, len(in.Items))
		for i := range in.Items {
			if err := Convert_v1_Certificate_To_certmanager_Certificate(&in.Items[i], &out.Items[i], s); err != nil {
				return err
			}
		}
	}
	return nil
}
// Convert_v1_CertificateList_To_certmanager_CertificateList is an
// autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateList_To_certmanager_CertificateList(in *certmanagerv1.CertificateList, out *certmanager.CertificateList, s conversion.Scope) error {
	err := autoConvert_v1_CertificateList_To_certmanager_CertificateList(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateList_To_v1_CertificateList converts an
// internal CertificateList into the v1 API type. ListMeta is copied by
// assignment; Items is allocated to the input length and each element is
// converted in place. nil in gives nil out; empty non-nil in gives empty
// non-nil out. The first element conversion error aborts the loop.
func autoConvert_certmanager_CertificateList_To_v1_CertificateList(in *certmanager.CertificateList, out *certmanagerv1.CertificateList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	out.Items = nil
	if in.Items != nil {
		out.Items = make([]certmanagerv1.Certificate, len(in.Items))
		for i := range in.Items {
			if err := Convert_certmanager_Certificate_To_v1_Certificate(&in.Items[i], &out.Items[i], s); err != nil {
				return err
			}
		}
	}
	return nil
}
// Convert_certmanager_CertificateList_To_v1_CertificateList is an
// autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateList_To_v1_CertificateList(in *certmanager.CertificateList, out *certmanagerv1.CertificateList, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateList_To_v1_CertificateList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey
// copies the private-key settings from the v1 API type into the internal
// type. The three enum-like fields are re-labelled to the internal named
// types; Size is copied as-is. The four assignments are independent and the
// function cannot fail.
func autoConvert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey(in *certmanagerv1.CertificatePrivateKey, out *certmanager.CertificatePrivateKey, s conversion.Scope) error {
	out.Size = in.Size
	out.Algorithm = certmanager.PrivateKeyAlgorithm(in.Algorithm)
	out.Encoding = certmanager.PrivateKeyEncoding(in.Encoding)
	out.RotationPolicy = certmanager.PrivateKeyRotationPolicy(in.RotationPolicy)
	return nil
}
// Convert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey is an
// autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey(in *certmanagerv1.CertificatePrivateKey, out *certmanager.CertificatePrivateKey, s conversion.Scope) error {
	err := autoConvert_v1_CertificatePrivateKey_To_certmanager_CertificatePrivateKey(in, out, s)
	return err
}
// autoConvert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey
// copies the private-key settings from the internal type into the v1 API
// type, re-labelling the named enum types and copying Size unchanged. The
// assignments are independent and the function never returns an error.
func autoConvert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey(in *certmanager.CertificatePrivateKey, out *certmanagerv1.CertificatePrivateKey, s conversion.Scope) error {
	out.Size = in.Size
	out.Algorithm = certmanagerv1.PrivateKeyAlgorithm(in.Algorithm)
	out.Encoding = certmanagerv1.PrivateKeyEncoding(in.Encoding)
	out.RotationPolicy = certmanagerv1.PrivateKeyRotationPolicy(in.RotationPolicy)
	return nil
}
// Convert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey is an
// autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey(in *certmanager.CertificatePrivateKey, out *certmanagerv1.CertificatePrivateKey, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificatePrivateKey_To_v1_CertificatePrivateKey(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateRequest_To_certmanager_CertificateRequest converts
// a v1 CertificateRequest into the internal type. ObjectMeta is assigned
// directly; Spec and Status are delegated to their conversion functions, and
// the first error is returned without converting the remainder.
func autoConvert_v1_CertificateRequest_To_certmanager_CertificateRequest(in *certmanagerv1.CertificateRequest, out *certmanager.CertificateRequest, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec(&in.Spec, &out.Spec, s)
	if err != nil {
		return err
	}
	// Status is converted last; its result is the function's result.
	return Convert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus(&in.Status, &out.Status, s)
}
// Convert_v1_CertificateRequest_To_certmanager_CertificateRequest is an
// autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateRequest_To_certmanager_CertificateRequest(in *certmanagerv1.CertificateRequest, out *certmanager.CertificateRequest, s conversion.Scope) error {
	err := autoConvert_v1_CertificateRequest_To_certmanager_CertificateRequest(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateRequest_To_v1_CertificateRequest converts
// an internal CertificateRequest into the v1 API type: ObjectMeta by
// assignment, Spec and Status via their conversion functions. The first
// sub-conversion error aborts the conversion.
func autoConvert_certmanager_CertificateRequest_To_v1_CertificateRequest(in *certmanager.CertificateRequest, out *certmanagerv1.CertificateRequest, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	err := Convert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec(&in.Spec, &out.Spec, s)
	if err != nil {
		return err
	}
	// The status conversion's outcome is the overall outcome.
	return Convert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus(&in.Status, &out.Status, s)
}
// Convert_certmanager_CertificateRequest_To_v1_CertificateRequest is an
// autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateRequest_To_v1_CertificateRequest(in *certmanager.CertificateRequest, out *certmanagerv1.CertificateRequest, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateRequest_To_v1_CertificateRequest(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition
// copies one CertificateRequest status condition from the v1 API type into
// the internal type. Named types are re-labelled; values are kept. The scope
// s is unused.
func autoConvert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition(in *certmanagerv1.CertificateRequestCondition, out *certmanager.CertificateRequestCondition, s conversion.Scope) error {
	out.Type = certmanager.CertificateRequestConditionType(in.Type)
	// The internal API uses the internal meta package's ConditionStatus.
	out.Status = meta.ConditionStatus(in.Status)
	// Pointer reinterpretation: out.LastTransitionTime aliases in's
	// metav1.Time rather than copying it. Not layout-checked by the compiler;
	// keep this line generator-owned.
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	return nil
}
// Convert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition
// is an autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition(in *certmanagerv1.CertificateRequestCondition, out *certmanager.CertificateRequestCondition, s conversion.Scope) error {
	err := autoConvert_v1_CertificateRequestCondition_To_certmanager_CertificateRequestCondition(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition
// copies one CertificateRequest status condition from the internal type into
// the v1 API type, re-labelling named types and keeping values. The scope s is
// unused.
func autoConvert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition(in *certmanager.CertificateRequestCondition, out *certmanagerv1.CertificateRequestCondition, s conversion.Scope) error {
	out.Type = certmanagerv1.CertificateRequestConditionType(in.Type)
	// The v1 API uses the versioned meta package's ConditionStatus.
	out.Status = apismetav1.ConditionStatus(in.Status)
	// Pointer reinterpretation: out and in share the same metav1.Time
	// afterwards. The compiler does not check the cast; regenerate, don't edit.
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	return nil
}
// Convert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition
// is an autogenerated conversion function wrapping the generated body.
func Convert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition(in *certmanager.CertificateRequestCondition, out *certmanagerv1.CertificateRequestCondition, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateRequestCondition_To_v1_CertificateRequestCondition(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateRequestList_To_certmanager_CertificateRequestList
// converts a v1 CertificateRequestList into the internal type. ListMeta is
// assigned directly; Items is allocated to the input length and converted
// element by element. nil in gives nil out; empty non-nil in gives empty
// non-nil out. The first element conversion error is returned.
func autoConvert_v1_CertificateRequestList_To_certmanager_CertificateRequestList(in *certmanagerv1.CertificateRequestList, out *certmanager.CertificateRequestList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	out.Items = nil
	if in.Items != nil {
		out.Items = make([]certmanager.CertificateRequest, len(in.Items))
		for i := range in.Items {
			if err := Convert_v1_CertificateRequest_To_certmanager_CertificateRequest(&in.Items[i], &out.Items[i], s); err != nil {
				return err
			}
		}
	}
	return nil
}
// Convert_v1_CertificateRequestList_To_certmanager_CertificateRequestList is
// an autogenerated conversion function; it forwards to the generated body.
func Convert_v1_CertificateRequestList_To_certmanager_CertificateRequestList(in *certmanagerv1.CertificateRequestList, out *certmanager.CertificateRequestList, s conversion.Scope) error {
	err := autoConvert_v1_CertificateRequestList_To_certmanager_CertificateRequestList(in, out, s)
	return err
}
// autoConvert_certmanager_CertificateRequestList_To_v1_CertificateRequestList
// converts an internal CertificateRequestList into v1, item by item. Nil Items
// stays nil, empty non-nil stays empty non-nil. The first failing item aborts
// the conversion and leaves out.Items partially populated.
func autoConvert_certmanager_CertificateRequestList_To_v1_CertificateRequestList(in *certmanager.CertificateRequestList, out *certmanagerv1.CertificateRequestList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]certmanagerv1.CertificateRequest, len(in.Items))
	for idx := range in.Items {
		if err := Convert_certmanager_CertificateRequest_To_v1_CertificateRequest(&in.Items[idx], &out.Items[idx], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_CertificateRequestList_To_v1_CertificateRequestList is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateRequestList_To_v1_CertificateRequestList(in *certmanager.CertificateRequestList, out *certmanagerv1.CertificateRequestList, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateRequestList_To_v1_CertificateRequestList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec
// copies a v1 CertificateRequestSpec into the internal version.
//
// Only IssuerRef goes through a real conversion call. Every slice and map
// field (Request, Usages, Groups, Extra) and the Duration pointer is
// reinterpreted in place via unsafe.Pointer, so out shares the caller's
// backing storage instead of receiving a copy: mutating out.Request afterwards
// mutates in.Request. These casts are only sound while the v1 and internal
// element types have identical memory layout (the generator is expected to
// emit them only in that case); a hand edit to either type without
// regenerating would turn them into silent memory corruption.
//
// Request is the raw CSR bytes and Username/UID/Groups/Extra are the requester
// identity fields; all are carried over verbatim with no validation here —
// any policy on them has to be enforced by the caller.
func autoConvert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec(in *certmanagerv1.CertificateRequestSpec, out *certmanager.CertificateRequestSpec, s conversion.Scope) error {
	out.Duration = (*metav1.Duration)(unsafe.Pointer(in.Duration))
	if err := internalapismetav1.Convert_v1_IssuerReference_To_meta_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	// Slice-header reinterpretation: shares the underlying CSR bytes with in.
	out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
	out.IsCA = in.IsCA
	out.Usages = *(*[]certmanager.KeyUsage)(unsafe.Pointer(&in.Usages))
	out.Username = in.Username
	out.UID = in.UID
	out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
	// Map reinterpretation: out.Extra and in.Extra are the same map.
	out.Extra = *(*map[string][]string)(unsafe.Pointer(&in.Extra))
	return nil
}
// Convert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec is an autogenerated conversion function.
// Scheme-registered wrapper; the autoConvert body does the work and its
// error is returned unchanged.
func Convert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec(in *certmanagerv1.CertificateRequestSpec, out *certmanager.CertificateRequestSpec, s conversion.Scope) error {
	if err := autoConvert_v1_CertificateRequestSpec_To_certmanager_CertificateRequestSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec
// copies an internal CertificateRequestSpec into v1. Mirror image of the
// v1→internal direction: IssuerRef is converted by call, everything else is
// either a plain copy or an unsafe.Pointer reinterpretation that makes out
// share in's backing slices/maps (Request, Usages, Groups, Extra) and the
// Duration pointee. Sound only while both type pairs are layout-identical;
// regenerate rather than hand-edit.
func autoConvert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec(in *certmanager.CertificateRequestSpec, out *certmanagerv1.CertificateRequestSpec, s conversion.Scope) error {
	out.Duration = (*metav1.Duration)(unsafe.Pointer(in.Duration))
	if err := internalapismetav1.Convert_meta_IssuerReference_To_v1_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	// CSR bytes are shared, not copied.
	out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
	out.IsCA = in.IsCA
	out.Usages = *(*[]certmanagerv1.KeyUsage)(unsafe.Pointer(&in.Usages))
	// Requester identity fields pass through verbatim; no validation here.
	out.Username = in.Username
	out.UID = in.UID
	out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
	out.Extra = *(*map[string][]string)(unsafe.Pointer(&in.Extra))
	return nil
}
// Convert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec(in *certmanager.CertificateRequestSpec, out *certmanagerv1.CertificateRequestSpec, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateRequestSpec_To_v1_CertificateRequestSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus
// copies a v1 CertificateRequestStatus into the internal version.
//
// Every field is an unsafe.Pointer reinterpretation: Conditions, the issued
// Certificate bytes and the CA bytes share their backing arrays with in, and
// FailureTime shares its pointee. Nothing is allocated or validated. The casts
// assume the v1 and internal CertificateRequestCondition types are
// layout-identical; regenerate after touching either.
func autoConvert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus(in *certmanagerv1.CertificateRequestStatus, out *certmanager.CertificateRequestStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanager.CertificateRequestCondition)(unsafe.Pointer(&in.Conditions))
	// PEM bytes are aliased, not copied.
	out.Certificate = *(*[]byte)(unsafe.Pointer(&in.Certificate))
	out.CA = *(*[]byte)(unsafe.Pointer(&in.CA))
	out.FailureTime = (*metav1.Time)(unsafe.Pointer(in.FailureTime))
	return nil
}
// Convert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus(in *certmanagerv1.CertificateRequestStatus, out *certmanager.CertificateRequestStatus, s conversion.Scope) error {
	if err := autoConvert_v1_CertificateRequestStatus_To_certmanager_CertificateRequestStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus
// copies an internal CertificateRequestStatus into v1. All four fields are
// unsafe.Pointer reinterpretations, so out aliases in's Conditions,
// Certificate and CA slices and its FailureTime pointee; no allocation takes
// place. Relies on layout-identical condition types on both sides.
func autoConvert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus(in *certmanager.CertificateRequestStatus, out *certmanagerv1.CertificateRequestStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanagerv1.CertificateRequestCondition)(unsafe.Pointer(&in.Conditions))
	// Issued certificate and CA bytes are shared with in.
	out.Certificate = *(*[]byte)(unsafe.Pointer(&in.Certificate))
	out.CA = *(*[]byte)(unsafe.Pointer(&in.CA))
	out.FailureTime = (*metav1.Time)(unsafe.Pointer(in.FailureTime))
	return nil
}
// Convert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus(in *certmanager.CertificateRequestStatus, out *certmanagerv1.CertificateRequestStatus, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateRequestStatus_To_v1_CertificateRequestStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate
// copies a v1 CertificateSecretTemplate into the internal version. Both maps
// are reinterpreted through unsafe.Pointer, so out.Annotations and out.Labels
// are the very same map objects as in's — a later write through out is
// visible through in. Nothing is validated here.
func autoConvert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate(in *certmanagerv1.CertificateSecretTemplate, out *certmanager.CertificateSecretTemplate, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate(in *certmanagerv1.CertificateSecretTemplate, out *certmanager.CertificateSecretTemplate, s conversion.Scope) error {
	if err := autoConvert_v1_CertificateSecretTemplate_To_certmanager_CertificateSecretTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate
// copies an internal CertificateSecretTemplate into v1. The two maps are
// aliased via unsafe.Pointer rather than copied; out and in share them.
func autoConvert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate(in *certmanager.CertificateSecretTemplate, out *certmanagerv1.CertificateSecretTemplate, s conversion.Scope) error {
	out.Annotations = *(*map[string]string)(unsafe.Pointer(&in.Annotations))
	out.Labels = *(*map[string]string)(unsafe.Pointer(&in.Labels))
	return nil
}
// Convert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate(in *certmanager.CertificateSecretTemplate, out *certmanagerv1.CertificateSecretTemplate, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateSecretTemplate_To_v1_CertificateSecretTemplate(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateSpec_To_certmanager_CertificateSpec copies a v1
// CertificateSpec into the internal version.
//
// Two fields go through real conversion calls and allocate fresh storage:
// Keystores (a new CertificateKeystores is created when in.Keystores is
// non-nil, nil otherwise) and IssuerRef. Everything else is either a plain
// value copy or an unsafe.Pointer reinterpretation. The reinterpreted fields —
// Subject, Duration, RenewBefore, RenewBeforePercentage, the SAN slices
// (DNSNames, IPAddresses, URIs, OtherNames, EmailAddresses), SecretTemplate,
// Usages, PrivateKey, EncodeUsagesInRequest, RevisionHistoryLimit,
// AdditionalOutputFormats and NameConstraints — are shared between in and out,
// not copied. This is only sound while each v1/internal type pair is
// layout-identical (the generator is expected to emit the cast only then);
// touching any of those structs by hand without regenerating would silently
// corrupt memory here.
//
// No field is validated or defaulted in this function; the security-relevant
// inputs (SAN lists, IsCA, Usages, NameConstraints, PrivateKey parameters)
// pass through exactly as supplied.
func autoConvert_v1_CertificateSpec_To_certmanager_CertificateSpec(in *certmanagerv1.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error {
	out.Subject = (*certmanager.X509Subject)(unsafe.Pointer(in.Subject))
	out.LiteralSubject = in.LiteralSubject
	out.CommonName = in.CommonName
	out.Duration = (*metav1.Duration)(unsafe.Pointer(in.Duration))
	out.RenewBefore = (*metav1.Duration)(unsafe.Pointer(in.RenewBefore))
	out.RenewBeforePercentage = (*int32)(unsafe.Pointer(in.RenewBeforePercentage))
	// SAN slices share their backing arrays with in.
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
	out.URIs = *(*[]string)(unsafe.Pointer(&in.URIs))
	out.OtherNames = *(*[]certmanager.OtherName)(unsafe.Pointer(&in.OtherNames))
	out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
	out.SecretName = in.SecretName
	out.SecretTemplate = (*certmanager.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
	// Keystores is the one nested struct that is converted by call rather
	// than reinterpreted, so it gets its own allocation.
	if in.Keystores != nil {
		in, out := &in.Keystores, &out.Keystores
		*out = new(certmanager.CertificateKeystores)
		if err := Convert_v1_CertificateKeystores_To_certmanager_CertificateKeystores(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Keystores = nil
	}
	if err := internalapismetav1.Convert_v1_IssuerReference_To_meta_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	out.IsCA = in.IsCA
	out.Usages = *(*[]certmanager.KeyUsage)(unsafe.Pointer(&in.Usages))
	out.PrivateKey = (*certmanager.CertificatePrivateKey)(unsafe.Pointer(in.PrivateKey))
	out.SignatureAlgorithm = certmanager.SignatureAlgorithm(in.SignatureAlgorithm)
	out.EncodeUsagesInRequest = (*bool)(unsafe.Pointer(in.EncodeUsagesInRequest))
	out.RevisionHistoryLimit = (*int32)(unsafe.Pointer(in.RevisionHistoryLimit))
	out.AdditionalOutputFormats = *(*[]certmanager.CertificateAdditionalOutputFormat)(unsafe.Pointer(&in.AdditionalOutputFormats))
	out.NameConstraints = (*certmanager.NameConstraints)(unsafe.Pointer(in.NameConstraints))
	return nil
}
// Convert_v1_CertificateSpec_To_certmanager_CertificateSpec is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body and returns
// its error unchanged.
func Convert_v1_CertificateSpec_To_certmanager_CertificateSpec(in *certmanagerv1.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error {
	if err := autoConvert_v1_CertificateSpec_To_certmanager_CertificateSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_CertificateSpec_To_v1_CertificateSpec copies an
// internal CertificateSpec into v1. Mirror of the v1→internal direction:
// Keystores and IssuerRef are converted by call (Keystores gets a fresh
// allocation when non-nil), all other pointer, slice and map fields are
// unsafe.Pointer reinterpretations that make out alias in's storage. Sound
// only while every v1/internal type pair involved is layout-identical;
// regenerate rather than hand-edit. No validation happens here.
func autoConvert_certmanager_CertificateSpec_To_v1_CertificateSpec(in *certmanager.CertificateSpec, out *certmanagerv1.CertificateSpec, s conversion.Scope) error {
	out.Subject = (*certmanagerv1.X509Subject)(unsafe.Pointer(in.Subject))
	out.LiteralSubject = in.LiteralSubject
	out.CommonName = in.CommonName
	out.Duration = (*metav1.Duration)(unsafe.Pointer(in.Duration))
	out.RenewBefore = (*metav1.Duration)(unsafe.Pointer(in.RenewBefore))
	out.RenewBeforePercentage = (*int32)(unsafe.Pointer(in.RenewBeforePercentage))
	// SAN slices are shared with in, not copied.
	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
	out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
	out.URIs = *(*[]string)(unsafe.Pointer(&in.URIs))
	out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
	out.OtherNames = *(*[]certmanagerv1.OtherName)(unsafe.Pointer(&in.OtherNames))
	out.SecretName = in.SecretName
	out.SecretTemplate = (*certmanagerv1.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
	// Keystores is converted by call and therefore freshly allocated.
	if in.Keystores != nil {
		in, out := &in.Keystores, &out.Keystores
		*out = new(certmanagerv1.CertificateKeystores)
		if err := Convert_certmanager_CertificateKeystores_To_v1_CertificateKeystores(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Keystores = nil
	}
	if err := internalapismetav1.Convert_meta_IssuerReference_To_v1_IssuerReference(&in.IssuerRef, &out.IssuerRef, s); err != nil {
		return err
	}
	out.IsCA = in.IsCA
	out.Usages = *(*[]certmanagerv1.KeyUsage)(unsafe.Pointer(&in.Usages))
	out.PrivateKey = (*certmanagerv1.CertificatePrivateKey)(unsafe.Pointer(in.PrivateKey))
	out.SignatureAlgorithm = certmanagerv1.SignatureAlgorithm(in.SignatureAlgorithm)
	out.EncodeUsagesInRequest = (*bool)(unsafe.Pointer(in.EncodeUsagesInRequest))
	out.RevisionHistoryLimit = (*int32)(unsafe.Pointer(in.RevisionHistoryLimit))
	out.AdditionalOutputFormats = *(*[]certmanagerv1.CertificateAdditionalOutputFormat)(unsafe.Pointer(&in.AdditionalOutputFormats))
	out.NameConstraints = (*certmanagerv1.NameConstraints)(unsafe.Pointer(in.NameConstraints))
	return nil
}
// Convert_certmanager_CertificateSpec_To_v1_CertificateSpec is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateSpec_To_v1_CertificateSpec(in *certmanager.CertificateSpec, out *certmanagerv1.CertificateSpec, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateSpec_To_v1_CertificateSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_CertificateStatus_To_certmanager_CertificateStatus copies a
// v1 CertificateStatus into the internal version. Every field is an
// unsafe.Pointer reinterpretation: Conditions shares its backing array with
// in, and each pointer field (timestamps, Revision, NextPrivateKeySecretName,
// FailedIssuanceAttempts) shares its pointee. Nothing is allocated, copied or
// validated. Relies on the two CertificateCondition types being
// layout-identical.
func autoConvert_v1_CertificateStatus_To_certmanager_CertificateStatus(in *certmanagerv1.CertificateStatus, out *certmanager.CertificateStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanager.CertificateCondition)(unsafe.Pointer(&in.Conditions))
	out.LastFailureTime = (*metav1.Time)(unsafe.Pointer(in.LastFailureTime))
	out.NotBefore = (*metav1.Time)(unsafe.Pointer(in.NotBefore))
	out.NotAfter = (*metav1.Time)(unsafe.Pointer(in.NotAfter))
	out.RenewalTime = (*metav1.Time)(unsafe.Pointer(in.RenewalTime))
	out.Revision = (*int)(unsafe.Pointer(in.Revision))
	// Pointer to the Secret name string is shared, not the string copied.
	out.NextPrivateKeySecretName = (*string)(unsafe.Pointer(in.NextPrivateKeySecretName))
	out.FailedIssuanceAttempts = (*int)(unsafe.Pointer(in.FailedIssuanceAttempts))
	return nil
}
// Convert_v1_CertificateStatus_To_certmanager_CertificateStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_CertificateStatus_To_certmanager_CertificateStatus(in *certmanagerv1.CertificateStatus, out *certmanager.CertificateStatus, s conversion.Scope) error {
	if err := autoConvert_v1_CertificateStatus_To_certmanager_CertificateStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_CertificateStatus_To_v1_CertificateStatus copies an
// internal CertificateStatus into v1. All fields are unsafe.Pointer
// reinterpretations; out aliases in's Conditions slice and every pointer
// field's pointee. No allocation, no validation. Relies on layout-identical
// condition types on both sides.
func autoConvert_certmanager_CertificateStatus_To_v1_CertificateStatus(in *certmanager.CertificateStatus, out *certmanagerv1.CertificateStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanagerv1.CertificateCondition)(unsafe.Pointer(&in.Conditions))
	out.LastFailureTime = (*metav1.Time)(unsafe.Pointer(in.LastFailureTime))
	out.NotBefore = (*metav1.Time)(unsafe.Pointer(in.NotBefore))
	out.NotAfter = (*metav1.Time)(unsafe.Pointer(in.NotAfter))
	out.RenewalTime = (*metav1.Time)(unsafe.Pointer(in.RenewalTime))
	out.Revision = (*int)(unsafe.Pointer(in.Revision))
	out.NextPrivateKeySecretName = (*string)(unsafe.Pointer(in.NextPrivateKeySecretName))
	out.FailedIssuanceAttempts = (*int)(unsafe.Pointer(in.FailedIssuanceAttempts))
	return nil
}
// Convert_certmanager_CertificateStatus_To_v1_CertificateStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_CertificateStatus_To_v1_CertificateStatus(in *certmanager.CertificateStatus, out *certmanagerv1.CertificateStatus, s conversion.Scope) error {
	if err := autoConvert_certmanager_CertificateStatus_To_v1_CertificateStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ClusterIssuer_To_certmanager_ClusterIssuer converts a v1
// ClusterIssuer into the internal version. ObjectMeta is a value copy of the
// shared metav1 type; Spec and Status are converted by call, and the first
// failing call's error is returned (out is then partially filled).
func autoConvert_v1_ClusterIssuer_To_certmanager_ClusterIssuer(in *certmanagerv1.ClusterIssuer, out *certmanager.ClusterIssuer, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_v1_IssuerSpec_To_certmanager_IssuerSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	// The status conversion's result is this function's result.
	return Convert_v1_IssuerStatus_To_certmanager_IssuerStatus(&in.Status, &out.Status, s)
}
// Convert_v1_ClusterIssuer_To_certmanager_ClusterIssuer is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_ClusterIssuer_To_certmanager_ClusterIssuer(in *certmanagerv1.ClusterIssuer, out *certmanager.ClusterIssuer, s conversion.Scope) error {
	if err := autoConvert_v1_ClusterIssuer_To_certmanager_ClusterIssuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_ClusterIssuer_To_v1_ClusterIssuer converts an
// internal ClusterIssuer into v1: ObjectMeta is copied by value, Spec and
// Status are converted by call, first error wins.
func autoConvert_certmanager_ClusterIssuer_To_v1_ClusterIssuer(in *certmanager.ClusterIssuer, out *certmanagerv1.ClusterIssuer, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_certmanager_IssuerSpec_To_v1_IssuerSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	return Convert_certmanager_IssuerStatus_To_v1_IssuerStatus(&in.Status, &out.Status, s)
}
// Convert_certmanager_ClusterIssuer_To_v1_ClusterIssuer is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_ClusterIssuer_To_v1_ClusterIssuer(in *certmanager.ClusterIssuer, out *certmanagerv1.ClusterIssuer, s conversion.Scope) error {
	if err := autoConvert_certmanager_ClusterIssuer_To_v1_ClusterIssuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList converts
// a v1 ClusterIssuerList into the internal version item by item. Nil Items
// stays nil, empty non-nil stays empty non-nil. The first failing item aborts
// the conversion with out.Items partially filled.
func autoConvert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList(in *certmanagerv1.ClusterIssuerList, out *certmanager.ClusterIssuerList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]certmanager.ClusterIssuer, len(in.Items))
	for idx := range in.Items {
		if err := Convert_v1_ClusterIssuer_To_certmanager_ClusterIssuer(&in.Items[idx], &out.Items[idx], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList(in *certmanagerv1.ClusterIssuerList, out *certmanager.ClusterIssuerList, s conversion.Scope) error {
	if err := autoConvert_v1_ClusterIssuerList_To_certmanager_ClusterIssuerList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList converts
// an internal ClusterIssuerList into v1, one item at a time, preserving the
// nil-vs-empty distinction of Items and stopping at the first item error.
func autoConvert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList(in *certmanager.ClusterIssuerList, out *certmanagerv1.ClusterIssuerList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]certmanagerv1.ClusterIssuer, len(in.Items))
	for idx := range in.Items {
		if err := Convert_certmanager_ClusterIssuer_To_v1_ClusterIssuer(&in.Items[idx], &out.Items[idx], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList(in *certmanager.ClusterIssuerList, out *certmanagerv1.ClusterIssuerList, s conversion.Scope) error {
	if err := autoConvert_certmanager_ClusterIssuerList_To_v1_ClusterIssuerList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_Issuer_To_certmanager_Issuer converts a v1 Issuer into the
// internal version: ObjectMeta by value copy, Spec and Status by call, first
// error returned.
func autoConvert_v1_Issuer_To_certmanager_Issuer(in *certmanagerv1.Issuer, out *certmanager.Issuer, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_v1_IssuerSpec_To_certmanager_IssuerSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	return Convert_v1_IssuerStatus_To_certmanager_IssuerStatus(&in.Status, &out.Status, s)
}
// Convert_v1_Issuer_To_certmanager_Issuer is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_Issuer_To_certmanager_Issuer(in *certmanagerv1.Issuer, out *certmanager.Issuer, s conversion.Scope) error {
	if err := autoConvert_v1_Issuer_To_certmanager_Issuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_Issuer_To_v1_Issuer converts an internal Issuer
// into v1: ObjectMeta by value copy, Spec and Status by call, first error
// returned.
func autoConvert_certmanager_Issuer_To_v1_Issuer(in *certmanager.Issuer, out *certmanagerv1.Issuer, s conversion.Scope) error {
	out.ObjectMeta = in.ObjectMeta
	if err := Convert_certmanager_IssuerSpec_To_v1_IssuerSpec(&in.Spec, &out.Spec, s); err != nil {
		return err
	}
	return Convert_certmanager_IssuerStatus_To_v1_IssuerStatus(&in.Status, &out.Status, s)
}
// Convert_certmanager_Issuer_To_v1_Issuer is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_Issuer_To_v1_Issuer(in *certmanager.Issuer, out *certmanagerv1.Issuer, s conversion.Scope) error {
	if err := autoConvert_certmanager_Issuer_To_v1_Issuer(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerCondition_To_certmanager_IssuerCondition copies a v1
// IssuerCondition into the internal version. Type and Status are named-string
// conversions, Reason/Message/ObservedGeneration are value copies, and
// LastTransitionTime is re-pointed through unsafe.Pointer so both sides share
// the same *metav1.Time. The cast assumes a layout-identical time type on
// both sides.
func autoConvert_v1_IssuerCondition_To_certmanager_IssuerCondition(in *certmanagerv1.IssuerCondition, out *certmanager.IssuerCondition, s conversion.Scope) error {
	out.Type = certmanager.IssuerConditionType(in.Type)
	out.Status = meta.ConditionStatus(in.Status)
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	out.ObservedGeneration = in.ObservedGeneration
	return nil
}
// Convert_v1_IssuerCondition_To_certmanager_IssuerCondition is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_IssuerCondition_To_certmanager_IssuerCondition(in *certmanagerv1.IssuerCondition, out *certmanager.IssuerCondition, s conversion.Scope) error {
	if err := autoConvert_v1_IssuerCondition_To_certmanager_IssuerCondition(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_IssuerCondition_To_v1_IssuerCondition copies an
// internal IssuerCondition into v1. Named-string conversions for Type and
// Status, value copies for the rest, and a shared (not copied)
// LastTransitionTime pointee via unsafe.Pointer.
func autoConvert_certmanager_IssuerCondition_To_v1_IssuerCondition(in *certmanager.IssuerCondition, out *certmanagerv1.IssuerCondition, s conversion.Scope) error {
	out.Type = certmanagerv1.IssuerConditionType(in.Type)
	out.Status = apismetav1.ConditionStatus(in.Status)
	out.LastTransitionTime = (*metav1.Time)(unsafe.Pointer(in.LastTransitionTime))
	out.Reason = in.Reason
	out.Message = in.Message
	out.ObservedGeneration = in.ObservedGeneration
	return nil
}
// Convert_certmanager_IssuerCondition_To_v1_IssuerCondition is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_IssuerCondition_To_v1_IssuerCondition(in *certmanager.IssuerCondition, out *certmanagerv1.IssuerCondition, s conversion.Scope) error {
	if err := autoConvert_certmanager_IssuerCondition_To_v1_IssuerCondition(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerConfig_To_certmanager_IssuerConfig copies a v1
// IssuerConfig (the union of issuer back-end configs) into the internal
// version.
//
// ACME, Vault and Venafi are converted by call into freshly allocated
// structs (nil stays nil); CA and SelfSigned are unsafe.Pointer
// reinterpretations, so out.CA / out.SelfSigned point at the same memory as
// in.CA / in.SelfSigned. The function does not enforce that only one
// back-end is set — every non-nil member is converted — so any
// "exactly one issuer type" rule must be checked elsewhere. The first
// failing nested conversion returns immediately with out partially filled.
func autoConvert_v1_IssuerConfig_To_certmanager_IssuerConfig(in *certmanagerv1.IssuerConfig, out *certmanager.IssuerConfig, s conversion.Scope) error {
	if in.ACME != nil {
		in, out := &in.ACME, &out.ACME
		*out = new(acme.ACMEIssuer)
		if err := acmev1.Convert_v1_ACMEIssuer_To_acme_ACMEIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.ACME = nil
	}
	// CA issuer config is aliased, not copied; assumes layout-identical types.
	out.CA = (*certmanager.CAIssuer)(unsafe.Pointer(in.CA))
	if in.Vault != nil {
		in, out := &in.Vault, &out.Vault
		*out = new(certmanager.VaultIssuer)
		if err := Convert_v1_VaultIssuer_To_certmanager_VaultIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Vault = nil
	}
	out.SelfSigned = (*certmanager.SelfSignedIssuer)(unsafe.Pointer(in.SelfSigned))
	if in.Venafi != nil {
		in, out := &in.Venafi, &out.Venafi
		*out = new(certmanager.VenafiIssuer)
		if err := Convert_v1_VenafiIssuer_To_certmanager_VenafiIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Venafi = nil
	}
	return nil
}
// Convert_v1_IssuerConfig_To_certmanager_IssuerConfig is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_IssuerConfig_To_certmanager_IssuerConfig(in *certmanagerv1.IssuerConfig, out *certmanager.IssuerConfig, s conversion.Scope) error {
	if err := autoConvert_v1_IssuerConfig_To_certmanager_IssuerConfig(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_IssuerConfig_To_v1_IssuerConfig copies an internal
// IssuerConfig into v1. Mirror of the v1→internal direction: ACME, Vault and
// Venafi are converted by call into new allocations (nil stays nil), CA and
// SelfSigned are aliased via unsafe.Pointer. All non-nil members are
// converted; mutual exclusivity of back-ends is not checked here. First
// nested error aborts the conversion.
func autoConvert_certmanager_IssuerConfig_To_v1_IssuerConfig(in *certmanager.IssuerConfig, out *certmanagerv1.IssuerConfig, s conversion.Scope) error {
	if in.ACME != nil {
		in, out := &in.ACME, &out.ACME
		*out = new(apisacmev1.ACMEIssuer)
		if err := acmev1.Convert_acme_ACMEIssuer_To_v1_ACMEIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.ACME = nil
	}
	// Aliased, not copied.
	out.CA = (*certmanagerv1.CAIssuer)(unsafe.Pointer(in.CA))
	if in.Vault != nil {
		in, out := &in.Vault, &out.Vault
		*out = new(certmanagerv1.VaultIssuer)
		if err := Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Vault = nil
	}
	out.SelfSigned = (*certmanagerv1.SelfSignedIssuer)(unsafe.Pointer(in.SelfSigned))
	if in.Venafi != nil {
		in, out := &in.Venafi, &out.Venafi
		*out = new(certmanagerv1.VenafiIssuer)
		if err := Convert_certmanager_VenafiIssuer_To_v1_VenafiIssuer(*in, *out, s); err != nil {
			return err
		}
	} else {
		out.Venafi = nil
	}
	return nil
}
// Convert_certmanager_IssuerConfig_To_v1_IssuerConfig is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_IssuerConfig_To_v1_IssuerConfig(in *certmanager.IssuerConfig, out *certmanagerv1.IssuerConfig, s conversion.Scope) error {
	if err := autoConvert_certmanager_IssuerConfig_To_v1_IssuerConfig(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerList_To_certmanager_IssuerList converts a v1
// IssuerList into the internal version item by item, keeping nil Items nil
// and an empty non-nil slice empty non-nil. Stops at the first item error.
func autoConvert_v1_IssuerList_To_certmanager_IssuerList(in *certmanagerv1.IssuerList, out *certmanager.IssuerList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]certmanager.Issuer, len(in.Items))
	for idx := range in.Items {
		if err := Convert_v1_Issuer_To_certmanager_Issuer(&in.Items[idx], &out.Items[idx], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_IssuerList_To_certmanager_IssuerList is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_IssuerList_To_certmanager_IssuerList(in *certmanagerv1.IssuerList, out *certmanager.IssuerList, s conversion.Scope) error {
	if err := autoConvert_v1_IssuerList_To_certmanager_IssuerList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_IssuerList_To_v1_IssuerList converts an internal
// IssuerList into v1 item by item, preserving nil-vs-empty on Items and
// returning the first item error.
func autoConvert_certmanager_IssuerList_To_v1_IssuerList(in *certmanager.IssuerList, out *certmanagerv1.IssuerList, s conversion.Scope) error {
	out.ListMeta = in.ListMeta
	if in.Items == nil {
		out.Items = nil
		return nil
	}
	out.Items = make([]certmanagerv1.Issuer, len(in.Items))
	for idx := range in.Items {
		if err := Convert_certmanager_Issuer_To_v1_Issuer(&in.Items[idx], &out.Items[idx], s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_IssuerList_To_v1_IssuerList is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_IssuerList_To_v1_IssuerList(in *certmanager.IssuerList, out *certmanagerv1.IssuerList, s conversion.Scope) error {
	if err := autoConvert_certmanager_IssuerList_To_v1_IssuerList(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerSpec_To_certmanager_IssuerSpec converts a v1
// IssuerSpec into the internal version. IssuerSpec consists only of the
// embedded IssuerConfig, so the nested conversion's result is the result.
func autoConvert_v1_IssuerSpec_To_certmanager_IssuerSpec(in *certmanagerv1.IssuerSpec, out *certmanager.IssuerSpec, s conversion.Scope) error {
	return Convert_v1_IssuerConfig_To_certmanager_IssuerConfig(&in.IssuerConfig, &out.IssuerConfig, s)
}
// Convert_v1_IssuerSpec_To_certmanager_IssuerSpec is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_IssuerSpec_To_certmanager_IssuerSpec(in *certmanagerv1.IssuerSpec, out *certmanager.IssuerSpec, s conversion.Scope) error {
	if err := autoConvert_v1_IssuerSpec_To_certmanager_IssuerSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_IssuerSpec_To_v1_IssuerSpec converts an internal
// IssuerSpec into v1 by converting its single embedded IssuerConfig.
func autoConvert_certmanager_IssuerSpec_To_v1_IssuerSpec(in *certmanager.IssuerSpec, out *certmanagerv1.IssuerSpec, s conversion.Scope) error {
	return Convert_certmanager_IssuerConfig_To_v1_IssuerConfig(&in.IssuerConfig, &out.IssuerConfig, s)
}
// Convert_certmanager_IssuerSpec_To_v1_IssuerSpec is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_IssuerSpec_To_v1_IssuerSpec(in *certmanager.IssuerSpec, out *certmanagerv1.IssuerSpec, s conversion.Scope) error {
	if err := autoConvert_certmanager_IssuerSpec_To_v1_IssuerSpec(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerStatus_To_certmanager_IssuerStatus copies a v1
// IssuerStatus into the internal version. Both fields are unsafe.Pointer
// reinterpretations: out.Conditions shares its backing array with in, and
// out.ACME points at the same ACMEIssuerStatus as in.ACME. Nothing is
// allocated. Assumes the v1 and internal IssuerCondition / ACMEIssuerStatus
// types are layout-identical.
func autoConvert_v1_IssuerStatus_To_certmanager_IssuerStatus(in *certmanagerv1.IssuerStatus, out *certmanager.IssuerStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanager.IssuerCondition)(unsafe.Pointer(&in.Conditions))
	out.ACME = (*acme.ACMEIssuerStatus)(unsafe.Pointer(in.ACME))
	return nil
}
// Convert_v1_IssuerStatus_To_certmanager_IssuerStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_IssuerStatus_To_certmanager_IssuerStatus(in *certmanagerv1.IssuerStatus, out *certmanager.IssuerStatus, s conversion.Scope) error {
	if err := autoConvert_v1_IssuerStatus_To_certmanager_IssuerStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_IssuerStatus_To_v1_IssuerStatus copies an internal
// IssuerStatus into v1. Conditions and ACME are aliased via unsafe.Pointer
// rather than copied; no allocation, no validation.
func autoConvert_certmanager_IssuerStatus_To_v1_IssuerStatus(in *certmanager.IssuerStatus, out *certmanagerv1.IssuerStatus, s conversion.Scope) error {
	out.Conditions = *(*[]certmanagerv1.IssuerCondition)(unsafe.Pointer(&in.Conditions))
	out.ACME = (*apisacmev1.ACMEIssuerStatus)(unsafe.Pointer(in.ACME))
	return nil
}
// Convert_certmanager_IssuerStatus_To_v1_IssuerStatus is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_IssuerStatus_To_v1_IssuerStatus(in *certmanager.IssuerStatus, out *certmanagerv1.IssuerStatus, s conversion.Scope) error {
	if err := autoConvert_certmanager_IssuerStatus_To_v1_IssuerStatus(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_JKSKeystore_To_certmanager_JKSKeystore copies a v1
// JKSKeystore into the internal version.
//
// PasswordSecretRef (the Secret-backed password reference) is converted by
// call; Create is a value copy; Alias and Password are pointer
// reinterpretations, so out.Password points at the same string as
// in.Password. Password is a plaintext keystore password carried in the
// resource itself — this function neither copies nor validates it, it just
// passes the pointer through. Callers that need isolation between in and out
// must not rely on this conversion to provide it.
func autoConvert_v1_JKSKeystore_To_certmanager_JKSKeystore(in *certmanagerv1.JKSKeystore, out *certmanager.JKSKeystore, s conversion.Scope) error {
	out.Create = in.Create
	out.Alias = (*string)(unsafe.Pointer(in.Alias))
	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
		return err
	}
	// Inline plaintext password: pointer shared, not duplicated.
	out.Password = (*string)(unsafe.Pointer(in.Password))
	return nil
}
// Convert_v1_JKSKeystore_To_certmanager_JKSKeystore is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_JKSKeystore_To_certmanager_JKSKeystore(in *certmanagerv1.JKSKeystore, out *certmanager.JKSKeystore, s conversion.Scope) error {
	if err := autoConvert_v1_JKSKeystore_To_certmanager_JKSKeystore(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_JKSKeystore_To_v1_JKSKeystore copies an internal
// JKSKeystore into v1. PasswordSecretRef is converted by call; Create is a
// value copy; Alias and the inline plaintext Password are pointer
// reinterpretations shared with in.
func autoConvert_certmanager_JKSKeystore_To_v1_JKSKeystore(in *certmanager.JKSKeystore, out *certmanagerv1.JKSKeystore, s conversion.Scope) error {
	out.Create = in.Create
	out.Alias = (*string)(unsafe.Pointer(in.Alias))
	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
		return err
	}
	out.Password = (*string)(unsafe.Pointer(in.Password))
	return nil
}
// Convert_certmanager_JKSKeystore_To_v1_JKSKeystore is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_JKSKeystore_To_v1_JKSKeystore(in *certmanager.JKSKeystore, out *certmanagerv1.JKSKeystore, s conversion.Scope) error {
	if err := autoConvert_certmanager_JKSKeystore_To_v1_JKSKeystore(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_NameConstraintItem_To_certmanager_NameConstraintItem copies
// a v1 NameConstraintItem into the internal version. All four string slices
// are reinterpreted via unsafe.Pointer and therefore share their backing
// arrays with in. The constraint values (domains, IP ranges, e-mail
// addresses, URI domains) are not parsed or validated here — they go into
// the internal type exactly as supplied.
func autoConvert_v1_NameConstraintItem_To_certmanager_NameConstraintItem(in *certmanagerv1.NameConstraintItem, out *certmanager.NameConstraintItem, s conversion.Scope) error {
	out.DNSDomains = *(*[]string)(unsafe.Pointer(&in.DNSDomains))
	out.IPRanges = *(*[]string)(unsafe.Pointer(&in.IPRanges))
	out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
	out.URIDomains = *(*[]string)(unsafe.Pointer(&in.URIDomains))
	return nil
}
// Convert_v1_NameConstraintItem_To_certmanager_NameConstraintItem is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_NameConstraintItem_To_certmanager_NameConstraintItem(in *certmanagerv1.NameConstraintItem, out *certmanager.NameConstraintItem, s conversion.Scope) error {
	if err := autoConvert_v1_NameConstraintItem_To_certmanager_NameConstraintItem(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_NameConstraintItem_To_v1_NameConstraintItem copies
// an internal NameConstraintItem into v1. The four slices are aliased via
// unsafe.Pointer, not copied, and not validated.
func autoConvert_certmanager_NameConstraintItem_To_v1_NameConstraintItem(in *certmanager.NameConstraintItem, out *certmanagerv1.NameConstraintItem, s conversion.Scope) error {
	out.DNSDomains = *(*[]string)(unsafe.Pointer(&in.DNSDomains))
	out.IPRanges = *(*[]string)(unsafe.Pointer(&in.IPRanges))
	out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
	out.URIDomains = *(*[]string)(unsafe.Pointer(&in.URIDomains))
	return nil
}
// Convert_certmanager_NameConstraintItem_To_v1_NameConstraintItem is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_NameConstraintItem_To_v1_NameConstraintItem(in *certmanager.NameConstraintItem, out *certmanagerv1.NameConstraintItem, s conversion.Scope) error {
	if err := autoConvert_certmanager_NameConstraintItem_To_v1_NameConstraintItem(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_NameConstraints_To_certmanager_NameConstraints copies a v1
// NameConstraints into the internal version. Critical is a value copy;
// Permitted and Excluded are pointer reinterpretations, so out shares the
// same NameConstraintItem objects as in (nil stays nil). Sound only while the
// v1 and internal NameConstraintItem types are layout-identical.
func autoConvert_v1_NameConstraints_To_certmanager_NameConstraints(in *certmanagerv1.NameConstraints, out *certmanager.NameConstraints, s conversion.Scope) error {
	out.Critical = in.Critical
	out.Permitted = (*certmanager.NameConstraintItem)(unsafe.Pointer(in.Permitted))
	out.Excluded = (*certmanager.NameConstraintItem)(unsafe.Pointer(in.Excluded))
	return nil
}
// Convert_v1_NameConstraints_To_certmanager_NameConstraints is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_NameConstraints_To_certmanager_NameConstraints(in *certmanagerv1.NameConstraints, out *certmanager.NameConstraints, s conversion.Scope) error {
	if err := autoConvert_v1_NameConstraints_To_certmanager_NameConstraints(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_NameConstraints_To_v1_NameConstraints copies an
// internal NameConstraints into v1: Critical by value, Permitted and Excluded
// as shared pointers via unsafe.Pointer.
func autoConvert_certmanager_NameConstraints_To_v1_NameConstraints(in *certmanager.NameConstraints, out *certmanagerv1.NameConstraints, s conversion.Scope) error {
	out.Critical = in.Critical
	out.Permitted = (*certmanagerv1.NameConstraintItem)(unsafe.Pointer(in.Permitted))
	out.Excluded = (*certmanagerv1.NameConstraintItem)(unsafe.Pointer(in.Excluded))
	return nil
}
// Convert_certmanager_NameConstraints_To_v1_NameConstraints is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_NameConstraints_To_v1_NameConstraints(in *certmanager.NameConstraints, out *certmanagerv1.NameConstraints, s conversion.Scope) error {
	if err := autoConvert_certmanager_NameConstraints_To_v1_NameConstraints(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_OtherName_To_certmanager_OtherName copies a v1 OtherName
// SAN entry into the internal version. Both fields are plain strings copied
// by value; the OID is not parsed and the value is not validated here.
func autoConvert_v1_OtherName_To_certmanager_OtherName(in *certmanagerv1.OtherName, out *certmanager.OtherName, s conversion.Scope) error {
	out.UTF8Value = in.UTF8Value
	out.OID = in.OID
	return nil
}
// Convert_v1_OtherName_To_certmanager_OtherName is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_v1_OtherName_To_certmanager_OtherName(in *certmanagerv1.OtherName, out *certmanager.OtherName, s conversion.Scope) error {
	if err := autoConvert_v1_OtherName_To_certmanager_OtherName(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_certmanager_OtherName_To_v1_OtherName copies an internal
// OtherName SAN entry into v1; two string value copies, no validation.
func autoConvert_certmanager_OtherName_To_v1_OtherName(in *certmanager.OtherName, out *certmanagerv1.OtherName, s conversion.Scope) error {
	out.UTF8Value = in.UTF8Value
	out.OID = in.OID
	return nil
}
// Convert_certmanager_OtherName_To_v1_OtherName is an autogenerated conversion function.
// Scheme-registered wrapper; delegates to the autoConvert body.
func Convert_certmanager_OtherName_To_v1_OtherName(in *certmanager.OtherName, out *certmanagerv1.OtherName, s conversion.Scope) error {
	if err := autoConvert_certmanager_OtherName_To_v1_OtherName(in, out, s); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore copies a v1
// PKCS12Keystore into the internal version.
//
// Create is a value copy, Profile a named-string conversion, and
// PasswordSecretRef is converted by call. Password — an inline plaintext
// keystore password — is a pointer reinterpretation, so out.Password points
// at the same string as in.Password; it is neither copied nor validated
// here. Which PKCS#12 profile (and thus which encryption) is used is decided
// by the consumer of Profile, not by this function.
func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *certmanagerv1.PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error {
	out.Create = in.Create
	out.Profile = certmanager.PKCS12Profile(in.Profile)
	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
		return err
	}
	// Inline plaintext password: pointer shared, not duplicated.
	out.Password = (*string)(unsafe.Pointer(in.Password))
	return nil
}
// Convert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore;
// generated code, regenerate instead of editing by hand.
func Convert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *certmanagerv1.PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error {
	return autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in, out, s)
}
// autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore converts the
// internal PKCS12Keystore into the external v1 type. PasswordSecretRef goes
// through the meta converter; Password is shared by pointer (unsafe cast).
func autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager.PKCS12Keystore, out *certmanagerv1.PKCS12Keystore, s conversion.Scope) error {
	out.Profile = certmanagerv1.PKCS12Profile(in.Profile)
	out.Create = in.Create
	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
		return err
	}
	// Aliases the caller's *string; relies on identical layout on both sides.
	out.Password = (*string)(unsafe.Pointer(in.Password))
	return nil
}
// Convert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager.PKCS12Keystore, out *certmanagerv1.PKCS12Keystore, s conversion.Scope) error {
	return autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in, out, s)
}
// autoConvert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer converts
// the external SelfSignedIssuer to the internal type. The slice header is
// reinterpreted through unsafe, so out shares in's backing array.
func autoConvert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer(in *certmanagerv1.SelfSignedIssuer, out *certmanager.SelfSignedIssuer, s conversion.Scope) error {
	crls := (*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
	out.CRLDistributionPoints = *crls
	return nil
}
// Convert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer(in *certmanagerv1.SelfSignedIssuer, out *certmanager.SelfSignedIssuer, s conversion.Scope) error {
	return autoConvert_v1_SelfSignedIssuer_To_certmanager_SelfSignedIssuer(in, out, s)
}
// autoConvert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer converts
// the internal SelfSignedIssuer to the external v1 type. The slice header is
// reinterpreted through unsafe, so out shares in's backing array.
func autoConvert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager.SelfSignedIssuer, out *certmanagerv1.SelfSignedIssuer, s conversion.Scope) error {
	crls := (*[]string)(unsafe.Pointer(&in.CRLDistributionPoints))
	out.CRLDistributionPoints = *crls
	return nil
}
// Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in *certmanager.SelfSignedIssuer, out *certmanagerv1.SelfSignedIssuer, s conversion.Scope) error {
	return autoConvert_certmanager_SelfSignedIssuer_To_v1_SelfSignedIssuer(in, out, s)
}
// autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef converts
// the external ServiceAccountRef to the internal type. TokenAudiences is
// aliased (slice header reinterpreted via unsafe), not deep-copied.
func autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *certmanagerv1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
	audiences := (*[]string)(unsafe.Pointer(&in.TokenAudiences))
	out.TokenAudiences = *audiences
	out.Name = in.Name
	return nil
}
// Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef;
// generated code, regenerate instead of editing by hand.
func Convert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in *certmanagerv1.ServiceAccountRef, out *certmanager.ServiceAccountRef, s conversion.Scope) error {
	return autoConvert_v1_ServiceAccountRef_To_certmanager_ServiceAccountRef(in, out, s)
}
// autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef converts
// the internal ServiceAccountRef to the external v1 type. TokenAudiences is
// aliased (slice header reinterpreted via unsafe), not deep-copied.
func autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *certmanagerv1.ServiceAccountRef, s conversion.Scope) error {
	audiences := (*[]string)(unsafe.Pointer(&in.TokenAudiences))
	out.TokenAudiences = *audiences
	out.Name = in.Name
	return nil
}
// Convert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in *certmanager.ServiceAccountRef, out *certmanagerv1.ServiceAccountRef, s conversion.Scope) error {
	return autoConvert_certmanager_ServiceAccountRef_To_v1_ServiceAccountRef(in, out, s)
}
// autoConvert_v1_VaultAppRole_To_certmanager_VaultAppRole converts the
// external VaultAppRole to the internal type. The only fallible step is the
// SecretRef conversion, whose error is returned unchanged.
func autoConvert_v1_VaultAppRole_To_certmanager_VaultAppRole(in *certmanagerv1.VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
	out.RoleId = in.RoleId
	out.Path = in.Path
	return internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s)
}
// Convert_v1_VaultAppRole_To_certmanager_VaultAppRole is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VaultAppRole_To_certmanager_VaultAppRole;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VaultAppRole_To_certmanager_VaultAppRole(in *certmanagerv1.VaultAppRole, out *certmanager.VaultAppRole, s conversion.Scope) error {
	return autoConvert_v1_VaultAppRole_To_certmanager_VaultAppRole(in, out, s)
}
// autoConvert_certmanager_VaultAppRole_To_v1_VaultAppRole converts the
// internal VaultAppRole to the external v1 type. The only fallible step is
// the SecretRef conversion, whose error is returned unchanged.
func autoConvert_certmanager_VaultAppRole_To_v1_VaultAppRole(in *certmanager.VaultAppRole, out *certmanagerv1.VaultAppRole, s conversion.Scope) error {
	out.RoleId = in.RoleId
	out.Path = in.Path
	return internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s)
}
// Convert_certmanager_VaultAppRole_To_v1_VaultAppRole is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VaultAppRole_To_v1_VaultAppRole;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VaultAppRole_To_v1_VaultAppRole(in *certmanager.VaultAppRole, out *certmanagerv1.VaultAppRole, s conversion.Scope) error {
	return autoConvert_certmanager_VaultAppRole_To_v1_VaultAppRole(in, out, s)
}
// autoConvert_v1_VaultAuth_To_certmanager_VaultAuth converts the external
// VaultAuth to the internal type. Each optional auth method is allocated and
// converted only when present in the input; ClientCertificate is shared by
// pointer through an unsafe cast (both types must keep an identical layout).
// On a nested conversion error the partially converted field is left in out.
func autoConvert_v1_VaultAuth_To_certmanager_VaultAuth(in *certmanagerv1.VaultAuth, out *certmanager.VaultAuth, s conversion.Scope) error {
	out.TokenSecretRef = nil
	if in.TokenSecretRef != nil {
		out.TokenSecretRef = new(meta.SecretKeySelector)
		if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.TokenSecretRef, out.TokenSecretRef, s); err != nil {
			return err
		}
	}
	out.AppRole = nil
	if in.AppRole != nil {
		out.AppRole = new(certmanager.VaultAppRole)
		if err := Convert_v1_VaultAppRole_To_certmanager_VaultAppRole(in.AppRole, out.AppRole, s); err != nil {
			return err
		}
	}
	out.ClientCertificate = (*certmanager.VaultClientCertificateAuth)(unsafe.Pointer(in.ClientCertificate))
	out.Kubernetes = nil
	if in.Kubernetes != nil {
		out.Kubernetes = new(certmanager.VaultKubernetesAuth)
		if err := Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in.Kubernetes, out.Kubernetes, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_VaultAuth_To_certmanager_VaultAuth is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VaultAuth_To_certmanager_VaultAuth;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VaultAuth_To_certmanager_VaultAuth(in *certmanagerv1.VaultAuth, out *certmanager.VaultAuth, s conversion.Scope) error {
	return autoConvert_v1_VaultAuth_To_certmanager_VaultAuth(in, out, s)
}
// autoConvert_certmanager_VaultAuth_To_v1_VaultAuth converts the internal
// VaultAuth to the external v1 type. Each optional auth method is allocated
// and converted only when present; ClientCertificate is shared by pointer
// through an unsafe cast (both types must keep an identical layout). On a
// nested conversion error the partially converted field is left in out.
func autoConvert_certmanager_VaultAuth_To_v1_VaultAuth(in *certmanager.VaultAuth, out *certmanagerv1.VaultAuth, s conversion.Scope) error {
	out.TokenSecretRef = nil
	if in.TokenSecretRef != nil {
		out.TokenSecretRef = new(apismetav1.SecretKeySelector)
		if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.TokenSecretRef, out.TokenSecretRef, s); err != nil {
			return err
		}
	}
	out.AppRole = nil
	if in.AppRole != nil {
		out.AppRole = new(certmanagerv1.VaultAppRole)
		if err := Convert_certmanager_VaultAppRole_To_v1_VaultAppRole(in.AppRole, out.AppRole, s); err != nil {
			return err
		}
	}
	out.ClientCertificate = (*certmanagerv1.VaultClientCertificateAuth)(unsafe.Pointer(in.ClientCertificate))
	out.Kubernetes = nil
	if in.Kubernetes != nil {
		out.Kubernetes = new(certmanagerv1.VaultKubernetesAuth)
		if err := Convert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in.Kubernetes, out.Kubernetes, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_VaultAuth_To_v1_VaultAuth is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VaultAuth_To_v1_VaultAuth;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VaultAuth_To_v1_VaultAuth(in *certmanager.VaultAuth, out *certmanagerv1.VaultAuth, s conversion.Scope) error {
	return autoConvert_certmanager_VaultAuth_To_v1_VaultAuth(in, out, s)
}
// autoConvert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth
// copies the three identically typed fields of the external type into the
// internal one; it cannot fail.
func autoConvert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth(in *certmanagerv1.VaultClientCertificateAuth, out *certmanager.VaultClientCertificateAuth, s conversion.Scope) error {
	out.Name = in.Name
	out.SecretName = in.SecretName
	out.Path = in.Path
	return nil
}
// Convert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth is an autogenerated conversion function.
// Public wrapper that delegates to the autoConvert_ variant of the same name;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth(in *certmanagerv1.VaultClientCertificateAuth, out *certmanager.VaultClientCertificateAuth, s conversion.Scope) error {
	return autoConvert_v1_VaultClientCertificateAuth_To_certmanager_VaultClientCertificateAuth(in, out, s)
}
// autoConvert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth
// copies the three identically typed fields of the internal type into the
// external one; it cannot fail.
func autoConvert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth(in *certmanager.VaultClientCertificateAuth, out *certmanagerv1.VaultClientCertificateAuth, s conversion.Scope) error {
	out.Name = in.Name
	out.SecretName = in.SecretName
	out.Path = in.Path
	return nil
}
// Convert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth is an autogenerated conversion function.
// Public wrapper that delegates to the autoConvert_ variant of the same name;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth(in *certmanager.VaultClientCertificateAuth, out *certmanagerv1.VaultClientCertificateAuth, s conversion.Scope) error {
	return autoConvert_certmanager_VaultClientCertificateAuth_To_v1_VaultClientCertificateAuth(in, out, s)
}
// autoConvert_v1_VaultIssuer_To_certmanager_VaultIssuer converts the external
// VaultIssuer to the internal type: Auth is converted first, the scalar
// fields are copied, CABundle is aliased via an unsafe slice-header cast, and
// the three optional SecretKeySelector references are allocated and converted
// only when set. On a nested conversion error the partially converted
// destination field is left in out.
func autoConvert_v1_VaultIssuer_To_certmanager_VaultIssuer(in *certmanagerv1.VaultIssuer, out *certmanager.VaultIssuer, s conversion.Scope) error {
	if err := Convert_v1_VaultAuth_To_certmanager_VaultAuth(&in.Auth, &out.Auth, s); err != nil {
		return err
	}
	out.Server = in.Server
	out.ServerName = in.ServerName
	out.Path = in.Path
	out.Namespace = in.Namespace
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))

	// convertRef handles one optional selector: nil stays nil, otherwise a
	// fresh internal selector is allocated into dst and converted in place.
	convertRef := func(src *apismetav1.SecretKeySelector, dst **meta.SecretKeySelector) error {
		if src == nil {
			*dst = nil
			return nil
		}
		*dst = new(meta.SecretKeySelector)
		return internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(src, *dst, s)
	}
	if err := convertRef(in.CABundleSecretRef, &out.CABundleSecretRef); err != nil {
		return err
	}
	if err := convertRef(in.ClientCertSecretRef, &out.ClientCertSecretRef); err != nil {
		return err
	}
	return convertRef(in.ClientKeySecretRef, &out.ClientKeySecretRef)
}
// Convert_v1_VaultIssuer_To_certmanager_VaultIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VaultIssuer_To_certmanager_VaultIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VaultIssuer_To_certmanager_VaultIssuer(in *certmanagerv1.VaultIssuer, out *certmanager.VaultIssuer, s conversion.Scope) error {
	return autoConvert_v1_VaultIssuer_To_certmanager_VaultIssuer(in, out, s)
}
// autoConvert_certmanager_VaultIssuer_To_v1_VaultIssuer converts the internal
// VaultIssuer to the external v1 type: Auth is converted first, the scalar
// fields are copied, CABundle is aliased via an unsafe slice-header cast, and
// the three optional SecretKeySelector references are allocated and converted
// only when set. On a nested conversion error the partially converted
// destination field is left in out.
func autoConvert_certmanager_VaultIssuer_To_v1_VaultIssuer(in *certmanager.VaultIssuer, out *certmanagerv1.VaultIssuer, s conversion.Scope) error {
	if err := Convert_certmanager_VaultAuth_To_v1_VaultAuth(&in.Auth, &out.Auth, s); err != nil {
		return err
	}
	out.Server = in.Server
	out.ServerName = in.ServerName
	out.Path = in.Path
	out.Namespace = in.Namespace
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))

	// convertRef handles one optional selector: nil stays nil, otherwise a
	// fresh v1 selector is allocated into dst and converted in place.
	convertRef := func(src *meta.SecretKeySelector, dst **apismetav1.SecretKeySelector) error {
		if src == nil {
			*dst = nil
			return nil
		}
		*dst = new(apismetav1.SecretKeySelector)
		return internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(src, *dst, s)
	}
	if err := convertRef(in.CABundleSecretRef, &out.CABundleSecretRef); err != nil {
		return err
	}
	if err := convertRef(in.ClientCertSecretRef, &out.ClientCertSecretRef); err != nil {
		return err
	}
	return convertRef(in.ClientKeySecretRef, &out.ClientKeySecretRef)
}
// Convert_certmanager_VaultIssuer_To_v1_VaultIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VaultIssuer_To_v1_VaultIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VaultIssuer_To_v1_VaultIssuer(in *certmanager.VaultIssuer, out *certmanagerv1.VaultIssuer, s conversion.Scope) error {
	return autoConvert_certmanager_VaultIssuer_To_v1_VaultIssuer(in, out, s)
}
// autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth
// converts the external VaultKubernetesAuth to the internal type. SecretRef
// goes through the meta converter; ServiceAccountRef is shared by pointer via
// an unsafe cast that assumes identical layout of both ServiceAccountRef types.
func autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *certmanagerv1.VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
	out.Path = in.Path
	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
		return err
	}
	out.Role = in.Role
	out.ServiceAccountRef = (*certmanager.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
	return nil
}
// Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth is an autogenerated conversion function.
// Public wrapper that delegates to the autoConvert_ variant of the same name;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in *certmanagerv1.VaultKubernetesAuth, out *certmanager.VaultKubernetesAuth, s conversion.Scope) error {
	return autoConvert_v1_VaultKubernetesAuth_To_certmanager_VaultKubernetesAuth(in, out, s)
}
// autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth
// converts the internal VaultKubernetesAuth to the external v1 type. SecretRef
// goes through the meta converter; ServiceAccountRef is shared by pointer via
// an unsafe cast that assumes identical layout of both ServiceAccountRef types.
func autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *certmanagerv1.VaultKubernetesAuth, s conversion.Scope) error {
	out.Path = in.Path
	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.SecretRef, &out.SecretRef, s); err != nil {
		return err
	}
	out.Role = in.Role
	out.ServiceAccountRef = (*certmanagerv1.ServiceAccountRef)(unsafe.Pointer(in.ServiceAccountRef))
	return nil
}
// Convert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth is an autogenerated conversion function.
// Public wrapper that delegates to the autoConvert_ variant of the same name;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in *certmanager.VaultKubernetesAuth, out *certmanagerv1.VaultKubernetesAuth, s conversion.Scope) error {
	return autoConvert_certmanager_VaultKubernetesAuth_To_v1_VaultKubernetesAuth(in, out, s)
}
// autoConvert_v1_VenafiCloud_To_certmanager_VenafiCloud converts the external
// VenafiCloud to the internal type. URL is copied directly; the only fallible
// step is the APITokenSecretRef conversion, whose error is returned unchanged.
func autoConvert_v1_VenafiCloud_To_certmanager_VenafiCloud(in *certmanagerv1.VenafiCloud, out *certmanager.VenafiCloud, s conversion.Scope) error {
	out.URL = in.URL
	return internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.APITokenSecretRef, &out.APITokenSecretRef, s)
}
// Convert_v1_VenafiCloud_To_certmanager_VenafiCloud is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VenafiCloud_To_certmanager_VenafiCloud;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VenafiCloud_To_certmanager_VenafiCloud(in *certmanagerv1.VenafiCloud, out *certmanager.VenafiCloud, s conversion.Scope) error {
	return autoConvert_v1_VenafiCloud_To_certmanager_VenafiCloud(in, out, s)
}
// autoConvert_certmanager_VenafiCloud_To_v1_VenafiCloud converts the internal
// VenafiCloud to the external v1 type. URL is copied directly; the only
// fallible step is the APITokenSecretRef conversion, returned unchanged.
func autoConvert_certmanager_VenafiCloud_To_v1_VenafiCloud(in *certmanager.VenafiCloud, out *certmanagerv1.VenafiCloud, s conversion.Scope) error {
	out.URL = in.URL
	return internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.APITokenSecretRef, &out.APITokenSecretRef, s)
}
// Convert_certmanager_VenafiCloud_To_v1_VenafiCloud is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VenafiCloud_To_v1_VenafiCloud;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VenafiCloud_To_v1_VenafiCloud(in *certmanager.VenafiCloud, out *certmanagerv1.VenafiCloud, s conversion.Scope) error {
	return autoConvert_certmanager_VenafiCloud_To_v1_VenafiCloud(in, out, s)
}
// autoConvert_v1_VenafiIssuer_To_certmanager_VenafiIssuer converts the
// external VenafiIssuer to the internal type. Zone is copied; the optional
// TPP and Cloud blocks are allocated and converted only when set. On a nested
// conversion error the partially converted field is left in out.
func autoConvert_v1_VenafiIssuer_To_certmanager_VenafiIssuer(in *certmanagerv1.VenafiIssuer, out *certmanager.VenafiIssuer, s conversion.Scope) error {
	out.Zone = in.Zone
	out.TPP = nil
	if in.TPP != nil {
		out.TPP = new(certmanager.VenafiTPP)
		if err := Convert_v1_VenafiTPP_To_certmanager_VenafiTPP(in.TPP, out.TPP, s); err != nil {
			return err
		}
	}
	out.Cloud = nil
	if in.Cloud != nil {
		out.Cloud = new(certmanager.VenafiCloud)
		if err := Convert_v1_VenafiCloud_To_certmanager_VenafiCloud(in.Cloud, out.Cloud, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_v1_VenafiIssuer_To_certmanager_VenafiIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VenafiIssuer_To_certmanager_VenafiIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VenafiIssuer_To_certmanager_VenafiIssuer(in *certmanagerv1.VenafiIssuer, out *certmanager.VenafiIssuer, s conversion.Scope) error {
	return autoConvert_v1_VenafiIssuer_To_certmanager_VenafiIssuer(in, out, s)
}
// autoConvert_certmanager_VenafiIssuer_To_v1_VenafiIssuer converts the
// internal VenafiIssuer to the external v1 type. Zone is copied; the optional
// TPP and Cloud blocks are allocated and converted only when set. On a nested
// conversion error the partially converted field is left in out.
func autoConvert_certmanager_VenafiIssuer_To_v1_VenafiIssuer(in *certmanager.VenafiIssuer, out *certmanagerv1.VenafiIssuer, s conversion.Scope) error {
	out.Zone = in.Zone
	out.TPP = nil
	if in.TPP != nil {
		out.TPP = new(certmanagerv1.VenafiTPP)
		if err := Convert_certmanager_VenafiTPP_To_v1_VenafiTPP(in.TPP, out.TPP, s); err != nil {
			return err
		}
	}
	out.Cloud = nil
	if in.Cloud != nil {
		out.Cloud = new(certmanagerv1.VenafiCloud)
		if err := Convert_certmanager_VenafiCloud_To_v1_VenafiCloud(in.Cloud, out.Cloud, s); err != nil {
			return err
		}
	}
	return nil
}
// Convert_certmanager_VenafiIssuer_To_v1_VenafiIssuer is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VenafiIssuer_To_v1_VenafiIssuer;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VenafiIssuer_To_v1_VenafiIssuer(in *certmanager.VenafiIssuer, out *certmanagerv1.VenafiIssuer, s conversion.Scope) error {
	return autoConvert_certmanager_VenafiIssuer_To_v1_VenafiIssuer(in, out, s)
}
// autoConvert_v1_VenafiTPP_To_certmanager_VenafiTPP converts the external
// VenafiTPP to the internal type. CredentialsRef goes through the meta
// converter, CABundle is aliased via an unsafe slice-header cast, and the
// optional CABundleSecretRef is allocated and converted only when set.
func autoConvert_v1_VenafiTPP_To_certmanager_VenafiTPP(in *certmanagerv1.VenafiTPP, out *certmanager.VenafiTPP, s conversion.Scope) error {
	out.URL = in.URL
	if err := internalapismetav1.Convert_v1_LocalObjectReference_To_meta_LocalObjectReference(&in.CredentialsRef, &out.CredentialsRef, s); err != nil {
		return err
	}
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
	out.CABundleSecretRef = nil
	if in.CABundleSecretRef == nil {
		return nil
	}
	out.CABundleSecretRef = new(meta.SecretKeySelector)
	return internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in.CABundleSecretRef, out.CABundleSecretRef, s)
}
// Convert_v1_VenafiTPP_To_certmanager_VenafiTPP is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_VenafiTPP_To_certmanager_VenafiTPP;
// generated code, regenerate instead of editing by hand.
func Convert_v1_VenafiTPP_To_certmanager_VenafiTPP(in *certmanagerv1.VenafiTPP, out *certmanager.VenafiTPP, s conversion.Scope) error {
	return autoConvert_v1_VenafiTPP_To_certmanager_VenafiTPP(in, out, s)
}
// autoConvert_certmanager_VenafiTPP_To_v1_VenafiTPP converts the internal
// VenafiTPP to the external v1 type. CredentialsRef goes through the meta
// converter, CABundle is aliased via an unsafe slice-header cast, and the
// optional CABundleSecretRef is allocated and converted only when set.
func autoConvert_certmanager_VenafiTPP_To_v1_VenafiTPP(in *certmanager.VenafiTPP, out *certmanagerv1.VenafiTPP, s conversion.Scope) error {
	out.URL = in.URL
	if err := internalapismetav1.Convert_meta_LocalObjectReference_To_v1_LocalObjectReference(&in.CredentialsRef, &out.CredentialsRef, s); err != nil {
		return err
	}
	out.CABundle = *(*[]byte)(unsafe.Pointer(&in.CABundle))
	out.CABundleSecretRef = nil
	if in.CABundleSecretRef == nil {
		return nil
	}
	out.CABundleSecretRef = new(apismetav1.SecretKeySelector)
	return internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in.CABundleSecretRef, out.CABundleSecretRef, s)
}
// Convert_certmanager_VenafiTPP_To_v1_VenafiTPP is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_VenafiTPP_To_v1_VenafiTPP;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_VenafiTPP_To_v1_VenafiTPP(in *certmanager.VenafiTPP, out *certmanagerv1.VenafiTPP, s conversion.Scope) error {
	return autoConvert_certmanager_VenafiTPP_To_v1_VenafiTPP(in, out, s)
}
// autoConvert_v1_X509Subject_To_certmanager_X509Subject converts the external
// X509Subject to the internal type. SerialNumber is copied; every []string
// field is aliased by reinterpreting the slice header through unsafe, so the
// output shares the input's backing arrays rather than owning copies.
func autoConvert_v1_X509Subject_To_certmanager_X509Subject(in *certmanagerv1.X509Subject, out *certmanager.X509Subject, s conversion.Scope) error {
	out.SerialNumber = in.SerialNumber
	alias := func(src *[]string) []string { return *(*[]string)(unsafe.Pointer(src)) }
	out.Organizations = alias(&in.Organizations)
	out.Countries = alias(&in.Countries)
	out.OrganizationalUnits = alias(&in.OrganizationalUnits)
	out.Localities = alias(&in.Localities)
	out.Provinces = alias(&in.Provinces)
	out.StreetAddresses = alias(&in.StreetAddresses)
	out.PostalCodes = alias(&in.PostalCodes)
	return nil
}
// Convert_v1_X509Subject_To_certmanager_X509Subject is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_v1_X509Subject_To_certmanager_X509Subject;
// generated code, regenerate instead of editing by hand.
func Convert_v1_X509Subject_To_certmanager_X509Subject(in *certmanagerv1.X509Subject, out *certmanager.X509Subject, s conversion.Scope) error {
	return autoConvert_v1_X509Subject_To_certmanager_X509Subject(in, out, s)
}
// autoConvert_certmanager_X509Subject_To_v1_X509Subject converts the internal
// X509Subject to the external v1 type. SerialNumber is copied; every []string
// field is aliased by reinterpreting the slice header through unsafe, so the
// output shares the input's backing arrays rather than owning copies.
func autoConvert_certmanager_X509Subject_To_v1_X509Subject(in *certmanager.X509Subject, out *certmanagerv1.X509Subject, s conversion.Scope) error {
	out.SerialNumber = in.SerialNumber
	alias := func(src *[]string) []string { return *(*[]string)(unsafe.Pointer(src)) }
	out.Organizations = alias(&in.Organizations)
	out.Countries = alias(&in.Countries)
	out.OrganizationalUnits = alias(&in.OrganizationalUnits)
	out.Localities = alias(&in.Localities)
	out.Provinces = alias(&in.Provinces)
	out.StreetAddresses = alias(&in.StreetAddresses)
	out.PostalCodes = alias(&in.PostalCodes)
	return nil
}
// Convert_certmanager_X509Subject_To_v1_X509Subject is an autogenerated conversion function.
// Public wrapper that delegates to autoConvert_certmanager_X509Subject_To_v1_X509Subject;
// generated code, regenerate instead of editing by hand.
func Convert_certmanager_X509Subject_To_v1_X509Subject(in *certmanager.X509Subject, out *certmanagerv1.X509Subject, s conversion.Scope) error {
	return autoConvert_certmanager_X509Subject_To_v1_X509Subject(in, out, s)
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
//
// Each registered closure type-asserts the object it receives; the scheme is
// expected to hand back the same concrete type the defaulter was keyed on, and
// the assertion panics if it does not. This function itself never fails.
func RegisterDefaults(scheme *runtime.Scheme) error {
	scheme.AddTypeDefaultingFunc(&certmanagerv1.Certificate{}, func(obj interface{}) {
		SetObjectDefaults_Certificate(obj.(*certmanagerv1.Certificate))
	})
	scheme.AddTypeDefaultingFunc(&certmanagerv1.CertificateList{}, func(obj interface{}) {
		SetObjectDefaults_CertificateList(obj.(*certmanagerv1.CertificateList))
	})
	scheme.AddTypeDefaultingFunc(&certmanagerv1.CertificateRequest{}, func(obj interface{}) {
		SetObjectDefaults_CertificateRequest(obj.(*certmanagerv1.CertificateRequest))
	})
	scheme.AddTypeDefaultingFunc(&certmanagerv1.CertificateRequestList{}, func(obj interface{}) {
		SetObjectDefaults_CertificateRequestList(obj.(*certmanagerv1.CertificateRequestList))
	})
	return nil
}
// SetObjectDefaults_Certificate fills in the IssuerRef defaults of a
// Certificate: an empty Kind becomes "Issuer" and an empty Group becomes
// "cert-manager.io". Fields that are already set are left untouched.
func SetObjectDefaults_Certificate(in *certmanagerv1.Certificate) {
	ref := &in.Spec.IssuerRef
	if ref.Kind == "" {
		ref.Kind = "Issuer"
	}
	if ref.Group == "" {
		ref.Group = "cert-manager.io"
	}
}
// SetObjectDefaults_CertificateList applies SetObjectDefaults_Certificate to
// every item of the list, in place.
func SetObjectDefaults_CertificateList(in *certmanagerv1.CertificateList) {
	for i := range in.Items {
		SetObjectDefaults_Certificate(&in.Items[i])
	}
}
// SetObjectDefaults_CertificateRequest fills in the IssuerRef defaults of a
// CertificateRequest: an empty Kind becomes "Issuer" and an empty Group
// becomes "cert-manager.io". Fields that are already set are left untouched.
func SetObjectDefaults_CertificateRequest(in *certmanagerv1.CertificateRequest) {
	ref := &in.Spec.IssuerRef
	if ref.Kind == "" {
		ref.Kind = "Issuer"
	}
	if ref.Group == "" {
		ref.Group = "cert-manager.io"
	}
}
// SetObjectDefaults_CertificateRequestList applies
// SetObjectDefaults_CertificateRequest to every item of the list, in place.
func SetObjectDefaults_CertificateRequestList(in *certmanagerv1.CertificateRequestList) {
	for i := range in.Items {
		SetObjectDefaults_CertificateRequest(&in.Items[i])
	}
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
cmapi "github.com/cert-manager/cert-manager/internal/apis/certmanager"
)
// GetCertificateRequestCondition returns a pointer to a copy of the first
// condition in conds whose Type equals conditionType, or nil when none
// matches. Because the result points at a copy, mutating it does not change
// the element stored in conds.
func GetCertificateRequestCondition(conds []cmapi.CertificateRequestCondition, conditionType cmapi.CertificateRequestConditionType) *cmapi.CertificateRequestCondition {
	for i := range conds {
		if conds[i].Type != conditionType {
			continue
		}
		match := conds[i]
		return &match
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"fmt"
"net"
"strings"
)
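// defaultRFC2136Port is appended when the configured nameserver carries no
// explicit port. Kept as a var (not const) so callers and tests can override it.
var defaultRFC2136Port = "53"

// ValidNameserver validates the given nameserver for the RFC2136 provider, returning the sanitized nameserver - if valid - in the form "<host>:<port>".
//
// Surrounding whitespace is trimmed, a missing port defaults to
// defaultRFC2136Port, and IPv6 literals come back bracketed. The port is
// passed through as given; it is not checked to be numeric. Errors from
// net.SplitHostPort are wrapped with %w so callers can inspect the cause
// with errors.As (e.g. *net.AddrError); the error text itself is unchanged.
func ValidNameserver(nameserver string) (string, error) {
	nameserver = strings.TrimSpace(nameserver)
	if nameserver == "" {
		return "", fmt.Errorf("RFC2136 nameserver missing")
	}

	// SplitHostPort behavior:
	// nameserver          host              port   err
	// 8.8.8.8             ""                ""     missing port in address
	// 8.8.8.8:            "8.8.8.8"         ""     <nil>
	// 8.8.8.8:53          "8.8.8.8"         53     <nil>
	// [2001:db8::1]       ""                ""     missing port in address
	// [2001:db8::1]:      "2001:db8::1"     ""     <nil>
	// [2001:db8::1]:53    "2001:db8::1"     53     <nil>
	// nameserver.com      ""                ""     missing port in address
	// nameserver.com:     "nameserver.com"  ""     <nil>
	// nameserver.com:53   "nameserver.com"  53     <nil>
	// :53                 ""                53     <nil>
	host, port, err := net.SplitHostPort(nameserver)
	if err != nil {
		if !strings.Contains(err.Error(), "missing port") {
			// Any other parse failure (e.g. too many colons) is fatal; wrap
			// rather than flatten so the *net.AddrError stays reachable.
			return "", fmt.Errorf("RFC2136 nameserver is invalid: %w", err)
		}
		// No port given: the whole input is the host. net.JoinHostPort
		// expects an IPv6 address without its enclosing brackets.
		host = strings.Trim(nameserver, "[]")
	}
	if host == "" {
		return "", fmt.Errorf("RFC2136 nameserver has no host defined, %v", nameserver)
	}
	if port == "" {
		port = defaultRFC2136Port
	}
	return net.JoinHostPort(host, port), nil
}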
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package certmanager
import (
acme "github.com/cert-manager/cert-manager/internal/apis/acme"
meta "github.com/cert-manager/cert-manager/internal/apis/meta"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The three []string fields get their own backing arrays so out never
// aliases in; a nil slice stays nil, an empty non-nil slice stays empty.
func (in *CAIssuer) DeepCopyInto(out *CAIssuer) {
	cloneStrings := func(src []string) []string {
		if src == nil {
			return nil
		}
		dst := make([]string, len(src))
		copy(dst, src)
		return dst
	}
	*out = *in
	out.CRLDistributionPoints = cloneStrings(in.CRLDistributionPoints)
	out.OCSPServers = cloneStrings(in.OCSPServers)
	out.IssuingCertificateURLs = cloneStrings(in.IssuingCertificateURLs)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAIssuer.
// A nil receiver yields nil rather than an empty value.
func (in *CAIssuer) DeepCopy() *CAIssuer {
	if in == nil {
		return nil
	}
	var out CAIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// TypeMeta is a plain value copy; ObjectMeta, Spec and Status delegate to
// their own DeepCopyInto so nested pointers and slices are not shared.
func (in *Certificate) DeepCopyInto(out *Certificate) {
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
	out.TypeMeta = in.TypeMeta
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.
// A nil receiver yields nil rather than an empty value.
func (in *Certificate) DeepCopy() *Certificate {
	if in == nil {
		return nil
	}
	var out Certificate
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Certificate) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		// Return an untyped nil: storing a nil *Certificate in the interface
		// would make the result compare non-nil to callers.
		return nil
	}
	return c
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The type holds no reference fields, so a plain value copy is a deep copy.
func (in *CertificateAdditionalOutputFormat) DeepCopyInto(out *CertificateAdditionalOutputFormat) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAdditionalOutputFormat.
// A nil receiver yields nil rather than an empty value.
func (in *CertificateAdditionalOutputFormat) DeepCopy() *CertificateAdditionalOutputFormat {
	if in == nil {
		return nil
	}
	var out CertificateAdditionalOutputFormat
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// LastTransitionTime is the only pointer field; it is deep-copied when set
// and left nil otherwise.
func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition) {
	*out = *in
	if t := in.LastTransitionTime; t != nil {
		out.LastTransitionTime = t.DeepCopy()
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateCondition.
// A nil receiver yields nil rather than an empty value.
func (in *CertificateCondition) DeepCopy() *CertificateCondition {
	if in == nil {
		return nil
	}
	var out CertificateCondition
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// Each optional keystore pointer gets a freshly allocated, deep-copied
// target so out never shares a JKSKeystore or PKCS12Keystore with in.
func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores) {
	*out = *in
	if in.JKS != nil {
		out.JKS = new(JKSKeystore)
		in.JKS.DeepCopyInto(out.JKS)
	}
	if in.PKCS12 != nil {
		out.PKCS12 = new(PKCS12Keystore)
		in.PKCS12.DeepCopyInto(out.PKCS12)
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateKeystores.
// A nil receiver yields nil rather than an empty value.
func (in *CertificateKeystores) DeepCopy() *CertificateKeystores {
	if in == nil {
		return nil
	}
	var out CertificateKeystores
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// Items gets a new backing array with every element deep-copied; a nil
// Items stays nil.
func (in *CertificateList) DeepCopyInto(out *CertificateList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	out.TypeMeta = in.TypeMeta
	if in.Items == nil {
		return
	}
	out.Items = make([]Certificate, len(in.Items))
	for i := range in.Items {
		in.Items[i].DeepCopyInto(&out.Items[i])
	}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateList.
// A nil receiver yields nil rather than an empty value.
func (in *CertificateList) DeepCopy() *CertificateList {
	if in == nil {
		return nil
	}
	var out CertificateList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *CertificateList) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		// Return an untyped nil: storing a nil *CertificateList in the
		// interface would make the result compare non-nil to callers.
		return nil
	}
	return c
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// The type holds no reference fields, so a plain value copy is a deep copy.
func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey) {
	*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificatePrivateKey.
// A nil receiver yields nil rather than an empty value.
func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey {
	if in == nil {
		return nil
	}
	var out CertificatePrivateKey
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying object metadata,
// spec and status. in must be non-nil.
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest) {
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateRequest) DeepCopy() *CertificateRequest {
	if in == nil {
		return nil
	}
	var out CertificateRequest
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *CertificateRequest) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, giving out its own
// LastTransitionTime. in must be non-nil.
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition) {
	*out = *in
	if in.LastTransitionTime != nil {
		out.LastTransitionTime = in.LastTransitionTime.DeepCopy()
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition {
	if in == nil {
		return nil
	}
	var out CertificateRequestCondition
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying the list metadata
// and every item. in must be non-nil.
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		out.Items = make([]CertificateRequest, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList {
	if in == nil {
		return nil
	}
	var out CertificateRequestList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *CertificateRequestList) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, detaching every pointer, slice
// and map so out can be mutated without affecting in. in must be non-nil.
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec) {
	*out = *in
	if in.Duration != nil {
		d := *in.Duration
		out.Duration = &d
	}
	// The raw CSR bytes get their own buffer.
	if in.Request != nil {
		out.Request = make([]byte, len(in.Request))
		copy(out.Request, in.Request)
	}
	if in.Usages != nil {
		out.Usages = make([]KeyUsage, len(in.Usages))
		copy(out.Usages, in.Usages)
	}
	if in.Groups != nil {
		out.Groups = make([]string, len(in.Groups))
		copy(out.Groups, in.Groups)
	}
	// Extra is a map of slices: copy the map and each non-nil value slice,
	// preserving nil values as nil.
	if in.Extra != nil {
		out.Extra = make(map[string][]string, len(in.Extra))
		for k, v := range in.Extra {
			var cp []string
			if v != nil {
				cp = make([]string, len(v))
				copy(cp, v)
			}
			out.Extra[k] = cp
		}
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec {
	if in == nil {
		return nil
	}
	var out CertificateRequestSpec
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching the condition list,
// the PEM byte slices and the failure timestamp. in must be non-nil.
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]CertificateRequestCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	if in.Certificate != nil {
		out.Certificate = make([]byte, len(in.Certificate))
		copy(out.Certificate, in.Certificate)
	}
	if in.CA != nil {
		out.CA = make([]byte, len(in.CA))
		copy(out.CA, in.CA)
	}
	if in.FailureTime != nil {
		out.FailureTime = in.FailureTime.DeepCopy()
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus {
	if in == nil {
		return nil
	}
	var out CertificateRequestStatus
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own Annotations
// and Labels maps. in must be non-nil.
func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate) {
	*out = *in
	if in.Annotations != nil {
		out.Annotations = make(map[string]string, len(in.Annotations))
		for k, v := range in.Annotations {
			out.Annotations[k] = v
		}
	}
	if in.Labels != nil {
		out.Labels = make(map[string]string, len(in.Labels))
		for k, v := range in.Labels {
			out.Labels[k] = v
		}
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate {
	if in == nil {
		return nil
	}
	var out CertificateSecretTemplate
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching every pointer and
// slice field so out shares no mutable memory with in. in must be non-nil.
func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) {
	*out = *in

	// Nested structs with their own reference fields go through DeepCopyInto.
	if in.Subject != nil {
		out.Subject = new(X509Subject)
		in.Subject.DeepCopyInto(out.Subject)
	}
	if in.SecretTemplate != nil {
		out.SecretTemplate = new(CertificateSecretTemplate)
		in.SecretTemplate.DeepCopyInto(out.SecretTemplate)
	}
	if in.Keystores != nil {
		out.Keystores = new(CertificateKeystores)
		in.Keystores.DeepCopyInto(out.Keystores)
	}
	if in.NameConstraints != nil {
		out.NameConstraints = new(NameConstraints)
		in.NameConstraints.DeepCopyInto(out.NameConstraints)
	}

	// Pointers to plain values are copied by dereference.
	if in.Duration != nil {
		d := *in.Duration
		out.Duration = &d
	}
	if in.RenewBefore != nil {
		rb := *in.RenewBefore
		out.RenewBefore = &rb
	}
	if in.RenewBeforePercentage != nil {
		p := *in.RenewBeforePercentage
		out.RenewBeforePercentage = &p
	}
	if in.PrivateKey != nil {
		pk := *in.PrivateKey
		out.PrivateKey = &pk
	}
	if in.EncodeUsagesInRequest != nil {
		b := *in.EncodeUsagesInRequest
		out.EncodeUsagesInRequest = &b
	}
	if in.RevisionHistoryLimit != nil {
		l := *in.RevisionHistoryLimit
		out.RevisionHistoryLimit = &l
	}

	// Slices of plain values get their own backing arrays.
	if in.DNSNames != nil {
		out.DNSNames = make([]string, len(in.DNSNames))
		copy(out.DNSNames, in.DNSNames)
	}
	if in.IPAddresses != nil {
		out.IPAddresses = make([]string, len(in.IPAddresses))
		copy(out.IPAddresses, in.IPAddresses)
	}
	if in.URIs != nil {
		out.URIs = make([]string, len(in.URIs))
		copy(out.URIs, in.URIs)
	}
	if in.EmailAddresses != nil {
		out.EmailAddresses = make([]string, len(in.EmailAddresses))
		copy(out.EmailAddresses, in.EmailAddresses)
	}
	if in.OtherNames != nil {
		out.OtherNames = make([]OtherName, len(in.OtherNames))
		copy(out.OtherNames, in.OtherNames)
	}
	if in.Usages != nil {
		out.Usages = make([]KeyUsage, len(in.Usages))
		copy(out.Usages, in.Usages)
	}
	if in.AdditionalOutputFormats != nil {
		out.AdditionalOutputFormats = make([]CertificateAdditionalOutputFormat, len(in.AdditionalOutputFormats))
		copy(out.AdditionalOutputFormats, in.AdditionalOutputFormats)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateSpec) DeepCopy() *CertificateSpec {
	if in == nil {
		return nil
	}
	var out CertificateSpec
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching the condition list,
// the timestamps and the optional counters. in must be non-nil.
func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]CertificateCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	// Timestamps are pointers to metav1.Time and provide their own DeepCopy.
	if in.LastFailureTime != nil {
		out.LastFailureTime = in.LastFailureTime.DeepCopy()
	}
	if in.NotBefore != nil {
		out.NotBefore = in.NotBefore.DeepCopy()
	}
	if in.NotAfter != nil {
		out.NotAfter = in.NotAfter.DeepCopy()
	}
	if in.RenewalTime != nil {
		out.RenewalTime = in.RenewalTime.DeepCopy()
	}
	if in.Revision != nil {
		r := *in.Revision
		out.Revision = &r
	}
	if in.NextPrivateKeySecretName != nil {
		n := *in.NextPrivateKeySecretName
		out.NextPrivateKeySecretName = &n
	}
	if in.FailedIssuanceAttempts != nil {
		f := *in.FailedIssuanceAttempts
		out.FailedIssuanceAttempts = &f
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *CertificateStatus) DeepCopy() *CertificateStatus {
	if in == nil {
		return nil
	}
	var out CertificateStatus
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying object metadata,
// spec and status. in must be non-nil.
func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer) {
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *ClusterIssuer) DeepCopy() *ClusterIssuer {
	if in == nil {
		return nil
	}
	var out ClusterIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *ClusterIssuer) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, deep-copying the list metadata
// and every item. in must be non-nil.
func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		out.Items = make([]ClusterIssuer, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList {
	if in == nil {
		return nil
	}
	var out ClusterIssuerList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *ClusterIssuerList) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, deep-copying object metadata,
// spec and status. in must be non-nil.
func (in *Issuer) DeepCopyInto(out *Issuer) {
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *Issuer) DeepCopy() *Issuer {
	if in == nil {
		return nil
	}
	var out Issuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *Issuer) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, giving out its own
// LastTransitionTime. in must be non-nil.
func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition) {
	*out = *in
	if in.LastTransitionTime != nil {
		out.LastTransitionTime = in.LastTransitionTime.DeepCopy()
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *IssuerCondition) DeepCopy() *IssuerCondition {
	if in == nil {
		return nil
	}
	var out IssuerCondition
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying whichever issuer
// backend configuration is set. in must be non-nil.
func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig) {
	*out = *in
	// Each backend is an optional pointer; only the populated ones are copied.
	if in.ACME != nil {
		out.ACME = new(acme.ACMEIssuer)
		in.ACME.DeepCopyInto(out.ACME)
	}
	if in.CA != nil {
		out.CA = new(CAIssuer)
		in.CA.DeepCopyInto(out.CA)
	}
	if in.Vault != nil {
		out.Vault = new(VaultIssuer)
		in.Vault.DeepCopyInto(out.Vault)
	}
	if in.SelfSigned != nil {
		out.SelfSigned = new(SelfSignedIssuer)
		in.SelfSigned.DeepCopyInto(out.SelfSigned)
	}
	if in.Venafi != nil {
		out.Venafi = new(VenafiIssuer)
		in.Venafi.DeepCopyInto(out.Venafi)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *IssuerConfig) DeepCopy() *IssuerConfig {
	if in == nil {
		return nil
	}
	var out IssuerConfig
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying the list metadata
// and every item. in must be non-nil.
func (in *IssuerList) DeepCopyInto(out *IssuerList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		out.Items = make([]Issuer, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *IssuerList) DeepCopy() *IssuerList {
	if in == nil {
		return nil
	}
	var out IssuerList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject returns a deep copy of the receiver as a runtime.Object.
// A nil receiver produces a nil interface, not a typed nil pointer.
func (in *IssuerList) DeepCopyObject() runtime.Object {
	c := in.DeepCopy()
	if c == nil {
		return nil
	}
	return c
}
// DeepCopyInto copies the receiver into out, deep-copying the embedded
// IssuerConfig. in must be non-nil.
func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec) {
	*out = *in
	in.IssuerConfig.DeepCopyInto(&out.IssuerConfig)
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *IssuerSpec) DeepCopy() *IssuerSpec {
	if in == nil {
		return nil
	}
	var out IssuerSpec
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching the condition list
// and the optional ACME status. in must be non-nil.
func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]IssuerCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	// ACMEIssuerStatus is copied by value; the copier emits no nested
	// DeepCopyInto for it.
	if in.ACME != nil {
		s := *in.ACME
		out.ACME = &s
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *IssuerStatus) DeepCopy() *IssuerStatus {
	if in == nil {
		return nil
	}
	var out IssuerStatus
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own Alias and
// Password pointers. in must be non-nil.
func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore) {
	*out = *in
	if in.Alias != nil {
		a := *in.Alias
		out.Alias = &a
	}
	if in.Password != nil {
		p := *in.Password
		out.Password = &p
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *JKSKeystore) DeepCopy() *JKSKeystore {
	if in == nil {
		return nil
	}
	var out JKSKeystore
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving each constraint list its
// own backing array. in must be non-nil.
func (in *NameConstraintItem) DeepCopyInto(out *NameConstraintItem) {
	*out = *in
	if in.DNSDomains != nil {
		out.DNSDomains = make([]string, len(in.DNSDomains))
		copy(out.DNSDomains, in.DNSDomains)
	}
	if in.IPRanges != nil {
		out.IPRanges = make([]string, len(in.IPRanges))
		copy(out.IPRanges, in.IPRanges)
	}
	if in.EmailAddresses != nil {
		out.EmailAddresses = make([]string, len(in.EmailAddresses))
		copy(out.EmailAddresses, in.EmailAddresses)
	}
	if in.URIDomains != nil {
		out.URIDomains = make([]string, len(in.URIDomains))
		copy(out.URIDomains, in.URIDomains)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *NameConstraintItem) DeepCopy() *NameConstraintItem {
	if in == nil {
		return nil
	}
	var out NameConstraintItem
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying the Permitted and
// Excluded subtrees. in must be non-nil.
func (in *NameConstraints) DeepCopyInto(out *NameConstraints) {
	*out = *in
	if in.Permitted != nil {
		out.Permitted = new(NameConstraintItem)
		in.Permitted.DeepCopyInto(out.Permitted)
	}
	if in.Excluded != nil {
		out.Excluded = new(NameConstraintItem)
		in.Excluded.DeepCopyInto(out.Excluded)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *NameConstraints) DeepCopy() *NameConstraints {
	if in == nil {
		return nil
	}
	var out NameConstraints
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. in must be non-nil.
func (in *OtherName) DeepCopyInto(out *OtherName) {
	// A value assignment is sufficient: the copier emitted no per-field work.
	*out = *in
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *OtherName) DeepCopy() *OtherName {
	if in == nil {
		return nil
	}
	var out OtherName
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own Password
// pointer. in must be non-nil.
func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore) {
	*out = *in
	if in.Password != nil {
		p := *in.Password
		out.Password = &p
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore {
	if in == nil {
		return nil
	}
	var out PKCS12Keystore
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own
// CRLDistributionPoints slice. in must be non-nil.
func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer) {
	*out = *in
	if in.CRLDistributionPoints != nil {
		out.CRLDistributionPoints = make([]string, len(in.CRLDistributionPoints))
		copy(out.CRLDistributionPoints, in.CRLDistributionPoints)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
	if in == nil {
		return nil
	}
	var out SelfSignedIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own
// TokenAudiences slice. in must be non-nil.
func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
	*out = *in
	if in.TokenAudiences != nil {
		out.TokenAudiences = make([]string, len(in.TokenAudiences))
		copy(out.TokenAudiences, in.TokenAudiences)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
	if in == nil {
		return nil
	}
	var out ServiceAccountRef
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. in must be non-nil.
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
	// SecretRef is a value field, so the struct assignment already covers it.
	*out = *in
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VaultAppRole) DeepCopy() *VaultAppRole {
	if in == nil {
		return nil
	}
	var out VaultAppRole
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching whichever Vault
// authentication method is configured. in must be non-nil.
func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
	*out = *in
	// The first three methods hold only value fields and are copied by
	// dereference; Kubernetes auth carries a ServiceAccountRef pointer and
	// therefore needs its own DeepCopyInto.
	if in.TokenSecretRef != nil {
		ref := *in.TokenSecretRef
		out.TokenSecretRef = &ref
	}
	if in.AppRole != nil {
		ar := *in.AppRole
		out.AppRole = &ar
	}
	if in.ClientCertificate != nil {
		cc := *in.ClientCertificate
		out.ClientCertificate = &cc
	}
	if in.Kubernetes != nil {
		out.Kubernetes = new(VaultKubernetesAuth)
		in.Kubernetes.DeepCopyInto(out.Kubernetes)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VaultAuth) DeepCopy() *VaultAuth {
	if in == nil {
		return nil
	}
	var out VaultAuth
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. in must be non-nil.
func (in *VaultClientCertificateAuth) DeepCopyInto(out *VaultClientCertificateAuth) {
	// A value assignment is sufficient: the copier emitted no per-field work.
	*out = *in
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VaultClientCertificateAuth) DeepCopy() *VaultClientCertificateAuth {
	if in == nil {
		return nil
	}
	var out VaultClientCertificateAuth
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying the auth block,
// the CA bundle bytes and the optional secret selectors. in must be non-nil.
func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer) {
	*out = *in
	in.Auth.DeepCopyInto(&out.Auth)
	if in.CABundle != nil {
		out.CABundle = make([]byte, len(in.CABundle))
		copy(out.CABundle, in.CABundle)
	}
	// SecretKeySelector is copied by value; it has no nested reference fields
	// the copier needed to handle.
	if in.CABundleSecretRef != nil {
		ref := *in.CABundleSecretRef
		out.CABundleSecretRef = &ref
	}
	if in.ClientCertSecretRef != nil {
		ref := *in.ClientCertSecretRef
		out.ClientCertSecretRef = &ref
	}
	if in.ClientKeySecretRef != nil {
		ref := *in.ClientKeySecretRef
		out.ClientKeySecretRef = &ref
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VaultIssuer) DeepCopy() *VaultIssuer {
	if in == nil {
		return nil
	}
	var out VaultIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying the optional
// ServiceAccountRef. in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
	*out = *in
	if in.ServiceAccountRef != nil {
		out.ServiceAccountRef = new(ServiceAccountRef)
		in.ServiceAccountRef.DeepCopyInto(out.ServiceAccountRef)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
	if in == nil {
		return nil
	}
	var out VaultKubernetesAuth
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. in must be non-nil.
func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud) {
	// APITokenSecretRef is a value field, so the struct assignment covers it.
	*out = *in
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VenafiCloud) DeepCopy() *VenafiCloud {
	if in == nil {
		return nil
	}
	var out VenafiCloud
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, detaching whichever Venafi
// backend (TPP or Cloud) is configured. in must be non-nil.
func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer) {
	*out = *in
	if in.TPP != nil {
		out.TPP = new(VenafiTPP)
		in.TPP.DeepCopyInto(out.TPP)
	}
	// VenafiCloud holds only value fields, so a dereferenced copy suffices.
	if in.Cloud != nil {
		c := *in.Cloud
		out.Cloud = &c
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VenafiIssuer) DeepCopy() *VenafiIssuer {
	if in == nil {
		return nil
	}
	var out VenafiIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own CA bundle
// bytes and CA bundle secret selector. in must be non-nil.
func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP) {
	*out = *in
	if in.CABundle != nil {
		out.CABundle = make([]byte, len(in.CABundle))
		copy(out.CABundle, in.CABundle)
	}
	if in.CABundleSecretRef != nil {
		ref := *in.CABundleSecretRef
		out.CABundleSecretRef = &ref
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *VenafiTPP) DeepCopy() *VenafiTPP {
	if in == nil {
		return nil
	}
	var out VenafiTPP
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving every subject attribute
// list its own backing array. in must be non-nil.
func (in *X509Subject) DeepCopyInto(out *X509Subject) {
	*out = *in
	if in.Organizations != nil {
		out.Organizations = make([]string, len(in.Organizations))
		copy(out.Organizations, in.Organizations)
	}
	if in.Countries != nil {
		out.Countries = make([]string, len(in.Countries))
		copy(out.Countries, in.Countries)
	}
	if in.OrganizationalUnits != nil {
		out.OrganizationalUnits = make([]string, len(in.OrganizationalUnits))
		copy(out.OrganizationalUnits, in.OrganizationalUnits)
	}
	if in.Localities != nil {
		out.Localities = make([]string, len(in.Localities))
		copy(out.Localities, in.Localities)
	}
	if in.Provinces != nil {
		out.Provinces = make([]string, len(in.Provinces))
		copy(out.Provinces, in.Provinces)
	}
	if in.StreetAddresses != nil {
		out.StreetAddresses = make([]string, len(in.StreetAddresses))
		copy(out.StreetAddresses, in.StreetAddresses)
	}
	if in.PostalCodes != nil {
		out.PostalCodes = make([]string, len(in.PostalCodes))
		copy(out.PostalCodes, in.PostalCodes)
	}
}
// DeepCopy returns a deep copy of the receiver; a nil receiver yields nil.
func (in *X509Subject) DeepCopy() *X509Subject {
	if in == nil {
		return nil
	}
	var out X509Subject
	in.DeepCopyInto(&out)
	return &out
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package meta
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/meta"
)
var (
	// SchemeBuilder collects the functions that register this group's
	// internal types with a runtime.Scheme.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme applies every collected registration function to a scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
// SchemeGroupVersion is the group version used to register these objects.
// It names the internal (unversioned) form of the meta group.
var SchemeGroupVersion = schema.GroupVersion{Group: meta.GroupName, Version: runtime.APIVersionInternal}
// Resource qualifies an unqualified resource name with this package's
// group, returning the corresponding GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
// addKnownTypes is the SchemeBuilder hook for the internal meta group. The
// group defines no API objects, so there is nothing to register and the
// scheme is left untouched.
func addKnownTypes(_ *runtime.Scheme) error {
	return nil
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/conversion"
"github.com/cert-manager/cert-manager/internal/apis/meta"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// Convert_meta_LocalObjectReference_To_v1_LocalObjectReference converts the
// internal meta.LocalObjectReference in into the v1 representation out,
// delegating to the conversion-gen generated autoConvert function. It is
// written by hand because conversion-gen has trouble emitting the public
// wrapper when the referenced types live in another API group. s is the
// conversion scope passed through to the generated code.
func Convert_meta_LocalObjectReference_To_v1_LocalObjectReference(in *meta.LocalObjectReference, out *cmmeta.LocalObjectReference, s conversion.Scope) error {
	return autoConvert_meta_LocalObjectReference_To_v1_LocalObjectReference(in, out, s)
}
// Convert_v1_LocalObjectReference_To_meta_LocalObjectReference converts the
// v1 cmmeta.LocalObjectReference in into the internal representation out,
// delegating to the conversion-gen generated autoConvert function. It is
// written by hand because conversion-gen has trouble emitting the public
// wrapper when the referenced types live in another API group. s is the
// conversion scope passed through to the generated code.
func Convert_v1_LocalObjectReference_To_meta_LocalObjectReference(in *cmmeta.LocalObjectReference, out *meta.LocalObjectReference, s conversion.Scope) error {
	return autoConvert_v1_LocalObjectReference_To_meta_LocalObjectReference(in, out, s)
}
// Convert_meta_IssuerReference_To_v1_IssuerReference converts the internal
// meta.IssuerReference in into the v1 representation out, delegating to the
// conversion-gen generated autoConvert function. It is written by hand
// because conversion-gen has trouble emitting the public wrapper when the
// referenced types live in another API group. s is the conversion scope
// passed through to the generated code.
func Convert_meta_IssuerReference_To_v1_IssuerReference(in *meta.IssuerReference, out *cmmeta.IssuerReference, s conversion.Scope) error {
	return autoConvert_meta_IssuerReference_To_v1_IssuerReference(in, out, s)
}
// Convert_v1_IssuerReference_To_meta_IssuerReference converts the v1
// cmmeta.IssuerReference in into the internal representation out, delegating
// to the conversion-gen generated autoConvert function. It is written by hand
// because conversion-gen has trouble emitting the public wrapper when the
// referenced types live in another API group. s is the conversion scope
// passed through to the generated code.
func Convert_v1_IssuerReference_To_meta_IssuerReference(in *cmmeta.IssuerReference, out *meta.IssuerReference, s conversion.Scope) error {
	return autoConvert_v1_IssuerReference_To_meta_IssuerReference(in, out, s)
}
// Convert_meta_SecretKeySelector_To_v1_SecretKeySelector converts the
// internal meta.SecretKeySelector in into the v1 representation out,
// delegating to the conversion-gen generated autoConvert function. It is
// written by hand because conversion-gen has trouble emitting the public
// wrapper when the referenced types live in another API group. s is the
// conversion scope passed through to the generated code.
func Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(in *meta.SecretKeySelector, out *cmmeta.SecretKeySelector, s conversion.Scope) error {
	return autoConvert_meta_SecretKeySelector_To_v1_SecretKeySelector(in, out, s)
}
// Convert_v1_SecretKeySelector_To_meta_SecretKeySelector converts the v1
// cmmeta.SecretKeySelector in into the internal representation out,
// delegating to the conversion-gen generated autoConvert function. It is
// written by hand because conversion-gen has trouble emitting the public
// wrapper when the referenced types live in another API group. s is the
// conversion scope passed through to the generated code.
func Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(in *cmmeta.SecretKeySelector, out *meta.SecretKeySelector, s conversion.Scope) error {
	return autoConvert_v1_SecretKeySelector_To_meta_SecretKeySelector(in, out, s)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime"
)
// addDefaultingFuncs installs the generated defaulters into scheme. It is the
// hand-written function that this package's init registers with the scheme
// builder, keeping registration of generated code in the generated files.
func addDefaultingFuncs(scheme *runtime.Scheme) error {
	if err := RegisterDefaults(scheme); err != nil {
		return err
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/meta"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// SchemeGroupVersion is the group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{
	Group:   meta.GroupName,
	Version: "v1",
}
// Resource takes an unqualified resource name and returns it qualified with
// this package's API group as a GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
var (
	// localSchemeBuilder is the builder of pkg/apis/meta/v1, shared so that the
	// conversion and defaulting functions written here register in the same
	// place as the external types.
	localSchemeBuilder = &cmmeta.SchemeBuilder
	// AddToScheme applies everything collected by localSchemeBuilder.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init registers only the hand-written scheme functions of this package.
func init() {
	// We only register manually written functions here. The registration of the
	// generated functions takes place in the generated files. The separation
	// makes the code compile even when the generated files are missing.
	localSchemeBuilder.Register(addDefaultingFuncs)
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1
import (
meta "github.com/cert-manager/cert-manager/internal/apis/meta"
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// init registers the generated conversion functions; hand-written
// registrations are done in this package's non-generated init.
func init() {
	localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
//
// Each call below registers one direction for one type pair. The typed
// Convert_* function is wrapped in an untyped closure because the scheme
// stores conversions as func(a, b interface{}, scope) error; the type
// assertions inside the closure are safe because the scheme only invokes it
// for the (src, dst) pointer types given in the first two arguments.
// The first registration error aborts and is returned unchanged.
func RegisterConversions(s *runtime.Scheme) error {
	if err := s.AddConversionFunc((*meta.IssuerReference)(nil), (*metav1.IssuerReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_meta_IssuerReference_To_v1_IssuerReference(a.(*meta.IssuerReference), b.(*metav1.IssuerReference), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*meta.LocalObjectReference)(nil), (*metav1.LocalObjectReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_meta_LocalObjectReference_To_v1_LocalObjectReference(a.(*meta.LocalObjectReference), b.(*metav1.LocalObjectReference), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*meta.SecretKeySelector)(nil), (*metav1.SecretKeySelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(a.(*meta.SecretKeySelector), b.(*metav1.SecretKeySelector), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*metav1.IssuerReference)(nil), (*meta.IssuerReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_IssuerReference_To_meta_IssuerReference(a.(*metav1.IssuerReference), b.(*meta.IssuerReference), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*metav1.LocalObjectReference)(nil), (*meta.LocalObjectReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_LocalObjectReference_To_meta_LocalObjectReference(a.(*metav1.LocalObjectReference), b.(*meta.LocalObjectReference), scope)
	}); err != nil {
		return err
	}
	if err := s.AddConversionFunc((*metav1.SecretKeySelector)(nil), (*meta.SecretKeySelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
		return Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(a.(*metav1.SecretKeySelector), b.(*meta.SecretKeySelector), scope)
	}); err != nil {
		return err
	}
	return nil
}
// autoConvert_v1_IssuerReference_To_meta_IssuerReference copies Name, Kind and
// Group field by field from the external type into the internal one. Generated
// by conversion-gen; s is unused because no nested conversion is needed.
func autoConvert_v1_IssuerReference_To_meta_IssuerReference(in *metav1.IssuerReference, out *meta.IssuerReference, s conversion.Scope) error {
	out.Name = in.Name
	out.Kind = in.Kind
	out.Group = in.Group
	return nil
}
// autoConvert_meta_IssuerReference_To_v1_IssuerReference copies Name, Kind and
// Group field by field from the internal type into the external one. Generated
// by conversion-gen; s is unused because no nested conversion is needed.
func autoConvert_meta_IssuerReference_To_v1_IssuerReference(in *meta.IssuerReference, out *metav1.IssuerReference, s conversion.Scope) error {
	out.Name = in.Name
	out.Kind = in.Kind
	out.Group = in.Group
	return nil
}
// autoConvert_v1_LocalObjectReference_To_meta_LocalObjectReference copies the
// single Name field from the external type into the internal one. Generated by
// conversion-gen.
func autoConvert_v1_LocalObjectReference_To_meta_LocalObjectReference(in *metav1.LocalObjectReference, out *meta.LocalObjectReference, s conversion.Scope) error {
	out.Name = in.Name
	return nil
}
// autoConvert_meta_LocalObjectReference_To_v1_LocalObjectReference copies the
// single Name field from the internal type into the external one. Generated by
// conversion-gen.
func autoConvert_meta_LocalObjectReference_To_v1_LocalObjectReference(in *meta.LocalObjectReference, out *metav1.LocalObjectReference, s conversion.Scope) error {
	out.Name = in.Name
	return nil
}
// autoConvert_v1_SecretKeySelector_To_meta_SecretKeySelector converts the
// embedded LocalObjectReference through its own Convert_ function and then
// copies Key. Generated by conversion-gen; a failure of the nested conversion
// is returned as-is and Key is left untouched in that case.
func autoConvert_v1_SecretKeySelector_To_meta_SecretKeySelector(in *metav1.SecretKeySelector, out *meta.SecretKeySelector, s conversion.Scope) error {
	if err := Convert_v1_LocalObjectReference_To_meta_LocalObjectReference(&in.LocalObjectReference, &out.LocalObjectReference, s); err != nil {
		return err
	}
	out.Key = in.Key
	return nil
}
// autoConvert_meta_SecretKeySelector_To_v1_SecretKeySelector converts the
// embedded LocalObjectReference through its own Convert_ function and then
// copies Key. Generated by conversion-gen; a failure of the nested conversion
// is returned as-is and Key is left untouched in that case.
func autoConvert_meta_SecretKeySelector_To_v1_SecretKeySelector(in *meta.SecretKeySelector, out *metav1.SecretKeySelector, s conversion.Scope) error {
	if err := Convert_meta_LocalObjectReference_To_v1_LocalObjectReference(&in.LocalObjectReference, &out.LocalObjectReference, s); err != nil {
		return err
	}
	out.Key = in.Key
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
//
// No type in this package currently declares a defaulter, so there is nothing
// to register and the function always succeeds.
func RegisterDefaults(scheme *runtime.Scheme) error {
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package meta
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// IssuerReference holds only value fields, so a whole-struct assignment is a
// complete deep copy.
func (in *IssuerReference) DeepCopyInto(out *IssuerReference) {
	*out = *in
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IssuerReference.
// A nil receiver yields nil rather than an empty value.
func (in *IssuerReference) DeepCopy() *IssuerReference {
	if in == nil {
		return nil
	}
	out := new(IssuerReference)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
// LocalObjectReference holds only value fields, so a whole-struct assignment
// is a complete deep copy.
func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
	*out = *in
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
// A nil receiver yields nil rather than an empty value.
func (in *LocalObjectReference) DeepCopy() *LocalObjectReference {
	if in == nil {
		return nil
	}
	out := new(LocalObjectReference)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
	*out = *in
	// Already covered by the whole-struct copy above (the embedded
	// LocalObjectReference is a value field); deepcopy-gen emits the
	// assignment for every embedded struct regardless.
	out.LocalObjectReference = in.LocalObjectReference
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
// A nil receiver yields nil rather than an empty value.
func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
	if in == nil {
		return nil
	}
	out := new(SecretKeySelector)
	in.DeepCopyInto(out)
	return out
}
/*
Copyright 2025 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package collectors
import (
"fmt"
"github.com/prometheus/client_golang/prometheus"
"k8s.io/apimachinery/pkg/labels"
acmemeta "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmacmelisters "github.com/cert-manager/cert-manager/pkg/client/listers/acme/v1"
)
var (
	// challengeValidStatuses lists every Challenge state that gets its own
	// gauge series; the series for the current state carries 1, all others 0.
	challengeValidStatuses = [...]acmemeta.State{
		acmemeta.Ready,
		acmemeta.Valid,
		acmemeta.Errored,
		acmemeta.Expired,
		acmemeta.Invalid,
		acmemeta.Processing,
		acmemeta.Unknown,
		acmemeta.Pending,
	}

	// certChallengeMetricDesc describes the per-Challenge status gauge. The
	// label order here is the argument order used in Collect.
	certChallengeMetricDesc = prometheus.NewDesc(
		"certmanager_certificate_challenge_status",
		"The status of certificate challenges",
		[]string{"status", "domain", "reason", "processing", "name", "namespace", "type"},
		nil,
	)
)
// ACMECollector is a prometheus.Collector that exports one status gauge per
// ACME Challenge found through the lister.
type ACMECollector struct {
	// challengesLister is the informer-backed cache the Challenges are read from.
	challengesLister cmacmelisters.ChallengeLister
	// certificateChallengeStatusMetric is the descriptor of the exported gauge.
	certificateChallengeStatusMetric *prometheus.Desc
}
// NewACMECollector returns a Collector reporting the state of every Challenge
// visible through acmeInformers, using the package-level metric descriptor.
func NewACMECollector(acmeInformers cmacmelisters.ChallengeLister) prometheus.Collector {
	collector := new(ACMECollector)
	collector.challengesLister = acmeInformers
	collector.certificateChallengeStatusMetric = certChallengeMetricDesc
	return collector
}
// Describe sends the descriptor of every metric Collect can emit.
func (ac *ACMECollector) Describe(ch chan<- *prometheus.Desc) {
	for _, desc := range []*prometheus.Desc{ac.certificateChallengeStatusMetric} {
		ch <- desc
	}
}
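// Collect emits one certmanager_certificate_challenge_status gauge per
// (Challenge, known state) pair: 1 for the Challenge's current state, 0 for
// every other state in challengeValidStatuses. A Challenge whose state is not
// in that list produces only zeros.
//
// A lister failure is handed to the registry as an invalid metric, which
// Gather reports as an error, instead of being dropped silently: an empty
// scrape would otherwise be indistinguishable from "no Challenges exist".
func (ac *ACMECollector) Collect(ch chan<- prometheus.Metric) {
	challengesList, err := ac.challengesLister.List(labels.Everything())
	if err != nil {
		ch <- prometheus.NewInvalidMetric(ac.certificateChallengeStatusMetric, err)
		return
	}
	for _, challenge := range challengesList {
		// Label values that do not depend on which state is being reported.
		processing := fmt.Sprint(challenge.Status.Processing)
		challengeType := string(challenge.Spec.Type)
		for _, status := range challengeValidStatuses {
			value := 0.0
			if string(challenge.Status.State) == string(status) {
				value = 1.0
			}
			ch <- prometheus.MustNewConstMetric(
				ac.certificateChallengeStatusMetric, prometheus.GaugeValue,
				value,
				string(status),
				challenge.Spec.DNSName,
				challenge.Status.Reason,
				processing,
				challenge.Name,
				challenge.Namespace,
				challengeType,
			)
		}
	}
}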
/*
Copyright 2025 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package collectors
import (
"github.com/prometheus/client_golang/prometheus"
"k8s.io/apimachinery/pkg/labels"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
)
var (
	// certReadyConditionStatuses are the three values the Ready condition can
	// take; one gauge series is emitted per value.
	certReadyConditionStatuses = [...]cmmeta.ConditionStatus{
		cmmeta.ConditionTrue,
		cmmeta.ConditionFalse,
		cmmeta.ConditionUnknown,
	}

	// certReadyStatusMetric carries an extra "condition" label; the timestamp
	// metrics below share the same five identity labels.
	certReadyStatusMetric = prometheus.NewDesc(
		"certmanager_certificate_ready_status",
		"The ready status of the certificate.",
		[]string{"name", "namespace", "condition", "issuer_name", "issuer_kind", "issuer_group"},
		nil,
	)
	certNotAfterTimeSecondMetric = prometheus.NewDesc(
		"certmanager_certificate_not_after_timestamp_seconds",
		"The timestamp after which the certificate is invalid, expressed as a Unix Epoch Time.",
		[]string{"name", "namespace", "issuer_name", "issuer_kind", "issuer_group"},
		nil,
	)
	certNotBeforeTimeSecondMetric = prometheus.NewDesc(
		"certmanager_certificate_not_before_timestamp_seconds",
		"The timestamp before which the certificate is invalid, expressed as a Unix Epoch Time.",
		[]string{"name", "namespace", "issuer_name", "issuer_kind", "issuer_group"},
		nil,
	)
	certExpirationTimestampSeconds = prometheus.NewDesc(
		"certmanager_certificate_expiration_timestamp_seconds",
		"The timestamp after which the certificate expires, expressed in Unix Epoch Time.",
		[]string{"name", "namespace", "issuer_name", "issuer_kind", "issuer_group"},
		nil,
	)
	certRenewalTimestampSeconds = prometheus.NewDesc(
		"certmanager_certificate_renewal_timestamp_seconds",
		"The timestamp after which the certificate should be renewed, expressed in Unix Epoch Time.",
		[]string{"name", "namespace", "issuer_name", "issuer_kind", "issuer_group"},
		nil,
	)
)
// CertificateCollector is a prometheus.Collector that exports, for every
// Certificate in the lister, its Ready condition and its notBefore, notAfter,
// expiration and renewal timestamps.
type CertificateCollector struct {
	// certificatesLister is the informer-backed cache the Certificates are read from.
	certificatesLister cmlisters.CertificateLister
	// One descriptor per exported gauge; initialised from the package-level Descs.
	certificateReadyStatusMetric          *prometheus.Desc
	certificateNotAfterTimeSecondMetric   *prometheus.Desc
	certificateNotBeforeTimeSecondMetric  *prometheus.Desc
	certificateExpirationTimestampSeconds *prometheus.Desc
	certificateRenewalTimestampSeconds    *prometheus.Desc
}
// NewCertificateCollector returns a Collector reporting the Certificates
// visible through certificatesLister, wired to the package-level descriptors.
func NewCertificateCollector(certificatesLister cmlisters.CertificateLister) prometheus.Collector {
	collector := new(CertificateCollector)
	collector.certificatesLister = certificatesLister
	collector.certificateReadyStatusMetric = certReadyStatusMetric
	collector.certificateNotAfterTimeSecondMetric = certNotAfterTimeSecondMetric
	collector.certificateNotBeforeTimeSecondMetric = certNotBeforeTimeSecondMetric
	collector.certificateExpirationTimestampSeconds = certExpirationTimestampSeconds
	collector.certificateRenewalTimestampSeconds = certRenewalTimestampSeconds
	return collector
}
// Describe sends the descriptor of every metric Collect can emit.
func (cc *CertificateCollector) Describe(ch chan<- *prometheus.Desc) {
	descs := []*prometheus.Desc{
		cc.certificateReadyStatusMetric,
		cc.certificateNotAfterTimeSecondMetric,
		cc.certificateNotBeforeTimeSecondMetric,
		cc.certificateExpirationTimestampSeconds,
		cc.certificateRenewalTimestampSeconds,
	}
	for _, desc := range descs {
		ch <- desc
	}
}
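// Collect emits the Ready-condition gauges and the four timestamp gauges for
// every Certificate the lister returns.
//
// A lister failure is handed to the registry as an invalid metric, which
// Gather reports as an error, instead of being dropped silently: an empty
// scrape would otherwise be indistinguishable from "no Certificates exist",
// which matters for anyone alerting on expiry from these series.
func (cc *CertificateCollector) Collect(ch chan<- prometheus.Metric) {
	certsList, err := cc.certificatesLister.List(labels.Everything())
	if err != nil {
		ch <- prometheus.NewInvalidMetric(cc.certificateReadyStatusMetric, err)
		return
	}
	for _, cert := range certsList {
		cc.updateCertificateReadyStatus(cert, ch)
		cc.updateCertificateNotAfter(cert, ch)
		cc.updateCertificateNotBefore(cert, ch)
		cc.updateCertificateExpiry(cert, ch)
		cc.updateCertificateRenewalTime(cert, ch)
	}
}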
// updateCertificateReadyStatus emits one gauge per possible condition status
// (True/False/Unknown) for cert, with 1 on the status its Ready condition
// currently has. A Certificate without a Ready condition is reported as Unknown.
func (cc *CertificateCollector) updateCertificateReadyStatus(cert *cmapi.Certificate, ch chan<- prometheus.Metric) {
	// Unknown until a Ready condition is found; the first one wins.
	readyStatus := cmmeta.ConditionUnknown
	for _, cond := range cert.Status.Conditions {
		if cond.Type == cmapi.CertificateConditionReady {
			readyStatus = cond.Status
			break
		}
	}
	issuer := cert.Spec.IssuerRef
	for _, candidate := range certReadyConditionStatuses {
		var value float64
		if candidate == readyStatus {
			value = 1
		}
		ch <- prometheus.MustNewConstMetric(
			cc.certificateReadyStatusMetric, prometheus.GaugeValue, value,
			cert.Name, cert.Namespace, string(candidate),
			issuer.Name, issuer.Kind, issuer.Group,
		)
	}
}
// updateCertificateNotAfter emits status.notAfter as Unix seconds, or 0 when
// the Certificate has no notAfter yet (never issued).
func (cc *CertificateCollector) updateCertificateNotAfter(cert *cmapi.Certificate, ch chan<- prometheus.Metric) {
	var notAfter float64
	if t := cert.Status.NotAfter; t != nil {
		notAfter = float64(t.Unix())
	}
	issuer := cert.Spec.IssuerRef
	ch <- prometheus.MustNewConstMetric(
		cc.certificateNotAfterTimeSecondMetric, prometheus.GaugeValue, notAfter,
		cert.Name, cert.Namespace, issuer.Name, issuer.Kind, issuer.Group,
	)
}
// updateCertificateNotBefore emits status.notBefore as Unix seconds, or 0 when
// the Certificate has no notBefore yet (never issued).
func (cc *CertificateCollector) updateCertificateNotBefore(cert *cmapi.Certificate, ch chan<- prometheus.Metric) {
	var notBefore float64
	if t := cert.Status.NotBefore; t != nil {
		notBefore = float64(t.Unix())
	}
	issuer := cert.Spec.IssuerRef
	ch <- prometheus.MustNewConstMetric(
		cc.certificateNotBeforeTimeSecondMetric, prometheus.GaugeValue, notBefore,
		cert.Name, cert.Namespace, issuer.Name, issuer.Kind, issuer.Group,
	)
}
// updateCertificateExpiry emits status.notAfter as Unix seconds under the
// expiration_timestamp_seconds name (the same value as the not_after series,
// kept as a separate metric), or 0 when the Certificate has no notAfter yet.
func (cc *CertificateCollector) updateCertificateExpiry(cert *cmapi.Certificate, ch chan<- prometheus.Metric) {
	var expiry float64
	if t := cert.Status.NotAfter; t != nil {
		expiry = float64(t.Unix())
	}
	issuer := cert.Spec.IssuerRef
	ch <- prometheus.MustNewConstMetric(
		cc.certificateExpirationTimestampSeconds, prometheus.GaugeValue, expiry,
		cert.Name, cert.Namespace, issuer.Name, issuer.Kind, issuer.Group,
	)
}
// updateCertificateRenewalTime emits status.renewalTime as Unix seconds, or 0
// when no renewal time has been computed for the Certificate yet.
func (cc *CertificateCollector) updateCertificateRenewalTime(cert *cmapi.Certificate, ch chan<- prometheus.Metric) {
	var renewal float64
	if t := cert.Status.RenewalTime; t != nil {
		renewal = float64(t.Unix())
	}
	issuer := cert.Spec.IssuerRef
	ch <- prometheus.MustNewConstMetric(
		cc.certificateRenewalTimestampSeconds, prometheus.GaugeValue, renewal,
		cert.Name, cert.Namespace, issuer.Name, issuer.Kind, issuer.Group,
	)
}
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificaterequests
import (
"context"
"encoding/json"
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
apitypes "k8s.io/apimachinery/pkg/types"
"k8s.io/utils/ptr"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
)
// Apply makes a server-side Apply call with the given client against the
// CertificateRequest resource endpoint and returns the object as stored. All
// status data in the given CertificateRequest is dropped before sending.
// fieldManager is used as the FieldManager of the call, and Force is always
// true, so fields owned by other managers are taken over rather than
// conflicting; callers should therefore use a manager name unique to them.
func Apply(ctx context.Context, cl cmclient.Interface, fieldManager string, req *cmapi.CertificateRequest) (*cmapi.CertificateRequest, error) {
	payload, err := serializeApply(req)
	if err != nil {
		return nil, err
	}
	opts := metav1.PatchOptions{Force: ptr.To(true), FieldManager: fieldManager}
	requests := cl.CertmanagerV1().CertificateRequests(req.Namespace)
	return requests.Patch(ctx, req.Name, apitypes.ApplyPatchType, payload, opts)
}
// ApplyStatus makes a server-side Apply call with the given client against the
// CertificateRequest status sub-resource. Everything in the given object
// except the name, namespace and status is dropped before sending.
// fieldManager is used as the FieldManager of the call, and Force is always
// true. The stored object is discarded; only the error is returned.
func ApplyStatus(ctx context.Context, cl cmclient.Interface, fieldManager string, req *cmapi.CertificateRequest) error {
	payload, err := serializeApplyStatus(req)
	if err != nil {
		return err
	}
	opts := metav1.PatchOptions{Force: ptr.To(true), FieldManager: fieldManager}
	requests := cl.CertmanagerV1().CertificateRequests(req.Namespace)
	if _, err := requests.Patch(ctx, req.Name, apitypes.ApplyPatchType, payload, opts, "status"); err != nil {
		return err
	}
	return nil
}
// serializeApply converts the given CertificateRequest object to JSON suitable
// for an Apply patch: a deep copy of metadata and spec, an empty status, and
// TypeMeta populated with Kind "CertificateRequest" and API Version
// "cert-manager.io/v1". metadata.managedFields is cleared because it is
// server-side bookkeeping and must not be part of the applied object.
// Manually marshalling the object into JSON is required when using the Patch
// API call for the cert-manager client. The input is not modified.
func serializeApply(req *cmapi.CertificateRequest) ([]byte, error) {
	applyObj := cmapi.CertificateRequest{
		TypeMeta: metav1.TypeMeta{
			Kind:       cmapi.CertificateRequestKind,
			APIVersion: cmapi.SchemeGroupVersion.Identifier(),
		},
		ObjectMeta: *req.ObjectMeta.DeepCopy(),
		Spec:       *req.Spec.DeepCopy(),
	}
	applyObj.ManagedFields = nil
	encoded, err := json.Marshal(&applyObj)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal certificaterequest object: %w", err)
	}
	return encoded, nil
}
// serializeApplyStatus converts the given CertificateRequest object to JSON
// suitable for an Apply patch of the status sub-resource. Only the name,
// namespace and a deep copy of the status are carried over; spec and every
// other field stay at their zero value. TypeMeta is populated with Kind
// "CertificateRequest" and API Version "cert-manager.io/v1".
// Manually marshalling the object into JSON is required when using the Patch
// API call for the cert-manager client. The input is not modified.
func serializeApplyStatus(req *cmapi.CertificateRequest) ([]byte, error) {
	statusObj := cmapi.CertificateRequest{
		TypeMeta: metav1.TypeMeta{
			Kind:       cmapi.CertificateRequestKind,
			APIVersion: cmapi.SchemeGroupVersion.Identifier(),
		},
		ObjectMeta: metav1.ObjectMeta{Namespace: req.Namespace, Name: req.Name},
		Status:     *req.Status.DeepCopy(),
	}
	encoded, err := json.Marshal(&statusObj)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal certificaterequest object: %w", err)
	}
	return encoded, nil
}
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"context"
"encoding/json"
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
apitypes "k8s.io/apimachinery/pkg/types"
"k8s.io/utils/ptr"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
)
// Apply makes a server-side Apply call with the given client against the
// certificates resource endpoint. All data in the given Certificate's status
// field is dropped before sending.
// fieldManager is used as the FieldManager of the call, and Force is always
// true, so fields owned by other managers are taken over rather than
// conflicting; callers should therefore use a manager name unique to them.
// The stored object is discarded; only the error is returned.
func Apply(ctx context.Context, cl cmclient.Interface, fieldManager string, crt *cmapi.Certificate) error {
	payload, err := serializeApply(crt)
	if err != nil {
		return err
	}
	opts := metav1.PatchOptions{Force: ptr.To(true), FieldManager: fieldManager}
	certificates := cl.CertmanagerV1().Certificates(crt.Namespace)
	if _, err := certificates.Patch(ctx, crt.Name, apitypes.ApplyPatchType, payload, opts); err != nil {
		return err
	}
	return nil
}
// ApplyStatus makes a server-side Apply call with the given client against the
// certificates status sub-resource. Everything in the given Certificate except
// the name, namespace and status is dropped before sending.
// fieldManager is used as the FieldManager of the call, and Force is always
// true. The stored object is discarded; only the error is returned.
func ApplyStatus(ctx context.Context, cl cmclient.Interface, fieldManager string, crt *cmapi.Certificate) error {
	payload, err := serializeApplyStatus(crt)
	if err != nil {
		return err
	}
	opts := metav1.PatchOptions{Force: ptr.To(true), FieldManager: fieldManager}
	certificates := cl.CertmanagerV1().Certificates(crt.Namespace)
	if _, err := certificates.Patch(ctx, crt.Name, apitypes.ApplyPatchType, payload, opts, "status"); err != nil {
		return err
	}
	return nil
}
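// serializeApply converts the given Certificate object to JSON suitable for an
// Apply patch: a deep copy of metadata and spec, an empty status, and TypeMeta
// populated with Kind "Certificate" and API Version "cert-manager.io/v1".
//
// metadata.managedFields is cleared, as the CertificateRequest counterpart
// already does: managedFields is the API server's own bookkeeping and an
// Apply payload that carries it is rejected, so a Certificate read back from
// the API server (which always has managedFields populated) would otherwise
// fail to apply. The input is not modified.
func serializeApply(crt *cmapi.Certificate) ([]byte, error) {
	applyObj := &cmapi.Certificate{
		TypeMeta:   metav1.TypeMeta{Kind: cmapi.CertificateKind, APIVersion: cmapi.SchemeGroupVersion.Identifier()},
		ObjectMeta: *crt.ObjectMeta.DeepCopy(),
		Spec:       *crt.Spec.DeepCopy(),
		Status:     cmapi.CertificateStatus{},
	}
	applyObj.ObjectMeta.ManagedFields = nil
	crtData, err := json.Marshal(applyObj)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal certificate object: %w", err)
	}
	return crtData, nil
}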
// serializeApplyStatus converts the given Certificate object to JSON suitable
// for an Apply patch of the status sub-resource. Only the name, namespace and
// status are carried over; every other field stays at its zero value. TypeMeta
// is populated with Kind "Certificate" and API Version "cert-manager.io/v1".
// The status is copied by value (its slices are shared with the input, which
// is fine because marshalling only reads them). The input is not modified.
func serializeApplyStatus(crt *cmapi.Certificate) ([]byte, error) {
	statusObj := cmapi.Certificate{
		TypeMeta: metav1.TypeMeta{
			Kind:       cmapi.CertificateKind,
			APIVersion: cmapi.SchemeGroupVersion.Identifier(),
		},
		ObjectMeta: metav1.ObjectMeta{Namespace: crt.Namespace, Name: crt.Name},
		Status:     crt.Status,
	}
	encoded, err := json.Marshal(&statusObj)
	if err != nil {
		return nil, fmt.Errorf("failed to marshal certificate object: %w", err)
	}
	return encoded, nil
}
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"context"
"slices"
"strings"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
)
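// CertificateOwnsSecret determines whether a Certificate owns its Secret in order to prevent a CertificateRequest
// creation runaway. We use an annotation on the Secret to determine whether it is owned by a
// Certificate. We do not use the ownerReferences field on the Secret because the owner reference
// will not be set if the `--enable-certificate-owner-ref` flag is not set.
//
// We determine if the passed Certificate owns its Secret as follows:
//  1. If the target Secret exists and it is annotated with the name of this
//     Certificate, then this Certificate is the owner.
//  2. If the target Secret exists and it is annotated with the name of another
//     Certificate that has the Secret as its secretRef, then that Certificate
//     is the owner instead.
//  3. If the target Secret exists and it is not annotated with the name of any
//     Certificate, or it is annotated with the name of a Certificate that does
//     not exist, or does not have the Secret as its secretRef, then the oldest
//     Certificate which references it will be assumed to be the future owner.
//
// It returns whether crt is the owner, the names of the other Certificates in
// the namespace that reference the same secretName (nil when there are none),
// and any lister error other than the Secret being absent. ctx is accepted for
// interface symmetry and is not used by the lister calls.
func CertificateOwnsSecret(
	ctx context.Context,
	certificateLister cmlisters.CertificateLister,
	secretLister internalinformers.SecretLister,
	crt *cmapi.Certificate,
) (bool, []string, error) {
	crts, err := certificateLister.Certificates(crt.Namespace).List(labels.Everything())
	if err != nil {
		return false, nil, err
	}

	// Every Certificate in the namespace whose secretName matches ours.
	var duplicateCrts []*cmapi.Certificate
	seenSelf := false
	for _, namespaceCrt := range crts {
		if namespaceCrt.Spec.SecretName != crt.Spec.SecretName {
			continue
		}
		if namespaceCrt.Name == crt.Name {
			seenSelf = true
		}
		duplicateCrts = append(duplicateCrts, namespaceCrt)
	}
	// The passed crt may not be in the lister's cache yet (for example right
	// after creation). Count it as a referencer anyway: with an empty list the
	// duplicateNames[0] access below would panic, and with a non-empty one crt
	// could never be recognised as the owner of its own Secret.
	if !seenSelf {
		duplicateCrts = append(duplicateCrts, crt)
	}

	// Fast path: crt is the only Certificate referencing the Secret.
	if len(duplicateCrts) == 1 {
		return true, nil, nil
	}

	// Oldest first; ties are broken by name so the order is deterministic.
	slices.SortFunc(duplicateCrts, func(a, b *cmapi.Certificate) int {
		switch {
		case a.CreationTimestamp.Equal(&b.CreationTimestamp):
			return strings.Compare(a.Name, b.Name)
		case a.CreationTimestamp.Before(&b.CreationTimestamp):
			return -1
		default:
			return 1
		}
	})

	duplicateNames := make([]string, len(duplicateCrts))
	for i, duplicateCrt := range duplicateCrts {
		duplicateNames[i] = duplicateCrt.Name
	}

	// Without a Secret, or without a usable annotation on it, the oldest
	// referencer is the owner.
	ownerCertificate := duplicateNames[0]

	secret, err := secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	if err != nil && !apierrors.IsNotFound(err) {
		return false, nil, err
	}
	if err == nil {
		// The annotation is honoured only when it names one of the Certificates
		// that actually reference this Secret, so an arbitrary or stale value
		// on the Secret cannot hand ownership to a Certificate outside that set.
		if annotation, hasAnnotation := secret.GetAnnotations()[cmapi.CertificateNameKey]; hasAnnotation && slices.Contains(duplicateNames, annotation) {
			ownerCertificate = annotation
		}
	}

	isOwner := crt.Name == ownerCertificate
	otherCertificatesWithSameSecretName := slices.DeleteFunc(duplicateNames, func(s string) bool {
		return s == crt.Name
	})
	return isOwner, otherCertificatesWithSameSecretName, nil
}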
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policies
import (
"bytes"
"cmp"
"crypto/x509"
"fmt"
"slices"
"strings"
"time"
corev1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/utils/clock"
"k8s.io/utils/ptr"
"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
"sigs.k8s.io/structured-merge-diff/v6/value"
cmmeta "github.com/cert-manager/cert-manager/internal/apis/meta"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
// SecretDoesNotExist is the first policy check: it requests issuance when the
// input carries no Secret at all. Later checks dereference input.Secret and so
// rely on this one having run before them.
func SecretDoesNotExist(input Input) (string, string, bool) {
	if input.Secret != nil {
		return "", "", false
	}
	return DoesNotExist, "Issuing certificate as Secret does not exist", true
}
// SecretIsMissingData requests issuance when the Secret has no data map, or
// when either the tls.key or the tls.crt entry is absent or empty. It assumes
// input.Secret is non-nil.
func SecretIsMissingData(input Input) (string, string, bool) {
	data := input.Secret.Data
	switch {
	case data == nil:
		return MissingData, "Issuing certificate as Secret does not contain any data", true
	case len(data[corev1.TLSPrivateKeyKey]) == 0:
		return MissingData, "Issuing certificate as Secret does not contain a private key", true
	case len(data[corev1.TLSCertKey]) == 0:
		return MissingData, "Issuing certificate as Secret does not contain a certificate", true
	}
	return "", "", false
}
// SecretPublicKeysDiffer reports a violation when the private key and the
// certificate stored in the Secret cannot be decoded, or when the
// certificate's public key does not belong to the stored private key. A
// mismatched pair cannot serve TLS, so it always triggers re-issuance.
func SecretPublicKeysDiffer(input Input) (string, string, bool) {
	data := input.Secret.Data
	privateKey, err := pki.DecodePrivateKeyBytes(data[corev1.TLSPrivateKeyKey])
	if err != nil {
		return InvalidKeyPair, fmt.Sprintf("Issuing certificate as Secret contains invalid private key data: %v", err), true
	}
	cert, err := pki.DecodeX509CertificateBytes(data[corev1.TLSCertKey])
	if err != nil {
		return InvalidCertificate, fmt.Sprintf("Issuing certificate as Secret contains an invalid certificate: %v", err), true
	}
	switch matches, err := pki.PublicKeysEqual(cert.PublicKey, privateKey.Public()); {
	case err != nil:
		return InvalidKeyPair, fmt.Sprintf("Secret contains an invalid key-pair: %v", err), true
	case !matches:
		return InvalidKeyPair, "Issuing certificate as Secret contains a private key that does not match the certificate", true
	}
	return "", "", false
}
// SecretPrivateKeyMismatchesSpec reports a violation when the private key in
// the Secret cannot be decoded, or when pki.PrivateKeyMatchesSpec finds that
// it does not satisfy the key parameters requested by the Certificate spec.
func SecretPrivateKeyMismatchesSpec(input Input) (string, string, bool) {
	privateKey, err := pki.DecodePrivateKeyBytes(input.Secret.Data[corev1.TLSPrivateKeyKey])
	if err != nil {
		return InvalidKeyPair, fmt.Sprintf("Issuing certificate as Secret contains invalid private key data: %v", err), true
	}
	if violations := pki.PrivateKeyMatchesSpec(privateKey, input.Certificate.Spec); len(violations) > 0 {
		return SecretMismatch, fmt.Sprintf("Existing private key is not up to date for spec: %v", violations), true
	}
	return "", "", false
}
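// SecretKeystoreFormatMismatch - When the keystore is not defined, the keystore
// related fields are removed from the secret.
// When one or more key stores are defined, the
// corresponding secrets are generated.
// If the private key rotation is set to "Never", the key store related values are re-encoded
// as per the certificate specification
//
// Concretely, the JKS and PKCS12 entries of the Secret are compared against
// spec.keystores: the keystore and truststore entries must be absent when the
// format is not defined or has create=false, and the keystore entry must be
// present when create=true (the truststore entry is only required when the
// issuer supplied a CA under cmmeta.TLSCAKey). Both formats share the
// keystoreDataMismatch helper so the two branches cannot drift apart.
func SecretKeystoreFormatMismatch(input Input) (string, string, bool) {
	data := input.Secret.Data
	_, issuerProvidesCA := data[cmmeta.TLSCAKey]
	keystores := input.Certificate.Spec.Keystores
	if keystores == nil {
		// No keystores requested at all: any keystore/truststore entry is stale.
		if len(data[cmapi.PKCS12SecretKey]) != 0 ||
			len(data[cmapi.PKCS12TruststoreKey]) != 0 ||
			len(data[cmapi.JKSSecretKey]) != 0 ||
			len(data[cmapi.JKSTruststoreKey]) != 0 {
			return SecretMismatch, "Keystore is not defined", true
		}
		return "", "", false
	}
	jks := keystores.JKS
	if msg, mismatch := keystoreDataMismatch(data, "JKS", cmapi.JKSSecretKey, cmapi.JKSTruststoreKey,
		jks != nil, jks != nil && jks.Create, issuerProvidesCA); mismatch {
		return SecretMismatch, msg, true
	}
	pkcs12 := keystores.PKCS12
	if msg, mismatch := keystoreDataMismatch(data, "PKCS12", cmapi.PKCS12SecretKey, cmapi.PKCS12TruststoreKey,
		pkcs12 != nil, pkcs12 != nil && pkcs12.Create, issuerProvidesCA); mismatch {
		return SecretMismatch, msg, true
	}
	return "", "", false
}

// keystoreDataMismatch checks the entries of one keystore format (JKS or
// PKCS12) in the Secret data against what the Certificate spec requests.
//
// data is the Secret's data map; formatName is the prefix of the violation
// message; keystoreKey and truststoreKey are the Secret data keys of the
// format; defined reports whether spec.keystores.<format> is set, create the
// value of its Create flag, and issuerProvidesCA whether the Secret carries a
// CA entry. Returns the violation message and true on mismatch.
func keystoreDataMismatch(data map[string][]byte, formatName, keystoreKey, truststoreKey string, defined, create, issuerProvidesCA bool) (string, bool) {
	hasKeystore := len(data[keystoreKey]) != 0
	hasTruststore := len(data[truststoreKey]) != 0
	switch {
	case !defined:
		if hasKeystore || hasTruststore {
			return formatName + " Keystore not defined", true
		}
	case !create:
		if hasKeystore || hasTruststore {
			return formatName + " Keystore create disabled", true
		}
	default:
		// create=true: the keystore must exist; the truststore is only
		// expected when the issuer provided a CA to put into it.
		if !hasKeystore || (!hasTruststore && issuerProvidesCA) {
			return formatName + " Keystore key does not contain data", true
		}
	}
	return "", false
}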
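// SecretIssuerAnnotationsMismatch - When the issuer annotations are defined,
// it must match the issuer ref.
//
// The comparison only runs when at least one of the issuer name, kind or
// group annotations is present on the Secret. A missing kind or group
// annotation is compared using the cert-manager defaults (see
// issuerKindsEqual and issuerGroupsEqual). Previously the presence guard
// was combined with the three comparisons as `guard && a || b || c`, so the
// kind and group comparisons ran even on a Secret carrying no issuer
// annotation at all; the early return below makes the guard cover all three.
func SecretIssuerAnnotationsMismatch(input Input) (string, string, bool) {
	annotations := input.Secret.Annotations
	name, hasName := annotations[cmapi.IssuerNameAnnotationKey]
	kind, hasKind := annotations[cmapi.IssuerKindAnnotationKey]
	group, hasGroup := annotations[cmapi.IssuerGroupAnnotationKey]
	if !hasName && !hasKind && !hasGroup {
		// No issuer annotation present: nothing to compare against.
		return "", "", false
	}
	ref := input.Certificate.Spec.IssuerRef
	if name != ref.Name ||
		!issuerKindsEqual(kind, ref.Kind) ||
		!issuerGroupsEqual(group, ref.Group) {
		return IncorrectIssuer, fmt.Sprintf("Issuing certificate as Secret was previously issued by %q", formatIssuerRef(name, kind, group)), true
	}
	return "", "", false
}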
// SecretCertificateNameAnnotationsMismatch - When the CertificateName annotation is defined,
// it must match the name of the Certificate.
//
// As the violation message says, a persistent mismatch usually means two
// Certificates share the same secretName and keep overwriting each other's
// Secret.
func SecretCertificateNameAnnotationsMismatch(input Input) (string, string, bool) {
	owner, present := input.Secret.Annotations[cmapi.CertificateNameKey]
	if !present || owner == input.Certificate.Name {
		return "", "", false
	}
	return IncorrectCertificate, fmt.Sprintf("Secret was issued for %q. If this message is not transient, you might have two conflicting Certificates pointing to the same secret.", owner), true
}
// SecretPublicKeyDiffersFromCurrentCertificateRequest checks that the current CertificateRequest
// contains a CSR that is signed by the key stored in the Secret. A failure is often caused by the
// Secret being changed outside of the control of cert-manager, causing the current CertificateRequest
// to no longer match what is stored in the Secret.
//
// When there is no current CertificateRequest the check is skipped; see
// CurrentCertificateRequestMismatchesSpec for the fallback used in that case.
func SecretPublicKeyDiffersFromCurrentCertificateRequest(input Input) (string, string, bool) {
	current := input.CurrentRevisionRequest
	if current == nil {
		return "", "", false
	}
	privateKey, err := pki.DecodePrivateKeyBytes(input.Secret.Data[corev1.TLSPrivateKeyKey])
	if err != nil {
		return InvalidKeyPair, fmt.Sprintf("Issuing certificate as Secret contains invalid private key data: %v", err), true
	}
	csr, err := pki.DecodeX509CertificateRequestBytes(current.Spec.Request)
	if err != nil {
		return InvalidCertificateRequest, fmt.Sprintf("Failed to decode current CertificateRequest: %v", err), true
	}
	switch matches, err := pki.PublicKeysEqual(csr.PublicKey, privateKey.Public()); {
	case err != nil:
		return InvalidCertificateRequest, fmt.Sprintf("CertificateRequest's public key is invalid: %v", err), true
	case !matches:
		return SecretMismatch, "Secret contains a private key that does not match the current CertificateRequest", true
	}
	return "", "", false
}
// CurrentCertificateRequestMismatchesSpec reports a violation when the
// CertificateRequest that produced the current revision no longer matches the
// Certificate spec. Without a current CertificateRequest it falls back to
// currentSecretValidForSpec, which compares the issued certificate instead.
//
// A CertificateRequest that cannot be parsed is deliberately not treated as a
// violation: the certificate already stored in the Secret may still be valid
// and up to date, so re-issuance is not triggered on a parse error alone.
func CurrentCertificateRequestMismatchesSpec(input Input) (string, string, bool) {
	current := input.CurrentRevisionRequest
	if current == nil {
		// The CR that issued the current Secret is gone (most likely deleted),
		// so the weaker comparison against the issued certificate is all that
		// is left. That comparison has to tolerate fields the signer/issuer
		// implementation is allowed to override or ignore.
		return currentSecretValidForSpec(input)
	}
	violations, err := pki.RequestMatchesSpec(current, input.Certificate.Spec)
	switch {
	case err != nil:
		return "", "", false
	case len(violations) > 0:
		return RequestChanged, fmt.Sprintf("Fields on existing CertificateRequest resource not up to date: %v", violations), true
	default:
		return "", "", false
	}
}
// currentSecretValidForSpec is not registered in the policy chain itself; it
// is the fallback used by CurrentCertificateRequestMismatchesSpec when no
// current CertificateRequest resource exists. It compares the certificate
// stored in the Secret against the Certificate spec.
func currentSecretValidForSpec(input Input) (string, string, bool) {
	cert, err := pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
	if err != nil {
		return InvalidCertificate, fmt.Sprintf("Issuing certificate as Secret contains an invalid certificate: %v", err), true
	}
	// nolint: staticcheck // FuzzyX509AltNamesMatchSpec is used here for backwards compatibility
	if violations := pki.FuzzyX509AltNamesMatchSpec(cert, input.Certificate.Spec); len(violations) > 0 {
		return SecretMismatch, fmt.Sprintf("Issuing certificate as Existing issued Secret is not up to date for spec: %v", violations), true
	}
	return "", "", false
}
// CurrentCertificateNearingExpiry returns a policy function that can be used to
// check whether an X.509 cert currently issued for a Certificate should be
// renewed.
//
// The renewal time is derived from the issued certificate's NotBefore/NotAfter
// and the Certificate's renewBefore / renewBeforePercentage through
// pki.RenewalTime; a violation is reported once that time is no longer in the
// future relative to c.
func CurrentCertificateNearingExpiry(c clock.Clock) Func {
	return func(input Input) (string, string, bool) {
		// input.Secret and input.Secret.Data are read without nil checks here:
		// SecretDoesNotExist and SecretIsMissingData are expected to have run.
		cert, err := pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
		if err != nil {
			return InvalidCertificate, fmt.Sprintf("Issuing certificate as Secret contains an invalid certificate: %v", err), true
		}
		// Only the certificate itself decides whether renewal is due; the
		// Certificate's status is not consulted for the decision.
		crt := input.Certificate
		renewalTime := pki.RenewalTime(cert.NotBefore, cert.NotAfter, crt.Spec.RenewBefore, crt.Spec.RenewBeforePercentage)
		if renewalTime.Time.After(c.Now()) {
			// Renewal time is still in the future: nothing to do.
			return "", "", false
		}
		// NOTE(review): the message reports Status.RenewalTime rather than the
		// renewalTime computed above; the two may differ if status is stale.
		return Renewing, fmt.Sprintf("Renewing certificate as renewal was scheduled at %s", crt.Status.RenewalTime), true
	}
}
// CurrentCertificateHasExpired is used exclusively to check if the current
// issued certificate has actually expired rather than just nearing expiry.
// The issued certificate's NotAfter is compared against the supplied clock.
func CurrentCertificateHasExpired(c clock.Clock) Func {
	return func(input Input) (string, string, bool) {
		cert, err := pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
		if err != nil {
			return InvalidCertificate, fmt.Sprintf("Issuing certificate as Secret contains an invalid certificate: %v", err), true
		}
		if !c.Now().After(cert.NotAfter) {
			return "", "", false
		}
		return Expired, fmt.Sprintf("Certificate expired on %s", cert.NotAfter.Format(time.RFC1123)), true
	}
}
// formatIssuerRef renders an issuer reference as "<kind>.<group>/<name>" for
// use in violation messages. An empty kind is shown as "Issuer" and an empty
// group as "cert-manager.io", the cert-manager defaults.
func formatIssuerRef(name, kind, group string) string {
	orDefault := func(v, def string) string {
		if v != "" {
			return v
		}
		return def
	}
	return fmt.Sprintf("%s.%s/%s", orDefault(kind, "Issuer"), orDefault(group, "cert-manager.io"), name)
}
// Defaults substituted for an empty issuer kind or group, both when reading
// the issuer annotations off a Secret and when reading a Certificate's
// issuerRef.
const (
	defaultIssuerKind  = "Issuer"
	defaultIssuerGroup = "cert-manager.io"
)

// withDefault returns v, or def when v is empty.
func withDefault(v, def string) string {
	if v != "" {
		return v
	}
	return def
}

// issuerKindsEqual reports whether two issuer kinds refer to the same kind,
// with an empty kind standing for defaultIssuerKind.
func issuerKindsEqual(l, r string) bool {
	return withDefault(l, defaultIssuerKind) == withDefault(r, defaultIssuerKind)
}

// issuerGroupsEqual reports whether two issuer groups refer to the same group,
// with an empty group standing for defaultIssuerGroup.
func issuerGroupsEqual(l, r string) bool {
	return withDefault(l, defaultIssuerGroup) == withDefault(r, defaultIssuerGroup)
}
// SecretSecretTemplateMismatch will inspect the given Secret's Annotations
// and Labels, and compare these maps against those that appear on the given
// Certificate's SecretTemplate.
// NOTE: This function only compares the values of annotations and labels that
// exist both in the Certificate's SecretTemplate and the Secret. Missing and
// extra annotations or labels are detected by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch
// and SecretSecretTemplateManagedFieldsMismatch functions instead.
func SecretSecretTemplateMismatch(input Input) (string, string, bool) {
	template := input.Certificate.Spec.SecretTemplate
	if template == nil {
		return "", "", false
	}
	// Annotations are compared before labels, and the first mismatch wins.
	comparisons := []struct {
		want, have map[string]string
		message    string
	}{
		{template.Annotations, input.Secret.Annotations, "Certificate's SecretTemplate Annotations missing or incorrect value on Secret"},
		{template.Labels, input.Secret.Labels, "Certificate's SecretTemplate Labels missing or incorrect value on Secret"},
	}
	for _, c := range comparisons {
		if ok, _ := mapsHaveMatchingValues(c.want, c.have); !ok {
			return SecretTemplateMismatch, c.message, true
		}
	}
	return "", "", false
}
// certificateDataAnnotationsForSecret returns the annotations cert-manager
// derives from the X.509 certificate stored under corev1.TLSCertKey in secret.
// When the Secret holds no certificate, AnnotationsForCertificate is invoked
// with a nil certificate. A certificate that cannot be decoded is returned as
// an error rather than silently treated as absent.
func certificateDataAnnotationsForSecret(secret *corev1.Secret) (map[string]string, error) {
	var cert *x509.Certificate
	if raw := secret.Data[corev1.TLSCertKey]; len(raw) > 0 {
		decoded, err := pki.DecodeX509CertificateBytes(raw)
		if err != nil {
			return nil, err
		}
		cert = decoded
	}
	annotations, err := internalcertificates.AnnotationsForCertificate(cert)
	if err != nil {
		return nil, err
	}
	return annotations, nil
}
// secretLabelsAndAnnotationsManagedFields returns the label and annotation
// keys of secret that are owned by fieldManager according to the Secret's
// managedFields entries (the metadata.labels and metadata.annotations
// children). Entries for other managers, or without a FieldsV1 payload, are
// skipped. Returns an error when a FieldsV1 payload cannot be decoded.
func secretLabelsAndAnnotationsManagedFields(secret *corev1.Secret, fieldManager string) (labels, annotations sets.Set[string], err error) {
	labels, annotations = sets.New[string](), sets.New[string]()
	// collect copies the keys below one metadata child (labels or annotations)
	// into dst, dropping the leading '.' that managed field paths carry.
	collect := func(metadata *fieldpath.Set, child string, dst sets.Set[string]) {
		node := metadata.Children.Descend(fieldpath.PathElement{FieldName: ptr.To(child)})
		node.Iterate(func(p fieldpath.Path) {
			dst.Insert(strings.TrimPrefix(p.String(), "."))
		})
	}
	for _, entry := range secret.ManagedFields {
		// Only fields owned by the cert-manager controller are of interest.
		if entry.Manager != fieldManager || entry.FieldsV1 == nil {
			continue
		}
		var owned fieldpath.Set
		if err := owned.FromJSON(bytes.NewReader(entry.FieldsV1.Raw)); err != nil {
			return nil, nil, err
		}
		metadata := owned.Children.Descend(fieldpath.PathElement{FieldName: ptr.To("metadata")})
		collect(metadata, "labels", labels)
		collect(metadata, "annotations", annotations)
	}
	return labels, annotations, nil
}
// SecretManagedLabelsAndAnnotationsManagedFieldsMismatch returns a policy
// function that inspects the Secret's managed fields for the labels and
// annotations owned by fieldManager and compares the cert-manager keys among
// them (prefixes "cert-manager.io/" and "controller.cert-manager.io/") with
// the set cert-manager is expected to own: the partOf label plus the
// certificate-detail annotations derived from the stored certificate. Keys
// coming from the Certificate's SecretTemplate are checked separately by
// SecretSecretTemplateManagedFieldsMismatch.
//
// Returns true (violation) when the two sets differ, naming the missing keys
// if there are any and otherwise the extra ones, and also when the managed
// fields or the stored certificate cannot be decoded.
func SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager string) Func {
	isCertManagerKey := func(key string) bool {
		return strings.HasPrefix(key, "cert-manager.io/") ||
			strings.HasPrefix(key, "controller.cert-manager.io/")
	}
	// describe produces the violation message for one kind of metadata, or
	// ok=false when managed and expected are equal.
	describe := func(kind string, managed, expected sets.Set[string]) (string, bool) {
		if managed.Equal(expected) {
			return "", false
		}
		if missing := expected.Difference(managed); len(missing) > 0 {
			return fmt.Sprintf("Secret is missing these Managed %s: %v", kind, sets.List(missing)), true
		}
		return fmt.Sprintf("Secret has these extra %s: %v", kind, sets.List(managed.Difference(expected))), true
	}
	return func(input Input) (string, string, bool) {
		managedLabels, managedAnnotations, err := secretLabelsAndAnnotationsManagedFields(input.Secret, fieldManager)
		if err != nil {
			return ManagedFieldsParseError, fmt.Sprintf("failed to decode managed fields on Secret: %s", err), true
		}
		// Keep only cert-manager's own keys so the comparison is 1 to 1.
		for key := range managedAnnotations {
			if !isCertManagerKey(key) {
				managedAnnotations.Delete(key)
			}
		}
		for key := range managedLabels {
			if !isCertManagerKey(key) {
				managedLabels.Delete(key)
			}
		}
		// These annotations cannot be set by the post-issuance controller, so
		// they are not part of the managed set; their values are checked elsewhere.
		managedAnnotations.Delete(
			cmapi.CertificateNameKey,       // SecretCertificateNameAnnotationsMismatch checks the value
			cmapi.IssuerNameAnnotationKey,  // SecretIssuerAnnotationsMismatch checks the value
			cmapi.IssuerKindAnnotationKey,  // SecretIssuerAnnotationsMismatch checks the value
			cmapi.IssuerGroupAnnotationKey, // SecretIssuerAnnotationsMismatch checks the value
		)
		certAnnotations, err := certificateDataAnnotationsForSecret(input.Secret)
		if err != nil {
			return InvalidCertificate, fmt.Sprintf("Failed getting secret annotations: %v", err), true
		}
		expectedLabels := sets.New[string](
			cmapi.PartOfCertManagerControllerLabelKey, // SecretBaseLabelsMismatch checks the value
		)
		expectedAnnotations := sets.New[string]()
		for key := range certAnnotations { // SecretCertificateDetailsAnnotationsMismatch checks the value
			expectedAnnotations.Insert(key)
		}
		if msg, mismatch := describe("Labels", managedLabels, expectedLabels); mismatch {
			return SecretManagedMetadataMismatch, msg, true
		}
		if msg, mismatch := describe("Annotations", managedAnnotations, expectedAnnotations); mismatch {
			return SecretManagedMetadataMismatch, msg, true
		}
		return "", "", false
	}
}
// SecretSecretTemplateManagedFieldsMismatch returns a policy function that
// inspects the Secret's managed fields for the labels and annotations owned
// by fieldManager, drops the cert-manager keys (prefixes "cert-manager.io/"
// and "controller.cert-manager.io/", which are covered by
// SecretManagedLabelsAndAnnotationsManagedFieldsMismatch) and compares what
// is left with the keys of the Certificate's SecretTemplate. A nil
// SecretTemplate expects no keys at all.
//
// Returns true (violation) when the two sets differ, naming the missing keys
// if there are any and otherwise the extra ones, and also when the managed
// fields cannot be decoded.
func SecretSecretTemplateManagedFieldsMismatch(fieldManager string) Func {
	isCertManagerKey := func(key string) bool {
		return strings.HasPrefix(key, "cert-manager.io/") ||
			strings.HasPrefix(key, "controller.cert-manager.io/")
	}
	// describe produces the violation message for one kind of metadata, or
	// ok=false when managed and expected are equal.
	describe := func(kind string, managed, expected sets.Set[string]) (string, bool) {
		if managed.Equal(expected) {
			return "", false
		}
		if missing := expected.Difference(managed); len(missing) > 0 {
			return fmt.Sprintf("Secret is missing these Template %s: %v", kind, sets.List(missing)), true
		}
		return fmt.Sprintf("Secret has these extra %s: %v", kind, sets.List(managed.Difference(expected))), true
	}
	return func(input Input) (string, string, bool) {
		managedLabels, managedAnnotations, err := secretLabelsAndAnnotationsManagedFields(input.Secret, fieldManager)
		if err != nil {
			return ManagedFieldsParseError, fmt.Sprintf("failed to decode managed fields on Secret: %s", err), true
		}
		// Drop cert-manager's own keys so only SecretTemplate keys remain.
		for key := range managedAnnotations {
			if isCertManagerKey(key) {
				managedAnnotations.Delete(key)
			}
		}
		for key := range managedLabels {
			if isCertManagerKey(key) {
				managedLabels.Delete(key)
			}
		}
		expectedLabels, expectedAnnotations := sets.New[string](), sets.New[string]()
		if template := input.Certificate.Spec.SecretTemplate; template != nil {
			for key := range template.Labels {
				expectedLabels.Insert(key)
			}
			for key := range template.Annotations {
				expectedAnnotations.Insert(key)
			}
		}
		if msg, mismatch := describe("Labels", managedLabels, expectedLabels); mismatch {
			return SecretTemplateMismatch, msg, true
		}
		if msg, mismatch := describe("Annotations", managedAnnotations, expectedAnnotations); mismatch {
			return SecretTemplateMismatch, msg, true
		}
		return "", "", false
	}
}
// SecretBaseLabelsMismatch checks the value of the base labels cert-manager
// puts on every Secret it manages. Currently there is only one such label,
// cmapi.PartOfCertManagerControllerLabelKey, and its value must be "true"
// whenever it is present; an absent label is not a violation here.
//
// NOTE: The presence of the controller.cert-manager.io/fao label is checked
// by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch function.
func SecretBaseLabelsMismatch(input Input) (string, string, bool) {
	// Indexing a nil label map is safe and yields present=false.
	value, present := input.Secret.Labels[cmapi.PartOfCertManagerControllerLabelKey]
	if present && value != "true" {
		return SecretManagedMetadataMismatch, fmt.Sprintf("wrong base label %s value %q, expected \"true\"", cmapi.PartOfCertManagerControllerLabelKey, value), true
	}
	return "", "", false
}
// SecretCertificateDetailsAnnotationsMismatch returns a validation violation when
// annotations on the Secret do not match the details of the x509 certificate that
// is stored in the Secret. This function will only compare the annotations that
// already exist on the Secret and are also present in the certificate metadata.
// NOTE: Missing and extra annotations are detected by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch
// function instead.
//
// NOTE(review): the violation is reported under the SecretTemplateMismatch
// reason even though the compared annotations are the certificate details,
// and the message prints the two differing values but not the key.
func SecretCertificateDetailsAnnotationsMismatch(input Input) (string, string, bool) {
	expected, err := certificateDataAnnotationsForSecret(input.Secret)
	if err != nil {
		return InvalidCertificate, fmt.Sprintf("Failed getting secret annotations: %v", err), true
	}
	actual := input.Secret.Annotations
	match, key := mapsHaveMatchingValues(expected, actual)
	if match {
		return "", "", false
	}
	return SecretTemplateMismatch, fmt.Sprintf("Secret metadata %s does not match certificate metadata %s", actual[key], expected[key]), true
}
// SecretAdditionalOutputFormatsMismatch validates that the Secret has the
// expected Certificate AdditionalOutputFormats.
// Returns true (violation) if AdditionalOutputFormat(s) are present and any of
// the following:
// - Secret key is missing
// - Secret value is incorrect
//
// The expected value of each format is recomputed from the private key and
// certificate currently stored in the Secret, so a tampered or stale output
// entry is detected even when the key pair itself is fine. Unknown format
// types are ignored.
func SecretAdditionalOutputFormatsMismatch(input Input) (string, string, bool) {
	const message = "Certificate's AdditionalOutputFormats doesn't match Secret Data"
	data := input.Secret.Data
	privateKey, certificate := data[corev1.TLSPrivateKeyKey], data[corev1.TLSCertKey]
	for _, format := range input.Certificate.Spec.AdditionalOutputFormats {
		var key string
		// expected is evaluated lazily so nothing is built for a missing key.
		var expected func() []byte
		switch format.Type {
		case cmapi.CertificateOutputFormatCombinedPEM:
			key = cmapi.CertificateOutputFormatCombinedPEMKey
			expected = func() []byte { return internalcertificates.OutputFormatCombinedPEM(privateKey, certificate) }
		case cmapi.CertificateOutputFormatDER:
			key = cmapi.CertificateOutputFormatDERKey
			expected = func() []byte { return internalcertificates.OutputFormatDER(privateKey) }
		default:
			continue
		}
		if actual, present := data[key]; !present || !bytes.Equal(actual, expected()) {
			return AdditionalOutputFormatsMismatch, message, true
		}
	}
	return "", "", false
}
// SecretAdditionalOutputFormatsManagedFieldsMismatch validates that the field manager
// owns the correct Certificate's AdditionalOutputFormats in the Secret.
// Returns true (violation) if:
// - missing AdditionalOutputFormat key owned by the field manager
// - AdditionalOutputFormat key owned by the field manager shouldn't exist
//
// A violation with the reason `ManagedFieldsParseError` should be considered a
// non re-triable error.
//
// Ownership is read from the Secret's managedFields entries for fieldManager,
// looking for the data.<key> paths of the combined-PEM and DER outputs.
func SecretAdditionalOutputFormatsManagedFieldsMismatch(fieldManager string) Func {
	const message = "Certificate's AdditionalOutputFormats doesn't match Secret ManagedFields"
	// dataPath is the managed-fields path of one Secret data key.
	dataPath := func(key string) fieldpath.Path {
		return fieldpath.Path{
			{FieldName: ptr.To("data")},
			{FieldName: ptr.To(key)},
		}
	}
	combinedPEMPath := dataPath(cmapi.CertificateOutputFormatCombinedPEMKey)
	derPath := dataPath(cmapi.CertificateOutputFormatDERKey)
	return func(input Input) (string, string, bool) {
		// Which formats does the Certificate ask for?
		var wantCombinedPEM, wantDER bool
		for _, format := range input.Certificate.Spec.AdditionalOutputFormats {
			switch format.Type {
			case cmapi.CertificateOutputFormatCombinedPEM:
				wantCombinedPEM = true
			case cmapi.CertificateOutputFormatDER:
				wantDER = true
			}
		}
		// Which format keys does the field manager own on the Secret?
		var haveCombinedPEM, haveDER bool
		for _, entry := range input.Secret.ManagedFields {
			if entry.Manager != fieldManager || entry.FieldsV1 == nil {
				continue
			}
			var owned fieldpath.Set
			if err := owned.FromJSON(bytes.NewReader(entry.FieldsV1.Raw)); err != nil {
				return ManagedFieldsParseError, fmt.Sprintf("failed to decode managed fields on Secret: %s", err), true
			}
			haveCombinedPEM = haveCombinedPEM || owned.Has(combinedPEMPath)
			haveDER = haveDER || owned.Has(derPath)
		}
		// Every requested format must be owned, and nothing else.
		if wantCombinedPEM != haveCombinedPEM || wantDER != haveDER {
			return AdditionalOutputFormatsMismatch, message, true
		}
		return "", "", false
	}
}
// SecretOwnerReferenceManagedFieldMismatch validates that the Secret has an
// owner reference to the Certificate if enabled. Returns true (violation) if:
// * the Secret doesn't have an owner reference and is expecting one
// * has an owner reference but is not expecting one
// A violation with the reason `ManagedFieldsParseError` should be considered a
// non re-triable error.
//
// "Has an owner reference" means the field manager owns the
// metadata.ownerReferences entry keyed by the Certificate's UID in the
// Secret's managedFields; the reference's content is validated by
// SecretOwnerReferenceMismatch.
func SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled bool, fieldManager string) Func {
	return func(input Input) (string, string, bool) {
		ownerRefPath := fieldpath.Path{
			{FieldName: ptr.To("metadata")},
			{FieldName: ptr.To("ownerReferences")},
			{Key: &value.FieldList{{Name: "uid", Value: value.NewValueInterface(string(input.Certificate.UID))}}},
		}
		managed := false
		for _, entry := range input.Secret.ManagedFields {
			if entry.Manager != fieldManager || entry.FieldsV1 == nil {
				continue
			}
			var owned fieldpath.Set
			if err := owned.FromJSON(bytes.NewReader(entry.FieldsV1.Raw)); err != nil {
				return ManagedFieldsParseError, fmt.Sprintf("failed to decode managed fields on Secret: %s", err), true
			}
			if owned.Has(ownerRefPath) {
				managed = true
				break
			}
		}
		// Ownership of the reference must line up with the flag.
		if managed == ownerRefEnabled {
			return "", "", false
		}
		return SecretOwnerRefMismatch,
			fmt.Sprintf("unexpected managed Secret Owner Reference field on Secret --enable-certificate-owner-ref=%t", ownerRefEnabled), true
	}
}
// SecretOwnerReferenceMismatch validates that the Secret has the expected
// owner reference if it is enabled. Returns true (violation) if:
// * owner reference is enabled, but the reference has an incorrect value
//
// The expected value is the controller reference metav1.NewControllerRef
// builds for the Certificate; the Secret's reference with the same UID must
// be semantically equal to it. When the flag is disabled nothing is checked.
func SecretOwnerReferenceMismatch(ownerRefEnabled bool) Func {
	return func(input Input) (string, string, bool) {
		if !ownerRefEnabled {
			return "", "", false
		}
		cert := input.Certificate
		want := *metav1.NewControllerRef(cert, cmapi.SchemeGroupVersion.WithKind("Certificate"))
		found := false
		for _, ref := range input.Secret.OwnerReferences {
			// Owner references are keyed by UID, so at most one entry can match
			// and the loop can stop as soon as it does.
			// https://github.com/kubernetes/apimachinery/blob/04356ed4cbb061c810a5e3d655802fd1e24284da/pkg/apis/meta/v1/types.go#L251
			if ref.UID != cert.UID {
				continue
			}
			if apiequality.Semantic.DeepEqual(ref, want) {
				found = true
				break
			}
		}
		if found {
			return "", "", false
		}
		return SecretOwnerRefMismatch,
			fmt.Sprintf("unexpected Secret Owner Reference value on Secret --enable-certificate-owner-ref=%t", ownerRefEnabled), true
	}
}
// mapsHaveMatchingValues returns true if the two maps have the same values for
// all common keys. Otherwise, the first key for which the values differ is returned.
// This function is stable and will always return the same key if the maps are
// the same.
//
// Keys present in only one map are ignored, and "first" means first in sorted
// order of the common keys, so the result does not depend on map iteration
// order. On success the zero Key is returned alongside true.
func mapsHaveMatchingValues[Key cmp.Ordered, Value comparable](a, b map[Key]Value) (bool, Key) {
	var shared []Key
	for key := range a {
		if _, inBoth := b[key]; inBoth {
			shared = append(shared, key)
		}
	}
	slices.Sort(shared)
	mismatch := slices.IndexFunc(shared, func(key Key) bool {
		return a[key] != b[key]
	})
	if mismatch >= 0 {
		return false, shared[mismatch]
	}
	var none Key
	return true, none
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policies
// In order to decide whether or not to reissue a certificate, we want to gather
// the "state of the world" regarding that particular certificate, which is the
// entire purpose of DataForCertificate. Along with the certificate's secret,
// DataForCertificate also returns two separate certificate requests: the
// "current" one and the "next" one.
//
// To understand the roles of the "current" and "next" certificate requests, let
// us look at three different scenarios: A, B and C.
//
// DIAGRAM (A1): in the first scenario, a user just created a cert-manager
// Kubernetes Certificate object. Since the object is new, only the "next"
// certificate request exists. You can see below that the first revision is "1":
//
// user creates
// certificate
// | "current"+---------------------------------------------+
// | +------->| No current CertificateRequest yet. |
// v | +---------------------------------------------+
// +---------------------+ |
// CERTIFICATE | kind: Certificate | | +---------------------------------------------+
// NOT READY | status: | | | kind: CertificateRequest |
// | revision: nil -------+ | metadata: |
// | conditions: | | | annotations: |
// | - type: Issuing | | | cert-manager.io/certificate-revision: 1 |
// | status: True | +------->| status: |
// +---------------------+ "next" | conditions: |
// | | - type: Ready |
// | | status: False |
// v | reason: Pending |
// ... +---------------------------------------------+
//
// DIAGRAM (A2): the certificate in (A1) gets reconciled. Eventually, it becomes
// ready. Since the issuance is done, the "next" CR does not exist anymore:
// ...
// |
// v +---------------------------------------------+
// +---------------------+ | kind: CertificateRequest |
// CERTIFICATE | kind: Certificate | | metadata: |
// READY | status: | "current"| annotations: |
// | revision: 1 ---------+------->| cert-manager.io/certificate-revision: 1 |
// | conditions: | | | status: |
// | - type: Issuing | | | conditions: |
// | status: False | | | - type: Ready |
// | reason: Issued | | | status: True |
// | - type: Ready | | +---------------------------------------------+
// | status: True | |
// +---------------------+ |
// | | +---------------------------------------------+
// v +------> | No next CertificateRequest. |
// new certificate "next" +---------------------------------------------+
// secret ready
// to be used
//
// Now that we've covered the base scenario A, let's dig into why we need the
// notion of the "current" certificate request. The second scenario B will help
// us understand the reason why DataForCertificate needs to be able to fetch the
// "current" certificate request.
//
// The "current" certificate request is important to us because the "current" CR
// contains the "source of truth" of the current certificate. The "current" CR
// allows us to check whether the current certificate still matches the
// already-issued certificate request.
//
// DIAGRAM (B1): the "current" certificate request can be pictured as the
// "current state of the world". When the certificate does not match its
// "current" certificate request, then the certificate is in "mismatch" state and
// needs to be reissued.
//
// +-MISMATCH---------MISMATCH----------MISMATCH-+
// existing | kind: CertificateRequest |
// ready | metadata: |
// certificate | annotations: |
// | | cert-manager.io/certificate-revision: 7 |
// | | status: |
// | "current"| conditions: |
// v +------->| - type: Ready |
// +--------------------+ | | status: True |
// CERTIFICATE | kind: Certificate | | +-MISMATCH---------MISMATCH----------MISMATCH-+
// DOES NOT | status: | |
// MATCH THE | revision: 7 ---------+
// CURRENT | conditions: | | +--------------------------------------------+
// CERTIFICATE | - type: Ready | |------->| No "next" CertificateRequest |
// REQUEST | status: True | "next" +--------------------------------------------+
// +--------------------+
// |
// v
// ...
//
// DIAGRAM (B2): since the "current" CR does not match the certificate's spec,
// the trigger controller sets Issuing=True, and the "next" CR gets created:
//
// ... +-MISMATCH---------MISMATCH----------MISMATCH-+
// | | kind: CertificateRequest |
// | | metadata: |
// | | annotations: |
// | | cert-manager.io/certificate-revision: 7 |
// | | status: |
// v | conditions: |
// +---------------------+ "current" | - type: Ready |
// CERTIFICATE | kind: Certificate | +------->| status: True |
// IS BEING | status: | | +-MISMATCH---------MISMATCH----------MISMATCH-+
// REISSUED | revision: 7----------+
// | conditions: | | +---------------------------------------------+
// | - type: Issuing | | | kind: CertificateRequest |
// | status: True | | | metadata: |
// | reason: Pending| |------->| annotations: |
// | - type: Ready | "next" | cert-manager.io/certificate-revision: 8 |
// | status: False | | status: |
// +---------------------+ | conditions: |
// | - type: Ready |
// | status: False |
// | reason: Pending |
// +---------------------------------------------+
//
//
// The third scenario C will help us understand the reason why
// DataForCertificate has a "next" certificate request.
//
// DIAGRAM (C1): imagine that a user creates a certificate that contains a
// mistake. The certificate will end up in failure state and will be retried
// after 1 hour:
//
// user creates a "current" +---------------------------------------------+
// certificate with +------->| No current CertificateRequest |
// an invalid field | +---------------------------------------------+
// | |
// | | +---------------------------------------------+
// v | | kind: CertificateRequest |
// +---------------------+ | | metadata: |
// CERTIFICATE | kind: Certificate | | | annotations: |
// IS FAILING | status: | | | cert-manager.io/certificate-revision: 1 |
// | revision: nil --------+ | status: |
// | conditions: | | | conditions: |
// | - type: Issuing | +------->| - type: Failed |
// | status: False | "next" | status: True |
// | reason: Failed | +---------------------------------------------+
// | lastFailureTime: *|
// +---------------------+
// |
// v
// ...
//
// DIAGRAM (C2): now, imagine that the user wants to fix their mistake and
// update the certificate with a correct value. Of course, the user does not
// want to wait for 1 hour for the automatic re-issue. By looking at the "next"
// CR, we can detect whether the "next" CR still matches the certificate. This
// behavior only occurs when the certificate is failing:
// ...
// | "current" +---------------------------------------------+
// | +------->| No current CertificateRequest |
// | | +---------------------------------------------+
// v |
// +---------------------+ |
// CERTIFICATE | kind: Certificate | | +-MISMATCH---------MISMATCH----------MISMATCH-+
// IS SET TO | status: | | | kind: CertificateRequest |
// "REISSUING" | revision: nil --------+ | metadata: |
// DUE TO | conditions: | | | annotations: |
// MISMATCH | - type: Issuing | | | cert-manager.io/certificate-revision: 1 |
// | status: True | | | status: |
// | reason: Pending| |------->| conditions: |
// | - type: Ready | "next" | - type: Failed |
// | status: False | | status: True |
// +---------------------+ +-MISMATCH---------MISMATCH----------MISMATCH-+
// |
// v
// ...
//
// DIAGRAM (C3): the trigger controller is able to detect the mismatch: it
// triggers a re-issuance, and the failing certificate request is re-issued with
// the same revision number:
// ...
// |
// user updates the|
// invalid field with|
// a valid value| "current" +---------------------------------------------+
// | +------->| No current CertificateRequest |
// v | +---------------------------------------------+
// +----------------------+ |
// PREVIOUS | kind: Certificate | |
// CERTIFICATE | status: | | +-NEW---------------NEW-------------------NEW-+
// REQUEST IS | revision: nil --------+ | kind: CertificateRequest |
// REPLACED | conditions: | | | metadata: |
// | - type: Ready | | | annotations: |
// | status: False | | | cert-manager.io/certificate-revision: 1 |
// | - type: Issuing | |------->| status: |
// | status: True | "next" | conditions: |
// | reason: Pending | | - type: Ready |
// +----------------------+ | status: False |
// | reason: Pending |
// +-NEW---------------NEW-------------------NEW-+
import (
"context"
"fmt"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
// Gatherer is used to gather data about a Certificate in order to evaluate
// its current readiness/state by applying policy functions to it.
//
// Both listers are dereferenced unconditionally by DataForCertificate, so a
// Gatherer is only usable once both fields are set. The Gatherer reads from
// the listers only; it never writes to the API.
type Gatherer struct {
	// CertificateRequestLister is used to find the "current" and "next"
	// CertificateRequests owned by a Certificate (matched by owner reference
	// and revision annotation).
	CertificateRequestLister cmlisters.CertificateRequestLister
	// SecretLister is used to fetch the Secret named by the Certificate's
	// spec.secretName, in the Certificate's namespace.
	SecretLister internalinformers.SecretLister
}
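// DataForCertificate returns the secret as well as the "current" and "next"
// certificate request associated with the given certificate. It also returns
// the given certificate as-is. To know more about the "current" and "next"
// certificate requests and why we want to be fetching them along with the
// certificate's secret, take a look at the top comment on this file.
//
// DataForCertificate returns an error when duplicate CRs are found for the
// "current" or the "next" revision, or when a lister call fails for a reason
// other than NotFound. DataForCertificate does not return any
// apierrors.NewNotFound; instead, if either of the objects (current CR, next CR
// or secret) is not found, then the returned value of this object is left nil.
//
// All lookups go through the listers on the Gatherer. A CertificateRequest is
// only ever considered if it is owned by crt (predicate.ResourceOwnedBy), so a
// request that merely carries a matching revision annotation but belongs to
// another owner is ignored rather than trusted.
func (g *Gatherer) DataForCertificate(ctx context.Context, crt *cmapi.Certificate) (Input, error) {
	// Attempt to fetch the Secret being managed but tolerate NotFound errors.
	secret, err := g.SecretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	if err != nil && !apierrors.IsNotFound(err) {
		return Input{}, err
	}

	// Attempt to fetch the CertificateRequest for the current status.revision.
	//
	// We can skip looking for the current CR when the status.revision is nil
	// since there cannot be any available "current" certificate request if the
	// certificate's revision is empty. That is due to the fact that the
	// certificate's revision field stays nil until the first certificate
	// request (revision "1") has become ready (see diagram (A) above).
	var curCR *cmapi.CertificateRequest
	if crt.Status.Revision != nil {
		curCR, err = g.requestForRevision(ctx, crt, *crt.Status.Revision, "current")
		if err != nil {
			return Input{}, err
		}
	}

	// Attempt fetching the CertificateRequest for the next status.revision.
	//
	// As depicted in the above diagram (A), the "next" certificate request
	// revision always starts at 1 when the certificate's status.revision is
	// nil.
	nextCRRevision := 1
	if crt.Status.Revision != nil {
		nextCRRevision = *crt.Status.Revision + 1
	}
	nextCR, err := g.requestForRevision(ctx, crt, nextCRRevision, "next")
	if err != nil {
		return Input{}, err
	}

	return Input{
		Certificate:            crt,
		Secret:                 secret,
		CurrentRevisionRequest: curCR,
		NextRevisionRequest:    nextCR,
	}, nil
}

// requestForRevision returns the single CertificateRequest owned by crt that
// carries the given revision, or nil (with a nil error) when the lister holds
// no such request.
//
// which names the role of the revision being looked up ("current" or "next")
// and is used only in the returned error and the debug log line.
//
// An error is returned when the lister call fails, or when more than one owned
// request matches the revision. That second error can feel worthless: the
// duplicate is expected to be fixed almost instantaneously, and showing it to
// the user rarely helps in a debug session. It is returned anyway so that the
// callers (trigger controller, readiness controller) abort their sync instead
// of acting on an ambiguous state, and retrigger a new sync with the hope
// that the duplicate will have been removed before the next resync.
func (g *Gatherer) requestForRevision(ctx context.Context, crt *cmapi.Certificate, revision int, which string) (*cmapi.CertificateRequest, error) {
	log := logf.FromContext(ctx)

	reqs, err := certificates.ListCertificateRequestsMatchingPredicates(
		g.CertificateRequestLister.CertificateRequests(crt.Namespace),
		labels.Everything(),
		predicate.ResourceOwnedBy(crt),
		predicate.CertificateRequestRevision(revision),
	)
	if err != nil {
		return nil, err
	}

	switch len(reqs) {
	case 0:
		log.V(logf.DebugLevel).Info(fmt.Sprintf("Found no CertificateRequest resources owned by this Certificate for the %s revision", which), "revision", revision)
		return nil, nil
	case 1:
		return reqs[0], nil
	default:
		return nil, fmt.Errorf("multiple CertificateRequests were found for the '%s' revision %v, issuance is skipped until there are no more duplicates", which, revision)
	}
}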
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package policies provides functionality to evaluate Certificate's state
package policies
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/clock"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// Input is the bundle of objects a policy Func inspects for one Certificate.
// It is produced by Gatherer.DataForCertificate; any of the pointer fields
// other than Certificate may be nil when the corresponding object does not
// exist, and policy functions must tolerate that.
type Input struct {
	// Certificate is the Certificate being evaluated, passed through as-is.
	Certificate *cmapi.Certificate
	// Secret is the Secret named by the Certificate's spec.secretName, or nil
	// when it does not exist.
	Secret *corev1.Secret
	// The "current" certificate request designates the certificate request that
	// led to the current revision of the certificate. The "current" certificate
	// request is by definition in a ready state, and can be seen as the source
	// of information of the current certificate. Take a look at the gatherer
	// package's documentation to see more about why we care about the "current"
	// certificate request. Nil when no such request exists.
	CurrentRevisionRequest *cmapi.CertificateRequest
	// The "next" certificate request is the one that is currently being issued.
	// Take a look at the gatherer package's documentation to see more about why
	// we care about the "next" certificate request. Nil when no such request
	// exists.
	NextRevisionRequest *cmapi.CertificateRequest
}
// A Func evaluates the given input data and decides whether a check has passed
// or failed, returning additional human readable information in the 'reason'
// and 'message' return parameters if so. A Func reports a violation by
// returning failed=true; Chain.Evaluate discards reason and message when
// failed is false.
type Func func(Input) (reason, message string, failed bool)
// A Chain of PolicyFuncs to be evaluated in order. See Evaluate for the
// short-circuit semantics: the first Func that reports a violation wins.
type Chain []Func
// Evaluate runs every Func in the chain, in order, against input and stops at
// the first one that reports a violation, returning that Func's reason and
// message together with failed=true. Funcs after the first violation are
// never invoked. When no Func reports a violation, Evaluate returns
// ("", "", false).
func (c Chain) Evaluate(input Input) (string, string, bool) {
	for i := range c {
		if reason, message, failed := c[i](input); failed {
			return reason, message, failed
		}
	}
	return "", "", false
}
// NewTriggerPolicyChain returns the trigger policy checks. A violation reported
// by any of them should cause a Certificate to be marked for issuance.
//
// The order is significant: Chain.Evaluate stops at the first violation, so
// each check can rely on the earlier ones having passed (e.g. the Secret is
// known to exist before its contents are inspected). c supplies the time used
// by the expiry check.
func NewTriggerPolicyChain(c clock.Clock) Chain {
	return Chain{
		SecretDoesNotExist,                                  // Make sure the Secret exists
		SecretIsMissingData,                                 // Make sure the Secret has the required keys set
		SecretPublicKeysDiffer,                              // Make sure the PrivateKey and PublicKey match in the Secret
		SecretIssuerAnnotationsMismatch,                     // Make sure the Secret's IssuerRef annotations match the Certificate spec
		SecretCertificateNameAnnotationsMismatch,            // Make sure the Secret's CertificateName annotation matches the Certificate's name
		SecretPrivateKeyMismatchesSpec,                      // Make sure the PrivateKey Type and Size match the Certificate spec
		SecretPublicKeyDiffersFromCurrentCertificateRequest, // Make sure the Secret's PublicKey matches the current CertificateRequest
		CurrentCertificateRequestMismatchesSpec,             // Make sure the current CertificateRequest matches the Certificate spec
		CurrentCertificateNearingExpiry(c),                  // Make sure the Certificate in the Secret is not nearing expiry
	}
}
// NewReadinessPolicyChain returns the readiness policy checks. A violation
// reported by any of them would cause a Certificate to be marked as not ready.
//
// The chain is identical to NewTriggerPolicyChain except for the last entry:
// readiness only fails once the certificate has actually expired, whereas the
// trigger chain already fires when it is nearing expiry. Order is significant
// because Chain.Evaluate stops at the first violation. c supplies the time
// used by the expiry check.
func NewReadinessPolicyChain(c clock.Clock) Chain {
	return Chain{
		SecretDoesNotExist,                                  // Make sure the Secret exists
		SecretIsMissingData,                                 // Make sure the Secret has the required keys set
		SecretPublicKeysDiffer,                              // Make sure the PrivateKey and PublicKey match in the Secret
		SecretIssuerAnnotationsMismatch,                     // Make sure the Secret's IssuerRef annotations match the Certificate spec
		SecretCertificateNameAnnotationsMismatch,            // Make sure the Secret's CertificateName annotation matches the Certificate's name
		SecretPrivateKeyMismatchesSpec,                      // Make sure the PrivateKey Type and Size match the Certificate spec
		SecretPublicKeyDiffersFromCurrentCertificateRequest, // Make sure the Secret's PublicKey matches the current CertificateRequest
		CurrentCertificateRequestMismatchesSpec,             // Make sure the current CertificateRequest matches the Certificate spec
		CurrentCertificateHasExpired(c),                     // Make sure the Certificate in the Secret has not expired
	}
}
// NewSecretPostIssuancePolicyChain includes policy checks that are to be
// performed _after_ issuance has been successful, testing for the presence and
// correctness of metadata and output formats of Certificate's Secrets.
//
// ownerRefEnabled selects whether an owner reference on the Secret is
// expected; fieldManager is the manager name the managed-fields checks compare
// against. Order is significant because Chain.Evaluate stops at the first
// violation.
func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string) Chain {
	return Chain{
		SecretBaseLabelsMismatch,                                           // Make sure the managed labels have the correct values
		SecretCertificateDetailsAnnotationsMismatch,                        // Make sure the managed certificate details annotations have the correct values
		SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager), // Make sure only the expected managed labels and annotations exist
		SecretSecretTemplateMismatch,                                       // Make sure the template label and annotation values match the secret
		SecretSecretTemplateManagedFieldsMismatch(fieldManager),            // Make sure only the expected template labels and annotations exist
		SecretAdditionalOutputFormatsMismatch,                              // Additional output format entries (presumably DER / combined PEM) must match the spec
		SecretAdditionalOutputFormatsManagedFieldsMismatch(fieldManager),   // ... and only the expected ones may be managed by fieldManager
		SecretOwnerReferenceMismatch(ownerRefEnabled),                      // Owner reference must be present/absent according to ownerRefEnabled
		SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled, fieldManager),
		SecretKeystoreFormatMismatch, // Keystore entries must match the spec
	}
}
// NewTemporaryCertificatePolicyChain includes policy checks for ensuring a
// temporary certificate is valid.
//
// It is the prefix of the trigger and readiness chains that only inspects the
// Secret itself (existence, required keys, key pair consistency) and makes no
// comparison against a CertificateRequest or the Certificate spec. Order is
// significant because Chain.Evaluate stops at the first violation.
func NewTemporaryCertificatePolicyChain() Chain {
	return Chain{
		SecretDoesNotExist,     // Make sure the Secret exists
		SecretIsMissingData,    // Make sure the Secret has the required keys set
		SecretPublicKeysDiffer, // Make sure the PrivateKey and PublicKey match in the Secret
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"bytes"
"crypto/x509"
"github.com/cert-manager/cert-manager/internal/pem"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmutil "github.com/cert-manager/cert-manager/pkg/util"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
)
// AnnotationsForCertificate returns a map which is set on all
// Certificate Secret's Annotations when issued. These annotations contain
// information about the Certificate (subject fields and SANs), taken straight
// from the parsed X.509 certificate.
// If the X.509 certificate is nil, an empty map will be returned.
//
// Multi-valued fields are CSV-encoded with cmutil.JoinWithEscapeCSV. If any
// encoding fails the function returns a nil map and the error from the last
// field that failed to encode; fields that encoded successfully before the
// failure are not returned.
func AnnotationsForCertificate(certificate *x509.Certificate) (map[string]string, error) {
	out := map[string]string{}
	if certificate == nil {
		return out, nil
	}

	subject := certificate.Subject

	// TODO: the reason that for some annotations we keep empty annotations and we don't for others is not clear.
	// The keepEmpty field is only used here to maintain this unexplained previous behaviour.
	type stringField struct {
		keepEmpty bool
		key       string
		value     string
	}
	type listField struct {
		keepEmpty bool
		key       string
		values    []string
	}

	for _, f := range []stringField{
		{keepEmpty: true, key: cmapi.CommonNameAnnotationKey, value: subject.CommonName},
		{keepEmpty: false, key: cmapi.SubjectSerialNumberAnnotationKey, value: subject.SerialNumber},
	} {
		if f.value == "" && !f.keepEmpty {
			continue
		}
		out[f.key] = f.value
	}

	// Like the original closure-based version, a later encoding failure
	// overwrites an earlier one; the loop keeps going so that the map shape
	// (and the returned error) stay the same regardless of which field failed.
	var encErr error
	for _, f := range []listField{
		{keepEmpty: false, key: cmapi.SubjectOrganizationsAnnotationKey, values: subject.Organization},
		{keepEmpty: false, key: cmapi.SubjectOrganizationalUnitsAnnotationKey, values: subject.OrganizationalUnit},
		{keepEmpty: false, key: cmapi.SubjectCountriesAnnotationKey, values: subject.Country},
		{keepEmpty: false, key: cmapi.SubjectProvincesAnnotationKey, values: subject.Province},
		{keepEmpty: false, key: cmapi.SubjectLocalitiesAnnotationKey, values: subject.Locality},
		{keepEmpty: false, key: cmapi.SubjectPostalCodesAnnotationKey, values: subject.PostalCode},
		{keepEmpty: false, key: cmapi.SubjectStreetAddressesAnnotationKey, values: subject.StreetAddress},
		{keepEmpty: false, key: cmapi.EmailsAnnotationKey, values: certificate.EmailAddresses},
		{keepEmpty: true, key: cmapi.AltNamesAnnotationKey, values: certificate.DNSNames},
		{keepEmpty: true, key: cmapi.IPSANAnnotationKey, values: utilpki.IPAddressesToString(certificate.IPAddresses)},
		{keepEmpty: true, key: cmapi.URISANAnnotationKey, values: utilpki.URLsToString(certificate.URIs)},
	} {
		if len(f.values) == 0 && !f.keepEmpty {
			continue
		}
		joined, err := cmutil.JoinWithEscapeCSV(f.values)
		if err != nil {
			encErr = err
			continue
		}
		out[f.key] = joined
	}

	if encErr != nil {
		return nil, encErr
	}
	return out, nil
}
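// OutputFormatDER returns the DER bytes of the given PEM-encoded private key.
// To be used for Certificate's Additional Output Format DER.
//
// Decode errors are deliberately not surfaced (see the NOTE below). The one
// thing guarded against is a nil block from the decoder, which would otherwise
// dereference nil and panic the controller; in that case nil is returned and
// callers should treat nil as "no DER key available".
func OutputFormatDER(privateKey []byte) []byte {
	// NOTE: This call to pem.SafeDecodePrivateKey ignores errors.
	// This is acceptable here since we're calling this function only on PEM data which we created
	// by encoding the private key. As such, we can be fairly confident that:
	// 1) The PEM is valid
	// 2) The PEM isn't attacker-controlled (and as such unsafe to decode)
	block, _, _ := pem.SafeDecodePrivateKey(privateKey)
	if block == nil {
		// Nothing decodable: return an empty result rather than panicking on
		// block.Bytes.
		return nil
	}
	return block.Bytes
}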
// OutputFormatCombinedPEM returns the byte slice of the PEM encoded private
// key and signed certificate chain, concatenated with a single newline between
// them. To be used for Certificate's Additional Output Format Combined PEM.
//
// Neither input is validated or re-encoded; the result is always a fresh
// slice of exactly len(privateKey)+1+len(certificate) bytes.
func OutputFormatCombinedPEM(privateKey, certificate []byte) []byte {
	var combined bytes.Buffer
	combined.Grow(len(privateKey) + 1 + len(certificate))
	combined.Write(privateKey)
	combined.WriteByte('\n')
	combined.Write(certificate)
	return combined.Bytes()
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// feature contains controller's feature gate setup functionality. Do not import
// this package into any code that's shared with other components to prevent
// overwriting other components' feature gates, see e.g.
// https://github.com/cert-manager/cert-manager/issues/6011
package feature
import (
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/component-base/featuregate"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
)
// see https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages
//
// Each gate below records its owner and the release in which it reached each
// stage. The matching Default/PreRelease values live in
// defaultCertManagerFeatureGates at the bottom of this file and should be kept
// in step with these comments.
const (
	// Copy & paste the following template when you add a new feature gate:
	// ========================== START TEMPLATE ==========================
	// Owner: @username
	// Alpha: vX.Y
	// Beta: ...
	//
	// FeatureName will enable XYZ feature.
	// Fill this section out with additional details about the feature.
	// FeatureName featuregate.Feature = "FeatureName"
	// =========================== END TEMPLATE ===========================

	// Owner: N/A
	// Alpha: v1.4
	//
	// ExperimentalCertificateSigningRequestControllers enables all CertificateSigningRequest
	// controllers that sign Kubernetes CertificateSigningRequest resources.
	ExperimentalCertificateSigningRequestControllers featuregate.Feature = "ExperimentalCertificateSigningRequestControllers"

	// Owner: N/A
	// Alpha: v1.5
	// Beta: v1.15
	//
	// ExperimentalGatewayAPISupport enables the gateway-shim controller and adds support for
	// the Gateway API to the HTTP-01 challenge solver.
	ExperimentalGatewayAPISupport featuregate.Feature = "ExperimentalGatewayAPISupport"

	// Owner: @joshvanl
	// Alpha: v1.7
	// Beta: v1.15
	// GA: v1.18
	//
	// AdditionalCertificateOutputFormats enables the additional output formats
	// (e.g. DER and combined PEM) that can be written to a Certificate's Secret.
	AdditionalCertificateOutputFormats featuregate.Feature = "AdditionalCertificateOutputFormats"

	// Owner: @joshvanl
	// Alpha: v1.8
	//
	// ServerSideApply enables the use of ServerSideApply in all API calls.
	ServerSideApply featuregate.Feature = "ServerSideApply"

	// Owner: @spockz , @irbekrm
	// Alpha: v1.9
	//
	// LiteralCertificateSubject will enable providing a subject in the Certificate that will be used literally in the CertificateSigningRequest. The subject can be provided via `LiteralSubject` field on `Certificate`'s spec.
	// This feature gate must be used together with LiteralCertificateSubject webhook feature gate.
	// See https://github.com/cert-manager/cert-manager/issues/3203 and https://github.com/cert-manager/cert-manager/issues/4424 for context.
	LiteralCertificateSubject featuregate.Feature = "LiteralCertificateSubject"

	// Owner: @inteon
	// Alpha: v1.10
	// Beta: v1.13
	//
	// StableCertificateRequestName will enable generation of CertificateRequest resources with a fixed name. The name of the CertificateRequest will be a function of Certificate resource name and its revision.
	// This feature gate will disable auto-generated CertificateRequest names.
	// Github Issue: https://github.com/cert-manager/cert-manager/issues/4956
	StableCertificateRequestName featuregate.Feature = "StableCertificateRequestName"

	// Owner: @SgtCoDFish
	// Alpha: v1.11
	//
	// UseCertificateRequestBasicConstraints will add a Basic Constraints section in the Extension Request of the Certificate Signing Request.
	// This feature will add a BasicConstraints section with the CA field defaulting to false; the CA field will be set true if the Certificate resource spec has isCA as true.
	// Github Issue: https://github.com/cert-manager/cert-manager/issues/5539
	UseCertificateRequestBasicConstraints featuregate.Feature = "UseCertificateRequestBasicConstraints"

	// Owner: @irbekrm
	// Alpha: v1.12
	// Beta: v1.13
	//
	// SecretsFilteredCaching reduces controller's memory consumption by
	// filtering which Secrets are cached in full using
	// `controller.cert-manager.io/fao` label. By default all Certificate
	// Secrets are labelled with controller.cert-manager.io/fao label. Users
	// can also label other Secrets, such as issuer credentials Secrets that
	// they know cert-manager will need to access, to speed up issuance.
	// See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md
	SecretsFilteredCaching featuregate.Feature = "SecretsFilteredCaching"

	// Owner: @inteon
	// Beta: v1.13
	// GA: v1.15
	//
	// DisallowInsecureCSRUsageDefinition will prevent the webhook from allowing
	// CertificateRequest's usages to be only defined in the CSR, while leaving
	// the usages field empty.
	DisallowInsecureCSRUsageDefinition featuregate.Feature = "DisallowInsecureCSRUsageDefinition"

	// Owner: @tanujd11
	// Alpha: v1.14
	// Beta: v1.17
	//
	// NameConstraints adds support for Name Constraints in Certificate resources
	// with IsCA=true.
	// Github Issue: https://github.com/cert-manager/cert-manager/issues/3655
	NameConstraints featuregate.Feature = "NameConstraints"

	// Owner: @SpectralHiss
	// Alpha: v1.14
	//
	// OtherNames adds support for OtherName Subject Alternative Name values in
	// Certificate resources.
	// Github Issue: https://github.com/cert-manager/cert-manager/issues/6393
	OtherNames featuregate.Feature = "OtherNames"

	// Owner: @jsoref
	// Alpha: v1.16
	// Beta: v1.17
	// GA: v1.18
	//
	// UseDomainQualifiedFinalizer changes the finalizer added to cert-manager created
	// resources to acme.cert-manager.io/finalizer instead of finalizer.acme.cert-manager.io.
	// GitHub Issue: https://github.com/cert-manager/cert-manager/issues/7266
	UseDomainQualifiedFinalizer featuregate.Feature = "UseDomainQualifiedFinalizer"

	// Owner: N/A
	// Alpha: v0.7.2
	// Deprecated: v1.17
	// Removed: v1.18
	//
	// ValidateCAA is a now-removed feature gate which enabled CAA checking when issuing certificates.
	// This was never widely adopted, and without an owner to sponsor it we decided to deprecate
	// this feature gate and then remove it.
	// The feature gate is still defined here so that users who specify the feature gate aren't
	// hit with "unknown feature gate" errors which crash the controller, but this is a no-op
	// and only prints a log line if added.
	ValidateCAA featuregate.Feature = "ValidateCAA"

	// Owner: @wallrj
	// Alpha: v1.18.0
	// Beta: v1.18.0
	//
	// DefaultPrivateKeyRotationPolicyAlways changes the default value of
	// `Certificate.Spec.PrivateKey.RotationPolicy` to `Always`.
	// Why? Because the old default (`Never`) was unintuitive and insecure. For
	// example, if a private key is exposed, users may (reasonably) assume that
	// re-issuing a certificate (e.g. using cmctl renew) will generate a new
	// private key, but it won't unless the user has explicitly set
	// rotationPolicy: Always on the Certificate resource.
	// This feature skipped the Alpha phase and was instead introduced as a Beta
	// feature, because it is thought to be a low-risk feature and because we
	// want to accelerate the adoption of this important security feature.
	DefaultPrivateKeyRotationPolicyAlways featuregate.Feature = "DefaultPrivateKeyRotationPolicyAlways"

	// Owner: @sspreitzer, @wallrj
	// Alpha: v1.18.1
	// Beta: v1.18.1
	//
	// ACMEHTTP01IngressPathTypeExact changes the default `pathType` for ACME
	// HTTP01 Ingress based challenges to `Exact`. This security feature ensures
	// that the challenge path (which is an exact path) is not misinterpreted as
	// a regular expression or some other Ingress specific (ImplementationSpecific)
	// parsing. This allows HTTP01 challenges to be solved when using standards
	// compliant Ingress controllers such as Cilium. The old default
	// `ImplementationSpecific` can be reinstated by disabling this feature gate.
	// You may need to disable the feature for compatibility with ingress-nginx.
	// See: https://cert-manager.io/docs/releases/release-notes/release-notes-1.18
	ACMEHTTP01IngressPathTypeExact featuregate.Feature = "ACMEHTTP01IngressPathTypeExact"
)
// init registers every gate in defaultCertManagerFeatureGates with the
// process-wide mutable gate, utilfeature.DefaultMutableFeatureGate. A
// registration error is fatal (runtime.Must panics), which is why the package
// comment above warns against importing this package from code shared with
// other components.
func init() {
	runtime.Must(utilfeature.DefaultMutableFeatureGate.Add(defaultCertManagerFeatureGates))
}
// defaultCertManagerFeatureGates consists of all known cert-manager feature keys.
// To add a new feature, define a key for it above and add it here. The features will be
// available on the cert-manager controller binary.
//
// Default is the value a gate takes when the user does not set it; PreRelease
// is the stage reported by the featuregate library. Both should agree with the
// Alpha/Beta/GA lines in the comment on each constant above. Note in
// particular that a gate with Default: true is active unless the user
// explicitly disables it.
var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
	DisallowInsecureCSRUsageDefinition:               {Default: true, PreRelease: featuregate.GA},
	StableCertificateRequestName:                     {Default: true, PreRelease: featuregate.Beta},
	SecretsFilteredCaching:                           {Default: true, PreRelease: featuregate.Beta},
	ExperimentalCertificateSigningRequestControllers: {Default: false, PreRelease: featuregate.Alpha},
	ExperimentalGatewayAPISupport:                    {Default: true, PreRelease: featuregate.Beta},
	AdditionalCertificateOutputFormats:               {Default: true, PreRelease: featuregate.GA},
	ServerSideApply:                                  {Default: false, PreRelease: featuregate.Alpha},
	LiteralCertificateSubject:                        {Default: true, PreRelease: featuregate.Beta},
	UseCertificateRequestBasicConstraints:            {Default: false, PreRelease: featuregate.Alpha},
	NameConstraints:                                  {Default: true, PreRelease: featuregate.Beta},
	OtherNames:                                       {Default: false, PreRelease: featuregate.Alpha},
	UseDomainQualifiedFinalizer:                      {Default: true, PreRelease: featuregate.GA},
	DefaultPrivateKeyRotationPolicyAlways:            {Default: true, PreRelease: featuregate.Beta},
	ACMEHTTP01IngressPathTypeExact:                   {Default: true, PreRelease: featuregate.Beta},

	// NB: Deprecated + removed feature gates are kept here.
	// `featuregate.Deprecated` exists, but will cause the featuregate library
	// to emit its own warning when the gate is set:
	// > W...] Setting deprecated feature gate ValidateCAA=true. It will be removed in a future release.
	// So we have to set to Alpha to avoid that. `PreAlpha` also exists, but
	// adds versioning logic we don't want to deal with.
	// If we simply remove the gate from here, then anyone still setting it will
	// see an error and the controller will enter CrashLoopBackOff:
	// > E...] "error executing command" err="failed to set feature gates from initial flags-based config: unrecognized feature gate: ValidateCAA" logger="cert-manager"
	// So we leave it here, set to alpha. Setting it has no effect other than
	// the log line mentioned on the constant above.
	ValidateCAA: {Default: false, PreRelease: featuregate.Alpha},
}
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package informers
import (
"time"
corev1 "k8s.io/api/core/v1"
kubeinformers "k8s.io/client-go/informers"
certificatesv1 "k8s.io/client-go/informers/certificates/v1"
corev1informers "k8s.io/client-go/informers/core/v1"
networkingv1informers "k8s.io/client-go/informers/networking/v1"
"k8s.io/client-go/kubernetes"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache"
)
// This file contains an implementation of core informers that wraps the core
// upstream informers without any custom modifications
// baseFactory is an implementation of KubeSharedInformerFactory that returns
// standard upstream informer functionality; every method delegates to the
// wrapped client-go SharedInformerFactory.
type baseFactory struct {
	// f is the upstream factory all informers and listers are created from.
	f kubeinformers.SharedInformerFactory
	// namespace is set if cert-manager controller is scoped to a single
	// namespace. It is propagated to the Secret informer so that, in that
	// mode, only Secrets from this namespace are watched and listed.
	namespace string
}
func NewBaseKubeInformerFactory(client kubernetes.Interface, resync time.Duration, namespace string) KubeInformerFactory {
return &baseFactory{
f: kubeinformers.NewSharedInformerFactoryWithOptions(client, resync, kubeinformers.WithNamespace(namespace)),
// namespace is set to a non-empty value if cert-manager
// controller is scoped to a single namespace via --namespace
// flag
namespace: namespace,
}
}
func (bf *baseFactory) Start(stopCh <-chan struct{}) {
bf.f.Start(stopCh)
}
func (bf *baseFactory) WaitForCacheSync(stopCh <-chan struct{}) map[string]bool {
ret := make(map[string]bool)
cacheSyncs := bf.f.WaitForCacheSync(stopCh)
for key, val := range cacheSyncs {
ret[key.String()] = val
}
return ret
}
func (bf *baseFactory) Shutdown() {
bf.f.Shutdown()
}
func (bf *baseFactory) Ingresses() networkingv1informers.IngressInformer {
return bf.f.Networking().V1().Ingresses()
}
func (bf *baseFactory) Secrets() SecretInformer {
return &baseSecretInformer{
f: bf.f,
namespace: bf.namespace,
}
}
func (bf *baseFactory) CertificateSigningRequests() certificatesv1.CertificateSigningRequestInformer {
return bf.f.Certificates().V1().CertificateSigningRequests()
}
var _ SecretInformer = &baseSecretInformer{}

// baseSecretInformer is the SecretInformer implementation built purely from
// upstream client-go pieces: an unfiltered Secret informer plus the standard
// SecretLister over its indexer. Every Secret in scope is cached in full.
type baseSecretInformer struct {
	f         kubeinformers.SharedInformerFactory
	informer  cache.SharedIndexInformer
	namespace string
}

// secretInformer registers the Secret informer with the factory, or returns
// the one already registered for *corev1.Secret.
func (bsi *baseSecretInformer) secretInformer() cache.SharedIndexInformer {
	return bsi.f.InformerFor(&corev1.Secret{}, bsi.new)
}

// Informer returns the shared Secret informer and remembers it in bsi.informer.
func (bsi *baseSecretInformer) Informer() Informer {
	bsi.informer = bsi.secretInformer()
	return bsi.informer
}

// Lister returns a SecretLister that reads from the shared Secret informer's
// indexer.
func (bsi *baseSecretInformer) Lister() SecretLister {
	indexer := bsi.secretInformer().GetIndexer()
	return corev1listers.NewSecretLister(indexer)
}

// new is the NewInformerFunc handed to InformerFor. It builds an unfiltered
// Secret informer restricted to bsi.namespace, with the standard namespace
// index so namespaced listers work.
func (bsi *baseSecretInformer) new(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return corev1informers.NewSecretInformer(client, bsi.namespace, resyncPeriod, indexers)
}
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package informers
import (
"context"
"fmt"
"time"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/apimachinery/pkg/types"
kubeinformers "k8s.io/client-go/informers"
certificatesv1 "k8s.io/client-go/informers/certificates/v1"
corev1informers "k8s.io/client-go/informers/core/v1"
internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
networkingv1informers "k8s.io/client-go/informers/networking/v1"
"k8s.io/client-go/kubernetes"
typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/metadata"
"k8s.io/client-go/metadata/metadatainformer"
"k8s.io/client-go/metadata/metadatalister"
"k8s.io/client-go/tools/cache"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// This file contains all the functionality for implementing core informers with a filter for Secrets
// https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md
var (
	// isCertManageSecretLabelSelector matches Secrets carrying
	// PartOfCertManagerControllerLabelKey=true, i.e. Secrets cert-manager
	// manages itself. The typed (full-object) Secret informer is limited to
	// these, which is what keeps the typed cache small.
	isCertManageSecretLabelSelector labels.Selector
	// isNotCertManagerSecretLabelSelector matches Secrets that do not carry
	// the label at all. The metadata-only informer is limited to these.
	isNotCertManagerSecretLabelSelector labels.Selector
)

// init builds the two label selectors once at package load. Both requirements
// are constructed from constants, so a failure is a programming error and is
// turned into a panic rather than a recoverable error.
func init() {
	mustSelector := func(op selection.Operator, vals []string, errFormat string) labels.Selector {
		req, err := labels.NewRequirement(cmapi.PartOfCertManagerControllerLabelKey, op, vals)
		if err != nil {
			panic(fmt.Errorf(errFormat, err))
		}
		return labels.NewSelector().Add(*req)
	}

	isCertManageSecretLabelSelector = mustSelector(selection.Equals, []string{"true"},
		"internal error: failed to build label selector to filter cert-manager secrets: %w")
	isNotCertManagerSecretLabelSelector = mustSelector(selection.DoesNotExist, nil,
		"internal error: failed to build label selector to filter non-cert-manager secrets: %w")
}
// filteredSecretsFactory is the KubeInformerFactory that bounds cert-manager's
// memory use for Secrets: Secrets labelled as cert-manager's own are cached
// as full objects by typedInformerFactory, every other Secret is cached as
// PartialObjectMetadata only by metadataInformerFactory. The two factories
// use disjoint server-side label selectors, so under a consistent view a
// Secret lives in at most one cache.
type filteredSecretsFactory struct {
	typedInformerFactory    kubeinformers.SharedInformerFactory
	metadataInformerFactory metadatainformer.SharedInformerFactory
	client                  kubernetes.Interface
	namespace               string
	// ctx is kept here, against the usual advice, because the upstream
	// lister Get signature takes no context and the apiserver fallback in
	// the lister needs one.
	ctx context.Context
}

// NewFilteredSecretsKubeInformerFactory builds the filtered factory. Both
// underlying factories are restricted to namespace (empty means the whole
// cluster) and resync at the given interval; typedClient is also kept for
// live apiserver reads by the Secret lister, and ctx is the root context
// those reads run under.
func NewFilteredSecretsKubeInformerFactory(ctx context.Context, typedClient kubernetes.Interface, metadataClient metadata.Interface, resync time.Duration, namespace string) KubeInformerFactory {
	typed := kubeinformers.NewSharedInformerFactoryWithOptions(typedClient, resync, kubeinformers.WithNamespace(namespace))

	// Server-side filter: the metadata factory only lists/watches Secrets
	// without the cert-manager label.
	unlabelledOnly := func(listOptions *metav1.ListOptions) {
		listOptions.LabelSelector = isNotCertManagerSecretLabelSelector.String()
	}
	meta := metadatainformer.NewFilteredSharedInformerFactory(metadataClient, resync, namespace, unlabelledOnly)

	return &filteredSecretsFactory{
		typedInformerFactory:    typed,
		metadataInformerFactory: meta,
		client:                  typedClient,
		// namespace is set to a non-empty value if cert-manager
		// controller is scoped to a single namespace via --namespace
		// flag
		namespace: namespace,
		// Go recommends to not store context in
		// structs, but here we have no other way as we need to use root context inside
		// Get whose signature is defined upstream and does not accept context
		ctx: ctx,
	}
}

// Start starts the informers of both underlying factories; it does not block.
func (bf *filteredSecretsFactory) Start(stopCh <-chan struct{}) {
	bf.typedInformerFactory.Start(stopCh)
	bf.metadataInformerFactory.Start(stopCh)
}

// WaitForCacheSync waits for both factories' caches and merges the results.
// The two upstream results are keyed by different types (reflect.Type and
// schema.GroupVersionResource); both have a String method, so the keys are
// stringified into one map.
func (bf *filteredSecretsFactory) WaitForCacheSync(stopCh <-chan struct{}) map[string]bool {
	typedSynced := bf.typedInformerFactory.WaitForCacheSync(stopCh)
	metaSynced := bf.metadataInformerFactory.WaitForCacheSync(stopCh)

	merged := make(map[string]bool, len(typedSynced)+len(metaSynced))
	for typ, ok := range typedSynced {
		merged[typ.String()] = ok
	}
	for gvr, ok := range metaSynced {
		merged[gvr.String()] = ok
	}
	return merged
}

// Shutdown stops both underlying factories.
func (bf *filteredSecretsFactory) Shutdown() {
	bf.typedInformerFactory.Shutdown()
	bf.metadataInformerFactory.Shutdown()
}

// Ingresses returns the upstream networking/v1 Ingress informer (unfiltered).
func (bf *filteredSecretsFactory) Ingresses() networkingv1informers.IngressInformer {
	return bf.typedInformerFactory.Networking().V1().Ingresses()
}

// CertificateSigningRequests returns the upstream certificates/v1
// CertificateSigningRequest informer (unfiltered).
func (bf *filteredSecretsFactory) CertificateSigningRequests() certificatesv1.CertificateSigningRequestInformer {
	return bf.typedInformerFactory.Certificates().V1().CertificateSigningRequests()
}

// Secrets returns the two-cache SecretInformer. The typed Secret informer it
// registers is server-side filtered to cert-manager-labelled Secrets and
// carries the namespace index so namespaced listers work.
func (bf *filteredSecretsFactory) Secrets() SecretInformer {
	newTyped := func(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
		indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
		labelledOnly := func(listOptions *metav1.ListOptions) {
			listOptions.LabelSelector = isCertManageSecretLabelSelector.String()
		}
		return corev1informers.NewFilteredSecretInformer(client, bf.namespace, resyncPeriod, indexers, labelledOnly)
	}

	return &filteredSecretInformer{
		typedInformerFactory:    bf.typedInformerFactory,
		metadataInformerFactory: bf.metadataInformerFactory,
		namespace:               bf.namespace,
		typedClient:             bf.client.CoreV1(),
		newTyped:                newTyped,
		ctx:                     bf.ctx,
	}
}
// filteredSecretInformer is the SecretInformer that fronts two caches: the
// typed informer (full Secrets, cert-manager-labelled only) and the metadata
// informer (PartialObjectMetadata for every other Secret).
type filteredSecretInformer struct {
	typedInformerFactory    kubeinformers.SharedInformerFactory
	metadataInformerFactory metadatainformer.SharedInformerFactory
	typedClient             typedcorev1.SecretsGetter
	newTyped                internalinterfaces.NewInformerFunc
	namespace               string
	// Go recommends to not store context in
	// structs, but here we have no other way as we need to use root context inside
	// Get whose signature is defined upstream and does not accept context
	ctx context.Context
}

// typedSecretInformer registers (or looks up) the filtered typed Secret
// informer in the typed factory.
func (f *filteredSecretInformer) typedSecretInformer() cache.SharedIndexInformer {
	return f.typedInformerFactory.InformerFor(&corev1.Secret{}, f.newTyped)
}

// metadataSecretInformer registers (or looks up) the metadata-only Secret
// informer in the metadata factory.
func (f *filteredSecretInformer) metadataSecretInformer() cache.SharedIndexInformer {
	return f.metadataInformerFactory.ForResource(secretsGVR).Informer()
}

// Informer returns a single Informer that fans out to both underlying
// informers. partialMetadataRemoveAll is installed as the metadata informer's
// transform so cached metadata carries no labels, annotations or managed
// fields. client-go rejects SetTransform once the informer has started; that
// would be a programming error here, hence the panic.
func (f *filteredSecretInformer) Informer() Informer {
	typed := f.typedSecretInformer()
	meta := f.metadataSecretInformer()
	if err := meta.SetTransform(partialMetadataRemoveAll); err != nil {
		panic(fmt.Sprintf("internal error: error setting transformer on the metadata informer: %v", err))
	}
	return &informer{typedInformer: typed, metadataInformer: meta}
}

// Lister returns a SecretLister that reads from both informers' indexers and
// falls back to typedClient for Secrets only present as metadata.
func (f *filteredSecretInformer) Lister() SecretLister {
	typedLister := corev1listers.NewSecretLister(f.typedSecretInformer().GetIndexer())
	metadataLister := metadatalister.New(f.metadataSecretInformer().GetIndexer(), secretsGVR)
	return &secretLister{
		typedClient:           f.typedClient,
		namespace:             f.namespace,
		typedLister:           typedLister,
		partialMetadataLister: metadataLister,
		ctx:                   f.ctx,
	}
}
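// informer is the Informer implementation that fans out to the typed and the
// metadata-only Secret informers so callers see a single informer.
type informer struct {
	typedInformer    cache.SharedIndexInformer
	metadataInformer cache.SharedIndexInformer
}

// HasSynced reports true only once both underlying informers have synced.
func (i *informer) HasSynced() bool {
	return i.typedInformer.HasSynced() && i.metadataInformer.HasSynced()
}

// AddEventHandler registers handler with both underlying informers, metadata
// first. If the typed registration fails, the metadata registration is rolled
// back so the handler is never left attached to only one informer, and the
// error from the failed registration is returned.
//
// The returned registration is always nil: the two upstream registrations are
// not combined into one handle, so callers cannot remove the handler again
// through this Informer.
func (i *informer) AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error) {
	metaReg, err := i.metadataInformer.AddEventHandler(handler)
	if err != nil {
		return nil, err
	}
	if _, err := i.typedInformer.AddEventHandler(handler); err != nil {
		// Best-effort rollback; the registration error is the one worth
		// reporting to the caller.
		_ = i.metadataInformer.RemoveEventHandler(metaReg)
		return nil, err
	}
	return nil, nil
}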
// secretLister is the SecretLister implementation over the typed and partial
// metadata caches. It holds no lookup logic itself: Secrets(namespace)
// produces the namespaced lister that does the conditional GET/LIST work
// against the caches and the kube apiserver.
type secretLister struct {
	namespace             string
	partialMetadataLister metadatalister.Lister
	typedLister           corev1listers.SecretLister
	typedClient           typedcorev1.SecretsGetter
	// Go recommends to not store context in
	// structs, but here we have no other way as we need to use root context inside
	// Get whose signature is defined upstream and does not accept context
	ctx context.Context
}

// Secrets returns a SecretNamespaceLister for namespace that shares this
// lister's caches, client and root context.
func (sl *secretLister) Secrets(namespace string) corev1listers.SecretNamespaceLister {
	nsLister := secretNamespaceLister{
		namespace:             namespace,
		partialMetadataLister: sl.partialMetadataLister,
		typedLister:           sl.typedLister,
		typedClient:           sl.typedClient,
		ctx:                   sl.ctx,
	}
	return &nsLister
}
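var _ corev1listers.SecretNamespaceLister = &secretNamespaceLister{}

// secretNamespaceLister is an implementation of
// corelisters.SecretNamespaceLister
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/listers/core/v1/secret.go#L62-L72
// scoped to a single namespace. It resolves Secrets from two caches plus the
// kube apiserver:
//   - the typed cache holds full Secret objects, but only for Secrets
//     labelled as managed by cert-manager;
//   - the partial metadata cache holds PartialObjectMetadata (with labels,
//     annotations and managed fields stripped) for every other Secret.
//
// A Secret that is only known to the metadata cache is fetched in full from
// the kube apiserver, so callers always receive complete objects.
type secretNamespaceLister struct {
	namespace             string
	partialMetadataLister metadatalister.Lister
	typedLister           corev1listers.SecretLister
	typedClient           typedcorev1.SecretsGetter
	// Go recommends to not store context in
	// structs, but here we have no other way as we need to use root context inside
	// Get whose signature is defined upstream and does not accept context
	ctx context.Context
}

// Get returns the Secret called name in snl.namespace.
//
// Lookup order: typed cache, then metadata cache. If the metadata cache knows
// the Secret, the full object is read live from the kube apiserver (after
// logging a warning if the typed cache also had it, which indicates a stale
// cache). If only the typed cache has it, the cached object is returned.
//
// Returns a NotFound error for the core "secrets" resource when neither cache
// has the Secret, and a wrapped error when a cache lookup fails for any other
// reason; errors from the apiserver fallback are returned as-is.
func (snl *secretNamespaceLister) Get(name string) (*corev1.Secret, error) {
	log := logf.FromContext(snl.ctx)
	log = log.WithValues("secret", name, "namespace", snl.namespace)

	var secretFoundInTypedCache, secretFoundInMetadataCache bool

	secret, typedCacheErr := snl.typedLister.Secrets(snl.namespace).Get(name)
	if typedCacheErr == nil {
		secretFoundInTypedCache = true
	}
	if typedCacheErr != nil && !apierrors.IsNotFound(typedCacheErr) {
		log.Error(typedCacheErr, "error getting secret from typed cache")
		return nil, fmt.Errorf("error retrieving secret from the typed cache: %w", typedCacheErr)
	}

	_, partialMetadataGetErr := snl.partialMetadataLister.Namespace(snl.namespace).Get(name)
	if partialMetadataGetErr == nil {
		secretFoundInMetadataCache = true
	}
	if partialMetadataGetErr != nil && !apierrors.IsNotFound(partialMetadataGetErr) {
		log.Error(partialMetadataGetErr, "error getting secret from metadata cache")
		return nil, fmt.Errorf("error retrieving object from partial object metadata cache: %w", partialMetadataGetErr)
	}

	if secretFoundInMetadataCache {
		// The two caches are fed by disjoint label selectors, so a Secret in
		// both means at least one cache is stale; prefer the apiserver's view.
		if secretFoundInTypedCache {
			key := types.NamespacedName{Namespace: snl.namespace, Name: name}
			log.Info(fmt.Sprintf("warning: possible internal error: stale cache: secret found both in typed cache and in partial cache: %s", pleaseOpenIssue), "secret", key)
		}
		return snl.typedClient.Secrets(snl.namespace).Get(snl.ctx, name, metav1.GetOptions{})
	}

	if secretFoundInTypedCache {
		return secret, nil
	}

	// Neither cache knows the Secret.
	return nil, apierrors.NewNotFound(schema.GroupResource{Group: corev1.GroupName, Resource: corev1.ResourceSecrets.String()}, name)
}

// List returns every Secret in snl.namespace matching selector.
//
// Both caches are consulted and both lookups are restricted to the lister's
// namespace; Secrets only known to the metadata cache are fetched in full from
// the kube apiserver. Because partialMetadataRemoveAll strips labels from
// cached metadata, a selector with label requirements is not expected to match
// anything in the metadata cache, so that path is effectively only reachable
// with an empty selector. The result is assembled from a map, so its order is
// not stable between calls.
//
// Returns a wrapped error if either cache list fails or an apiserver fetch
// fails.
func (snl *secretNamespaceLister) List(selector labels.Selector) ([]*corev1.Secret, error) {
	log := logf.FromContext(snl.ctx)
	log = log.WithValues("secrets namespace", snl.namespace, "secrets selector", selector.String())

	matchingSecretsMap := make(map[types.NamespacedName]*corev1.Secret)

	// Scope the lookup to this lister's namespace: the cluster-wide
	// SecretLister.List would return matching Secrets from every namespace,
	// which a SecretNamespaceLister must never do.
	typedSecrets, err := snl.typedLister.Secrets(snl.namespace).List(selector)
	if err != nil {
		log.Error(err, "error listing Secrets from typed cache")
		return nil, fmt.Errorf("error listing Secrets from typed cache: %w", err)
	}
	for _, secret := range typedSecrets {
		key := types.NamespacedName{Namespace: secret.Namespace, Name: secret.Name}
		matchingSecretsMap[key] = secret
	}

	// Same namespace scoping for the metadata cache. This also guarantees the
	// apiserver Get below, which uses snl.namespace, fetches the object the
	// cache entry actually refers to.
	metadataSecrets, err := snl.partialMetadataLister.Namespace(snl.namespace).List(selector)
	if err != nil {
		log.Error(err, "error listing Secrets from metadata only cache")
		return nil, fmt.Errorf("error listing Secrets from metadata only cache: %w", err)
	}
	if len(metadataSecrets) > 0 {
		// We currently do not LIST unlabelled Secrets. This log line is
		// here in case we do it sometime in the future at which point
		// we can see whether the metadata functionality is performant
		// enough.
		log.V(logf.InfoLevel).Info("unexpected behaviour: secrets LISTed from metadata cache. Please open an issue")
	}

	// In practice this section is not expected to be used: the only place
	// Secrets are LISTed is the keymanager controller, which lists temporary
	// Certificate Secrets that are all labelled and therefore in the typed
	// cache.
	for _, secretMeta := range metadataSecrets {
		key := types.NamespacedName{Namespace: secretMeta.Namespace, Name: secretMeta.Name}
		if _, ok := matchingSecretsMap[key]; ok {
			log.Info(fmt.Sprintf("warning: possible internal error: stale cache: secret found both in typed cache and in partial cache: %s", pleaseOpenIssue), "secret name", secretMeta.Name)
			// in case of duplicates, the apiserver version overwrites the cached one below
		}
		secret, err := snl.typedClient.Secrets(snl.namespace).Get(snl.ctx, secretMeta.Name, metav1.GetOptions{})
		if err != nil {
			log.Error(err, "error retrieving secret from kube apiserver", "secret name", secretMeta.Name)
			return nil, fmt.Errorf("error retrieving Secret from kube apiserver: %w", err)
		}
		matchingSecretsMap[key] = secret
	}

	matchingSecrets := make([]*corev1.Secret, 0, len(matchingSecretsMap))
	for _, val := range matchingSecretsMap {
		matchingSecrets = append(matchingSecrets, val)
	}
	return matchingSecrets, nil
}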
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package informers
import (
"context"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/watch"
applyconfigcorev1 "k8s.io/client-go/applyconfigurations/core/v1"
typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/metadata/metadatalister"
)
// FakeSecretLister is a fake of SecretLister
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/listers/core/v1/secret.go#L28-L37
// List is delegated to FakeList; Secrets ignores its namespace argument and
// always hands back NamespaceLister.
type FakeSecretLister struct {
	NamespaceLister FakeSecretNamespaceLister
	FakeList        func(labels.Selector) ([]*corev1.Secret, error)
}

// List delegates to FakeList, which the test must set (a nil FakeList panics).
func (l FakeSecretLister) List(selector labels.Selector) ([]*corev1.Secret, error) {
	list := l.FakeList
	return list(selector)
}

// Secrets returns NamespaceLister regardless of namespace.
func (l FakeSecretLister) Secrets(namespace string) corev1listers.SecretNamespaceLister {
	nsLister := l.NamespaceLister
	return nsLister
}
// FakeSecretNamespaceLister is a fake of SecretNamespaceLister
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/listers/core/v1/secret.go#L62-L72.
// Both methods delegate to the test-supplied functions; an unset function
// panics when called.
type FakeSecretNamespaceLister struct {
	FakeList func(labels.Selector) ([]*corev1.Secret, error)
	FakeGet  func(string) (*corev1.Secret, error)
}

// List delegates to FakeList.
func (l FakeSecretNamespaceLister) List(selector labels.Selector) ([]*corev1.Secret, error) {
	list := l.FakeList
	return list(selector)
}

// Get delegates to FakeGet.
func (l FakeSecretNamespaceLister) Get(name string) (*corev1.Secret, error) {
	get := l.FakeGet
	return get(name)
}
// FakeMetadataLister is a fake of metadata Lister
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/metadata/metadatalister/interface.go#L24-L32
// List and Get delegate to the test-supplied functions; Namespace ignores its
// argument and always returns NamespaceLister.
type FakeMetadataLister struct {
	FakeList        func(labels.Selector) ([]*metav1.PartialObjectMetadata, error)
	FakeGet         func(string) (*metav1.PartialObjectMetadata, error)
	NamespaceLister metadatalister.NamespaceLister
}

// List delegates to FakeList.
func (l FakeMetadataLister) List(selector labels.Selector) ([]*metav1.PartialObjectMetadata, error) {
	list := l.FakeList
	return list(selector)
}

// Get delegates to FakeGet.
func (l FakeMetadataLister) Get(name string) (*metav1.PartialObjectMetadata, error) {
	get := l.FakeGet
	return get(name)
}

// Namespace returns NamespaceLister for any namespace.
func (l FakeMetadataLister) Namespace(string) metadatalister.NamespaceLister {
	nsLister := l.NamespaceLister
	return nsLister
}
// FakeMetadataNamespaceLister is a fake of metadata NamespaceLister
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/metadata/metadatalister/interface.go#L34-L40
// Both methods delegate to the test-supplied functions.
type FakeMetadataNamespaceLister struct {
	FakeList func(labels.Selector) ([]*metav1.PartialObjectMetadata, error)
	FakeGet  func(string) (*metav1.PartialObjectMetadata, error)
}

// List delegates to FakeList.
func (l FakeMetadataNamespaceLister) List(selector labels.Selector) ([]*metav1.PartialObjectMetadata, error) {
	list := l.FakeList
	return list(selector)
}

// Get delegates to FakeGet.
func (l FakeMetadataNamespaceLister) Get(name string) (*metav1.PartialObjectMetadata, error) {
	get := l.FakeGet
	return get(name)
}
// FakeSecretsGetter is a fake of corev1 SecretsGetter
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/kubernetes/typed/core/v1/secret.go#L33-L37
// Secrets delegates to the test-supplied FakeSecrets.
type FakeSecretsGetter struct {
	FakeSecrets func(string) typedcorev1.SecretInterface
}

// Secrets delegates to FakeSecrets with the requested namespace.
func (g FakeSecretsGetter) Secrets(namespace string) typedcorev1.SecretInterface {
	secrets := g.FakeSecrets
	return secrets(namespace)
}
// FakeSecretInterface is a fake of corev1 SecretInterface
// https://github.com/kubernetes/client-go/blob/0382bf0f53b2294d4ac448203718f0ba774a477d/kubernetes/typed/core/v1/secret.go#L39-L50
// Only Get and List are backed by test-supplied functions; every other method
// panics with "not implemented".
type FakeSecretInterface struct {
	FakeGet  func(context.Context, string, metav1.GetOptions) (*corev1.Secret, error)
	FakeList func(context.Context, metav1.ListOptions) (*corev1.SecretList, error)
}

// Get delegates to FakeGet.
func (i FakeSecretInterface) Get(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Secret, error) {
	get := i.FakeGet
	return get(ctx, name, opts)
}

// List delegates to FakeList.
func (i FakeSecretInterface) List(ctx context.Context, opts metav1.ListOptions) (*corev1.SecretList, error) {
	list := i.FakeList
	return list(ctx, opts)
}

// Create is not supported by this fake and panics.
func (i FakeSecretInterface) Create(ctx context.Context, secret *corev1.Secret, opts metav1.CreateOptions) (*corev1.Secret, error) {
	panic("not implemented")
}

// Update is not supported by this fake and panics.
func (i FakeSecretInterface) Update(ctx context.Context, secret *corev1.Secret, opts metav1.UpdateOptions) (*corev1.Secret, error) {
	panic("not implemented")
}

// Delete is not supported by this fake and panics.
func (i FakeSecretInterface) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error {
	panic("not implemented")
}

// DeleteCollection is not supported by this fake and panics.
func (i FakeSecretInterface) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error {
	panic("not implemented")
}

// Watch is not supported by this fake and panics.
func (i FakeSecretInterface) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) {
	panic("not implemented")
}

// Patch is not supported by this fake and panics.
func (i FakeSecretInterface) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *corev1.Secret, err error) {
	panic("not implemented")
}

// Apply is not supported by this fake and panics.
func (i FakeSecretInterface) Apply(ctx context.Context, secret *applyconfigcorev1.SecretApplyConfiguration, opts metav1.ApplyOptions) (result *corev1.Secret, err error) {
	panic("not implemented")
}
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package informers
import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/cache"
)
var _ cache.TransformFunc = partialMetadataRemoveAll

// partialMetadataRemoveAll is the cache.TransformFunc applied to the
// metadata-only Secret informer. It clears Labels, Annotations and
// ManagedFields on each *metav1.PartialObjectMetadata before it is stored, so
// the cache does not retain those (potentially large) fields; every other
// field is left untouched. The object is modified in place and returned.
//
// Anything that is not a *metav1.PartialObjectMetadata is rejected with an
// error, which the informer surfaces as a transform failure.
func partialMetadataRemoveAll(obj interface{}) (interface{}, error) {
	meta, isPartialMeta := obj.(*metav1.PartialObjectMetadata)
	if !isPartialMeta {
		return nil, fmt.Errorf("internal error: cannot cast object %#+v to PartialObjectMetadata", obj)
	}
	meta.Labels, meta.Annotations, meta.ManagedFields = nil, nil, nil
	return meta, nil
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kube
import (
"fmt"
"os"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
)
// BuildClientConfig returns the rest.Config used to reach the kube apiserver.
// With neither apiServerHost nor kubeConfig set it uses the in-cluster
// service-account configuration; otherwise the config is assembled from the
// kubeconfig file at kubeConfig (which may be empty) with apiServerHost as
// an explicit host override.
func BuildClientConfig(apiServerHost string, kubeConfig string) (*rest.Config, error) {
	inCluster := apiServerHost == "" && kubeConfig == ""
	if inCluster {
		return rest.InClusterConfig()
	}
	getter := getKubeConfigGetter(kubeConfig)
	return clientcmd.BuildConfigFromKubeconfigGetter(apiServerHost, getter)
}
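// getKubeConfigGetter returns a clientcmd.KubeconfigGetter that loads the
// kubeconfig file at kubeConfig each time it is called.
//
// The getter returns:
//   - an empty clientcmdapi.Config and a nil error when kubeConfig is "", so
//     clientcmd falls back to its defaults plus any explicit host override;
//   - an empty config and the original os error when the file does not
//     exist, left unwrapped so os.IsNotExist keeps working for callers;
//   - an empty config and a wrapped error for any other load failure.
func getKubeConfigGetter(kubeConfig string) clientcmd.KubeconfigGetter {
	return func() (*clientcmdapi.Config, error) {
		if len(kubeConfig) == 0 {
			return clientcmdapi.NewConfig(), nil
		}
		cfg, err := clientcmd.LoadFromFile(kubeConfig)
		if os.IsNotExist(err) {
			return clientcmdapi.NewConfig(), err
		}
		if err != nil {
			// %w rather than %v so the underlying error stays reachable via
			// errors.Is / errors.As.
			return clientcmdapi.NewConfig(), fmt.Errorf("error loading config file \"%s\": %w", kubeConfig, err)
		}
		return cfg, nil
	}
}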
/*
Copyright 2024 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package pem provides utility functions for safely decoding PEM data, placing upper limits on the size
// of data that will be processed. It functions as an extension to the standard library "encoding/pem" functions.
package pem
import (
stdpem "encoding/pem"
"errors"
"fmt"
)
// The constants below are estimates at reasonable upper bounds for sizes of PEM data that cert-manager might encounter.
// cert-manager supports RSA, ECDSA and Ed25519 keys, of which RSA keys are by far the largest.
// We'll aim to support RSA certs / keys which are larger than the maximum size (defined in pkg/util/pki.MaxRSAKeySize).
// RSA keys grow proportional to the size of the RSA key used. For example:
// PEM-encoded RSA Keys: 4096-bit is ~3kB, 8192-bit is ~6kB and a 16k-bit key is ~12kB.
// Certificates have two variables that we can estimate easily; the public key of the cert, and the signature from the signing cert.
// An N-bit key produces an (N/8)-byte signature, so as a worst case for us, a 16kB RSA key will create a 2kB signature.
// PEM-encoded RSA X.509 certificates:
// Signed with 1k-bit RSA key: 4096-bit is ~1.4kB, 8192-bit is ~2kB, 16k-bit is ~3.5kB
// Signed with 16k-bit RSA key: 4096-bit is ~3.3kB, 8192-bit is ~4kB, 16k-bit is ~5.4kB
// See https://fm4dd.com/openssl/certexamples.shtm for examples of large RSA certs / keys
// A further factor more usually for leaf certificates is the number of identities contained within the certificate - usually, DNS names.
// Adding one DNS name to a certificate experimentally adds the length of the DNS name itself, plus about 20 bytes of overhead.
// We've seen[0] some certificates with 250+ DNS names, which could add up to about 30kB of extra size to a certificate given very long DNS names.
// Generally, issuer certificates will not contain vast amounts of identities, so we can assume a difference in the size of leaf and issuer certificates,
// with issuer certificates being dominated by the size of the public key and signature, while leaf certificates can vary greatly but may be significantly larger
// than issuer certificates due to the number of identities they contain.
// [0]: https://github.com/cert-manager/cert-manager/pull/7642#issuecomment-3129868718
const (
	// maxCACertificatePEMSize is the maximum size in bytes expected for a single PEM-encoded X.509 CA certificate. In practice, this is smaller than the
	// maximum size which will be accepted by SafeDecodeSingleCertificate, because CA certificates generally won't contain large numbers of identities.
	// The value is based on how large a "realistic" (but still very large) 16k-bit RSA CA certificate might be, plus about a kilobyte of extra data.
	// 16k-bit RSA keys are impractical on most modern hardware due to how slow they can be,
	// so we can reasonably assume that no real-world PEM-encoded X.509 cert will be larger than this because of the key size.
	maxCACertificatePEMSize = 6500

	// maxLeafCertificatePEMSize is the maximum size in bytes expected for a single PEM-encoded X.509 certificate which SafeDecodeSingleCertificate will accept.
	// The value is based on how large a "realistic" (but still very large) self-signed 16k-bit RSA certificate might be, plus
	// a significant amount of extra data for potentially hundreds of DNS names, policy names, etc.
	// See the comment for maxCACertificatePEMSize for more details on why we use a 16k-bit RSA key.
	// 30000 is a rounded-up estimate for about 250 large DNS names.
	// This is also the limit used by SafeDecodeCSR, on the assumption that a CSR is at most about as large as a leaf certificate.
	maxLeafCertificatePEMSize = 30000 + maxCACertificatePEMSize

	// maxPrivateKeyPEMSize is the maximum size, in bytes, of PEM-encoded private keys which SafeDecodePrivateKey will accept.
	// cert-manager supports RSA, ECDSA and Ed25519 keys, of which RSA is by far the largest.
	// The value is based on how large a "realistic" (but very large) 16k-bit RSA private key might be.
	// Given that 16k-bit RSA keys are so slow to use as to be impractical on modern hardware,
	// we can reasonably assume that no real-world PEM-encoded key will be this large.
	maxPrivateKeyPEMSize = 13000

	// maxCertsInChain is the maximum number of 16k-bit RSA certificates signed by 16k-bit RSA CAs we'll allow in a given call to SafeDecodeCertificateChain.
	// This is _not_ the maximum number of certificates cert-manager will process in a given chain, which could be much larger.
	// This is simply the maximum number of worst-case certificates we'll accept in a chain when parsing PEM data.
	maxCertsInChain = 10

	// maxCertificateChainSize assumes a chain of CA certificates - which we expect to be smaller, generally -
	// plus one leaf certificate which can be much larger due to the number of identities it contains.
	// See comments for individual constants for more details on the sizes of the certificates.
	// The limit is applied to the whole PEM input, not per block, so it bounds the total bytes parsed.
	maxCertificateChainSize = (maxCertsInChain-1)*maxCACertificatePEMSize + maxLeafCertificatePEMSize

	// maxCertsInTrustBundle is an estimated upper-bound for how many large certs might appear in a PEM-encoded trust bundle,
	// based on the cert-manager `cert-manager-package-debian` bundle [1] which contains 129 certificates.
	// This isn't an upper bound on how many certificates can appear and be parsed; just a reasonable upper bound if using
	// exclusively large RSA certs (see estimatedCACertSize)
	// In practice, trust stores will contain ECDSA/EdDSA certificates which are smaller than RSA certs, and so will be able to have more certificates
	// than maxCertsInTrustBundle if needed.
	// [1] quay.io/jetstack/cert-manager-package-debian:20210119.0@sha256:116133f68938ef568aca17a0c691d5b1ef73a9a207029c9a068cf4230053fed5
	maxCertsInTrustBundle = 150

	// estimatedCACertSize is a guess of how many bytes a large realistic CA cert in a trust bundle cert might be. This is slightly larger
	// than a typical self-signed 4096-bit RSA cert (which is just under 2kB).
	// For other estimates (i.e. maxCACertificatePEMSize and maxLeafCertificatePEMSize) we use a much larger RSA key, but using such a large RSA key would make
	// maxBundleSize's estimate unrealistically large when compared to real-world trust bundles (such as the widely used Mozilla CA trust store)
	estimatedCACertSize = 2200

	// maxBundleSize is an estimate for the max reasonable size for a PEM-encoded TLS trust bundle.
	// See also comments for maxCertsInTrustBundle and estimatedCACertSize.
	// This estimate is ultimately based on the cert-manager `cert-manager-package-debian` bundle [1] which contains 129 certificates, totalling ~196kB of data.
	// [1] quay.io/jetstack/cert-manager-package-debian:20210119.0@sha256:116133f68938ef568aca17a0c691d5b1ef73a9a207029c9a068cf4230053fed5
	maxBundleSize = maxCertsInTrustBundle * estimatedCACertSize
)
var (
	// ErrNoPEMData is returned when the given data contained no PEM
	ErrNoPEMData = errors.New("no PEM data was found in given input")
)

// ErrPEMDataTooLarge is returned when the given data is larger than the maximum allowed
// for the kind of object being decoded. Its integer value is that maximum, in bytes.
type ErrPEMDataTooLarge int //nolint:errname

// Error returns an error string naming the exceeded limit.
func (e ErrPEMDataTooLarge) Error() string {
	limit := int(e)
	return fmt.Sprintf("provided PEM data was larger than the maximum %dB", limit)
}

// safeDecodeInternal is the shared implementation behind the SafeDecode* functions.
//
// The length check is applied to the whole input before any parsing happens,
// so an input whose first PEM block is small but which carries a large trailing
// payload is still rejected. That is the property which bounds the work done on
// untrusted PEM data.
//
// Returns the first PEM block and the remaining bytes, exactly as
// [encoding/pem.Decode] does. On failure the block is nil and the error is
// ErrPEMDataTooLarge(maxSize) (with rest being the untouched input) or
// ErrNoPEMData (with rest being whatever Decode returned).
func safeDecodeInternal(b []byte, maxSize int) (*stdpem.Block, []byte, error) {
	if size := len(b); size > maxSize {
		return nil, b, ErrPEMDataTooLarge(maxSize)
	}
	block, rest := stdpem.Decode(b)
	if block != nil {
		return block, rest, nil
	}
	return nil, rest, ErrNoPEMData
}
// SafeDecodePrivateKey calls [encoding/pem.Decode] on the given input as long as
// it's within a sensible range for how large we expect a private key to be. The
// baseline is a 16k-bit RSA private key, which is larger than the maximum
// supported by cert-manager for key generation.
//
// Returns the first PEM block and the remaining bytes; ErrPEMDataTooLarge if the
// whole input exceeds maxPrivateKeyPEMSize, ErrNoPEMData if no block was found.
func SafeDecodePrivateKey(b []byte) (*stdpem.Block, []byte, error) {
	const limit = maxPrivateKeyPEMSize
	return safeDecodeInternal(b, limit)
}
// SafeDecodeCSR decodes the first PEM block of b, as [encoding/pem.Decode] would, but
// only when b is within the size budget for a single PKCS#10 certificate signing request.
// A CSR is assumed to be at most as large as a leaf certificate — both grow with the public
// key, the signature and the number of identities carried — so the leaf certificate
// budget (maxLeafCertificatePEMSize) is reused here. Oversized input yields
// ErrPEMDataTooLarge before any parsing takes place.
func SafeDecodeCSR(b []byte) (*stdpem.Block, []byte, error) {
	limit := maxLeafCertificatePEMSize
	return safeDecodeInternal(b, limit)
}
// SafeDecodeSingleCertificate decodes the first PEM block of b, as [encoding/pem.Decode]
// would, but only when b is within the size budget for a single X.509 leaf certificate
// (maxLeafCertificatePEMSize). The budget assumes a 16k-bit RSA certificate signed by a
// different 16k-bit RSA CA and carrying a very large number of long DNS names, so it is
// comfortably above the size of a typical CA certificate, which usually has few
// identities. Oversized input yields ErrPEMDataTooLarge before any parsing takes place.
func SafeDecodeSingleCertificate(b []byte) (*stdpem.Block, []byte, error) {
	limit := maxLeafCertificatePEMSize
	return safeDecodeInternal(b, limit)
}
// SafeDecodeCertificateChain decodes the first PEM block of b, as [encoding/pem.Decode]
// would, but only when b is within the size budget for a reasonable-length X.509
// certificate chain (maxCertificateChainSize): several average-sized CA certificates plus
// one potentially much larger leaf. Oversized input yields ErrPEMDataTooLarge before any
// parsing takes place.
func SafeDecodeCertificateChain(b []byte) (*stdpem.Block, []byte, error) {
	limit := maxCertificateChainSize
	return safeDecodeInternal(b, limit)
}
// SafeDecodeCertificateBundle decodes the first PEM block of b, as [encoding/pem.Decode]
// would, but only when b is within the size budget for a reasonable-length X.509
// certificate bundle such as a TLS trust store (maxBundleSize). The budget is modelled
// on a bundle of self-signed 4k-bit RSA certificates rather than the 16k-bit keys used
// by the other helpers: with such large keys the estimate would be several times too big
// for any bundle used in practice. Oversized input yields ErrPEMDataTooLarge before any
// parsing takes place.
func SafeDecodeCertificateBundle(b []byte) (*stdpem.Block, []byte, error) {
	limit := maxBundleSize
	return safeDecodeInternal(b, limit)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
"errors"
"testing"
vault "github.com/hashicorp/vault/api"
)
// FakeClient is a test double for the vault.Client interface used by the Vault issuer.
// Each method either records its input or returns a canned value configured through the
// With* helpers, so tests can drive the issuer without a Vault server.
type FakeClient struct {
	// NewRequestS is handed back unchanged by NewRequest, whatever method or path is asked for.
	NewRequestS *vault.Request
	// RawRequestFn is invoked by RawRequest with the request it receives.
	RawRequestFn func(r *vault.Request) (*vault.Response, error)
	// GotToken records the last value passed to SetToken.
	GotToken string
	// T is forwarded to the callback installed by WithRawRequestFn; it may be nil.
	T *testing.T
}
// NewFakeClient returns a FakeClient whose NewRequest yields an empty vault.Request and
// whose RawRequest fails with "unexpected RawRequest call" until a test installs a
// response via WithRawRequest or WithRawRequestFn.
func NewFakeClient() *FakeClient {
	fc := &FakeClient{NewRequestS: new(vault.Request)}
	fc.RawRequestFn = func(_ *vault.Request) (*vault.Response, error) {
		return nil, errors.New("unexpected RawRequest call")
	}
	return fc
}
// CloneConfig returns a fresh vault.DefaultConfig(). The fake keeps no configuration of
// its own, so callers always receive library defaults rather than a copy of anything.
func (c *FakeClient) CloneConfig() *vault.Config {
	cfg := vault.DefaultConfig()
	return cfg
}
// WithNewRequest installs r as the request returned by every NewRequest call and
// returns the receiver for chaining.
func (c *FakeClient) WithNewRequest(r *vault.Request) *FakeClient {
	fc := c
	fc.NewRequestS = r
	return fc
}
// WithRawRequest makes every RawRequest call return the fixed resp and err pair,
// ignoring the request, and returns the receiver for chaining.
func (c *FakeClient) WithRawRequest(resp *vault.Response, err error) *FakeClient {
	canned := func(_ *vault.Request) (*vault.Response, error) { return resp, err }
	c.RawRequestFn = canned
	return c
}
// WithRawRequestFn installs fn as the RawRequest handler. fn receives the fake's T field
// (read at call time, so it may be set after this call) together with the request, and
// the receiver is returned for chaining.
func (c *FakeClient) WithRawRequestFn(fn func(t *testing.T, r *vault.Request) (*vault.Response, error)) *FakeClient {
	c.RawRequestFn = func(r *vault.Request) (*vault.Response, error) {
		t := c.T
		return fn(t, r)
	}
	return c
}
// NewRequest ignores method and requestPath and returns the request configured via
// WithNewRequest (an empty vault.Request when built by NewFakeClient).
func (c *FakeClient) NewRequest(method, requestPath string) *vault.Request {
	_, _ = method, requestPath
	return c.NewRequestS
}
// SetToken records v in GotToken so a test can assert which token the issuer
// ended up authenticating with.
func (c *FakeClient) SetToken(v string) {
	token := v
	c.GotToken = token
}
// RawRequest delegates to RawRequestFn, which is the only behaviour the fake has.
func (c *FakeClient) RawRequest(r *vault.Request) (*vault.Response, error) {
	handler := c.RawRequestFn
	return handler(r)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package fake contains a fake Vault signer for use in tests
package fake
import (
"time"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// Vault is a mock implementation of the Vault interface. Each behaviour is a
// swappable function field so tests can script success or failure per call.
type Vault struct {
	// NewFn backs the New method; New still returns the receiver regardless of
	// which *Vault this function returns, only its error is propagated.
	NewFn func(string, internalinformers.SecretLister, cmapi.GenericIssuer) (*Vault, error)
	// SignFn backs Sign and is handed the CSR PEM and requested duration.
	SignFn func([]byte, time.Duration) ([]byte, []byte, error)
	// IsVaultInitializedAndUnsealedFn is installed by New() but, as written, the
	// IsVaultInitializedAndUnsealed method does not consult it.
	IsVaultInitializedAndUnsealedFn func() error
}
// New returns a fake Vault whose Sign reports success with nil PEM output, whose
// health function reports nil, and whose NewFn hands back the same fake.
func New() *Vault {
	fake := &Vault{}
	fake.SignFn = func(_ []byte, _ time.Duration) ([]byte, []byte, error) {
		return nil, nil, nil
	}
	fake.IsVaultInitializedAndUnsealedFn = func() error { return nil }
	fake.NewFn = func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer) (*Vault, error) {
		return fake, nil
	}
	return fake
}
// Sign implements `vault.Interface` by delegating to SignFn with the same arguments.
func (v *Vault) Sign(csrPEM []byte, duration time.Duration) ([]byte, []byte, error) {
	sign := v.SignFn
	return sign(csrPEM, duration)
}
// WithSign makes every Sign call return the fixed certPEM, caPEM and err, ignoring
// the CSR and duration, and returns the receiver for chaining.
func (v *Vault) WithSign(certPEM, caPEM []byte, err error) *Vault {
	canned := func(_ []byte, _ time.Duration) ([]byte, []byte, error) {
		return certPEM, caPEM, err
	}
	v.SignFn = canned
	return v
}
// WithNew replaces the function consulted by the New method and returns the
// receiver for chaining.
func (v *Vault) WithNew(f func(string, internalinformers.SecretLister, cmapi.GenericIssuer) (*Vault, error)) *Vault {
	fake := v
	fake.NewFn = f
	return fake
}
// New invokes NewFn with the given arguments and, unless it fails, returns the
// receiver itself; the *Vault produced by NewFn is discarded, only its error counts.
func (v *Vault) New(ns string, sl internalinformers.SecretLister, iss cmapi.GenericIssuer) (*Vault, error) {
	if _, err := v.NewFn(ns, sl, iss); err != nil {
		return nil, err
	}
	return v, nil
}
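// IsVaultInitializedAndUnsealed implements `vault.Interface` by delegating to
// IsVaultInitializedAndUnsealedFn, so a test can simulate a sealed or uninitialised
// Vault. Previously the field was installed by New() but never consulted, which made it
// impossible to exercise the issuer's unhealthy-Vault paths through this fake.
//
// The fake returned by New installs a function that reports nil; a zero-value Vault with
// no function configured also reports nil, matching the old always-healthy behaviour.
func (v *Vault) IsVaultInitializedAndUnsealed() error {
	if v.IsVaultInitializedAndUnsealedFn == nil {
		return nil
	}
	return v.IsVaultInitializedAndUnsealedFn()
}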
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package vault
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net/http"
"path"
"path/filepath"
"strings"
"time"
vault "github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/helper/certutil"
authv1 "k8s.io/api/authentication/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/ptr"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
// Compile-time check that *Vault satisfies Interface.
var _ Interface = (*Vault)(nil)
// ClientBuilder is a function type that returns a new Interface for the issuer in the
// given namespace; New has this shape. Tests substitute a builder that returns a mock
// signer so no Vault server is needed. The third argument produces the TokenRequest
// client used for Kubernetes auth, scoped to a namespace.
type ClientBuilder func(ctx context.Context, namespace string, _ func(ns string) CreateToken, _ internalinformers.SecretLister, _ v1.GenericIssuer) (Interface, error)
// Interface is the high-level contract the Vault issuer needs: check the server's
// status and have a certificate request signed by Vault's PKI engine.
type Interface interface {
	// Sign submits csrPEM for signing with the requested duration as the TTL and
	// returns the PEM-encoded certificate (chain) and CA.
	Sign(csrPEM []byte, duration time.Duration) (certPEM []byte, caPEM []byte, err error)
	// IsVaultInitializedAndUnsealed returns nil when the server reports it can serve
	// requests, and a descriptive error when it is sealed, uninitialised or unreachable.
	IsVaultInitializedAndUnsealed() error
}
// Client is the subset of the Vault API client that this package relies on, abstracted
// so tests can substitute a fake.
type Client interface {
	// NewRequest prepares a request for the given HTTP method and URL path; callers in
	// this package pass paths that already carry the /v1 prefix.
	NewRequest(method, requestPath string) *vault.Request
	// RawRequest sends r and returns the raw response; callers close the body.
	RawRequest(r *vault.Request) (*vault.Response, error)
	// SetToken installs the Vault client token used to authenticate later requests.
	SetToken(v string)
	// CloneConfig returns a copy of the client configuration, used to build the
	// short-lived client for certificate login.
	CloneConfig() *vault.Config
}
// CreateToken requests a bound service-account token (Kubernetes TokenRequest API) for
// the service account saName. It exists as a named type so tests can mock the
// TokenRequest call when exercising Kubernetes auth.
type CreateToken func(ctx context.Context, saName string, req *authv1.TokenRequest, opts metav1.CreateOptions) (*authv1.TokenRequest, error)
// Vault implements Interface and holds a Vault issuer, secrets lister and a
// Vault client.
type Vault struct {
	// createToken issues bound service-account tokens; it is already scoped to
	// the same namespace as the namespace field below.
	createToken   CreateToken
	// secretsLister is used to read referenced Secrets (CA bundle, client cert,
	// token, AppRole secret ID, Kubernetes auth JWT) from the issuer's namespace.
	secretsLister internalinformers.SecretLister
	issuer        v1.GenericIssuer
	namespace     string

	// The pattern below, of namespaced and non-namespaced Vault clients, is copied from Hashicorp Nomad:
	// https://github.com/hashicorp/nomad/blob/6e4410a9b13ce167bc7ef53da97c621b5c9dcd12/nomad/vault.go#L180-L190

	// client is the Vault API client used for Namespace-relative integrations
	// with the Vault API (anything except `/v1/sys`).
	// The namespace feature is only available in Vault Enterprise.
	// The namespace HTTP header (X-Vault-Namespace) is ignored by the open source version of Vault.
	// See https://www.vaultproject.io/docs/enterprise/namespaces
	client Client

	// clientSys is the Vault API client used for non-Namespace-relative integrations
	// with the Vault API (anything involving `/v1/sys`). This client is never configured
	// with a Vault namespace, because these endpoints may return errors if a namespace
	// header is provided.
	// Note that it is derived from client in New and therefore still carries the same
	// token, even though the only endpoint it is used for (sys/health) is unauthenticated.
	// See https://developer.hashicorp.com/vault/docs/enterprise/namespaces#root-only-api-paths
	clientSys Client
}
// New builds a Vault client for the given issuer and authenticates it.
//
// The TLS settings (server address, CA bundle, optional mTLS client certificate and
// ServerName) come from newConfig. The client is then scoped to the issuer's
// spec.vault.namespace — an empty namespace means no namespace headers are sent — and
// the credentials under spec.vault.auth are exchanged for a token via setToken using
// that namespaced client, since the auth mounts are expected to live in the
// configured namespace.
//
// A second client without a namespace is derived for root-only paths such as
// /v1/sys/health. It inherits the namespaced client's token for backwards
// compatibility even though sys/health is an unauthenticated endpoint.
//
// Returned errors may be transient network failures and are reasonable to retry.
func New(ctx context.Context, namespace string, createTokenFn func(ns string) CreateToken, secretsLister internalinformers.SecretLister, issuer v1.GenericIssuer) (Interface, error) {
	v := &Vault{
		createToken:   createTokenFn(namespace),
		secretsLister: secretsLister,
		issuer:        issuer,
		namespace:     namespace,
	}

	cfg, err := v.newConfig()
	if err != nil {
		return nil, err
	}
	baseClient, err := vault.NewClient(cfg)
	if err != nil {
		return nil, fmt.Errorf("error initializing Vault client: %s", err.Error())
	}

	namespaced := baseClient.WithNamespace(issuer.GetSpec().Vault.Namespace)
	if err := v.setToken(ctx, namespaced); err != nil {
		return nil, err
	}

	v.client = namespaced
	v.clientSys = namespaced.WithNamespace("")
	return v, nil
}
// Sign submits csrPEM to the Vault PKI sign endpoint configured on the issuer
// (spec.vault.path, mounted under /v1) and returns the PEM-encoded certificate chain and
// CA as produced by extractCertificatesFromVaultCertificateSecret.
//
// The CSR's CommonName and its DNS, IP and URI SANs are forwarded explicitly next to the
// raw CSR, exclude_cn_from_sans is set, and duration is passed as the requested ttl.
// Whether these identities are permitted is decided by Vault's role configuration; this
// function parses the CSR but applies no policy of its own.
func (v *Vault) Sign(csrPEM []byte, duration time.Duration) (cert []byte, ca []byte, err error) {
	parsedCSR, err := pki.DecodeX509CertificateRequestBytes(csrPEM)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to decode CSR for signing: %s", err)
	}

	body := map[string]string{
		"common_name":          parsedCSR.Subject.CommonName,
		"alt_names":            strings.Join(parsedCSR.DNSNames, ","),
		"ip_sans":              strings.Join(pki.IPAddressesToString(parsedCSR.IPAddresses), ","),
		"uri_sans":             strings.Join(pki.URLsToString(parsedCSR.URIs), ","),
		"ttl":                  duration.String(),
		"csr":                  string(csrPEM),
		"exclude_cn_from_sans": "true",
	}

	signURL := path.Join("/v1", v.issuer.GetSpec().Vault.Path)
	req := v.client.NewRequest("POST", signURL)
	if err := req.SetJSONBody(body); err != nil {
		return nil, nil, fmt.Errorf("failed to build vault request: %s", err)
	}

	resp, err := v.client.RawRequest(req)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to sign certificate by vault: %s", err)
	}
	defer resp.Body.Close()

	var result certutil.Secret
	if err := resp.DecodeJSON(&result); err != nil {
		return nil, nil, fmt.Errorf("failed to decode response returned by vault: %s", err)
	}
	return extractCertificatesFromVaultCertificateSecret(&result)
}
// setToken authenticates client using the first auth method configured on the issuer.
//
// IMPORTANT: older versions of the validation incorrectly allowed several auth methods
// to be set at once, so more than one may still be present; only the first in this fixed
// precedence order is used: tokenSecretRef, appRole, clientCertificate, kubernetes.
// If none is set, an invalid-data error is returned and client is left without a token.
func (v *Vault) setToken(ctx context.Context, client Client) error {
	auth := v.issuer.GetSpec().Vault.Auth

	var (
		token string
		err   error
	)
	switch {
	case auth.TokenSecretRef != nil:
		token, err = v.tokenRef(auth.TokenSecretRef.Name, v.namespace, auth.TokenSecretRef.Key)
	case auth.AppRole != nil:
		token, err = v.requestTokenWithAppRoleRef(client, auth.AppRole)
	case auth.ClientCertificate != nil:
		token, err = v.requestTokenWithClientCertificate(client, auth.ClientCertificate)
	case auth.Kubernetes != nil:
		token, err = v.requestTokenWithKubernetesAuth(ctx, client, auth.Kubernetes)
		if err != nil {
			err = fmt.Errorf("while requesting a Vault token using the Kubernetes auth: %w", err)
		}
	default:
		return cmerrors.NewInvalidData("error initializing Vault client: tokenSecretRef, appRoleSecretRef, clientCertificate, or Kubernetes auth role not set")
	}
	if err != nil {
		return err
	}

	client.SetToken(token)
	return nil
}
// newConfig builds the Vault client configuration from the issuer spec: the server
// address, an optional custom CA pool (from caBundle) replacing the system roots, an
// optional mTLS client certificate (from clientCertificate), and an optional TLS
// ServerName override. All TLS settings are applied to the *http.Transport that
// vault.DefaultConfig installs.
func (v *Vault) newConfig() (*vault.Config, error) {
	spec := v.issuer.GetSpec().Vault

	cfg := vault.DefaultConfig()
	cfg.Address = spec.Server
	transport := cfg.HttpClient.Transport.(*http.Transport)

	caBundle, err := v.caBundle()
	if err != nil {
		return nil, fmt.Errorf("failed to load vault CA bundle: %w", err)
	}
	if len(caBundle) != 0 {
		// A custom bundle replaces, rather than extends, the trusted roots: if it
		// contains no usable certificate the issuer fails closed here.
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caBundle) {
			return nil, fmt.Errorf("no Vault CA bundles loaded, check bundle contents")
		}
		transport.TLSClientConfig.RootCAs = pool
	}

	clientCert, err := v.clientCertificate()
	if err != nil {
		return nil, fmt.Errorf("failed to load vault client certificate: %w", err)
	}
	if clientCert != nil {
		transport.TLSClientConfig.Certificates = []tls.Certificate{*clientCert}
	}

	if serverName := spec.ServerName; len(serverName) != 0 {
		transport.TLSClientConfig.ServerName = serverName
	}
	return cfg, nil
}
// caBundle returns the PEM CA bundle used to trust the Vault server, or nil when no
// custom bundle is configured.
//
// The in-line spec.vault.caBundle takes precedence; only when it is empty is
// spec.vault.caBundleSecretRef consulted (the two are assumed not to both be set).
// The Secret is read from the issuer's namespace; its key defaults to `ca.crt`.
func (v *Vault) caBundle() ([]byte, error) {
	spec := v.issuer.GetSpec().Vault
	if inline := spec.CABundle; len(inline) > 0 {
		return inline, nil
	}

	ref := spec.CABundleSecretRef
	if ref == nil {
		return nil, nil
	}
	secret, err := v.secretsLister.Secrets(v.namespace).Get(ref.Name)
	if err != nil {
		return nil, fmt.Errorf("could not access secret '%s/%s': %s", v.namespace, ref.Name, err)
	}

	key := cmmeta.TLSCAKey
	if ref.Key != "" {
		key = ref.Key
	}
	pem, ok := secret.Data[key]
	if !ok {
		return nil, fmt.Errorf("no data for %q in secret '%s/%s'", key, v.namespace, ref.Name)
	}
	return pem, nil
}
// clientCertificate loads the mTLS client certificate presented to the Vault server.
//
// Both spec.vault.clientCertSecretRef and spec.vault.clientKeySecretRef must be set,
// otherwise nil is returned with no error. The certificate and key are read from the
// referenced Secrets in the issuer's namespace, with keys defaulting to tls.crt and
// tls.key respectively, and combined with tls.X509KeyPair.
func (v *Vault) clientCertificate() (*tls.Certificate, error) {
	spec := v.issuer.GetSpec().Vault
	certRef, keyRef := spec.ClientCertSecretRef, spec.ClientKeySecretRef
	if certRef == nil || keyRef == nil {
		return nil, nil
	}

	lister := v.secretsLister.Secrets(v.namespace)
	certSecret, err := lister.Get(certRef.Name)
	if err != nil {
		return nil, fmt.Errorf("could not access Secret '%s/%s': %s", v.namespace, certRef.Name, err)
	}
	keySecret, err := lister.Get(keyRef.Name)
	if err != nil {
		return nil, fmt.Errorf("could not access Secret '%s/%s': %s", v.namespace, keyRef.Name, err)
	}

	certKey := corev1.TLSCertKey
	if certRef.Key != "" {
		certKey = certRef.Key
	}
	privKey := corev1.TLSPrivateKeyKey
	if keyRef.Key != "" {
		privKey = keyRef.Key
	}

	certPEM, ok := certSecret.Data[certKey]
	if !ok {
		return nil, fmt.Errorf("no data for %q in Secret '%s/%s'", certKey, v.namespace, certRef.Name)
	}
	keyPEM, ok := keySecret.Data[privKey]
	if !ok {
		return nil, fmt.Errorf("no data for %q in Secret '%s/%s'", privKey, v.namespace, keyRef.Name)
	}

	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("could not parse the TLS certificate from Secrets '%s/%s'(cert) and '%s/%s'(key): %s", v.namespace, certRef.Name, v.namespace, keyRef.Name, err)
	}
	return &pair, nil
}
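// tokenRef reads a static Vault token from Secret namespace/name under key (defaulting
// to DefaultVaultTokenAuthSecretKey) and returns it with surrounding whitespace trimmed,
// so a trailing newline left by kubectl or a heredoc does not corrupt the token.
//
// The "no data" error now prints the Secret as namespace/name, matching every other
// Secret error in this file; it previously printed name/namespace.
func (v *Vault) tokenRef(name, namespace, key string) (string, error) {
	secret, err := v.secretsLister.Secrets(namespace).Get(name)
	if err != nil {
		return "", err
	}

	if key == "" {
		key = v1.DefaultVaultTokenAuthSecretKey
	}
	keyBytes, ok := secret.Data[key]
	if !ok {
		return "", fmt.Errorf("no data for %q in secret '%s/%s'", key, namespace, name)
	}

	return strings.TrimSpace(string(keyBytes)), nil
}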
// appRoleRef returns the AppRole role ID (taken from the spec, trimmed) and the secret
// ID read from the referenced Secret in the issuer's namespace (also trimmed).
// Unlike the other Secret references in this file, no default key is applied: the
// configured SecretRef.Key is used as-is.
func (v *Vault) appRoleRef(appRole *v1.VaultAppRole) (roleId, secretId string, err error) {
	ref := appRole.SecretRef
	secret, err := v.secretsLister.Secrets(v.namespace).Get(ref.Name)
	if err != nil {
		return "", "", err
	}

	raw, ok := secret.Data[ref.Key]
	if !ok {
		return "", "", fmt.Errorf("no data for %q in secret '%s/%s'", ref.Key, v.namespace, ref.Name)
	}

	roleId = strings.TrimSpace(appRole.RoleId)
	secretId = strings.TrimSpace(string(raw))
	return roleId, secretId, nil
}
// requestTokenWithAppRoleRef logs in to Vault's AppRole auth method with the role ID and
// secret ID resolved by appRoleRef and returns the issued client token.
//
// The login is POSTed to /v1/auth/<path>/login, where path defaults to "approle". A
// login response without a client token is treated as an error rather than returned as
// an empty token.
func (v *Vault) requestTokenWithAppRoleRef(client Client, appRole *v1.VaultAppRole) (string, error) {
	roleId, secretId, err := v.appRoleRef(appRole)
	if err != nil {
		return "", err
	}

	mount := appRole.Path
	if mount == "" {
		mount = "approle"
	}
	loginURL := path.Join("/v1", "auth", mount, "login")

	req := client.NewRequest("POST", loginURL)
	if err := req.SetJSONBody(map[string]string{"role_id": roleId, "secret_id": secretId}); err != nil {
		return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
	}

	resp, err := client.RawRequest(req)
	if err != nil {
		return "", fmt.Errorf("error logging in to Vault server: %s", err.Error())
	}
	defer resp.Body.Close()

	var result vault.Secret
	if err := resp.DecodeJSON(&result); err != nil {
		return "", fmt.Errorf("unable to decode JSON payload: %s", err.Error())
	}
	token, err := result.TokenID()
	switch {
	case err != nil:
		return "", fmt.Errorf("unable to read token: %s", err.Error())
	case token == "":
		return "", errors.New("no token returned")
	}
	return token, nil
}
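// requestTokenWithClientCertificate logs in to Vault's TLS certificate auth method and
// returns the client token it issues.
//
// When clientCertificateAuth.SecretName is set, the tls.crt/tls.key pair is read from
// that Secret in the issuer's namespace and attached to a short-lived client built from
// client's configuration; that client is used only for the login call, so the login
// certificate never ends up on the long-lived client. When SecretName is empty, the
// certificate already configured on client by newConfig is expected to be the one Vault
// should authenticate. The login is POSTed to <path>/login, where path defaults to
// DefaultVaultClientCertificateAuthMountPath, with the optional role name.
//
// Changes from the previous version: the login URL is built with path.Join instead of
// filepath.Join (it is a URL path, not a filesystem path, and must use forward slashes
// on every platform); the Secret keys use the corev1 constants, matching
// clientCertificate; and, as in requestTokenWithAppRoleRef, an empty token in the login
// response is an error rather than a "success" that would leave later requests
// unauthenticated.
//
// NOTE(review): the intermediary client is created from CloneConfig() alone. Whether the
// Vault namespace applied to client in New carries over to it is not visible here —
// confirm against the Vault API client if namespaced cert-auth mounts are expected to work.
func (v *Vault) requestTokenWithClientCertificate(client Client, clientCertificateAuth *v1.VaultClientCertificateAuth) (string, error) {
	if len(clientCertificateAuth.SecretName) != 0 {
		secret, err := v.secretsLister.Secrets(v.namespace).Get(clientCertificateAuth.SecretName)
		if err != nil {
			return "", err
		}
		certPEM, ok := secret.Data[corev1.TLSCertKey]
		if !ok {
			return "", fmt.Errorf("no data for tls.crt in secret '%s/%s'", v.namespace, clientCertificateAuth.SecretName)
		}
		keyPEM, ok := secret.Data[corev1.TLSPrivateKeyKey]
		if !ok {
			return "", fmt.Errorf("no data for tls.key in secret '%s/%s'", v.namespace, clientCertificateAuth.SecretName)
		}
		clientCertificate, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return "", fmt.Errorf("error reading client certificate: %s", err.Error())
		}

		// Clone the config and, separately, its Transport (CloneConfig does not appear
		// to deep-copy the transport) so the login certificate is attached only to this
		// temporary client.
		cfg := client.CloneConfig()
		tmpTransport := cfg.HttpClient.Transport.(*http.Transport).Clone()
		tmpTransport.TLSClientConfig.Certificates = append(tmpTransport.TLSClientConfig.Certificates, clientCertificate)
		cfg.HttpClient.Transport = tmpTransport
		client, err = vault.NewClient(cfg)
		if err != nil {
			return "", fmt.Errorf("error initializing intermediary Vault client: %s", err.Error())
		}
	}

	mountPath := clientCertificateAuth.Path
	if mountPath == "" {
		mountPath = v1.DefaultVaultClientCertificateAuthMountPath
	}
	loginURL := path.Join(mountPath, "login")

	request := client.NewRequest("POST", loginURL)
	if err := request.SetJSONBody(map[string]string{"name": clientCertificateAuth.Name}); err != nil {
		return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
	}
	resp, err := client.RawRequest(request)
	if err != nil {
		return "", fmt.Errorf("error calling Vault server: %s", err.Error())
	}
	defer resp.Body.Close()

	var vaultResult vault.Secret
	if err := resp.DecodeJSON(&vaultResult); err != nil {
		return "", fmt.Errorf("unable to decode JSON payload: %s", err.Error())
	}
	token, err := vaultResult.TokenID()
	if err != nil {
		return "", fmt.Errorf("unable to read token: %s", err.Error())
	}
	if token == "" {
		return "", errors.New("no token returned")
	}
	return token, nil
}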
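// requestTokenWithKubernetesAuth logs in to Vault's Kubernetes auth method and returns
// the client token it issues.
//
// The JWT presented to Vault comes from one of two places: a static service-account
// token read from kubernetesAuth.SecretRef (key defaulting to
// DefaultVaultTokenAuthSecretKey) in the issuer's namespace, or a short-lived bound
// token minted through the TokenRequest API for kubernetesAuth.ServiceAccountRef. Both
// being unset is a programmer error (the webhook is expected to reject such specs).
// The login is POSTed to <path>/login, where path defaults to
// DefaultVaultKubernetesAuthMountPath, with the configured role.
//
// Changes from the previous version: the JWT read from a Secret is whitespace-trimmed,
// consistent with tokenRef and appRoleRef, since a trailing newline is never part of a
// JWT and would make Vault reject it; the login URL is built with path.Join instead of
// filepath.Join (it is a URL path); and an empty token in the login response is an
// error, as in requestTokenWithAppRoleRef, rather than being installed as the client
// token.
func (v *Vault) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *v1.VaultKubernetesAuth) (string, error) {
	var jwt string
	switch {
	case kubernetesAuth.SecretRef.Name != "":
		secret, err := v.secretsLister.Secrets(v.namespace).Get(kubernetesAuth.SecretRef.Name)
		if err != nil {
			return "", err
		}
		key := kubernetesAuth.SecretRef.Key
		if key == "" {
			key = v1.DefaultVaultTokenAuthSecretKey
		}
		keyBytes, ok := secret.Data[key]
		if !ok {
			return "", fmt.Errorf("no data for %q in secret '%s/%s'", key, v.namespace, kubernetesAuth.SecretRef.Name)
		}
		jwt = strings.TrimSpace(string(keyBytes))
	case kubernetesAuth.ServiceAccountRef != nil:
		defaultAudience := "vault://"
		if v.issuer.GetNamespace() != "" {
			defaultAudience += v.issuer.GetNamespace() + "/"
		}
		defaultAudience += v.issuer.GetName()

		// Copy rather than append in place so the issuer spec's slice is never mutated.
		audiences := append([]string(nil), kubernetesAuth.ServiceAccountRef.TokenAudiences...)
		audiences = append(audiences, defaultAudience)

		tokenrequest, err := v.createToken(ctx, kubernetesAuth.ServiceAccountRef.Name, &authv1.TokenRequest{
			Spec: authv1.TokenRequestSpec{
				// Default audience is generated by cert-manager.
				// This is the most secure configuration as vault role must explicitly mandate the audience.
				// The format is:
				// "vault://<namespace>/<issuer-name>" (for an Issuer)
				// "vault://<issuer-name>" (for a ClusterIssuer)
				//
				// If audiences are specified in the VaultIssuer, they will be appended to the default audience.
				//
				// Vault backend can bind the kubernetes auth backend role to the service account and specific namespace of the service account.
				// Providing additional audiences is not considered a major non-mitigatable security risk
				// as if someone creates an Issuer in another namespace/globally with the same audiences
				// in attempt to hijack the certificate vault (if role config mandates sa:namespace) won't authorise the connection
				// as token subject won't match vault role requirement to have SA originated from the specific namespace.
				Audiences: audiences,
				// Since the JWT is only used to authenticate with Vault and is
				// immediately discarded, let's use the minimal duration
				// possible. 10 minutes is the minimum allowed by the Kubernetes
				// API.
				ExpirationSeconds: ptr.To(int64(600)),
			},
		}, metav1.CreateOptions{})
		if err != nil {
			return "", fmt.Errorf("while requesting a token for the service account %s/%s: %s", v.issuer.GetNamespace(), kubernetesAuth.ServiceAccountRef.Name, err.Error())
		}
		jwt = tokenrequest.Status.Token
	default:
		return "", fmt.Errorf("programmer mistake: both serviceAccountRef and tokenRef.name are empty")
	}

	mountPath := kubernetesAuth.Path
	if mountPath == "" {
		mountPath = v1.DefaultVaultKubernetesAuthMountPath
	}
	loginURL := path.Join(mountPath, "login")

	request := client.NewRequest("POST", loginURL)
	if err := request.SetJSONBody(map[string]string{"role": kubernetesAuth.Role, "jwt": jwt}); err != nil {
		return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())
	}
	resp, err := client.RawRequest(request)
	if err != nil {
		return "", fmt.Errorf("error calling Vault server: %s", err.Error())
	}
	defer resp.Body.Close()

	var vaultResult vault.Secret
	if err := resp.DecodeJSON(&vaultResult); err != nil {
		return "", fmt.Errorf("unable to decode JSON payload: %s", err.Error())
	}
	token, err := vaultResult.TokenID()
	if err != nil {
		return "", fmt.Errorf("unable to read token: %s", err.Error())
	}
	if token == "" {
		return "", errors.New("no token returned")
	}
	return token, nil
}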
// extractCertificatesFromVaultCertificateSecret turns the PKI sign response into the
// PEM chain and CA returned by Sign.
//
// The response data is parsed with Vault's certutil helpers into a cert bundle; every
// PEM it carries (the CA chain, the issuing CA and the leaf certificate, in that order)
// is concatenated and handed to pki.ParseSingleCertificateChainPEM, whose ChainPEM and
// CAPEM outputs are returned. Any ordering or de-duplication of the CA certificates is
// left to that helper and is not verified here.
func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]byte, []byte, error) {
	parsed, err := certutil.ParsePKIMap(secret.Data)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to decode response returned by vault: %s", err)
	}
	certBundle, err := parsed.ToCertBundle()
	if err != nil {
		return nil, nil, fmt.Errorf("unable to convert certificate bundle to PEM bundle: %s", err.Error())
	}

	pems := make([]string, 0, len(certBundle.CAChain)+2)
	pems = append(pems, certBundle.CAChain...)
	pems = append(pems, certBundle.IssuingCA, certBundle.Certificate)

	chain, err := pki.ParseSingleCertificateChainPEM([]byte(strings.Join(pems, "\n")))
	if err != nil {
		return nil, nil, fmt.Errorf("failed to parse certificate chain from vault: %w", err)
	}
	return chain.ChainPEM, chain.CAPEM, nil
}
// IsVaultInitializedAndUnsealed probes /v1/sys/health through the namespace-less
// client and reports nil when Vault can serve requests.
//
// Vault encodes its state in the HTTP status (per its docs):
//
//	200 initialized, unsealed and active
//	429 unsealed and standby
//	472 disaster-recovery replication secondary and active
//	473 performance standby
//	501 not initialized
//	503 sealed
//
// The Vault client reports non-200 statuses as errors, so 429/472/473 are mapped back
// to success, 501 and 503 to descriptive errors, and anything else (including a
// transport failure with no response) is returned as an error.
func (v *Vault) IsVaultInitializedAndUnsealed() error {
	healthURL := path.Join("/v1", "sys", "health")
	resp, err := v.clientSys.RawRequest(v.clientSys.NewRequest("GET", healthURL))
	if resp != nil {
		defer resp.Body.Close()
	}
	if err == nil {
		return nil
	}
	if resp == nil {
		return err
	}

	// nolint: usestdlibvars // We use the numeric error codes here that we got from the Vault docs.
	switch resp.StatusCode {
	case 429, 472, 473:
		return nil
	case 501:
		return fmt.Errorf("Vault is not initialized")
	case 503:
		return fmt.Errorf("Vault is sealed")
	}
	return fmt.Errorf("error calling Vault %s: %w", healthURL, err)
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package approval
// CertificateRequestApproval is a plugin that ensures entities that are attempting to
// modify `status.conditions[type="Approved"]` or `status.conditions[type="Denied"]`
// have permission to do so (granted via RBAC).
// Entities will need to be able to `approve` (verb) `signers` (resource type) in
// `cert-manager.io` (group) with the name `<issuer-type>.<issuer-group>/[<certificaterequest-namespace>.]<issuer-name>`.
// For example: `issuers.cert-manager.io/my-namespace.my-issuer-name`.
// A wildcard signerName format is also supported: `issuers.cert-manager.io/*`.
import (
"context"
"fmt"
"sync"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/client-go/discovery"
"github.com/cert-manager/cert-manager/internal/apis/certmanager"
"github.com/cert-manager/cert-manager/internal/apis/certmanager/validation/util"
"github.com/cert-manager/cert-manager/pkg/webhook/admission"
)
// certificateRequestApproval is the admission plugin that gates setting the Approved or
// Denied condition on a CertificateRequest behind an `approve` RBAC check on the
// corresponding signer name (see the package comment for the name format).
type certificateRequestApproval struct {
	*admission.Handler

	// authorizer answers the SubjectAccessReview-style check for the requesting user.
	authorizer authorizer.Authorizer
	// discovery is used to map the issuerRef's GroupKind to a resource name.
	discovery discovery.DiscoveryInterface

	// resourceInfo stores the associated resource info for a given GroupKind
	// to prevent making multiple queries to the API server for every approval.
	resourceInfo map[schema.GroupKind]resourceInfo
	// mutex guards resourceInfo; the webhook serves requests concurrently.
	mutex sync.RWMutex
}
// resourceInfo is the cached discovery result for an issuerRef GroupKind: the
// GroupResource it maps to and whether that resource is namespaced, which decides
// whether the CertificateRequest namespace is part of the signer name.
type resourceInfo struct {
	schema.GroupResource
	Namespaced bool
}
// Compile-time check that the plugin satisfies admission.ValidationInterface.
var _ admission.ValidationInterface = (*certificateRequestApproval)(nil)
// NewPlugin constructs the approval admission plugin. It only registers for Update
// operations, since approval conditions are set on an existing CertificateRequest, and
// starts with an empty discovery cache.
func NewPlugin(authz authorizer.Authorizer, discoveryClient discovery.DiscoveryInterface) admission.Interface {
	plugin := &certificateRequestApproval{
		Handler:      admission.NewHandler(admissionv1.Update),
		authorizer:   authz,
		discovery:    discoveryClient,
		resourceInfo: make(map[schema.GroupKind]resourceInfo),
	}
	return plugin
}
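// Validate enforces that whoever adds an Approved or Denied condition to a
// CertificateRequest holds `approve` on the matching signer name(s).
//
// Only status-subresource updates of certificaterequests.cert-manager.io are examined;
// every other request passes. When neither condition has been newly added the update
// passes too. Otherwise the issuerRef (defaulting to group cert-manager.io and kind
// Issuer) is resolved to an API resource via discovery, the candidate signer names are
// derived from it, and the request is forbidden unless the requesting user is
// authorized for them. An issuerRef that resolves to no resource is forbidden as well,
// so an unknown signer fails closed rather than skipping the check.
//
// Changes from the previous version: the runtime.Object arguments are converted with
// checked type assertions, so an unexpected object type results in a rejected request
// instead of a panic in the webhook; and a nil resource returned without an error by
// apiResourceForGroupKind (which its comment says is possible) is treated the same as
// errNoResourceExists instead of being dereferenced.
//
// NOTE(review): approvalConditionsHaveChanged only fires when a condition is newly
// added. Mutating or removing an existing Approved/Denied condition is expected to be
// rejected by the CertificateRequest update validation elsewhere — confirm that holds,
// as this plugin alone would not catch it.
func (c *certificateRequestApproval) Validate(ctx context.Context, request admissionv1.AdmissionRequest, oldObj, obj runtime.Object) (warnings []string, err error) {
	if request.RequestResource.Group != "cert-manager.io" ||
		request.RequestResource.Resource != "certificaterequests" ||
		request.RequestSubResource != "status" {
		return nil, nil
	}

	oldCR, ok := oldObj.(*certmanager.CertificateRequest)
	if !ok {
		return nil, fmt.Errorf("expected old object to be *certmanager.CertificateRequest, got %T", oldObj)
	}
	cr, ok := obj.(*certmanager.CertificateRequest)
	if !ok {
		return nil, fmt.Errorf("expected object to be *certmanager.CertificateRequest, got %T", obj)
	}

	if !approvalConditionsHaveChanged(oldCR, cr) {
		return nil, nil
	}

	group := cr.Spec.IssuerRef.Group
	kind := cr.Spec.IssuerRef.Kind
	// TODO: move this defaulting into the Scheme (registered as default functions) so
	// these will be set when the CertificateRequest is decoded.
	if group == "" {
		group = "cert-manager.io"
	}
	if kind == "" {
		kind = "Issuer"
	}

	// We got the GroupKind, now we need to get the Resource name.
	apiResource, err := c.apiResourceForGroupKind(schema.GroupKind{Group: group, Kind: kind})
	switch {
	case err == errNoResourceExists, err == nil && apiResource == nil:
		return nil, field.Forbidden(field.NewPath("spec.issuerRef"),
			fmt.Sprintf("referenced signer resource does not exist: %v", cr.Spec.IssuerRef))
	case err != nil:
		return nil, err
	}

	signerNames := signerNamesForAPIResource(cr.Spec.IssuerRef.Name, cr.Namespace, *apiResource)
	if !isAuthorizedForSignerNames(ctx, c.authorizer, userInfoForRequest(request), signerNames) {
		return nil, field.Forbidden(field.NewPath("status.conditions"),
			fmt.Sprintf("user %q does not have permissions to set approved/denied conditions for issuer %v", request.UserInfo.Username, cr.Spec.IssuerRef))
	}

	return nil, nil
}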
// approvalConditionsHaveChanged reports whether the update adds an Approved or a Denied
// condition that the old object did not carry. It only detects addition: a condition
// present on both sides is not compared, and a removed condition is not reported.
func approvalConditionsHaveChanged(oldCR, cr *certmanager.CertificateRequest) bool {
	added := func(condType certmanager.CertificateRequestConditionType) bool {
		before := util.GetCertificateRequestCondition(oldCR.Status.Conditions, condType)
		after := util.GetCertificateRequestCondition(cr.Status.Conditions, condType)
		return before == nil && after != nil
	}
	return added(certmanager.CertificateRequestConditionApproved) ||
		added(certmanager.CertificateRequestConditionDenied)
}
// apiResourceForGroupKind resolves a GroupKind to the resource name and scope
// needed to build the signerName that is later authorized against.
//
// A cached entry is returned when present; otherwise the apiserver is queried
// via discovery and the first resource in the group whose Kind matches is
// cached and returned. Successful lookups are cached indefinitely; misses are
// not cached, so repeated references to a non-existent signer re-query
// discovery each time.
//
// Returns errNoResourceExists when no resource in the group carries the Kind,
// or the discovery error otherwise. On a nil error the result is never nil.
//
// NOTE(review): subresource entries in discovery (e.g. "<resource>/status")
// report the parent Kind as well; this relies on the main resource being
// listed first so that the signerName is built from its name — confirm.
func (c *certificateRequestApproval) apiResourceForGroupKind(groupKind schema.GroupKind) (info *resourceInfo, err error) {
	if cached := c.readAPIResourceFromCache(groupKind); cached != nil {
		return cached, nil
	}
	// TODO: we should enhance caching here to avoid performing discovery queries
	// many times if many CertificateRequest resources exist that reference
	// a resource that doesn't exist
	groups, err := c.discovery.ServerGroups()
	if err != nil {
		return nil, err
	}
	for _, apiGroup := range groups.Groups {
		if apiGroup.Name != groupKind.Group {
			continue
		}
		for _, gv := range apiGroup.Versions {
			resources, err := c.discovery.ServerResourcesForGroupVersion(gv.GroupVersion)
			if err != nil {
				return nil, err
			}
			for _, res := range resources.APIResources {
				if res.Kind == groupKind.Kind {
					return c.cacheAPIResource(groupKind, res.Name, res.Namespaced), nil
				}
			}
		}
	}
	return nil, errNoResourceExists
}
// readAPIResourceFromCache returns the cached resourceInfo for groupKind, or
// nil when the GroupKind has not been resolved yet. The returned pointer
// addresses a copy, so callers never alias the map entry.
func (c *certificateRequestApproval) readAPIResourceFromCache(groupKind schema.GroupKind) *resourceInfo {
	c.mutex.RLock()
	entry, found := c.resourceInfo[groupKind]
	c.mutex.RUnlock()
	if !found {
		return nil
	}
	return &entry
}
// cacheAPIResource records the resolved resource name and scope for groupKind
// under the write lock and returns a pointer to an independent copy of the
// stored value. An existing entry for the same GroupKind is overwritten.
func (c *certificateRequestApproval) cacheAPIResource(groupKind schema.GroupKind, resourceName string, namespaced bool) *resourceInfo {
	entry := resourceInfo{
		GroupResource: schema.GroupResource{Group: groupKind.Group, Resource: resourceName},
		Namespaced:    namespaced,
	}
	c.mutex.Lock()
	c.resourceInfo[groupKind] = entry
	c.mutex.Unlock()
	return &entry
}
// errNoResourceExists is returned by apiResourceForGroupKind when discovery
// lists no resource with the requested Kind in the requested group.
var errNoResourceExists = fmt.Errorf("no resource registered")
// signerNamesForAPIResource returns the two signerNames a user may be
// authorized against for an issuer referenced from a CertificateRequest:
//
//	<resource>.<group>/*                 (wildcard over all issuers of that type)
//	<resource>.<group>/<namespace>.<name> (namespaced issuer)
//	<resource>.<group>/<name>             (cluster-scoped issuer)
//
// NOTE(review): the namespaced form relies on namespace names never containing
// "." so that "<namespace>.<name>" cannot be confused with another pair —
// Kubernetes namespaces are DNS labels, but confirm no other caller feeds
// arbitrary strings in here.
func signerNamesForAPIResource(name, namespace string, info resourceInfo) []string {
	prefix := info.Resource + "." + info.Group
	wildcard := prefix + "/*"
	var specific string
	if info.Namespaced {
		specific = prefix + "/" + namespace + "." + name
	} else {
		specific = prefix + "/" + name
	}
	return []string{wildcard, specific}
}
// userInfoForRequest converts the apiserver-supplied identity on an
// AdmissionRequest into a user.Info for the authorizer.
//
// The Extra map is copied so the authorizer never holds the request's map;
// the Groups slice and the per-key Extra values are shared, not cloned.
func userInfoForRequest(req admissionv1.AdmissionRequest) user.Info {
	ui := req.UserInfo
	extra := make(map[string][]string, len(ui.Extra))
	for key, values := range ui.Extra {
		extra[key] = values
	}
	return &user.DefaultInfo{
		Name:   ui.Username,
		UID:    ui.UID,
		Groups: ui.Groups,
		Extra:  extra,
	}
}
// isAuthorizedForSignerNames reports whether info may perform the "approve"
// verb on at least one of signerNames (resource "signers" in cert-manager.io).
//
// The first DecisionAllow wins; DecisionDeny and DecisionNoOpinion move on to
// the next name. Any authorizer error yields false, i.e. the check fails
// closed: errors are already retried by the underlying authorization client,
// so one surfacing here means the webhook cannot submit access reviews or the
// context was cancelled (in which case no response reaches the apiserver anyway).
func isAuthorizedForSignerNames(ctx context.Context, authz authorizer.Authorizer, info user.Info, signerNames []string) bool {
	const verb = "approve"
	for _, signerName := range signerNames {
		decision, _, err := authz.Authorize(ctx, buildAttributes(info, verb, signerName))
		if err != nil {
			return false
		}
		if decision == authorizer.DecisionAllow {
			return true
		}
	}
	return false
}
// buildAttributes describes a resource request for the authorizer: user info
// performing verb on the named "signers" resource in cert-manager.io, with
// APIVersion "*" so any version of the group matches the policy.
func buildAttributes(info user.Info, verb, signerName string) authorizer.Attributes {
	attrs := authorizer.AttributesRecord{
		APIGroup:        "cert-manager.io",
		APIVersion:      "*",
		Resource:        "signers",
		ResourceRequest: true,
	}
	attrs.User = info
	attrs.Verb = verb
	attrs.Name = signerName
	return attrs
}
// ValidateInitialization checks that the plugin has both an authorizer and a
// discovery client, then performs one discovery call so a misconfigured
// client fails at startup instead of on the first admission request.
func (c *certificateRequestApproval) ValidateInitialization() error {
	switch {
	case c.authorizer == nil:
		return fmt.Errorf("authorizer not set")
	case c.discovery == nil:
		return fmt.Errorf("discovery client not set")
	}
	_, err := c.discovery.ServerGroups()
	return err
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package accounts
import (
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"net"
"net/http"
"time"
acmecl "github.com/cert-manager/cert-manager/pkg/acme/client"
"github.com/cert-manager/cert-manager/pkg/acme/client/middleware"
acmeutil "github.com/cert-manager/cert-manager/pkg/acme/util"
"github.com/cert-manager/cert-manager/pkg/metrics"
acmeapi "github.com/cert-manager/cert-manager/third_party/forked/acme"
)
const (
	// defaultACMEHTTPTimeout sets the default maximum time that an individual HTTP request can take when doing ACME operations.
	// Note that there may be other timeouts - e.g., dial timeouts or TLS handshake timeouts - which will be smaller than this. This
	// timeout is the overall timeout for the entire request (set as http.Client.Timeout below),
	// including connection setup, redirects and reading the body.
	defaultACMEHTTPTimeout = time.Second * 90
)
// NewClientOptions carries the per-issuer settings needed to build an ACME client.
type NewClientOptions struct {
	// SkipTLSVerify disables verification of the ACME server's TLS certificate
	// (tls.Config.InsecureSkipVerify). This removes server authentication entirely.
	SkipTLSVerify bool
	// CABundle is an optional PEM bundle of CA certificates to trust for the
	// ACME server in place of the system roots.
	CABundle []byte
	// Server is the ACME directory URL.
	Server string
	// PrivateKey is the ACME account key used to sign requests.
	PrivateKey *rsa.PrivateKey
}
// NewClientFunc is a function type for building a new ACME client from a set
// of options; the registry calls it whenever an issuer's options change.
type NewClientFunc func(options NewClientOptions) acmecl.Interface
// NewClient returns a NewClientFunc producing real ACME clients. Each call of
// the returned function builds a fresh instrumented HTTP client honouring the
// options' TLS settings, then wraps it in a logging ACME client identified by
// userAgent.
func NewClient(metrics *metrics.Metrics, userAgent string) NewClientFunc {
	return func(options NewClientOptions) acmecl.Interface {
		transportClient := buildHTTPClientWithCABundle(metrics, options.SkipTLSVerify, options.CABundle)
		return newClientFromHTTPClient(transportClient, userAgent, options)
	}
}
// newClientFromHTTPClient assembles the forked ACME client on top of
// httpClient, using the account key, directory URL and user agent supplied,
// with cert-manager's badNonce-aware RetryBackoff, and wraps it with the
// logging middleware.
func newClientFromHTTPClient(httpClient *http.Client, userAgent string, options NewClientOptions) acmecl.Interface {
	base := &acmeapi.Client{}
	base.Key = options.PrivateKey
	base.HTTPClient = httpClient
	base.DirectoryURL = options.Server
	base.UserAgent = userAgent
	base.RetryBackoff = acmeutil.RetryBackoff
	return middleware.NewLogger(base)
}
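// buildHTTPClientWithCABundle returns an instrumented HTTP client to be used by an ACME
// client, with an optional custom CA bundle set.
// For the time being, we construct a new HTTP client on each invocation, because we need
// to set the 'skipTLSVerify' flag and the CA bundle on the HTTP client itself, distinct
// from the ACME client.
//
// Security notes:
//   - skipTLSVerify disables all server certificate verification; the CA
//     bundle is then irrelevant and a network attacker can impersonate the
//     ACME server. It exists as a deliberate escape hatch for test CAs.
//   - A caBundle that contains no parseable PEM certificate leaves RootCAs nil,
//     so the system roots are used silently rather than failing. Callers that
//     need a hard failure on a bad bundle must validate it before this point.
func buildHTTPClientWithCABundle(metrics *metrics.Metrics, skipTLSVerify bool, caBundle []byte) *http.Client {
	tlsConfig := &tls.Config{
		// Explicit floor; this matches Go's default for clients but keeps the
		// intent visible to readers and linters.
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipTLSVerify, // #nosec G402 -- user-controlled escape hatch, see doc comment
	}
	// len also checks if the bundle is nil
	if len(caBundle) > 0 {
		pool := x509.NewCertPool()
		// We only want tlsConfig.RootCAs to be non-nil if we added at least one custom
		// CA to "pool"; otherwise the system roots stay in effect (see doc comment).
		if ok := pool.AppendCertsFromPEM(caBundle); ok {
			tlsConfig.RootCAs = pool
		}
	}
	return acmecl.NewInstrumentedClient(
		metrics,
		&http.Client{
			Transport: &http.Transport{
				Proxy: http.ProxyFromEnvironment,
				DialContext: (&net.Dialer{
					Timeout:   30 * time.Second,
					KeepAlive: 30 * time.Second,
				}).DialContext,
				TLSClientConfig:       tlsConfig,
				MaxIdleConns:          100,
				IdleConnTimeout:       90 * time.Second,
				TLSHandshakeTimeout:   10 * time.Second,
				ExpectContinueTimeout: 1 * time.Second,
			},
			// Overall per-request deadline; the dial/handshake timeouts above are
			// sub-bounds within it.
			Timeout: defaultACMEHTTPTimeout,
		},
	)
}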
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package accounts
import (
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"errors"
"sync"
acmecl "github.com/cert-manager/cert-manager/pkg/acme/client"
)
// ErrNotFound is returned by GetClient if there is no ACME client registered
// for the requested issuer UID.
var ErrNotFound = errors.New("ACME client for issuer not initialised/available")
// A Registry provides a means to store and access ACME clients using an issuer
// object's UID.
// This is used as a shared cache of ACME clients across various controllers.
type Registry interface {
	// AddClient will ensure the registry has a stored ACME client for the Issuer
	// object with the given UID, configuration and private key. A client that
	// was built from identical options is kept; otherwise it is replaced.
	AddClient(uid string, options NewClientOptions)
	// RemoveClient will remove a registered client using the UID of the Issuer
	// resource that constructed it.
	RemoveClient(uid string)
	// IsKeyCheckSumCached reports whether lastPrivateKeyHash equals the
	// base64 SHA-256 of privateKey's PKCS#1 DER encoding.
	// If not, the account is re-verified for the private key by the caller.
	IsKeyCheckSumCached(lastPrivateKeyHash string, privateKey *rsa.PrivateKey) bool
	Getter
}
// Getter is an interface that contains the read-only methods for a registry.
type Getter interface {
	// GetClient will fetch a registered client using the UID of the Issuer
	// resource that constructed it.
	// If no client is found, ErrNotFound will be returned.
	GetClient(uid string) (acmecl.Interface, error)
	// ListClients will return a full list of all ACME clients by their UIDs.
	// This can be used to enumerate all registered clients and call RemoveClient
	// on any clients that should no longer be registered, e.g., because their
	// corresponding Issuer resource has been deleted. The returned map is a
	// snapshot owned by the caller.
	ListClients() map[string]acmecl.Interface
}
// NewDefaultRegistry returns an empty, mutex-guarded registry that builds
// clients with newClientFunc on demand.
func NewDefaultRegistry(newClientFunc NewClientFunc) Registry {
	r := &registry{newClientFunc: newClientFunc}
	r.clients = map[string]clientWithMeta{}
	return r
}
// registry is the default implementation of the Registry interface.
type registry struct {
	// lock guards clients; writers take it exclusively, readers share it.
	lock          sync.RWMutex
	newClientFunc NewClientFunc
	// a map of an issuer's 'uid' to an ACME client with metadata
	clients map[string]clientWithMeta
}
// stableOptions contains data about an ACME client that can be used to compare
// for 'equality' between two clients. This is used to determine whether any
// options that should trigger a re-initialisation of a client have changed.
//
// All fields are comparable, so two values can be compared with ==. The
// private key itself is not retained; only its public modulus/exponent and a
// SHA-256 over its PKCS#1 DER encoding are kept.
type stableOptions struct {
	serverURL     string
	skipVerifyTLS bool
	issuerUID     string
	// publicKey is the gob encoding of the RSA modulus N.
	publicKey string
	exponent  int
	// caBundle is the raw PEM bundle as a string; any byte change counts as new options.
	caBundle string
	// keyChecksum is sha256(PKCS#1 DER of the private key).
	keyChecksum [sha256.Size]byte
}
// equalTo reports whether every field of c matches c2, including the
// fixed-size checksum array; struct comparison covers all fields.
func (c stableOptions) equalTo(c2 stableOptions) bool {
	return c2 == c
}
// newStableOptions derives the comparable fingerprint of options for the
// issuer uid. The private key contributes its public modulus and exponent plus
// a SHA-256 of its PKCS#1 DER form; the key itself is not stored.
// options.PrivateKey must be non-nil.
func newStableOptions(uid string, options NewClientOptions) stableOptions {
	key := options.PrivateKey
	// Encoding a big.Int cannot fail
	modulus, _ := key.PublicKey.N.GobEncode()
	der := x509.MarshalPKCS1PrivateKey(key)

	opts := stableOptions{
		serverURL:     options.Server,
		skipVerifyTLS: options.SkipTLSVerify,
		issuerUID:     uid,
	}
	opts.publicKey = string(modulus)
	opts.exponent = key.PublicKey.E
	opts.caBundle = string(options.CABundle)
	opts.keyChecksum = sha256.Sum256(der)
	return opts
}
// clientWithMeta wraps an ACME client with additional metadata used to
// identify the options used to instantiate the client, so a later AddClient
// with identical options can be recognised as a no-op.
type clientWithMeta struct {
	acmecl.Interface
	stableOptions
}
// AddClient will ensure the registry has a stored ACME client for the Issuer
// object with the given UID, configuration and private key. It is safe to call
// repeatedly; an up-to-date client is left untouched.
func (r *registry) AddClient(uid string, options NewClientOptions) {
	r.ensureClient(uid, options)
}
// ensureClient registers an ACME client for uid built from options unless an
// entry with identical stableOptions already exists, in which case nothing is
// mutated or replaced so concurrent consumers keep a consistent client.
//
// The write lock is taken up front, even on the no-op path, to avoid an
// RLock/RUnlock/Lock sequence that could itself race. The client constructor
// runs while the lock is held.
func (r *registry) ensureClient(uid string, options NewClientOptions) {
	r.lock.Lock()
	defer r.lock.Unlock()

	want := newStableOptions(uid, options)
	existing, found := r.clients[uid]
	if found && existing.equalTo(want) {
		return
	}
	r.clients[uid] = clientWithMeta{
		Interface:     r.newClientFunc(options),
		stableOptions: want,
	}
}
// GetClient will fetch a registered client using the UID of the Issuer
// resource that constructed it.
// If no client is found, ErrNotFound will be returned.
func (r *registry) GetClient(uid string) (acmecl.Interface, error) {
	r.lock.RLock()
	entry, found := r.clients[uid]
	r.lock.RUnlock()
	if !found {
		return nil, ErrNotFound
	}
	return entry.Interface, nil
}
// RemoveClient will remove a registered client using the UID of the Issuer
// resource that constructed it. Removing an unknown UID is a no-op.
func (r *registry) RemoveClient(uid string) {
	r.lock.Lock()
	defer r.lock.Unlock()
	// delete on a missing key is a no-op, so no existence check is needed.
	delete(r.clients, uid)
}
// ListClients will return a full list of all ACME clients by their UIDs.
// This can be used to enumerate all registered clients and call RemoveClient
// on any clients that should no longer be registered, e.g., because their
// corresponding Issuer resource has been deleted.
// The returned map is a fresh snapshot with the metadata stripped.
func (r *registry) ListClients() map[string]acmecl.Interface {
	r.lock.RLock()
	defer r.lock.RUnlock()
	snapshot := make(map[string]acmecl.Interface, len(r.clients))
	for uid, entry := range r.clients {
		snapshot[uid] = entry.Interface
	}
	return snapshot
}
// IsKeyCheckSumCached returns true when lastPrivateKeyHash equals the
// base64 (standard encoding) SHA-256 of privateKey's PKCS#1 DER encoding.
// This can be used to identify if the private key has changed for the existing
// registered client.
//
// A nil key or an empty hash always yields false.
//
// NOTE(review): despite the name, this does not consult r.clients — the
// comparison is purely between the two arguments; the read lock is taken but
// no registry state is read.
func (r *registry) IsKeyCheckSumCached(lastPrivateKeyHash string, privateKey *rsa.PrivateKey) bool {
	r.lock.RLock()
	defer r.lock.RUnlock()
	if privateKey == nil || lastPrivateKeyHash == "" {
		return false
	}
	sum := sha256.Sum256(x509.MarshalPKCS1PrivateKey(privateKey))
	return lastPrivateKeyHash == base64.StdEncoding.EncodeToString(sum[:])
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"context"
"fmt"
"github.com/cert-manager/cert-manager/third_party/forked/acme"
)
// TODO: expand this out one day to be backed by the pebble wfe package
// this will allow us to simulate a 'real' acme server in lightweight tests
// FakeACME implements Interface and can be used as a mock acme.Client in tests.
// Each method delegates to the matching Fake* func when set; otherwise it
// returns a "not implemented" error (Discover is the exception and returns an
// empty Directory).
type FakeACME struct {
	FakeAuthorizeOrder          func(ctx context.Context, id []acme.AuthzID, opt ...acme.OrderOption) (*acme.Order, error)
	FakeGetOrder                func(ctx context.Context, url string) (*acme.Order, error)
	FakeFetchCert               func(ctx context.Context, url string, bundle bool) ([][]byte, error)
	FakeListCertAlternates      func(ctx context.Context, url string) ([]string, error)
	FakeWaitOrder               func(ctx context.Context, url string) (*acme.Order, error)
	FakeCreateOrderCert         func(ctx context.Context, finalizeURL string, csr []byte, bundle bool) (der [][]byte, certURL string, err error)
	FakeAccept                  func(ctx context.Context, chal *acme.Challenge) (*acme.Challenge, error)
	FakeGetChallenge            func(ctx context.Context, url string) (*acme.Challenge, error)
	FakeGetAuthorization        func(ctx context.Context, url string) (*acme.Authorization, error)
	FakeWaitAuthorization       func(ctx context.Context, url string) (*acme.Authorization, error)
	FakeRegister                func(ctx context.Context, a *acme.Account, prompt func(tosURL string) bool) (*acme.Account, error)
	FakeGetReg                  func(ctx context.Context, url string) (*acme.Account, error)
	FakeHTTP01ChallengeResponse func(token string) (string, error)
	FakeDNS01ChallengeRecord    func(token string) (string, error)
	FakeDiscover                func(ctx context.Context) (acme.Directory, error)
	FakeUpdateReg               func(ctx context.Context, a *acme.Account) (*acme.Account, error)
}
// Compile-time assertion that FakeACME satisfies Interface.
var _ Interface = &FakeACME{}
// AuthorizeOrder delegates to FakeAuthorizeOrder, or errors when it is unset.
func (f *FakeACME) AuthorizeOrder(ctx context.Context, id []acme.AuthzID, opt ...acme.OrderOption) (*acme.Order, error) {
	if f.FakeAuthorizeOrder == nil {
		return nil, fmt.Errorf("AuthorizeOrder not implemented")
	}
	return f.FakeAuthorizeOrder(ctx, id, opt...)
}
// GetOrder delegates to FakeGetOrder, or errors when it is unset.
func (f *FakeACME) GetOrder(ctx context.Context, url string) (*acme.Order, error) {
	if f.FakeGetOrder == nil {
		return nil, fmt.Errorf("GetOrder not implemented")
	}
	return f.FakeGetOrder(ctx, url)
}
// FetchCert delegates to FakeFetchCert, or errors when it is unset.
func (f *FakeACME) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {
	if f.FakeFetchCert == nil {
		return nil, fmt.Errorf("FetchCert not implemented")
	}
	return f.FakeFetchCert(ctx, url, bundle)
}
// WaitOrder delegates to FakeWaitOrder, or errors when it is unset.
func (f *FakeACME) WaitOrder(ctx context.Context, url string) (*acme.Order, error) {
	if f.FakeWaitOrder == nil {
		return nil, fmt.Errorf("WaitOrder not implemented")
	}
	return f.FakeWaitOrder(ctx, url)
}
// CreateOrderCert delegates to FakeCreateOrderCert, or errors when it is unset.
func (f *FakeACME) CreateOrderCert(ctx context.Context, finalizeURL string, csr []byte, bundle bool) (der [][]byte, certURL string, err error) {
	if f.FakeCreateOrderCert == nil {
		return nil, "", fmt.Errorf("CreateOrderCert not implemented")
	}
	return f.FakeCreateOrderCert(ctx, finalizeURL, csr, bundle)
}
// Accept delegates to FakeAccept, or errors when it is unset.
func (f *FakeACME) Accept(ctx context.Context, chal *acme.Challenge) (*acme.Challenge, error) {
	if f.FakeAccept == nil {
		return nil, fmt.Errorf("Accept not implemented")
	}
	return f.FakeAccept(ctx, chal)
}
// GetChallenge delegates to FakeGetChallenge, or errors when it is unset.
func (f *FakeACME) GetChallenge(ctx context.Context, url string) (*acme.Challenge, error) {
	if f.FakeGetChallenge == nil {
		return nil, fmt.Errorf("GetChallenge not implemented")
	}
	return f.FakeGetChallenge(ctx, url)
}
// GetAuthorization delegates to FakeGetAuthorization, or errors when it is unset.
func (f *FakeACME) GetAuthorization(ctx context.Context, url string) (*acme.Authorization, error) {
	if f.FakeGetAuthorization == nil {
		return nil, fmt.Errorf("GetAuthorization not implemented")
	}
	return f.FakeGetAuthorization(ctx, url)
}
// WaitAuthorization delegates to FakeWaitAuthorization, or errors when it is unset.
func (f *FakeACME) WaitAuthorization(ctx context.Context, url string) (*acme.Authorization, error) {
	if f.FakeWaitAuthorization == nil {
		return nil, fmt.Errorf("WaitAuthorization not implemented")
	}
	return f.FakeWaitAuthorization(ctx, url)
}
// Register delegates to FakeRegister, or errors when it is unset.
func (f *FakeACME) Register(ctx context.Context, a *acme.Account, prompt func(tosURL string) bool) (*acme.Account, error) {
	if f.FakeRegister == nil {
		return nil, fmt.Errorf("Register not implemented")
	}
	return f.FakeRegister(ctx, a, prompt)
}
// GetReg delegates to FakeGetReg, or errors when it is unset.
func (f *FakeACME) GetReg(ctx context.Context, url string) (*acme.Account, error) {
	if f.FakeGetReg == nil {
		return nil, fmt.Errorf("GetReg not implemented")
	}
	return f.FakeGetReg(ctx, url)
}
// HTTP01ChallengeResponse delegates to FakeHTTP01ChallengeResponse, or errors when it is unset.
func (f *FakeACME) HTTP01ChallengeResponse(token string) (string, error) {
	if f.FakeHTTP01ChallengeResponse == nil {
		return "", fmt.Errorf("HTTP01ChallengeResponse not implemented")
	}
	return f.FakeHTTP01ChallengeResponse(token)
}
// DNS01ChallengeRecord delegates to FakeDNS01ChallengeRecord, or errors when it is unset.
func (f *FakeACME) DNS01ChallengeRecord(token string) (string, error) {
	if f.FakeDNS01ChallengeRecord == nil {
		return "", fmt.Errorf("DNS01ChallengeRecord not implemented")
	}
	return f.FakeDNS01ChallengeRecord(token)
}
// Discover delegates to FakeDiscover when set. Unlike the other methods it
// does not error when unset: callers only use Discover to find CAAIdentities,
// so an empty Directory is an adequate default.
func (f *FakeACME) Discover(ctx context.Context) (acme.Directory, error) {
	if f.FakeDiscover == nil {
		return acme.Directory{}, nil
	}
	return f.FakeDiscover(ctx)
}
// UpdateReg delegates to FakeUpdateReg, or errors when it is unset.
func (f *FakeACME) UpdateReg(ctx context.Context, a *acme.Account) (*acme.Account, error) {
	if f.FakeUpdateReg == nil {
		return nil, fmt.Errorf("UpdateReg not implemented")
	}
	return f.FakeUpdateReg(ctx, a)
}
// ListCertAlternates delegates to FakeListCertAlternates, or errors when it is unset.
func (f *FakeACME) ListCertAlternates(ctx context.Context, url string) ([]string, error) {
	if f.FakeListCertAlternates == nil {
		return nil, fmt.Errorf("ListCertAlternates not implemented")
	}
	return f.FakeListCertAlternates(ctx, url)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"fmt"
"net/http"
"strings"
"time"
"github.com/cert-manager/cert-manager/pkg/metrics"
)
// This file implements a custom instrumented HTTP client round tripper that
// exposes prometheus metrics for each endpoint called.
//
// We implement this as part of the HTTP client to ensure we don't miss any
// calls made to the ACME server caused by retries in the underlying ACME
// library.
// Transport is a http.RoundTripper that collects Prometheus metrics of every
// request it processes. Path labels are reduced by pathProcessor to bound
// label cardinality.
type Transport struct {
	// metrics receives the per-request duration and count observations.
	metrics *metrics.Metrics
	// wrappedRT performs the actual request.
	wrappedRT http.RoundTripper
}
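// NewInstrumentedClient takes a *http.Client and returns a *http.Client that
// has its RoundTripper wrapped with instrumentation.
//
// The passed client is modified in place (its Transport is replaced) and
// returned. A nil client yields a fresh *http.Client rather than the shared
// http.DefaultClient, so instrumenting never mutates package-global state that
// unrelated code in the process also relies on. A nil Transport falls back to
// http.DefaultTransport, which is wrapped but not itself modified.
//
// Calling this twice on the same client wraps the Transport twice and records
// every request twice; instrument a client exactly once.
func NewInstrumentedClient(metrics *metrics.Metrics, client *http.Client) *http.Client {
	if client == nil {
		client = &http.Client{}
	}
	next := client.Transport
	if next == nil {
		next = http.DefaultTransport
	}
	client.Transport = &Transport{
		wrappedRT: next,
		metrics:   metrics,
	}
	return client
}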
// RoundTrip implements http.RoundTripper. It forwards the request to the
// wrapped RoundTripper, then records the elapsed time and a request count
// labelled by scheme, host, truncated path, method and status code.
// A transport error with no response is recorded under status 999.
func (it *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
	start := time.Now()
	resp, err := it.wrappedRT.RoundTrip(req)

	status := 999
	if resp != nil {
		status = resp.StatusCode
	}
	u := req.URL
	labels := []string{
		u.Scheme,
		u.Host,
		pathProcessor(u.Path),
		req.Method,
		fmt.Sprintf("%d", status),
	}
	elapsed := time.Since(start)
	it.metrics.ObserveACMERequestDuration(elapsed, labels...)
	it.metrics.IncrementACMERequestCount(labels...)
	return resp, err
}
// pathProcessor keeps at most the first three slash-separated elements of
// path so that per-order/per-challenge URLs do not explode Prometheus label
// cardinality. A leading "/" counts as an empty first element, so
// "/acme/order/123/finalize" becomes "/acme/order" and "a/b/c/d" becomes "a/b/c".
func pathProcessor(path string) string {
	// Split into at most four pieces; a fourth piece holds the remainder,
	// which is exactly the part to discard.
	parts := strings.SplitN(path, "/", 4)
	if len(parts) == 4 {
		parts = parts[:3]
	}
	return strings.Join(parts, "/")
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package middleware
import (
"context"
"github.com/go-logr/logr"
"github.com/cert-manager/cert-manager/pkg/acme/client"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/third_party/forked/acme"
)
// NewLogger wraps baseCl so that every ACME call is logged at trace level
// under the "acme-middleware" logger name before being forwarded.
func NewLogger(baseCl client.Interface) client.Interface {
	wrapped := &Logger{baseCl: baseCl}
	wrapped.log = logf.Log.WithName("acme-middleware")
	return wrapped
}
// Logger is a logr based logging middleware for an ACME client: each method
// emits a trace-level line naming the call, then delegates to baseCl.
type Logger struct {
	baseCl client.Interface
	log    logr.Logger
}
// Compile-time assertion that Logger satisfies client.Interface.
var _ client.Interface = &Logger{}
// AuthorizeOrder logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) AuthorizeOrder(ctx context.Context, id []acme.AuthzID, opt ...acme.OrderOption) (*acme.Order, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling AuthorizeOrder")
	return l.baseCl.AuthorizeOrder(ctx, id, opt...)
}
// GetOrder logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) GetOrder(ctx context.Context, url string) (*acme.Order, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling GetOrder")
	return l.baseCl.GetOrder(ctx, url)
}
// FetchCert logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling FetchCert")
	return l.baseCl.FetchCert(ctx, url, bundle)
}
// ListCertAlternates logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) ListCertAlternates(ctx context.Context, url string) ([]string, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling ListCertAlternates")
	return l.baseCl.ListCertAlternates(ctx, url)
}
// WaitOrder logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) WaitOrder(ctx context.Context, url string) (*acme.Order, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling WaitOrder")
	return l.baseCl.WaitOrder(ctx, url)
}
// CreateOrderCert logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) CreateOrderCert(ctx context.Context, finalizeURL string, csr []byte, bundle bool) (der [][]byte, certURL string, err error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling CreateOrderCert")
	return l.baseCl.CreateOrderCert(ctx, finalizeURL, csr, bundle)
}
// Accept logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) Accept(ctx context.Context, chal *acme.Challenge) (*acme.Challenge, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling Accept")
	return l.baseCl.Accept(ctx, chal)
}
// GetChallenge logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) GetChallenge(ctx context.Context, url string) (*acme.Challenge, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling GetChallenge")
	return l.baseCl.GetChallenge(ctx, url)
}
// GetAuthorization logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) GetAuthorization(ctx context.Context, url string) (*acme.Authorization, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling GetAuthorization")
	return l.baseCl.GetAuthorization(ctx, url)
}
// WaitAuthorization logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) WaitAuthorization(ctx context.Context, url string) (*acme.Authorization, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling WaitAuthorization")
	return l.baseCl.WaitAuthorization(ctx, url)
}
// Register logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) Register(ctx context.Context, a *acme.Account, prompt func(tosURL string) bool) (*acme.Account, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling Register")
	return l.baseCl.Register(ctx, a, prompt)
}
// GetReg logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) GetReg(ctx context.Context, url string) (*acme.Account, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling GetReg")
	return l.baseCl.GetReg(ctx, url)
}
// HTTP01ChallengeResponse logs the call at trace level, then delegates to the
// wrapped client. The token itself is not logged.
func (l *Logger) HTTP01ChallengeResponse(token string) (string, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling HTTP01ChallengeResponse")
	return l.baseCl.HTTP01ChallengeResponse(token)
}
// DNS01ChallengeRecord logs the call at trace level, then delegates to the
// wrapped client. The token itself is not logged.
func (l *Logger) DNS01ChallengeRecord(token string) (string, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling DNS01ChallengeRecord")
	return l.baseCl.DNS01ChallengeRecord(token)
}
// Discover logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) Discover(ctx context.Context) (acme.Directory, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling Discover")
	return l.baseCl.Discover(ctx)
}
// UpdateReg logs the call at trace level, then delegates to the wrapped client.
func (l *Logger) UpdateReg(ctx context.Context, a *acme.Account) (*acme.Account, error) {
	trace := l.log.V(logf.TraceLevel)
	trace.Info("Calling UpdateReg")
	return l.baseCl.UpdateReg(ctx, a)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"math/rand/v2"
"net/http"
"time"
)
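const (
	// maxDelay caps the computed backoff for a single retry.
	maxDelay = 3 * time.Second
	// maxRetries is the highest attempt number that is still retried;
	// attempt maxRetries+1 and later are not retried.
	maxRetries = 5
)

// RetryBackoff is the ACME client RetryBackoff which is modified
// to act upon badNonce errors. All other retries will be handled by cert-manager.
// Since we cannot check the exact error this is best effort.
//
// n is the attempt number, r the request that failed and resp the response it
// received. A negative return value tells the ACME client not to retry; a
// non-negative one is the delay before the next attempt (exponential in n,
// with up to ~1s of jitter, capped at maxDelay).
func RetryBackoff(n int, r *http.Request, resp *http.Response) time.Duration {
	// A transport-level failure has no response and is not a nonce error;
	// leave it to cert-manager's own requeue logic.
	if resp == nil {
		return -1
	}
	// According to the spec badNonce is urn:ietf:params:acme:error:badNonce.
	// However, we cannot inspect the response body in here as it is closed already,
	// so the status code (400) is used as an approximation. This means other
	// 400-class failures are also retried, but only a bounded number of times.
	if resp.StatusCode != http.StatusBadRequest {
		return -1
	}
	// Don't retry more than maxRetries times; that many nonce mismatches in a
	// row means something is quite wrong.
	if n > maxRetries {
		return -1
	}
	// Jitter only spreads concurrent retries; no need for a cryptographically secure RNG here.
	jitter := 1 + time.Millisecond*time.Duration(rand.Int64N(1000)) // #nosec G404
	// the exponent is calculated slightly contrived to allow the gosec:G115
	// linter to recognise the safe type conversion.
	// simple formula: exponent = max(0, n-1)
	exponent := uint(0)
	if temp := n - 1; temp >= 0 {
		exponent = uint(temp)
	}
	d := time.Duration(1<<exponent)*time.Second + jitter
	if d > maxDelay {
		return maxDelay
	}
	return d
}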
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme"
)
// SchemeGroupVersion is the group version used to register these objects:
// the webhook ACME group at version v1alpha1.
var SchemeGroupVersion = schema.GroupVersion{Group: acme.GroupName, Version: "v1alpha1"}
// Resource takes an unqualified resource name and returns it qualified with
// this package's API group as a GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
var (
	// SchemeBuilder should be declared in packages that will have generated deep
	// copy or conversion functions.
	SchemeBuilder runtime.SchemeBuilder
	// localSchemeBuilder lets this file and generated files register into the
	// same builder.
	localSchemeBuilder = &SchemeBuilder
	// AddToScheme registers everything collected by SchemeBuilder into a Scheme.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init registers the hand-written type registration function. It is kept as
// a single statement on purpose; there is nothing else to restyle here.
func init() {
	// We only register manually written functions here. The registration of the
	// generated functions takes place in the generated files. The separation
	// makes the code compile even when the generated files are missing.
	localSchemeBuilder.Register(addKnownTypes)
}
// addKnownTypes registers this package's API types with the scheme under
// SchemeGroupVersion and adds the meta/v1 types to that group version as
// well. It always returns nil; the error result only satisfies the
// runtime.SchemeBuilder function signature.
func addKnownTypes(scheme *runtime.Scheme) error {
	known := []runtime.Object{
		&ChallengePayload{},
	}
	scheme.AddKnownTypes(SchemeGroupVersion, known...)
	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengePayload) DeepCopyInto(out *ChallengePayload) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	// Pointer fields are re-allocated and deep-copied so that out does not
	// alias in's Request or Response.
	if in.Request != nil {
		in, out := &in.Request, &out.Request
		*out = new(ChallengeRequest)
		(*in).DeepCopyInto(*out)
	}
	if in.Response != nil {
		in, out := &in.Response, &out.Response
		*out = new(ChallengeResponse)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengePayload.
// A nil receiver yields nil rather than an empty value.
func (in *ChallengePayload) DeepCopy() *ChallengePayload {
	if in == nil {
		return nil
	}
	out := new(ChallengePayload)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ChallengePayload) DeepCopyObject() runtime.Object {
	// Return the literal nil rather than a typed nil pointer, so callers
	// comparing the interface against nil get the expected answer.
	if c := in.DeepCopy(); c != nil {
		return c
	}
	return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengeRequest) DeepCopyInto(out *ChallengeRequest) {
	*out = *in
	// Config is a pointer to apiextensions v1.JSON; copy it so out owns its
	// own raw bytes instead of sharing in's.
	if in.Config != nil {
		in, out := &in.Config, &out.Config
		*out = new(v1.JSON)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeRequest.
// A nil receiver yields nil rather than an empty value.
func (in *ChallengeRequest) DeepCopy() *ChallengeRequest {
	if in == nil {
		return nil
	}
	out := new(ChallengeRequest)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengeResponse) DeepCopyInto(out *ChallengeResponse) {
	*out = *in
	// Result is a *metav1.Status; allocate a fresh one so the copy does not
	// alias the original.
	if in.Result != nil {
		in, out := &in.Result, &out.Result
		*out = new(metav1.Status)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeResponse.
// A nil receiver yields nil rather than an empty value.
func (in *ChallengeResponse) DeepCopy() *ChallengeResponse {
	if in == nil {
		return nil
	}
	out := new(ChallengeResponse)
	in.DeepCopyInto(out)
	return out
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package api
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
whapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
cmacmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmapiv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// This package defines a Scheme and Codec that has the *external* API types
// registered.
// This means that the scheme will *not* perform defaulting or conversions for
// cert-manager API resources.
// This is to ensure a clean separation between API semantics and controllers.
// Only the webhook should utilise a scheme with conversions and defaults
// registered in order to ensure all controllers have a consistent view of
// resource types in the apiserver.

// Scheme holds the external API types registered by init().
var Scheme = runtime.NewScheme()

// Codecs is the serializer factory built over Scheme.
var Codecs = serializer.NewCodecFactory(Scheme)

// ParameterCodec converts query parameters for the types in Scheme.
var ParameterCodec = runtime.NewParameterCodec(Scheme)

// localSchemeBuilder lists the AddToScheme functions of every API group
// this package registers: cert-manager v1, ACME v1, meta v1 and the ACME
// webhook v1alpha1 types.
var localSchemeBuilder = runtime.SchemeBuilder{
	cmapiv1.AddToScheme,
	cmacmev1.AddToScheme,
	cmmeta.AddToScheme,
	whapi.AddToScheme,
}
// AddToScheme registers every API group in localSchemeBuilder (cert-manager
// v1, ACME v1, meta v1 and the ACME webhook v1alpha1 types) into the given
// scheme. It is exported separately from Scheme so that these types can be
// composed into another scheme, for example:
//
//	import clientsetscheme "k8s.io/client-go/kubernetes/scheme"
//
//	_ = api.AddToScheme(clientsetscheme.Scheme)
//
// After this, RawExtensions in Kubernetes types will serialize cert-manager
// types correctly.
var AddToScheme = localSchemeBuilder.AddToScheme
// init populates Scheme: the meta/v1 types are added under the unversioned
// "v1" group version, then every group in localSchemeBuilder is registered.
func init() {
	metav1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
	// A registration failure is a programming error; fail at startup instead
	// of continuing with a partially populated scheme.
	utilruntime.Must(AddToScheme(Scheme))
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/klog/v2"
"k8s.io/utils/clock"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// Clock is defined as a package var so it can be stubbed out during tests.
// The Set*Condition helpers in this file read LastTransitionTime from it.
var Clock clock.Clock = clock.RealClock{}
// IssuerHasCondition reports whether the given GenericIssuer carries a
// condition whose Type and Status both equal those of c. Reason, Message and
// LastTransitionTime are ignored in the comparison. A nil issuer has no
// conditions and yields false.
func IssuerHasCondition(i cmapi.GenericIssuer, c cmapi.IssuerCondition) bool {
	if i == nil {
		return false
	}
	for _, existing := range i.GetStatus().Conditions {
		if existing.Type != c.Type || existing.Status != c.Status {
			continue
		}
		return true
	}
	return false
}
// SetIssuerCondition will set a 'condition' on the given GenericIssuer.
// - If no condition of the same type already exists, the condition will be
// inserted with the LastTransitionTime set to the current time.
// - If a condition of the same type and state already exists, the condition
// will be updated but the LastTransitionTime will not be modified.
// - If a condition of the same type and different state already exists, the
// condition will be updated and the LastTransitionTime set to the current
// time.
//
// This function works with both Issuer and ClusterIssuer resources.
// The given observedGeneration is always written to the condition, whether
// or not the LastTransitionTime changes. Unlike IssuerHasCondition, a nil
// issuer is not guarded against.
func SetIssuerCondition(i cmapi.GenericIssuer, observedGeneration int64, conditionType cmapi.IssuerConditionType, status cmmeta.ConditionStatus, reason, message string) {
	newCondition := cmapi.IssuerCondition{
		Type:    conditionType,
		Status:  status,
		Reason:  reason,
		Message: message,
	}
	// Timestamps come from the package-level Clock so tests can control them.
	nowTime := metav1.NewTime(Clock.Now())
	newCondition.LastTransitionTime = &nowTime
	// Set the condition generation
	newCondition.ObservedGeneration = observedGeneration
	// Search through existing conditions
	for idx, cond := range i.GetStatus().Conditions {
		// Skip unrelated conditions
		if cond.Type != conditionType {
			continue
		}
		// If this update doesn't contain a state transition, we don't update
		// the conditions LastTransitionTime to Now()
		if cond.Status == status {
			newCondition.LastTransitionTime = cond.LastTransitionTime
		} else {
			logf.Log.V(logf.InfoLevel).Info("Found status change for Issuer condition; setting lastTransitionTime",
				"issuer", klog.KObj(i),
				"condition", conditionType,
				"oldStatus", cond.Status,
				"status", status,
				"lastTransitionTime", nowTime.Time)
		}
		// Overwrite the existing condition; only the first condition of this
		// type is touched because we return immediately.
		i.GetStatus().Conditions[idx] = newCondition
		return
	}
	// If we've not found an existing condition of this type, we simply insert
	// the new condition into the slice.
	i.GetStatus().Conditions = append(i.GetStatus().Conditions, newCondition)
	logf.Log.V(logf.InfoLevel).Info("Setting lastTransitionTime for Issuer condition",
		"issuer", klog.KObj(i),
		"condition", conditionType,
		"lastTransitionTime", nowTime.Time)
}
// CertificateHasCondition reports whether crt carries a condition whose Type
// and Status both equal those of c. Reason, Message and LastTransitionTime
// are not compared. A nil Certificate yields false.
func CertificateHasCondition(crt *cmapi.Certificate, c cmapi.CertificateCondition) bool {
	if crt == nil {
		return false
	}
	conds := crt.Status.Conditions
	for idx := range conds {
		if conds[idx].Type == c.Type && conds[idx].Status == c.Status {
			return true
		}
	}
	return false
}
// CertificateHasConditionWithObservedGeneration reports whether crt carries a
// condition whose Type and Status equal those of c and whose
// ObservedGeneration is at least c.ObservedGeneration. Reason, Message and
// LastTransitionTime are not compared. A nil Certificate yields false.
func CertificateHasConditionWithObservedGeneration(crt *cmapi.Certificate, c cmapi.CertificateCondition) bool {
	if crt == nil {
		return false
	}
	for _, existing := range crt.Status.Conditions {
		sameKind := existing.Type == c.Type && existing.Status == c.Status
		// The existing condition must be at least as recent as the one asked for.
		recentEnough := existing.ObservedGeneration >= c.ObservedGeneration
		if sameKind && recentEnough {
			return true
		}
	}
	return false
}
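// GetCertificateCondition returns a pointer to the first condition of the
// given type on crt, or nil if crt is nil or no such condition exists.
// The pointer aliases the element inside crt.Status.Conditions, so writes
// through it modify crt directly.
func GetCertificateCondition(crt *cmapi.Certificate, conditionType cmapi.CertificateConditionType) *cmapi.CertificateCondition {
	// Tolerate a nil Certificate like the other Certificate helpers in this
	// file do, instead of dereferencing it.
	if crt == nil {
		return nil
	}
	for i := range crt.Status.Conditions {
		if crt.Status.Conditions[i].Type == conditionType {
			return &crt.Status.Conditions[i]
		}
	}
	return nil
}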
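// GetCertificateRequestCondition returns a pointer to the first condition of
// the given type on req, or nil if req is nil or no such condition exists.
// The pointer aliases the element inside req.Status.Conditions, so writes
// through it modify req directly.
func GetCertificateRequestCondition(req *cmapi.CertificateRequest, conditionType cmapi.CertificateRequestConditionType) *cmapi.CertificateRequestCondition {
	// Tolerate a nil CertificateRequest like the other CertificateRequest
	// helpers in this file do, instead of dereferencing it.
	if req == nil {
		return nil
	}
	for i := range req.Status.Conditions {
		if req.Status.Conditions[i].Type == conditionType {
			return &req.Status.Conditions[i]
		}
	}
	return nil
}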
// SetCertificateCondition will set a 'condition' on the given Certificate.
// - If no condition of the same type already exists, the condition will be
// inserted with the LastTransitionTime set to the current time.
// - If a condition of the same type and state already exists, the condition
// will be updated but the LastTransitionTime will not be modified.
// - If a condition of the same type and different state already exists, the
// condition will be updated with the LastTransitionTime set to the current
// time.
//
// The given ObservedGeneration will always set on the condition, whether the
// lastTransitionTime is modified or not. crt must be non-nil.
func SetCertificateCondition(crt *cmapi.Certificate, observedGeneration int64, conditionType cmapi.CertificateConditionType,
	status cmmeta.ConditionStatus, reason, message string) {
	newCondition := cmapi.CertificateCondition{
		Type:    conditionType,
		Status:  status,
		Reason:  reason,
		Message: message,
	}
	// Timestamps come from the package-level Clock so tests can control them.
	nowTime := metav1.NewTime(Clock.Now())
	newCondition.LastTransitionTime = &nowTime
	// Set the condition generation
	newCondition.ObservedGeneration = observedGeneration
	// Search through existing conditions
	for idx, cond := range crt.Status.Conditions {
		// Skip unrelated conditions
		if cond.Type != conditionType {
			continue
		}
		// If this update doesn't contain a state transition, we don't update the
		// conditions LastTransitionTime to Now()
		if cond.Status == status {
			newCondition.LastTransitionTime = cond.LastTransitionTime
		} else {
			logf.Log.V(logf.InfoLevel).Info("Found status change for Certificate condition; setting lastTransitionTime",
				"certificate", klog.KObj(crt),
				"condition", conditionType,
				"oldStatus", cond.Status,
				"status", status,
				"lastTransitionTime", nowTime.Time)
		}
		// Overwrite the existing condition; only the first condition of this
		// type is touched because we return immediately.
		crt.Status.Conditions[idx] = newCondition
		return
	}
	// If we've not found an existing condition of this type, we simply insert
	// the new condition into the slice.
	crt.Status.Conditions = append(crt.Status.Conditions, newCondition)
	logf.Log.V(logf.InfoLevel).Info("Setting lastTransitionTime for Certificate condition",
		"certificate", klog.KObj(crt),
		"condition", conditionType,
		"lastTransitionTime", nowTime.Time)
}
// RemoveCertificateCondition drops every condition of the given type from
// crt.Status.Conditions, preserving the order of the remaining ones. crt must
// be non-nil. If nothing remains, Conditions is set to a nil slice.
func RemoveCertificateCondition(crt *cmapi.Certificate, conditionType cmapi.CertificateConditionType) {
	// A fresh slice is built instead of filtering in place, so the previous
	// backing array is left untouched.
	var kept []cmapi.CertificateCondition
	for idx := range crt.Status.Conditions {
		if cond := crt.Status.Conditions[idx]; cond.Type != conditionType {
			kept = append(kept, cond)
		}
	}
	crt.Status.Conditions = kept
}
// SetCertificateRequestCondition will set a 'condition' on the given CertificateRequest.
// - If no condition of the same type already exists, the condition will be
// inserted with the LastTransitionTime set to the current time.
// - If a condition of the same type and state already exists, the condition
// will be updated but the LastTransitionTime will not be modified.
// - If a condition of the same type and different state already exists, the
// condition will be updated and the LastTransitionTime set to the current
// time.
//
// Unlike SetCertificateCondition, no ObservedGeneration is recorded. cr must
// be non-nil.
func SetCertificateRequestCondition(cr *cmapi.CertificateRequest, conditionType cmapi.CertificateRequestConditionType, status cmmeta.ConditionStatus, reason, message string) {
	newCondition := cmapi.CertificateRequestCondition{
		Type:    conditionType,
		Status:  status,
		Reason:  reason,
		Message: message,
	}
	// Timestamps come from the package-level Clock so tests can control them.
	nowTime := metav1.NewTime(Clock.Now())
	newCondition.LastTransitionTime = &nowTime
	// Search through existing conditions
	for idx, cond := range cr.Status.Conditions {
		// Skip unrelated conditions
		if cond.Type != conditionType {
			continue
		}
		// If this update doesn't contain a state transition, we don't update
		// the conditions LastTransitionTime to Now()
		if cond.Status == status {
			newCondition.LastTransitionTime = cond.LastTransitionTime
		} else {
			logf.Log.V(logf.InfoLevel).Info("Found status change for CertificateRequest condition; setting lastTransitionTime",
				"certificateRequest", klog.KObj(cr),
				"condition", conditionType,
				"oldStatus", cond.Status,
				"status", status,
				"lastTransitionTime", nowTime.Time)
		}
		// Overwrite the existing condition; only the first condition of this
		// type is touched because we return immediately.
		cr.Status.Conditions[idx] = newCondition
		return
	}
	// If we've not found an existing condition of this type, we simply insert
	// the new condition into the slice.
	cr.Status.Conditions = append(cr.Status.Conditions, newCondition)
	logf.Log.V(logf.InfoLevel).Info("Setting lastTransitionTime for CertificateRequest condition",
		"certificateRequest", klog.KObj(cr),
		"condition", conditionType,
		"lastTransitionTime", nowTime.Time)
}
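// CertificateRequestHasCondition reports whether cr carries a condition
// matching c. Type and Status must be equal; Reason is compared as well, but
// only when c.Reason is non-empty (an empty c.Reason matches any reason).
// Message and LastTransitionTime are never compared. A nil request yields
// false.
func CertificateRequestHasCondition(cr *cmapi.CertificateRequest, c cmapi.CertificateRequestCondition) bool {
	if cr == nil {
		return false
	}
	for _, cond := range cr.Status.Conditions {
		if cond.Type != c.Type || cond.Status != c.Status {
			continue
		}
		// An unset Reason on the wanted condition acts as a wildcard.
		if c.Reason == "" || c.Reason == cond.Reason {
			return true
		}
	}
	return false
}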
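// CertificateRequestReadyReason returns the Reason of cr's Ready condition,
// chosen by precedence: Failed, then Issued, then Pending, then Denied.
// It returns "" if cr is nil or no Ready condition carries one of those
// reasons.
func CertificateRequestReadyReason(cr *cmapi.CertificateRequest) string {
	if cr == nil {
		return ""
	}
	// Ordered by precedence: the first reason found wins, so a Failed Ready
	// condition masks an Issued one, and so on down the list.
	for _, reason := range []string{
		cmapi.CertificateRequestReasonFailed,
		cmapi.CertificateRequestReasonIssued,
		cmapi.CertificateRequestReasonPending,
		cmapi.CertificateRequestReasonDenied,
	} {
		for _, con := range cr.Status.Conditions {
			if con.Type == cmapi.CertificateRequestConditionReady &&
				con.Reason == reason {
				return reason
			}
		}
	}
	return ""
}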
// CertificateRequestInvalidRequestMessage returns the Message of cr's first
// InvalidRequest condition with status True, or "" when cr is nil or no such
// condition exists.
func CertificateRequestInvalidRequestMessage(cr *cmapi.CertificateRequest) string {
	if cr == nil {
		return ""
	}
	conds := cr.Status.Conditions
	for idx := range conds {
		isInvalid := conds[idx].Type == cmapi.CertificateRequestConditionInvalidRequest
		if isInvalid && conds[idx].Status == cmmeta.ConditionTrue {
			return conds[idx].Message
		}
	}
	return ""
}
// CertificateRequestHasInvalidRequest reports whether cr carries an
// InvalidRequest condition with status True. A nil request yields false.
func CertificateRequestHasInvalidRequest(cr *cmapi.CertificateRequest) bool {
	if cr == nil {
		return false
	}
	for _, con := range cr.Status.Conditions {
		switch {
		case con.Type != cmapi.CertificateRequestConditionInvalidRequest:
			continue
		case con.Status == cmmeta.ConditionTrue:
			return true
		}
	}
	return false
}
// CertificateRequestIsApproved reports whether cr carries an Approved
// condition with status True. A nil request yields false.
func CertificateRequestIsApproved(cr *cmapi.CertificateRequest) bool {
	if cr == nil {
		return false
	}
	for _, con := range cr.Status.Conditions {
		switch {
		case con.Type != cmapi.CertificateRequestConditionApproved:
			continue
		case con.Status == cmmeta.ConditionTrue:
			return true
		}
	}
	return false
}
// CertificateRequestIsDenied reports whether cr carries a Denied condition
// with status True. A nil request yields false.
func CertificateRequestIsDenied(cr *cmapi.CertificateRequest) bool {
	if cr == nil {
		return false
	}
	for _, con := range cr.Status.Conditions {
		switch {
		case con.Type != cmapi.CertificateRequestConditionDenied:
			continue
		case con.Status == cmmeta.ConditionTrue:
			return true
		}
	}
	return false
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// DefaultCertDuration returns d.Duration when d is set, and otherwise
// cert-manager's default certificate duration, v1.DefaultCertificateDuration.
func DefaultCertDuration(d *metav1.Duration) time.Duration {
	if d == nil {
		return v1.DefaultCertificateDuration
	}
	return d.Duration
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"fmt"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// Names of the Issuer implementations, as returned by NameForIssuer. Each
// corresponds to one of the mutually exclusive fields of the issuer spec.
const (
	// IssuerACME is the name of the ACME issuer
	IssuerACME string = "acme"
	// IssuerCA is the name of the simple issuer
	IssuerCA string = "ca"
	// IssuerVault is the name of the Vault issuer
	IssuerVault string = "vault"
	// IssuerSelfSigned is a self signing issuer
	IssuerSelfSigned string = "selfsigned"
	// IssuerVenafi uses Venafi Trust Protection Platform and Venafi Cloud
	IssuerVenafi string = "venafi"
)
// NameForIssuer determines the name of the Issuer implementation given an
// Issuer resource, by checking which issuer-specific field of its spec is
// set. Fields are checked in the order ACME, CA, Vault, SelfSigned, Venafi,
// so the first one set wins. It returns an error naming the issuer when none
// of them is set. i must be non-nil.
func NameForIssuer(i cmapi.GenericIssuer) (string, error) {
	spec := i.GetSpec()
	switch {
	case spec.ACME != nil:
		return IssuerACME, nil
	case spec.CA != nil:
		return IssuerCA, nil
	case spec.Vault != nil:
		return IssuerVault, nil
	case spec.SelfSigned != nil:
		return IssuerSelfSigned, nil
	case spec.Venafi != nil:
		return IssuerVenafi, nil
	}
	meta := i.GetObjectMeta()
	return "", fmt.Errorf("no issuer specified for Issuer '%s/%s'", meta.Namespace, meta.Name)
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"crypto/x509"
"math/bits"
certificatesv1 "k8s.io/api/certificates/v1"
)
// keyUsagesKube maps Kubernetes certificates/v1 key usage names to x509
// KeyUsage bits. Note that UsageSigning and UsageDigitalSignature both map to
// KeyUsageDigitalSignature, so the reverse lookup is not unique.
var keyUsagesKube = map[certificatesv1.KeyUsage]x509.KeyUsage{
	certificatesv1.UsageSigning:           x509.KeyUsageDigitalSignature,
	certificatesv1.UsageDigitalSignature:  x509.KeyUsageDigitalSignature,
	certificatesv1.UsageContentCommitment: x509.KeyUsageContentCommitment,
	certificatesv1.UsageKeyEncipherment:   x509.KeyUsageKeyEncipherment,
	certificatesv1.UsageKeyAgreement:      x509.KeyUsageKeyAgreement,
	certificatesv1.UsageDataEncipherment:  x509.KeyUsageDataEncipherment,
	certificatesv1.UsageCertSign:          x509.KeyUsageCertSign,
	certificatesv1.UsageCRLSign:           x509.KeyUsageCRLSign,
	certificatesv1.UsageEncipherOnly:      x509.KeyUsageEncipherOnly,
	certificatesv1.UsageDecipherOnly:      x509.KeyUsageDecipherOnly,
}
// extKeyUsagesKube maps Kubernetes certificates/v1 key usage names to x509
// extended key usages. UsageEmailProtection and UsageSMIME both map to
// ExtKeyUsageEmailProtection, so the reverse lookup is not unique.
var extKeyUsagesKube = map[certificatesv1.KeyUsage]x509.ExtKeyUsage{
	certificatesv1.UsageAny:             x509.ExtKeyUsageAny,
	certificatesv1.UsageServerAuth:      x509.ExtKeyUsageServerAuth,
	certificatesv1.UsageClientAuth:      x509.ExtKeyUsageClientAuth,
	certificatesv1.UsageCodeSigning:     x509.ExtKeyUsageCodeSigning,
	certificatesv1.UsageEmailProtection: x509.ExtKeyUsageEmailProtection,
	certificatesv1.UsageSMIME:           x509.ExtKeyUsageEmailProtection,
	certificatesv1.UsageIPsecEndSystem:  x509.ExtKeyUsageIPSECEndSystem,
	certificatesv1.UsageIPsecTunnel:     x509.ExtKeyUsageIPSECTunnel,
	certificatesv1.UsageIPsecUser:       x509.ExtKeyUsageIPSECUser,
	certificatesv1.UsageTimestamping:    x509.ExtKeyUsageTimeStamping,
	certificatesv1.UsageOCSPSigning:     x509.ExtKeyUsageOCSPSigning,
	certificatesv1.UsageMicrosoftSGC:    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
	certificatesv1.UsageNetscapeSGC:     x509.ExtKeyUsageNetscapeServerGatedCrypto,
}
// KeyUsageTypeKube looks up the x509.KeyUsage bit for a Kubernetes
// certificates/v1 usage name. The second result is false when the name is
// not in keyUsagesKube.
func KeyUsageTypeKube(usage certificatesv1.KeyUsage) (x509.KeyUsage, bool) {
	mapped, found := keyUsagesKube[usage]
	return mapped, found
}
// ExtKeyUsageTypeKube looks up the x509.ExtKeyUsage for a Kubernetes
// certificates/v1 usage name. The second result is false when the name is
// not in extKeyUsagesKube.
func ExtKeyUsageTypeKube(usage certificatesv1.KeyUsage) (x509.ExtKeyUsage, bool) {
	mapped, found := extKeyUsagesKube[usage]
	return mapped, found
}
// KubeKeyUsageStrings splits the x509.KeyUsage bit mask into its set bits,
// lowest first, and maps each to the matching certificatesv1.KeyUsage; a bit
// without a mapping becomes "unknown". A zero mask yields a nil slice.
func KubeKeyUsageStrings(usage x509.KeyUsage) []certificatesv1.KeyUsage {
	var names []certificatesv1.KeyUsage
	for bit := 0; bit < bits.UintSize; bit++ {
		flag := usage & (1 << bit)
		if flag == 0 {
			continue
		}
		names = append(names, kubeKeyUsageString(flag))
	}
	return names
}
// KubeExtKeyUsageStrings maps each x509.ExtKeyUsage in usage, in order, to the
// matching certificatesv1.KeyUsage; an unmapped value becomes "unknown". An
// empty input yields a nil slice.
func KubeExtKeyUsageStrings(usage []x509.ExtKeyUsage) []certificatesv1.KeyUsage {
	var names []certificatesv1.KeyUsage
	for idx := range usage {
		names = append(names, kubeExtKeyUsageString(usage[idx]))
	}
	return names
}
// kubeKeyUsageString returns the certificatesv1.KeyUsage for a single x509
// KeyUsage bit, or "unknown" if keyUsagesKube has no entry for it.
func kubeKeyUsageString(usage x509.KeyUsage) certificatesv1.KeyUsage {
	// Both UsageSigning and UsageDigitalSignature map to this bit; always pick
	// the same one so the result does not depend on map iteration order.
	if usage == x509.KeyUsageDigitalSignature {
		return certificatesv1.UsageDigitalSignature
	}
	for name, bit := range keyUsagesKube {
		if bit == usage {
			return name
		}
	}
	return "unknown"
}
// kubeExtKeyUsageString returns the certificatesv1.KeyUsage for an x509
// ExtKeyUsage, or "unknown" if extKeyUsagesKube has no entry for it.
func kubeExtKeyUsageString(usage x509.ExtKeyUsage) certificatesv1.KeyUsage {
	// Both UsageEmailProtection and UsageSMIME map to this value; always pick
	// the same one so the result does not depend on map iteration order.
	if usage == x509.ExtKeyUsageEmailProtection {
		return certificatesv1.UsageEmailProtection
	}
	for name, eku := range extKeyUsagesKube {
		if eku == usage {
			return name
		}
	}
	return "unknown"
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"crypto/sha256"
"encoding/json"
"fmt"
"hash/fnv"
"regexp"
)
// ComputeName returns prefix, shortened to a DNS-safe 52 characters, joined
// with "-" to the decimal FNV 32-bit hash of obj's JSON encoding.
// FNV is not a cryptographic hash and the digest is only 32 bits wide, so
// distinct objects can yield the same name; callers must not rely on the
// result being unique. The result is at most 63 characters (52 + 1 + 10),
// which keeps it usable for the Service and Pod names derived from it.
// It returns an error if obj cannot be marshalled to JSON.
func ComputeName(prefix string, obj interface{}) (string, error) {
	encoded, err := json.Marshal(obj)
	if err != nil {
		return "", err
	}
	h := fnv.New32()
	if _, err := h.Write(encoded); err != nil {
		return "", err
	}
	// Trim the prefix so the whole name stays under 64 characters; it is
	// reused for Services and Pods of ACME resources later on.
	shortPrefix := DNSSafeShortenTo52Characters(prefix)
	return fmt.Sprintf("%s-%d", shortPrefix, h.Sum32()), nil
}
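// dnsSafeAlphaNumeric matches one ASCII letter or digit. It is compiled once
// here rather than on every DNSSafeShortenToNCharacters call.
var dnsSafeAlphaNumeric = regexp.MustCompile(`[a-zA-Z\d]`)

// ComputeSecureUniqueDeterministicNameFromData derives a deterministic name of
// at most maxNameLength characters from fullName.
//
// If fullName already fits within maxNameLength it is returned unchanged.
// Otherwise the result is a DNS-safe prefix of fullName (see
// DNSSafeShortenToNCharacters), a "-", and the 64-character lowercase hex
// SHA-256 of the whole of fullName; when no prefix fits, the hex hash alone
// is returned. Two distinct inputs that both exceed maxNameLength therefore
// only collide if SHA-256 collides.
//
// It returns an error if maxNameLength is below 64, since the hex hash
// would not fit.
func ComputeSecureUniqueDeterministicNameFromData(fullName string, maxNameLength int) (string, error) {
	const hashLength = 64 // hex length of a 32-byte SHA-256 digest
	if maxNameLength < hashLength {
		return "", fmt.Errorf("maxNameLength must be at least %d", hashLength)
	}
	if len(fullName) <= maxNameLength {
		return fullName, nil
	}
	// Hash the entire name, not only the part that is cut off, so inputs that
	// share a long common prefix still get distinct names.
	sum := sha256.Sum256([]byte(fullName))
	// Although fullName is already a DNS subdomain, we can't just cut it at N
	// characters and expect another DNS subdomain: the cut might land right
	// after a ".", which would give an invalid label such as "test.-<hash>".
	// So the prefix is trimmed back to end on an alpha-numeric character.
	// The extra -1 reserves room for the "-" separator.
	prefix := DNSSafeShortenToNCharacters(fullName, maxNameLength-hashLength-1)
	if prefix == "" {
		return fmt.Sprintf("%x", sum[:]), nil
	}
	return fmt.Sprintf("%s-%x", prefix, sum[:]), nil
}

// DNSSafeShortenToNCharacters truncates in to at most maxLength bytes and then
// trims it further so that the result ends on an ASCII letter or digit.
// An input shorter than maxLength is returned untouched. It returns "" when
// maxLength <= 0 or when the truncated prefix contains no letter or digit.
func DNSSafeShortenToNCharacters(in string, maxLength int) string {
	if len(in) < maxLength {
		return in
	}
	if maxLength <= 0 {
		return ""
	}
	matches := dnsSafeAlphaNumeric.FindAllStringIndex(in[:maxLength], -1)
	if len(matches) == 0 {
		return ""
	}
	// Cut just after the last alpha-numeric character inside the limit.
	return in[:matches[len(matches)-1][1]]
}

// DNSSafeShortenTo52Characters is DNSSafeShortenToNCharacters with a limit of
// 52, the prefix budget ComputeName uses to keep names under 64 characters.
func DNSSafeShortenTo52Characters(in string) string {
	return DNSSafeShortenToNCharacters(in, 52)
}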
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"crypto/x509"
"math/bits"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// keyUsages maps cert-manager key usage names to x509 KeyUsage bits. Note
// that UsageSigning and UsageDigitalSignature both map to
// KeyUsageDigitalSignature, so the reverse lookup is not unique.
var keyUsages = map[cmapi.KeyUsage]x509.KeyUsage{
	cmapi.UsageSigning:           x509.KeyUsageDigitalSignature,
	cmapi.UsageDigitalSignature:  x509.KeyUsageDigitalSignature,
	cmapi.UsageContentCommitment: x509.KeyUsageContentCommitment,
	cmapi.UsageKeyEncipherment:   x509.KeyUsageKeyEncipherment,
	cmapi.UsageKeyAgreement:      x509.KeyUsageKeyAgreement,
	cmapi.UsageDataEncipherment:  x509.KeyUsageDataEncipherment,
	cmapi.UsageCertSign:          x509.KeyUsageCertSign,
	cmapi.UsageCRLSign:           x509.KeyUsageCRLSign,
	cmapi.UsageEncipherOnly:      x509.KeyUsageEncipherOnly,
	cmapi.UsageDecipherOnly:      x509.KeyUsageDecipherOnly,
}
// extKeyUsages maps cert-manager key usage names to x509 extended key usages.
// UsageEmailProtection and UsageSMIME both map to ExtKeyUsageEmailProtection,
// so the reverse lookup is not unique.
var extKeyUsages = map[cmapi.KeyUsage]x509.ExtKeyUsage{
	cmapi.UsageAny:             x509.ExtKeyUsageAny,
	cmapi.UsageServerAuth:      x509.ExtKeyUsageServerAuth,
	cmapi.UsageClientAuth:      x509.ExtKeyUsageClientAuth,
	cmapi.UsageCodeSigning:     x509.ExtKeyUsageCodeSigning,
	cmapi.UsageEmailProtection: x509.ExtKeyUsageEmailProtection,
	cmapi.UsageSMIME:           x509.ExtKeyUsageEmailProtection,
	cmapi.UsageIPsecEndSystem:  x509.ExtKeyUsageIPSECEndSystem,
	cmapi.UsageIPsecTunnel:     x509.ExtKeyUsageIPSECTunnel,
	cmapi.UsageIPsecUser:       x509.ExtKeyUsageIPSECUser,
	cmapi.UsageTimestamping:    x509.ExtKeyUsageTimeStamping,
	cmapi.UsageOCSPSigning:     x509.ExtKeyUsageOCSPSigning,
	cmapi.UsageMicrosoftSGC:    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
	cmapi.UsageNetscapeSGC:     x509.ExtKeyUsageNetscapeServerGatedCrypto,
}
// KeyUsageType looks up the x509.KeyUsage bit for a cert-manager usage name.
// The second result is false when the name is not in keyUsages.
func KeyUsageType(usage cmapi.KeyUsage) (x509.KeyUsage, bool) {
	mapped, found := keyUsages[usage]
	return mapped, found
}
// ExtKeyUsageType looks up the x509.ExtKeyUsage for a cert-manager usage
// name. The second result is false when the name is not in extKeyUsages.
func ExtKeyUsageType(usage cmapi.KeyUsage) (x509.ExtKeyUsage, bool) {
	mapped, found := extKeyUsages[usage]
	return mapped, found
}
// KeyUsageStrings splits the x509.KeyUsage bit mask into its set bits, lowest
// first, and maps each to the matching cmapi.KeyUsage; a bit without a
// mapping becomes "unknown". A zero mask yields a nil slice.
func KeyUsageStrings(usage x509.KeyUsage) []cmapi.KeyUsage {
	var names []cmapi.KeyUsage
	for bit := 0; bit < bits.UintSize; bit++ {
		flag := usage & (1 << bit)
		if flag == 0 {
			continue
		}
		names = append(names, keyUsageString(flag))
	}
	return names
}
// ExtKeyUsageStrings converts each x509.ExtKeyUsage in usage to its
// cert-manager KeyUsage name, preserving order. Values absent from
// extKeyUsages become "unknown". An empty or nil input yields a nil slice.
func ExtKeyUsageStrings(usage []x509.ExtKeyUsage) []cmapi.KeyUsage {
	if len(usage) == 0 {
		return nil
	}
	names := make([]cmapi.KeyUsage, 0, len(usage))
	for _, eku := range usage {
		names = append(names, extKeyUsageString(eku))
	}
	return names
}
// keyUsageString reverse-maps a single x509.KeyUsage bit to its cert-manager
// name, returning "unknown" when keyUsages has no entry for it. The caller is
// expected to pass exactly one set bit; a multi-bit value only matches if the
// table happens to contain that exact combination.
func keyUsageString(usage x509.KeyUsage) cmapi.KeyUsage {
	// keyUsages has two names for the digital-signature bit (UsageSigning
	// and UsageDigitalSignature). Pin the answer here so the result does not
	// depend on map iteration order.
	if usage == x509.KeyUsageDigitalSignature {
		return cmapi.UsageDigitalSignature
	}
	match := cmapi.KeyUsage("unknown")
	for name, bit := range keyUsages {
		if bit == usage {
			match = name
			break
		}
	}
	return match
}
// extKeyUsageString reverse-maps an x509.ExtKeyUsage to its cert-manager
// name, returning "unknown" when extKeyUsages has no entry for it.
func extKeyUsageString(usage x509.ExtKeyUsage) cmapi.KeyUsage {
	// extKeyUsages has two names for email protection (UsageEmailProtection
	// and UsageSMIME). Pin the answer here so the result does not depend on
	// map iteration order.
	if usage == x509.ExtKeyUsageEmailProtection {
		return cmapi.UsageEmailProtection
	}
	match := cmapi.KeyUsage("unknown")
	for name, eku := range extKeyUsages {
		if eku == usage {
			match = name
			break
		}
	}
	return match
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/acme"
)
// SchemeGroupVersion identifies the acme API group at version v1; every
// type registered by this package is keyed under it.
var SchemeGroupVersion = schema.GroupVersion{Version: "v1", Group: acme.GroupName}
// Resource qualifies a bare resource name (for example "orders") with this
// package's API group, returning the resulting GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
// SchemeBuilder accumulates the functions that register this group's types
// with a runtime.Scheme.
var SchemeBuilder runtime.SchemeBuilder

// localSchemeBuilder is the pointer that both the hand-written and the
// generated registration code append to.
var localSchemeBuilder = &SchemeBuilder

// AddToScheme applies every registered function to the given scheme.
var AddToScheme = localSchemeBuilder.AddToScheme
func init() {
	// Only the hand-written registration function is added here; each
	// generated file registers its own functions, so this package still
	// compiles when the generated files are absent.
	SchemeBuilder.Register(addKnownTypes)
}
// addKnownTypes registers the acme v1 API objects, and the shared meta/v1
// types, under SchemeGroupVersion. It never fails; the error return exists
// only to satisfy the SchemeBuilder registration signature.
func addKnownTypes(scheme *runtime.Scheme) error {
	objects := []runtime.Object{
		&Order{},
		&OrderList{},
		&Challenge{},
		&ChallengeList{},
	}
	scheme.AddKnownTypes(SchemeGroupVersion, objects...)
	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
apisv1 "sigs.k8s.io/gateway-api/apis/v1"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEAuthorization) DeepCopyInto(out *ACMEAuthorization) {
	*out = *in // shallow copy; the pointer and slice fields are re-pointed below
	if in.Wildcard != nil {
		in, out := &in.Wildcard, &out.Wildcard
		*out = new(bool)
		**out = **in
	}
	if in.Challenges != nil {
		// element-wise copy: ACMEChallenge is copied by value (see its DeepCopyInto)
		in, out := &in.Challenges, &out.Challenges
		*out = make([]ACMEChallenge, len(*in))
		copy(*out, *in)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEAuthorization.
func (in *ACMEAuthorization) DeepCopy() *ACMEAuthorization {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEAuthorization)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallenge) DeepCopyInto(out *ACMEChallenge) {
	*out = *in // value copy suffices; the generator emitted no per-field handling
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallenge.
func (in *ACMEChallenge) DeepCopy() *ACMEChallenge {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallenge)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolver) DeepCopyInto(out *ACMEChallengeSolver) {
	*out = *in // shallow copy; each optional sub-config is deep-copied below
	if in.Selector != nil {
		in, out := &in.Selector, &out.Selector
		*out = new(CertificateDNSNameSelector)
		(*in).DeepCopyInto(*out)
	}
	if in.HTTP01 != nil {
		in, out := &in.HTTP01, &out.HTTP01
		*out = new(ACMEChallengeSolverHTTP01)
		(*in).DeepCopyInto(*out)
	}
	if in.DNS01 != nil {
		in, out := &in.DNS01, &out.DNS01
		*out = new(ACMEChallengeSolverDNS01)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolver.
func (in *ACMEChallengeSolver) DeepCopy() *ACMEChallengeSolver {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolver)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverDNS01) DeepCopyInto(out *ACMEChallengeSolverDNS01) {
	*out = *in // shallow copy; every provider pointer is replaced with a fresh pointee below
	if in.Akamai != nil {
		in, out := &in.Akamai, &out.Akamai
		*out = new(ACMEIssuerDNS01ProviderAkamai)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	if in.CloudDNS != nil {
		in, out := &in.CloudDNS, &out.CloudDNS
		*out = new(ACMEIssuerDNS01ProviderCloudDNS)
		(*in).DeepCopyInto(*out)
	}
	if in.Cloudflare != nil {
		in, out := &in.Cloudflare, &out.Cloudflare
		*out = new(ACMEIssuerDNS01ProviderCloudflare)
		(*in).DeepCopyInto(*out)
	}
	if in.Route53 != nil {
		in, out := &in.Route53, &out.Route53
		*out = new(ACMEIssuerDNS01ProviderRoute53)
		(*in).DeepCopyInto(*out)
	}
	if in.AzureDNS != nil {
		in, out := &in.AzureDNS, &out.AzureDNS
		*out = new(ACMEIssuerDNS01ProviderAzureDNS)
		(*in).DeepCopyInto(*out)
	}
	if in.DigitalOcean != nil {
		in, out := &in.DigitalOcean, &out.DigitalOcean
		*out = new(ACMEIssuerDNS01ProviderDigitalOcean)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	if in.AcmeDNS != nil {
		in, out := &in.AcmeDNS, &out.AcmeDNS
		*out = new(ACMEIssuerDNS01ProviderAcmeDNS)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	if in.RFC2136 != nil {
		in, out := &in.RFC2136, &out.RFC2136
		*out = new(ACMEIssuerDNS01ProviderRFC2136)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	if in.Webhook != nil {
		in, out := &in.Webhook, &out.Webhook
		*out = new(ACMEIssuerDNS01ProviderWebhook)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverDNS01.
func (in *ACMEChallengeSolverDNS01) DeepCopy() *ACMEChallengeSolverDNS01 {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverDNS01)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01) DeepCopyInto(out *ACMEChallengeSolverHTTP01) {
	*out = *in // shallow copy; both optional solver configs are deep-copied below
	if in.Ingress != nil {
		in, out := &in.Ingress, &out.Ingress
		*out = new(ACMEChallengeSolverHTTP01Ingress)
		(*in).DeepCopyInto(*out)
	}
	if in.GatewayHTTPRoute != nil {
		in, out := &in.GatewayHTTPRoute, &out.GatewayHTTPRoute
		*out = new(ACMEChallengeSolverHTTP01GatewayHTTPRoute)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01.
func (in *ACMEChallengeSolverHTTP01) DeepCopy() *ACMEChallengeSolverHTTP01 {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopyInto(out *ACMEChallengeSolverHTTP01GatewayHTTPRoute) {
	*out = *in // shallow copy; map, slice and pointer fields are detached below
	if in.Labels != nil {
		in, out := &in.Labels, &out.Labels
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	if in.ParentRefs != nil {
		// each ParentReference is deep-copied via the gateway-api generated method
		in, out := &in.ParentRefs, &out.ParentRefs
		*out = make([]apisv1.ParentReference, len(*in))
		for i := range *in {
			(*in)[i].DeepCopyInto(&(*out)[i])
		}
	}
	if in.PodTemplate != nil {
		in, out := &in.PodTemplate, &out.PodTemplate
		*out = new(ACMEChallengeSolverHTTP01IngressPodTemplate)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01GatewayHTTPRoute.
func (in *ACMEChallengeSolverHTTP01GatewayHTTPRoute) DeepCopy() *ACMEChallengeSolverHTTP01GatewayHTTPRoute {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01GatewayHTTPRoute)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01Ingress) DeepCopyInto(out *ACMEChallengeSolverHTTP01Ingress) {
	*out = *in // shallow copy; optional pointer fields get fresh pointees below
	if in.IngressClassName != nil {
		in, out := &in.IngressClassName, &out.IngressClassName
		*out = new(string)
		**out = **in
	}
	if in.Class != nil {
		in, out := &in.Class, &out.Class
		*out = new(string)
		**out = **in
	}
	if in.PodTemplate != nil {
		in, out := &in.PodTemplate, &out.PodTemplate
		*out = new(ACMEChallengeSolverHTTP01IngressPodTemplate)
		(*in).DeepCopyInto(*out)
	}
	if in.IngressTemplate != nil {
		in, out := &in.IngressTemplate, &out.IngressTemplate
		*out = new(ACMEChallengeSolverHTTP01IngressTemplate)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01Ingress.
func (in *ACMEChallengeSolverHTTP01Ingress) DeepCopy() *ACMEChallengeSolverHTTP01Ingress {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01Ingress)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressObjectMeta) {
	*out = *in // shallow copy; both maps are rebuilt below so out never aliases in
	if in.Annotations != nil {
		in, out := &in.Annotations, &out.Annotations
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	if in.Labels != nil {
		in, out := &in.Labels, &out.Labels
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressObjectMeta.
func (in *ACMEChallengeSolverHTTP01IngressObjectMeta) DeepCopy() *ACMEChallengeSolverHTTP01IngressObjectMeta {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressObjectMeta)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodObjectMeta) {
	*out = *in // shallow copy; both maps are rebuilt below so out never aliases in
	if in.Annotations != nil {
		in, out := &in.Annotations, &out.Annotations
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	if in.Labels != nil {
		in, out := &in.Labels, &out.Labels
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodObjectMeta.
func (in *ACMEChallengeSolverHTTP01IngressPodObjectMeta) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodObjectMeta {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressPodObjectMeta)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressPodResources) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodResources) {
	*out = *in // shallow copy; the two ResourceList maps are rebuilt below
	if in.Limits != nil {
		in, out := &in.Limits, &out.Limits
		*out = make(corev1.ResourceList, len(*in))
		for key, val := range *in {
			(*out)[key] = val.DeepCopy() // Quantity values are deep-copied, not shared
		}
	}
	if in.Requests != nil {
		in, out := &in.Requests, &out.Requests
		*out = make(corev1.ResourceList, len(*in))
		for key, val := range *in {
			(*out)[key] = val.DeepCopy()
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodResources.
func (in *ACMEChallengeSolverHTTP01IngressPodResources) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodResources {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressPodResources)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodSecurityContext) {
	*out = *in // shallow copy; every optional pointer/slice field is detached below
	if in.SELinuxOptions != nil {
		in, out := &in.SELinuxOptions, &out.SELinuxOptions
		*out = new(corev1.SELinuxOptions)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	if in.RunAsUser != nil {
		in, out := &in.RunAsUser, &out.RunAsUser
		*out = new(int64)
		**out = **in
	}
	if in.RunAsGroup != nil {
		in, out := &in.RunAsGroup, &out.RunAsGroup
		*out = new(int64)
		**out = **in
	}
	if in.RunAsNonRoot != nil {
		in, out := &in.RunAsNonRoot, &out.RunAsNonRoot
		*out = new(bool)
		**out = **in
	}
	if in.SupplementalGroups != nil {
		in, out := &in.SupplementalGroups, &out.SupplementalGroups
		*out = make([]int64, len(*in))
		copy(*out, *in)
	}
	if in.FSGroup != nil {
		in, out := &in.FSGroup, &out.FSGroup
		*out = new(int64)
		**out = **in
	}
	if in.Sysctls != nil {
		in, out := &in.Sysctls, &out.Sysctls
		*out = make([]corev1.Sysctl, len(*in))
		copy(*out, *in) // Sysctl elements are copied by value
	}
	if in.FSGroupChangePolicy != nil {
		in, out := &in.FSGroupChangePolicy, &out.FSGroupChangePolicy
		*out = new(corev1.PodFSGroupChangePolicy)
		**out = **in
	}
	if in.SeccompProfile != nil {
		in, out := &in.SeccompProfile, &out.SeccompProfile
		*out = new(corev1.SeccompProfile)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSecurityContext.
func (in *ACMEChallengeSolverHTTP01IngressPodSecurityContext) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodSecurityContext {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressPodSecurityContext)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodSpec) {
	*out = *in // shallow copy; map, pointer and slice fields are detached below
	if in.NodeSelector != nil {
		in, out := &in.NodeSelector, &out.NodeSelector
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	if in.Affinity != nil {
		in, out := &in.Affinity, &out.Affinity
		*out = new(corev1.Affinity)
		(*in).DeepCopyInto(*out)
	}
	if in.Tolerations != nil {
		// Toleration carries pointer fields, so each element is deep-copied
		in, out := &in.Tolerations, &out.Tolerations
		*out = make([]corev1.Toleration, len(*in))
		for i := range *in {
			(*in)[i].DeepCopyInto(&(*out)[i])
		}
	}
	if in.ImagePullSecrets != nil {
		in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
		*out = make([]corev1.LocalObjectReference, len(*in))
		copy(*out, *in) // LocalObjectReference elements are copied by value
	}
	if in.SecurityContext != nil {
		in, out := &in.SecurityContext, &out.SecurityContext
		*out = new(ACMEChallengeSolverHTTP01IngressPodSecurityContext)
		(*in).DeepCopyInto(*out)
	}
	if in.Resources != nil {
		in, out := &in.Resources, &out.Resources
		*out = new(ACMEChallengeSolverHTTP01IngressPodResources)
		(*in).DeepCopyInto(*out)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodSpec.
func (in *ACMEChallengeSolverHTTP01IngressPodSpec) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodSpec {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressPodSpec)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressPodTemplate) {
	*out = *in // shallow copy; the embedded meta and Spec are then deep-copied in place
	in.ACMEChallengeSolverHTTP01IngressPodObjectMeta.DeepCopyInto(&out.ACMEChallengeSolverHTTP01IngressPodObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressPodTemplate.
func (in *ACMEChallengeSolverHTTP01IngressPodTemplate) DeepCopy() *ACMEChallengeSolverHTTP01IngressPodTemplate {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressPodTemplate)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEChallengeSolverHTTP01IngressTemplate) DeepCopyInto(out *ACMEChallengeSolverHTTP01IngressTemplate) {
	*out = *in // shallow copy; the embedded meta (with its maps) is deep-copied in place
	in.ACMEChallengeSolverHTTP01IngressObjectMeta.DeepCopyInto(&out.ACMEChallengeSolverHTTP01IngressObjectMeta)
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEChallengeSolverHTTP01IngressTemplate.
func (in *ACMEChallengeSolverHTTP01IngressTemplate) DeepCopy() *ACMEChallengeSolverHTTP01IngressTemplate {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEChallengeSolverHTTP01IngressTemplate)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEExternalAccountBinding) DeepCopyInto(out *ACMEExternalAccountBinding) {
	*out = *in
	out.Key = in.Key // already covered by the struct copy above; emitted by the generator for struct-typed fields
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEExternalAccountBinding.
func (in *ACMEExternalAccountBinding) DeepCopy() *ACMEExternalAccountBinding {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEExternalAccountBinding)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuer) DeepCopyInto(out *ACMEIssuer) {
	*out = *in // shallow copy; byte slice, pointer and solver slice are detached below
	if in.CABundle != nil {
		// fresh backing array so later edits to one bundle cannot leak into the other
		in, out := &in.CABundle, &out.CABundle
		*out = make([]byte, len(*in))
		copy(*out, *in)
	}
	if in.ExternalAccountBinding != nil {
		in, out := &in.ExternalAccountBinding, &out.ExternalAccountBinding
		*out = new(ACMEExternalAccountBinding)
		**out = **in // pointee copied by value (no nested handling emitted)
	}
	out.PrivateKey = in.PrivateKey // already covered by the struct copy; generator output
	if in.Solvers != nil {
		in, out := &in.Solvers, &out.Solvers
		*out = make([]ACMEChallengeSolver, len(*in))
		for i := range *in {
			(*in)[i].DeepCopyInto(&(*out)[i])
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuer.
func (in *ACMEIssuer) DeepCopy() *ACMEIssuer {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuer)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderAcmeDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderAcmeDNS) {
	*out = *in
	out.AccountSecret = in.AccountSecret // already covered by the struct copy; generator output
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAcmeDNS.
func (in *ACMEIssuerDNS01ProviderAcmeDNS) DeepCopy() *ACMEIssuerDNS01ProviderAcmeDNS {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderAcmeDNS)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderAkamai) DeepCopyInto(out *ACMEIssuerDNS01ProviderAkamai) {
	*out = *in
	// the three credential selectors are struct-typed; these assignments
	// repeat what the struct copy above already did (generator output)
	out.ClientToken = in.ClientToken
	out.ClientSecret = in.ClientSecret
	out.AccessToken = in.AccessToken
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAkamai.
func (in *ACMEIssuerDNS01ProviderAkamai) DeepCopy() *ACMEIssuerDNS01ProviderAkamai {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderAkamai)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderAzureDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderAzureDNS) {
	*out = *in // shallow copy; the two optional pointers get fresh pointees below
	if in.ClientSecret != nil {
		in, out := &in.ClientSecret, &out.ClientSecret
		*out = new(metav1.SecretKeySelector)
		**out = **in // selector copied by value (no nested handling emitted)
	}
	if in.ManagedIdentity != nil {
		in, out := &in.ManagedIdentity, &out.ManagedIdentity
		*out = new(AzureManagedIdentity)
		**out = **in
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderAzureDNS.
func (in *ACMEIssuerDNS01ProviderAzureDNS) DeepCopy() *ACMEIssuerDNS01ProviderAzureDNS {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderAzureDNS)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudDNS) {
	*out = *in // shallow copy; the optional selector pointer is detached below
	if in.ServiceAccount != nil {
		in, out := &in.ServiceAccount, &out.ServiceAccount
		*out = new(metav1.SecretKeySelector)
		**out = **in // selector copied by value (no nested handling emitted)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudDNS.
func (in *ACMEIssuerDNS01ProviderCloudDNS) DeepCopy() *ACMEIssuerDNS01ProviderCloudDNS {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderCloudDNS)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderCloudflare) DeepCopyInto(out *ACMEIssuerDNS01ProviderCloudflare) {
	*out = *in // shallow copy; both optional credential selectors are detached below
	if in.APIKey != nil {
		in, out := &in.APIKey, &out.APIKey
		*out = new(metav1.SecretKeySelector)
		**out = **in // selector copied by value (no nested handling emitted)
	}
	if in.APIToken != nil {
		in, out := &in.APIToken, &out.APIToken
		*out = new(metav1.SecretKeySelector)
		**out = **in
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderCloudflare.
func (in *ACMEIssuerDNS01ProviderCloudflare) DeepCopy() *ACMEIssuerDNS01ProviderCloudflare {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderCloudflare)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderDigitalOcean) DeepCopyInto(out *ACMEIssuerDNS01ProviderDigitalOcean) {
	*out = *in
	out.Token = in.Token // already covered by the struct copy; generator output
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderDigitalOcean.
func (in *ACMEIssuerDNS01ProviderDigitalOcean) DeepCopy() *ACMEIssuerDNS01ProviderDigitalOcean {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderDigitalOcean)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopyInto(out *ACMEIssuerDNS01ProviderRFC2136) {
	*out = *in
	out.TSIGSecret = in.TSIGSecret // already covered by the struct copy; generator output
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderRFC2136.
func (in *ACMEIssuerDNS01ProviderRFC2136) DeepCopy() *ACMEIssuerDNS01ProviderRFC2136 {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderRFC2136)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopyInto(out *ACMEIssuerDNS01ProviderRoute53) {
	*out = *in // shallow copy; optional Auth and key-ID selector are detached below
	if in.Auth != nil {
		in, out := &in.Auth, &out.Auth
		*out = new(Route53Auth)
		(*in).DeepCopyInto(*out)
	}
	if in.SecretAccessKeyID != nil {
		in, out := &in.SecretAccessKeyID, &out.SecretAccessKeyID
		*out = new(metav1.SecretKeySelector)
		**out = **in // selector copied by value (no nested handling emitted)
	}
	out.SecretAccessKey = in.SecretAccessKey // already covered by the struct copy; generator output
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderRoute53.
func (in *ACMEIssuerDNS01ProviderRoute53) DeepCopy() *ACMEIssuerDNS01ProviderRoute53 {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderRoute53)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerDNS01ProviderWebhook) DeepCopyInto(out *ACMEIssuerDNS01ProviderWebhook) {
	*out = *in // shallow copy; the optional raw JSON config is detached below
	if in.Config != nil {
		in, out := &in.Config, &out.Config
		*out = new(apiextensionsv1.JSON)
		(*in).DeepCopyInto(*out) // JSON holds a byte slice, so it needs a real deep copy
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerDNS01ProviderWebhook.
func (in *ACMEIssuerDNS01ProviderWebhook) DeepCopy() *ACMEIssuerDNS01ProviderWebhook {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerDNS01ProviderWebhook)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ACMEIssuerStatus) DeepCopyInto(out *ACMEIssuerStatus) {
	*out = *in // value copy suffices; the generator emitted no per-field handling
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACMEIssuerStatus.
func (in *ACMEIssuerStatus) DeepCopy() *ACMEIssuerStatus {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ACMEIssuerStatus)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AzureManagedIdentity) DeepCopyInto(out *AzureManagedIdentity) {
	*out = *in // value copy suffices; the generator emitted no per-field handling
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureManagedIdentity.
func (in *AzureManagedIdentity) DeepCopy() *AzureManagedIdentity {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(AzureManagedIdentity)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateDNSNameSelector) DeepCopyInto(out *CertificateDNSNameSelector) {
	*out = *in // shallow copy; the label map and both name slices are rebuilt below
	if in.MatchLabels != nil {
		in, out := &in.MatchLabels, &out.MatchLabels
		*out = make(map[string]string, len(*in))
		for key, val := range *in {
			(*out)[key] = val
		}
	}
	if in.DNSNames != nil {
		in, out := &in.DNSNames, &out.DNSNames
		*out = make([]string, len(*in))
		copy(*out, *in)
	}
	if in.DNSZones != nil {
		in, out := &in.DNSZones, &out.DNSZones
		*out = make([]string, len(*in))
		copy(*out, *in)
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateDNSNameSelector.
func (in *CertificateDNSNameSelector) DeepCopy() *CertificateDNSNameSelector {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(CertificateDNSNameSelector)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Challenge) DeepCopyInto(out *Challenge) {
	*out = *in // shallow copy; ObjectMeta and Spec are then deep-copied in place
	out.TypeMeta = in.TypeMeta // already covered by the struct copy; generator output
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	out.Status = in.Status // Status is copied by value (see ChallengeStatus.DeepCopyInto)
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Challenge.
func (in *Challenge) DeepCopy() *Challenge {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(Challenge)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Challenge) DeepCopyObject() runtime.Object {
	// Return an untyped nil when the copy is nil: wrapping a nil *Challenge
	// in the interface would produce a non-nil runtime.Object.
	if c := in.DeepCopy(); c != nil {
		return c
	}
	return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengeList) DeepCopyInto(out *ChallengeList) {
	*out = *in // shallow copy; ListMeta and each Item are then deep-copied
	out.TypeMeta = in.TypeMeta // already covered by the struct copy; generator output
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		in, out := &in.Items, &out.Items
		*out = make([]Challenge, len(*in))
		for i := range *in {
			(*in)[i].DeepCopyInto(&(*out)[i])
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeList.
func (in *ChallengeList) DeepCopy() *ChallengeList {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ChallengeList)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ChallengeList) DeepCopyObject() runtime.Object {
	// Return an untyped nil when the copy is nil: wrapping a nil
	// *ChallengeList in the interface would produce a non-nil runtime.Object.
	if c := in.DeepCopy(); c != nil {
		return c
	}
	return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengeSpec) DeepCopyInto(out *ChallengeSpec) {
	*out = *in // shallow copy; the Solver (which holds pointers) is deep-copied in place
	in.Solver.DeepCopyInto(&out.Solver)
	out.IssuerRef = in.IssuerRef // already covered by the struct copy; generator output
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeSpec.
func (in *ChallengeSpec) DeepCopy() *ChallengeSpec {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ChallengeSpec)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ChallengeStatus) DeepCopyInto(out *ChallengeStatus) {
	*out = *in // value copy suffices; the generator emitted no per-field handling
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChallengeStatus.
func (in *ChallengeStatus) DeepCopy() *ChallengeStatus {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(ChallengeStatus)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Order) DeepCopyInto(out *Order) {
	*out = *in // shallow copy; ObjectMeta, Spec and Status are then deep-copied in place
	out.TypeMeta = in.TypeMeta // already covered by the struct copy; generator output
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Order.
func (in *Order) DeepCopy() *Order {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(Order)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *Order) DeepCopyObject() runtime.Object {
	// Return an untyped nil when the copy is nil: wrapping a nil *Order in
	// the interface would produce a non-nil runtime.Object.
	if c := in.DeepCopy(); c != nil {
		return c
	}
	return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OrderList) DeepCopyInto(out *OrderList) {
	*out = *in // shallow copy; ListMeta and each Item are then deep-copied
	out.TypeMeta = in.TypeMeta // already covered by the struct copy; generator output
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		in, out := &in.Items, &out.Items
		*out = make([]Order, len(*in))
		for i := range *in {
			(*in)[i].DeepCopyInto(&(*out)[i])
		}
	}
	return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderList.
func (in *OrderList) DeepCopy() *OrderList {
	// nil in, nil out: safe to call on an optional pointer without a guard
	if in == nil {
		return nil
	}
	out := new(OrderList)
	in.DeepCopyInto(out)
	return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *OrderList) DeepCopyObject() runtime.Object {
	// Return an untyped nil when the copy is nil: wrapping a nil *OrderList
	// in the interface would produce a non-nil runtime.Object.
	if c := in.DeepCopy(); c != nil {
		return c
	}
	return nil
}
// DeepCopyInto copies the receiver into out. Every slice and pointer field
// (Request, DNSNames, IPAddresses, Duration) gets its own backing storage, so
// a later mutation of either object cannot leak into the other; nil fields
// stay nil. IssuerRef is a value and is covered by the struct assignment.
// in must be non-nil.
func (in *OrderSpec) DeepCopyInto(out *OrderSpec) {
	*out = *in
	if in.Request != nil {
		out.Request = make([]byte, len(in.Request))
		copy(out.Request, in.Request)
	}
	if in.DNSNames != nil {
		out.DNSNames = make([]string, len(in.DNSNames))
		copy(out.DNSNames, in.DNSNames)
	}
	if in.IPAddresses != nil {
		out.IPAddresses = make([]string, len(in.IPAddresses))
		copy(out.IPAddresses, in.IPAddresses)
	}
	if in.Duration != nil {
		out.Duration = new(apismetav1.Duration)
		*out.Duration = *in.Duration
	}
}
// DeepCopy returns a new OrderSpec holding a deep copy of the receiver, or
// nil when the receiver itself is nil.
func (in *OrderSpec) DeepCopy() *OrderSpec {
	if in == nil {
		return nil
	}
	var out OrderSpec
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. Authorizations are deep-copied
// element by element, the Certificate bytes get their own backing array and
// FailureTime is copied via its own DeepCopy; nil fields stay nil.
// in must be non-nil.
func (in *OrderStatus) DeepCopyInto(out *OrderStatus) {
	*out = *in
	if in.Authorizations != nil {
		out.Authorizations = make([]ACMEAuthorization, len(in.Authorizations))
		for i := range in.Authorizations {
			in.Authorizations[i].DeepCopyInto(&out.Authorizations[i])
		}
	}
	if in.Certificate != nil {
		out.Certificate = make([]byte, len(in.Certificate))
		copy(out.Certificate, in.Certificate)
	}
	if in.FailureTime != nil {
		out.FailureTime = in.FailureTime.DeepCopy()
	}
}
// DeepCopy returns a new OrderStatus holding a deep copy of the receiver, or
// nil when the receiver itself is nil.
func (in *OrderStatus) DeepCopy() *OrderStatus {
	if in == nil {
		return nil
	}
	var out OrderStatus
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own
// Route53KubernetesAuth when Kubernetes is set. in must be non-nil.
func (in *Route53Auth) DeepCopyInto(out *Route53Auth) {
	*out = *in
	if in.Kubernetes == nil {
		return
	}
	out.Kubernetes = new(Route53KubernetesAuth)
	in.Kubernetes.DeepCopyInto(out.Kubernetes)
}
// DeepCopy returns a new Route53Auth holding a deep copy of the receiver, or
// nil when the receiver itself is nil.
func (in *Route53Auth) DeepCopy() *Route53Auth {
	if in == nil {
		return nil
	}
	var out Route53Auth
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own
// ServiceAccountRef when one is set. in must be non-nil.
func (in *Route53KubernetesAuth) DeepCopyInto(out *Route53KubernetesAuth) {
	*out = *in
	if in.ServiceAccountRef == nil {
		return
	}
	out.ServiceAccountRef = new(ServiceAccountRef)
	in.ServiceAccountRef.DeepCopyInto(out.ServiceAccountRef)
}
// DeepCopy returns a new Route53KubernetesAuth holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *Route53KubernetesAuth) DeepCopy() *Route53KubernetesAuth {
	if in == nil {
		return nil
	}
	var out Route53KubernetesAuth
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. TokenAudiences gets its own
// backing array (a nil slice stays nil), so changing the audiences requested
// for one object cannot silently change them for the copy. in must be non-nil.
func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
	*out = *in
	if in.TokenAudiences == nil {
		return
	}
	out.TokenAudiences = make([]string, len(in.TokenAudiences))
	copy(out.TokenAudiences, in.TokenAudiences)
}
// DeepCopy returns a new ServiceAccountRef holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
	if in == nil {
		return nil
	}
	var out ServiceAccountRef
	in.DeepCopyInto(&out)
	return &out
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// GenericIssuer abstracts over Issuer and ClusterIssuer so that code which
// only needs the shared spec/status can handle both kinds uniformly.
//
// The Get* methods are implemented below by returning pointers into the
// receiver, so anything mutated through them changes the original object.
type GenericIssuer interface {
	runtime.Object
	metav1.Object
	// GetObjectMeta returns a pointer to the embedded ObjectMeta.
	GetObjectMeta() *metav1.ObjectMeta
	// GetSpec returns a pointer to the embedded IssuerSpec.
	GetSpec() *IssuerSpec
	// GetStatus returns a pointer to the embedded IssuerStatus.
	GetStatus() *IssuerStatus
}
// Compile-time checks that both issuer kinds satisfy GenericIssuer.
var (
	_ GenericIssuer = (*Issuer)(nil)
	_ GenericIssuer = (*ClusterIssuer)(nil)
)
// GetObjectMeta returns a pointer to the receiver's ObjectMeta; writes
// through it modify the ClusterIssuer itself.
func (c *ClusterIssuer) GetObjectMeta() *metav1.ObjectMeta {
	meta := &c.ObjectMeta
	return meta
}
// GetSpec returns a pointer to the receiver's Spec; writes through it modify
// the ClusterIssuer itself, so DeepCopy first if the object is shared.
func (c *ClusterIssuer) GetSpec() *IssuerSpec {
	spec := &c.Spec
	return spec
}
// GetStatus returns a pointer to the receiver's Status; writes through it
// modify the ClusterIssuer itself, so DeepCopy first if the object is shared.
func (c *ClusterIssuer) GetStatus() *IssuerStatus {
	status := &c.Status
	return status
}
// SetSpec replaces the receiver's Spec with a value copy of spec. The copy is
// shallow: any reference-typed fields inside spec remain shared with the
// caller's value.
func (c *ClusterIssuer) SetSpec(spec IssuerSpec) {
	target := &c.Spec
	*target = spec
}
// SetStatus replaces the receiver's Status with a value copy of status. The
// copy is shallow: reference-typed fields inside status stay shared.
func (c *ClusterIssuer) SetStatus(status IssuerStatus) {
	target := &c.Status
	*target = status
}
// Copy returns a deep copy of the receiver typed as a GenericIssuer. Note
// that a nil receiver produces a typed-nil pointer boxed in the interface.
func (c *ClusterIssuer) Copy() GenericIssuer {
	var copied GenericIssuer = c.DeepCopy()
	return copied
}
// GetObjectMeta returns a pointer to the receiver's ObjectMeta; writes
// through it modify the Issuer itself.
func (c *Issuer) GetObjectMeta() *metav1.ObjectMeta {
	meta := &c.ObjectMeta
	return meta
}
// GetSpec returns a pointer to the receiver's Spec; writes through it modify
// the Issuer itself, so DeepCopy first if the object is shared.
func (c *Issuer) GetSpec() *IssuerSpec {
	spec := &c.Spec
	return spec
}
// GetStatus returns a pointer to the receiver's Status; writes through it
// modify the Issuer itself, so DeepCopy first if the object is shared.
func (c *Issuer) GetStatus() *IssuerStatus {
	status := &c.Status
	return status
}
// SetSpec replaces the receiver's Spec with a value copy of spec. The copy is
// shallow: any reference-typed fields inside spec remain shared with the
// caller's value.
func (c *Issuer) SetSpec(spec IssuerSpec) {
	target := &c.Spec
	*target = spec
}
// SetStatus replaces the receiver's Status with a value copy of status. The
// copy is shallow: reference-typed fields inside status stay shared.
func (c *Issuer) SetStatus(status IssuerStatus) {
	target := &c.Status
	*target = status
}
// Copy returns a deep copy of the receiver typed as a GenericIssuer. Note
// that a nil receiver produces a typed-nil pointer boxed in the interface.
func (c *Issuer) Copy() GenericIssuer {
	var copied GenericIssuer = c.DeepCopy()
	return copied
}
// TODO: refactor these functions away

// ACMEStatus returns the ACME-specific part of the status, allocating an
// empty one on first access.
//
// This is a getter with a side effect: when i.ACME is nil it is set on the
// receiver, so a caller holding an object it does not own (for example one
// handed out by a shared cache) should DeepCopy before calling this.
// A nil receiver is tolerated to avoid a nil-pointer panic, but in that case
// the returned struct is not attached to anything and any writes made
// through it are silently discarded.
func (i *IssuerStatus) ACMEStatus() *cmacme.ACMEIssuerStatus {
	switch {
	case i == nil:
		return &cmacme.ACMEIssuerStatus{}
	case i.ACME == nil:
		i.ACME = &cmacme.ACMEIssuerStatus{}
	}
	return i.ACME
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
)
// SchemeGroupVersion is the group/version under which the types in this
// package (Certificate, Issuer, ClusterIssuer, CertificateRequest and their
// lists) are registered with a runtime.Scheme.
var SchemeGroupVersion = schema.GroupVersion{Group: certmanager.GroupName, Version: "v1"}
// Resource qualifies an unqualified resource name (e.g. "certificates") with
// this package's API group and returns the resulting GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
var (
	// SchemeBuilder collects the functions that register this group's types
	// and conversions with a runtime.Scheme.
	SchemeBuilder runtime.SchemeBuilder
	// localSchemeBuilder is the address of SchemeBuilder; init() below
	// registers through it (presumably the generated files do too).
	localSchemeBuilder = &SchemeBuilder
	// AddToScheme applies every registered function to the given scheme.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init registers only the hand-written addKnownTypes with the package's
// SchemeBuilder. Generated registration functions are added from the
// generated files themselves, which keeps this file compiling even when
// those files are absent.
func init() {
	// SchemeBuilder is the value localSchemeBuilder points at, so this is the
	// same registration.
	SchemeBuilder.Register(addKnownTypes)
}
// addKnownTypes registers this package's API kinds under SchemeGroupVersion
// and adds the shared meta/v1 types (ListOptions, Status, ...) for the same
// group version. It never returns a non-nil error.
func addKnownTypes(scheme *runtime.Scheme) error {
	kinds := []runtime.Object{
		&Certificate{}, &CertificateList{},
		&Issuer{}, &IssuerList{},
		&ClusterIssuer{}, &ClusterIssuerList{},
		&CertificateRequest{}, &CertificateRequestList{},
	}
	scheme.AddKnownTypes(SchemeGroupVersion, kinds...)
	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
const (
	// Common label keys added to resources

	// PartOfCertManagerControllerLabelKey marks a resource as being of
	// interest to the cert-manager controller. By default it is set on the
	// certificate.spec.secretName Secret as well as on the temporary
	// private key Secret. If the SecretsFilteredCaching feature is in use,
	// you may want to set it (with a value of 'true') on any other Secrets
	// the cert-manager controller needs to read, such as issuer credential
	// Secrets.
	// fao = 'for attention of'
	// See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md#risks-and-mitigations
	PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao"

	// Common annotation keys added to resources

	// Annotation key for DNS subjectAltNames.
	AltNamesAnnotationKey = "cert-manager.io/alt-names"
	// Annotation key for IP subjectAltNames.
	IPSANAnnotationKey = "cert-manager.io/ip-sans"
	// Annotation key for URI subjectAltNames.
	URISANAnnotationKey = "cert-manager.io/uri-sans"
	// Annotation key for the certificate common name.
	CommonNameAnnotationKey = "cert-manager.io/common-name"
	// Annotation key for the certificate duration.
	DurationAnnotationKey = "cert-manager.io/duration"
	// Annotation key for certificate renewBefore.
	RenewBeforeAnnotationKey = "cert-manager.io/renew-before"
	// Annotation key for certificate renewBeforePercentage.
	RenewBeforePercentageAnnotationKey = "cert-manager.io/renew-before-percentage"
	// Annotation key for email subjectAltNames.
	EmailsAnnotationKey = "cert-manager.io/email-sans"
	// Annotation key for subject organizations.
	SubjectOrganizationsAnnotationKey = "cert-manager.io/subject-organizations"
	// Annotation key for subject organizational units.
	SubjectOrganizationalUnitsAnnotationKey = "cert-manager.io/subject-organizationalunits"
	// Annotation key for subject countries.
	SubjectCountriesAnnotationKey = "cert-manager.io/subject-countries"
	// Annotation key for subject provinces.
	SubjectProvincesAnnotationKey = "cert-manager.io/subject-provinces"
	// Annotation key for subject localities.
	SubjectLocalitiesAnnotationKey = "cert-manager.io/subject-localities"
	// Annotation key for subject street addresses.
	SubjectStreetAddressesAnnotationKey = "cert-manager.io/subject-streetaddresses"
	// Annotation key for subject postal codes.
	SubjectPostalCodesAnnotationKey = "cert-manager.io/subject-postalcodes"
	// Annotation key for the subject serial number.
	SubjectSerialNumberAnnotationKey = "cert-manager.io/subject-serialnumber"
	// Annotation key for certificate key usages.
	UsagesAnnotationKey = "cert-manager.io/usages"
	// Annotation key for the 'name' of the Issuer resource.
	IssuerNameAnnotationKey = "cert-manager.io/issuer-name"
	// Annotation key for the 'kind' of the Issuer resource.
	IssuerKindAnnotationKey = "cert-manager.io/issuer-kind"
	// Annotation key for the 'group' of the Issuer resource.
	IssuerGroupAnnotationKey = "cert-manager.io/issuer-group"
	// Annotation key for the name of the Certificate that a resource is
	// related to.
	CertificateNameKey = "cert-manager.io/certificate-name"
	// Key used to denote that a Secret is named on a Certificate as its
	// 'next private key' Secret resource.
	// NOTE(review): the identifier says Label while this comment says
	// Annotation; confirm against the code that sets it.
	IsNextPrivateKeySecretLabelKey = "cert-manager.io/next-private-key"
	// Annotation key used to limit the number of CertificateRequests kept
	// for a Certificate.
	// Minimum value is 1.
	// If unset, all CertificateRequests will be kept.
	RevisionHistoryLimitAnnotationKey = "cert-manager.io/revision-history-limit"
	// Annotation key used to set the PrivateKeyAlgorithm for a Certificate.
	// If PrivateKeyAlgorithm is specified and `size` is not provided,
	// a key size of 256 will be used for the `ECDSA` algorithm and
	// a key size of 2048 will be used for the `RSA` algorithm.
	// Key size is ignored when using the `Ed25519` algorithm.
	// If unset, the `RSA` algorithm will be used.
	PrivateKeyAlgorithmAnnotationKey = "cert-manager.io/private-key-algorithm"
	// Annotation key used to set the PrivateKeyEncoding for a Certificate.
	// If provided, allowed values are `PKCS1` and `PKCS8`, standing for
	// PKCS#1 and PKCS#8 respectively.
	// If unset, the `PKCS1` encoding will be used.
	PrivateKeyEncodingAnnotationKey = "cert-manager.io/private-key-encoding"
	// Annotation key used to set the size of the private key for a
	// Certificate.
	// If PrivateKeyAlgorithm is set to `RSA`, valid values are `2048`,
	// `4096` or `8192`, defaulting to `2048` if not specified.
	// If PrivateKeyAlgorithm is set to `ECDSA`, valid values are `256`,
	// `384` or `521`, defaulting to `256` if not specified.
	// If PrivateKeyAlgorithm is set to `Ed25519`, Size is ignored.
	// No other values are allowed.
	PrivateKeySizeAnnotationKey = "cert-manager.io/private-key-size"
	// Annotation key used to set the PrivateKeyRotationPolicy for a
	// Certificate.
	// If unset, the `Never` policy will be used, i.e. the existing private
	// key is kept across renewals. Set an explicit policy where reusing a
	// key for the lifetime of the Certificate is not acceptable.
	PrivateKeyRotationPolicyAnnotationKey = "cert-manager.io/private-key-rotation-policy"
)
const (
	// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value
	// which can be used to override the issuer specified on the created
	// Certificate resource.
	IngressIssuerNameAnnotationKey = "cert-manager.io/issuer"
	// IngressClusterIssuerNameAnnotationKey holds the
	// clusterIssuerNameAnnotation value which can be used to override the
	// issuer specified on the created Certificate resource. The Certificate
	// will reference the specified *ClusterIssuer* instead of a normal
	// Issuer.
	// NOTE(review): a ClusterIssuer is cluster-scoped, so any principal able
	// to set this annotation on an Ingress can obtain certificates from the
	// named ClusterIssuer; consider that when granting Ingress write access.
	IngressClusterIssuerNameAnnotationKey = "cert-manager.io/cluster-issuer"
	// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the
	// acmeIssuerHTTP01IngressClassAnnotation value which can be used to
	// override the http01 ingressClass if the challenge type is set to http01.
	IngressACMEIssuerHTTP01IngressClassAnnotationKey = "acme.cert-manager.io/http01-ingress-class"
	// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
	// controller only processes Ingresses with this annotation either unset,
	// or set to either the configured value or the empty string.
	IngressClassAnnotationKey = "kubernetes.io/ingress.class"
	// IngressSecretTemplate can be used to set the secretTemplate field in
	// the generated Certificate. The value is a JSON representation of
	// secretTemplate and must not have any unknown fields (it is rejected
	// otherwise rather than silently accepted).
	IngressSecretTemplate = "cert-manager.io/secret-template"
)
// Annotation names for CertificateRequests
const (
	// Annotation added to CertificateRequest resources to denote the name of
	// a Secret resource containing the private key used to sign the CSR
	// stored on the resource.
	// This annotation *may* not be present; it is used by the 'self signing'
	// issuer type to self-sign certificates. Because it names a Secret that
	// holds a private key, treat its value as a reference, never as proof of
	// anything: the issuer must still read and validate that Secret itself.
	CertificateRequestPrivateKeyAnnotationKey = "cert-manager.io/private-key-secret-name"
	// Annotation declaring the CertificateRequest "revision" belonging to a
	// Certificate resource.
	CertificateRequestRevisionAnnotationKey = "cert-manager.io/certificate-revision"
)
const (
	// IssueTemporaryCertificateAnnotation is an annotation that can be added
	// to Certificate resources.
	// If it is present, a temporary internally signed certificate will be
	// stored in the target Secret resource whilst the real Issuer is
	// processing the certificate request. That placeholder is not signed by
	// the real Issuer, so consumers of the Secret must be prepared to see a
	// certificate that no external client will trust until issuance
	// completes.
	IssueTemporaryCertificateAnnotation = "cert-manager.io/issue-temporary-certificate"
)
// Common/known resource kinds, as they appear in a resource's `kind` field
// and in issuerRef.kind.
const (
	ClusterIssuerKind      = "ClusterIssuer"
	IssuerKind             = "Issuer"
	CertificateKind        = "Certificate"
	CertificateRequestKind = "CertificateRequest"
)
const (
	// WantInjectAnnotation is the annotation that specifies that a particular
	// object wants injection of CAs. It takes the form of a reference to a
	// Certificate as namespace/name. The Certificate is expected to have the
	// is-serving-for annotations.
	WantInjectAnnotation = "cert-manager.io/inject-ca-from"
	// WantInjectAPIServerCAAnnotation will - if set to "true" - make the
	// cainjector inject the CA certificate for the Kubernetes apiserver into
	// the resource.
	// It discovers the apiserver's CA by inspecting the service account
	// credentials mounted into the cainjector pod.
	WantInjectAPIServerCAAnnotation = "cert-manager.io/inject-apiserver-ca"
	// WantInjectFromSecretAnnotation is the annotation that specifies that a
	// particular object wants injection of CAs. It takes the form of a
	// reference to a Secret as namespace/name, so it can point at a Secret in
	// another namespace; the referenced Secret must opt in via
	// AllowsInjectionFromSecretAnnotation.
	WantInjectFromSecretAnnotation = "cert-manager.io/inject-ca-from-secret"
	// AllowsInjectionFromSecretAnnotation is an annotation that must be added
	// to Secret resources that want to denote that they can be directly
	// injected into injectables that have an `inject-ca-from-secret`
	// annotation.
	// If an injectable references a Secret that does NOT have this
	// annotation, the cainjector will refuse to inject the Secret. This is
	// the consent check that stops an injectable from pulling data out of an
	// arbitrary Secret its author cannot otherwise read; only the Secret
	// owner can grant it.
	AllowsInjectionFromSecretAnnotation = "cert-manager.io/allow-direct-injection"
)
// Issuer specific Annotations
const (
	// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON
	// encoded custom fields to the Venafi issuer.
	// This will only work with Venafi TPP v19.3 and higher.
	// The value is an array of objects containing the name and value keys,
	// for example: `[{"name": "custom-field", "value": "custom-value"}]`
	VenafiCustomFieldsAnnotationKey = "venafi.cert-manager.io/custom-fields"
	// VenafiPickupIDAnnotationKey is the annotation key used to record the
	// Venafi Pickup ID of a certificate signing request that has been
	// submitted to the Venafi API for collection later.
	VenafiPickupIDAnnotationKey = "venafi.cert-manager.io/pickup-id"
)
// KeyUsage specifies valid usage contexts for keys. The first group below
// maps to the X.509 KeyUsage extension, the rest to ExtendedKeyUsage.
// See:
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
//
// Valid KeyUsage values are as follows:
// "signing",
// "digital signature",
// "content commitment",
// "key encipherment",
// "key agreement",
// "data encipherment",
// "cert sign",
// "crl sign",
// "encipher only",
// "decipher only",
// "any",
// "server auth",
// "client auth",
// "code signing",
// "email protection",
// "s/mime",
// "ipsec end system",
// "ipsec tunnel",
// "ipsec user",
// "timestamping",
// "ocsp signing",
// "microsoft sgc",
// "netscape sgc"
//
// The enum marker below is what the API server enforces; keep it in sync
// with the constants that follow.
// +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
type KeyUsage string
// Typed constants for every value accepted by KeyUsage. The string values
// are part of the API and must match the kubebuilder enum on KeyUsage.
const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	// UsageAny is the anyExtendedKeyUsage value; it is the broadest grant and
	// is best avoided for leaf certificates with a known purpose.
	UsageAny             KeyUsage = "any"
	UsageServerAuth      KeyUsage = "server auth"
	UsageClientAuth      KeyUsage = "client auth"
	UsageCodeSigning     KeyUsage = "code signing"
	UsageEmailProtection KeyUsage = "email protection"
	UsageSMIME           KeyUsage = "s/mime"
	UsageIPsecEndSystem  KeyUsage = "ipsec end system"
	UsageIPsecTunnel     KeyUsage = "ipsec tunnel"
	UsageIPsecUser       KeyUsage = "ipsec user"
	UsageTimestamping    KeyUsage = "timestamping"
	UsageOCSPSigning     KeyUsage = "ocsp signing"
	UsageMicrosoftSGC    KeyUsage = "microsoft sgc"
	UsageNetscapeSGC     KeyUsage = "netscape sgc"
)
// Keystore specific secret keys
const (
	// PKCS12SecretKey is the name of the data entry in the Secret resource
	// used to store the p12 file.
	PKCS12SecretKey = "keystore.p12"
	// PKCS12TruststoreKey is the data entry name in the Secret resource for
	// the PKCS12 file containing the Certificate Authority.
	PKCS12TruststoreKey = "truststore.p12"
	// JKSSecretKey is the name of the data entry in the Secret resource used
	// to store the jks file.
	JKSSecretKey = "keystore.jks"
	// JKSTruststoreKey is the data entry name in the Secret resource for the
	// JKS file containing the Certificate Authority.
	JKSTruststoreKey = "truststore.jks"
	// KeystorePassword is the key (presumably a Secret data entry name, like
	// the others in this block - confirm against the keystore code) under
	// which the password used to encrypt the keystore and truststore is
	// found. The constant is the key name, not the password itself.
	KeystorePassword = "keystorePassword"
)
// DefaultKeyUsages returns the key usages applied when none are specified:
// digital signature and key encipherment.
//
// serverAuth is deliberately NOT included, even though newer macOS versions
// (Catalina and later, https://support.apple.com/en-us/HT210176) always warn
// on server certificates that lack that EKU: adding it unconditionally would
// also put serverAuth on CA certificates (isCA: true), which breaks a lot of
// clients. Set it explicitly where needed; CAs can (and often do) add usages
// of their own.
func DefaultKeyUsages() []KeyUsage {
	usages := make([]KeyUsage, 0, 2)
	usages = append(usages, UsageDigitalSignature, UsageKeyEncipherment)
	return usages
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
apismetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto copies the receiver into out. The three URL lists
// (CRLDistributionPoints, OCSPServers, IssuingCertificateURLs) each get
// their own backing array; nil lists stay nil. in must be non-nil.
func (in *CAIssuer) DeepCopyInto(out *CAIssuer) {
	*out = *in
	if in.CRLDistributionPoints != nil {
		out.CRLDistributionPoints = make([]string, len(in.CRLDistributionPoints))
		copy(out.CRLDistributionPoints, in.CRLDistributionPoints)
	}
	if in.OCSPServers != nil {
		out.OCSPServers = make([]string, len(in.OCSPServers))
		copy(out.OCSPServers, in.OCSPServers)
	}
	if in.IssuingCertificateURLs != nil {
		out.IssuingCertificateURLs = make([]string, len(in.IssuingCertificateURLs))
		copy(out.IssuingCertificateURLs, in.IssuingCertificateURLs)
	}
}
// DeepCopy returns a new CAIssuer holding a deep copy of the receiver, or nil
// when the receiver itself is nil.
func (in *CAIssuer) DeepCopy() *CAIssuer {
	if in == nil {
		return nil
	}
	var out CAIssuer
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying ObjectMeta, Spec
// and Status so that out shares no mutable state with in. in must be non-nil.
func (in *Certificate) DeepCopyInto(out *Certificate) {
	// Value-copy everything first (TypeMeta is covered by this assignment),
	// then replace the fields that hold references with deep copies.
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a new Certificate holding a deep copy of the receiver, or
// nil when the receiver itself is nil.
func (in *Certificate) DeepCopy() *Certificate {
	if in == nil {
		return nil
	}
	var out Certificate
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject implements runtime.Object by delegating to DeepCopy. A nil
// receiver yields an untyped nil interface rather than a typed nil pointer.
func (in *Certificate) DeepCopyObject() runtime.Object {
	copied := in.DeepCopy()
	if copied == nil {
		return nil
	}
	return copied
}
// DeepCopyInto copies the receiver into out by plain struct assignment; the
// generator emitted no per-field copies for this type. in must be non-nil.
func (in *CertificateAdditionalOutputFormat) DeepCopyInto(out *CertificateAdditionalOutputFormat) {
	*out = *in
}
// DeepCopy returns a new CertificateAdditionalOutputFormat holding a copy of
// the receiver, or nil when the receiver itself is nil.
func (in *CertificateAdditionalOutputFormat) DeepCopy() *CertificateAdditionalOutputFormat {
	if in == nil {
		return nil
	}
	var out CertificateAdditionalOutputFormat
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, giving out its own
// LastTransitionTime when one is set. in must be non-nil.
func (in *CertificateCondition) DeepCopyInto(out *CertificateCondition) {
	*out = *in
	if in.LastTransitionTime == nil {
		return
	}
	out.LastTransitionTime = in.LastTransitionTime.DeepCopy()
}
// DeepCopy returns a new CertificateCondition holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateCondition) DeepCopy() *CertificateCondition {
	if in == nil {
		return nil
	}
	var out CertificateCondition
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, allocating fresh JKS and PKCS12
// configurations for whichever of them is set. in must be non-nil.
func (in *CertificateKeystores) DeepCopyInto(out *CertificateKeystores) {
	*out = *in
	if in.JKS != nil {
		out.JKS = new(JKSKeystore)
		in.JKS.DeepCopyInto(out.JKS)
	}
	if in.PKCS12 != nil {
		out.PKCS12 = new(PKCS12Keystore)
		in.PKCS12.DeepCopyInto(out.PKCS12)
	}
}
// DeepCopy returns a new CertificateKeystores holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateKeystores) DeepCopy() *CertificateKeystores {
	if in == nil {
		return nil
	}
	var out CertificateKeystores
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying ListMeta and every
// element of Items. A nil Items stays nil. in must be non-nil.
func (in *CertificateList) DeepCopyInto(out *CertificateList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items == nil {
		return
	}
	// Fresh backing array so out.Items never aliases in.Items.
	out.Items = make([]Certificate, len(in.Items))
	for i := range in.Items {
		in.Items[i].DeepCopyInto(&out.Items[i])
	}
}
// DeepCopy returns a new CertificateList holding a deep copy of the receiver,
// or nil when the receiver itself is nil.
func (in *CertificateList) DeepCopy() *CertificateList {
	if in == nil {
		return nil
	}
	var out CertificateList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject implements runtime.Object by delegating to DeepCopy. A nil
// receiver yields an untyped nil interface rather than a typed nil pointer.
func (in *CertificateList) DeepCopyObject() runtime.Object {
	copied := in.DeepCopy()
	if copied == nil {
		return nil
	}
	return copied
}
// DeepCopyInto copies the receiver into out by plain struct assignment; the
// generator emitted no per-field copies for this type. in must be non-nil.
func (in *CertificatePrivateKey) DeepCopyInto(out *CertificatePrivateKey) {
	*out = *in
}
// DeepCopy returns a new CertificatePrivateKey holding a copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificatePrivateKey) DeepCopy() *CertificatePrivateKey {
	if in == nil {
		return nil
	}
	var out CertificatePrivateKey
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying ObjectMeta, Spec
// and Status so that out shares no mutable state with in. in must be non-nil.
func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest) {
	// Value-copy everything first (TypeMeta is covered by this assignment),
	// then replace the fields that hold references with deep copies.
	*out = *in
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a new CertificateRequest holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateRequest) DeepCopy() *CertificateRequest {
	if in == nil {
		return nil
	}
	var out CertificateRequest
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject implements runtime.Object by delegating to DeepCopy. A nil
// receiver yields an untyped nil interface rather than a typed nil pointer.
func (in *CertificateRequest) DeepCopyObject() runtime.Object {
	copied := in.DeepCopy()
	if copied == nil {
		return nil
	}
	return copied
}
// DeepCopyInto copies the receiver into out, giving out its own
// LastTransitionTime when one is set. in must be non-nil.
func (in *CertificateRequestCondition) DeepCopyInto(out *CertificateRequestCondition) {
	*out = *in
	if in.LastTransitionTime == nil {
		return
	}
	out.LastTransitionTime = in.LastTransitionTime.DeepCopy()
}
// DeepCopy returns a new CertificateRequestCondition holding a deep copy of
// the receiver, or nil when the receiver itself is nil.
func (in *CertificateRequestCondition) DeepCopy() *CertificateRequestCondition {
	if in == nil {
		return nil
	}
	var out CertificateRequestCondition
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, deep-copying ListMeta and every
// element of Items. A nil Items stays nil. in must be non-nil.
func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList) {
	*out = *in
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items == nil {
		return
	}
	// Fresh backing array so out.Items never aliases in.Items.
	out.Items = make([]CertificateRequest, len(in.Items))
	for i := range in.Items {
		in.Items[i].DeepCopyInto(&out.Items[i])
	}
}
// DeepCopy returns a new CertificateRequestList holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateRequestList) DeepCopy() *CertificateRequestList {
	if in == nil {
		return nil
	}
	var out CertificateRequestList
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyObject implements runtime.Object by delegating to DeepCopy. A nil
// receiver yields an untyped nil interface rather than a typed nil pointer.
func (in *CertificateRequestList) DeepCopyObject() runtime.Object {
	copied := in.DeepCopy()
	if copied == nil {
		return nil
	}
	return copied
}
// DeepCopyInto copies the receiver into out. Duration, the Request bytes,
// Usages and Groups each get their own storage, and Extra is rebuilt as a new
// map whose value slices are copied individually (a nil value slice stays
// nil). Nothing reference-typed is shared between in and out afterwards,
// which matters because Groups and Extra are the attributes an issuer may
// inspect when deciding whether to sign the request. IssuerRef is a value and
// is covered by the struct assignment. in must be non-nil.
func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec) {
	*out = *in
	if in.Duration != nil {
		out.Duration = new(metav1.Duration)
		*out.Duration = *in.Duration
	}
	if in.Request != nil {
		out.Request = make([]byte, len(in.Request))
		copy(out.Request, in.Request)
	}
	if in.Usages != nil {
		out.Usages = make([]KeyUsage, len(in.Usages))
		copy(out.Usages, in.Usages)
	}
	if in.Groups != nil {
		out.Groups = make([]string, len(in.Groups))
		copy(out.Groups, in.Groups)
	}
	if in.Extra != nil {
		out.Extra = make(map[string][]string, len(in.Extra))
		for key, vals := range in.Extra {
			if vals == nil {
				out.Extra[key] = nil
				continue
			}
			copied := make([]string, len(vals))
			copy(copied, vals)
			out.Extra[key] = copied
		}
	}
}
// DeepCopy returns a new CertificateRequestSpec holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateRequestSpec) DeepCopy() *CertificateRequestSpec {
	if in == nil {
		return nil
	}
	var out CertificateRequestSpec
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. Conditions are deep-copied
// element by element, the Certificate and CA byte slices get their own
// backing arrays and FailureTime is copied via its own DeepCopy; nil fields
// stay nil. in must be non-nil.
func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]CertificateRequestCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	if in.Certificate != nil {
		out.Certificate = make([]byte, len(in.Certificate))
		copy(out.Certificate, in.Certificate)
	}
	if in.CA != nil {
		out.CA = make([]byte, len(in.CA))
		copy(out.CA, in.CA)
	}
	if in.FailureTime != nil {
		out.FailureTime = in.FailureTime.DeepCopy()
	}
}
// DeepCopy returns a new CertificateRequestStatus holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus {
	if in == nil {
		return nil
	}
	var out CertificateRequestStatus
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out, rebuilding the Annotations and
// Labels maps so out never shares a map with in. Nil maps stay nil; string
// values are immutable and need no further copying. in must be non-nil.
func (in *CertificateSecretTemplate) DeepCopyInto(out *CertificateSecretTemplate) {
	*out = *in
	if in.Annotations != nil {
		out.Annotations = make(map[string]string, len(in.Annotations))
		for k, v := range in.Annotations {
			out.Annotations[k] = v
		}
	}
	if in.Labels != nil {
		out.Labels = make(map[string]string, len(in.Labels))
		for k, v := range in.Labels {
			out.Labels[k] = v
		}
	}
}
// DeepCopy returns a new CertificateSecretTemplate holding a deep copy of the
// receiver, or nil when the receiver itself is nil.
func (in *CertificateSecretTemplate) DeepCopy() *CertificateSecretTemplate {
	if in == nil {
		return nil
	}
	var out CertificateSecretTemplate
	in.DeepCopyInto(&out)
	return &out
}
// DeepCopyInto copies the receiver into out. Every pointer field is
// re-allocated (nested types with their own DeepCopyInto are copied through
// it; scalar-only types are copied by value) and every slice is copied into a
// fresh backing array, so the two specs share no mutable storage. in must be
// non-nil.
func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) {
	*out = *in
	if in.Subject != nil {
		out.Subject = new(X509Subject)
		in.Subject.DeepCopyInto(out.Subject)
	}
	if in.Duration != nil {
		d := *in.Duration
		out.Duration = &d
	}
	if in.RenewBefore != nil {
		d := *in.RenewBefore
		out.RenewBefore = &d
	}
	if in.RenewBeforePercentage != nil {
		p := *in.RenewBeforePercentage
		out.RenewBeforePercentage = &p
	}
	if in.DNSNames != nil {
		out.DNSNames = make([]string, len(in.DNSNames))
		copy(out.DNSNames, in.DNSNames)
	}
	if in.IPAddresses != nil {
		out.IPAddresses = make([]string, len(in.IPAddresses))
		copy(out.IPAddresses, in.IPAddresses)
	}
	if in.URIs != nil {
		out.URIs = make([]string, len(in.URIs))
		copy(out.URIs, in.URIs)
	}
	if in.OtherNames != nil {
		// OtherName holds no references, so an element-wise copy is a deep copy.
		out.OtherNames = make([]OtherName, len(in.OtherNames))
		copy(out.OtherNames, in.OtherNames)
	}
	if in.EmailAddresses != nil {
		out.EmailAddresses = make([]string, len(in.EmailAddresses))
		copy(out.EmailAddresses, in.EmailAddresses)
	}
	if in.SecretTemplate != nil {
		out.SecretTemplate = new(CertificateSecretTemplate)
		in.SecretTemplate.DeepCopyInto(out.SecretTemplate)
	}
	if in.Keystores != nil {
		out.Keystores = new(CertificateKeystores)
		in.Keystores.DeepCopyInto(out.Keystores)
	}
	out.IssuerRef = in.IssuerRef
	if in.Usages != nil {
		out.Usages = make([]KeyUsage, len(in.Usages))
		copy(out.Usages, in.Usages)
	}
	if in.PrivateKey != nil {
		pk := *in.PrivateKey
		out.PrivateKey = &pk
	}
	if in.EncodeUsagesInRequest != nil {
		b := *in.EncodeUsagesInRequest
		out.EncodeUsagesInRequest = &b
	}
	if in.RevisionHistoryLimit != nil {
		l := *in.RevisionHistoryLimit
		out.RevisionHistoryLimit = &l
	}
	if in.AdditionalOutputFormats != nil {
		out.AdditionalOutputFormats = make([]CertificateAdditionalOutputFormat, len(in.AdditionalOutputFormats))
		copy(out.AdditionalOutputFormats, in.AdditionalOutputFormats)
	}
	if in.NameConstraints != nil {
		out.NameConstraints = new(NameConstraints)
		in.NameConstraints.DeepCopyInto(out.NameConstraints)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *CertificateSpec) DeepCopy() *CertificateSpec {
	if in == nil {
		return nil
	}
	var cp CertificateSpec
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. Conditions are copied element by
// element through their own DeepCopyInto, the four time pointers through
// DeepCopy, and the remaining pointer fields into fresh allocations. in must
// be non-nil.
func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]CertificateCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	if in.LastFailureTime != nil {
		out.LastFailureTime = in.LastFailureTime.DeepCopy()
	}
	if in.NotBefore != nil {
		out.NotBefore = in.NotBefore.DeepCopy()
	}
	if in.NotAfter != nil {
		out.NotAfter = in.NotAfter.DeepCopy()
	}
	if in.RenewalTime != nil {
		out.RenewalTime = in.RenewalTime.DeepCopy()
	}
	if in.Revision != nil {
		rev := *in.Revision
		out.Revision = &rev
	}
	if in.NextPrivateKeySecretName != nil {
		name := *in.NextPrivateKeySecretName
		out.NextPrivateKeySecretName = &name
	}
	if in.FailedIssuanceAttempts != nil {
		n := *in.FailedIssuanceAttempts
		out.FailedIssuanceAttempts = &n
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *CertificateStatus) DeepCopy() *CertificateStatus {
	if in == nil {
		return nil
	}
	var cp CertificateStatus
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out: TypeMeta by value, and
// ObjectMeta, Spec and Status through their own DeepCopyInto so nested
// references are not shared. in must be non-nil.
func (in *ClusterIssuer) DeepCopyInto(out *ClusterIssuer) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *ClusterIssuer) DeepCopy() *ClusterIssuer {
	if in == nil {
		return nil
	}
	var cp ClusterIssuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject satisfies runtime.Object by returning DeepCopy as an
// interface value. A nil receiver yields an untyped nil rather than a nil
// *ClusterIssuer boxed in the interface.
func (in *ClusterIssuer) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		return nil
	}
	return cp
}
// DeepCopyInto copies the receiver into out: TypeMeta by value, ListMeta
// through its DeepCopyInto, and Items into a fresh slice whose elements are
// deep-copied one by one. in must be non-nil.
func (in *ClusterIssuerList) DeepCopyInto(out *ClusterIssuerList) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		out.Items = make([]ClusterIssuer, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *ClusterIssuerList) DeepCopy() *ClusterIssuerList {
	if in == nil {
		return nil
	}
	var cp ClusterIssuerList
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject satisfies runtime.Object by returning DeepCopy as an
// interface value. A nil receiver yields an untyped nil rather than a nil
// *ClusterIssuerList boxed in the interface.
func (in *ClusterIssuerList) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		return nil
	}
	return cp
}
// DeepCopyInto copies the receiver into out: TypeMeta by value, and
// ObjectMeta, Spec and Status through their own DeepCopyInto so nested
// references are not shared. in must be non-nil.
func (in *Issuer) DeepCopyInto(out *Issuer) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
	in.Spec.DeepCopyInto(&out.Spec)
	in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *Issuer) DeepCopy() *Issuer {
	if in == nil {
		return nil
	}
	var cp Issuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject satisfies runtime.Object by returning DeepCopy as an
// interface value. A nil receiver yields an untyped nil rather than a nil
// *Issuer boxed in the interface.
func (in *Issuer) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		return nil
	}
	return cp
}
// DeepCopyInto copies the receiver into out; LastTransitionTime, the only
// pointer field, is cloned through its DeepCopy. in must be non-nil.
func (in *IssuerCondition) DeepCopyInto(out *IssuerCondition) {
	*out = *in
	if in.LastTransitionTime != nil {
		out.LastTransitionTime = in.LastTransitionTime.DeepCopy()
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *IssuerCondition) DeepCopy() *IssuerCondition {
	if in == nil {
		return nil
	}
	var cp IssuerCondition
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. Each of the five issuer-backend
// pointers (ACME, CA, Vault, SelfSigned, Venafi) that is set gets a fresh
// allocation filled through that backend's own DeepCopyInto. in must be
// non-nil.
func (in *IssuerConfig) DeepCopyInto(out *IssuerConfig) {
	*out = *in
	if in.ACME != nil {
		out.ACME = new(acmev1.ACMEIssuer)
		in.ACME.DeepCopyInto(out.ACME)
	}
	if in.CA != nil {
		out.CA = new(CAIssuer)
		in.CA.DeepCopyInto(out.CA)
	}
	if in.Vault != nil {
		out.Vault = new(VaultIssuer)
		in.Vault.DeepCopyInto(out.Vault)
	}
	if in.SelfSigned != nil {
		out.SelfSigned = new(SelfSignedIssuer)
		in.SelfSigned.DeepCopyInto(out.SelfSigned)
	}
	if in.Venafi != nil {
		out.Venafi = new(VenafiIssuer)
		in.Venafi.DeepCopyInto(out.Venafi)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *IssuerConfig) DeepCopy() *IssuerConfig {
	if in == nil {
		return nil
	}
	var cp IssuerConfig
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out: TypeMeta by value, ListMeta
// through its DeepCopyInto, and Items into a fresh slice whose elements are
// deep-copied one by one. in must be non-nil.
func (in *IssuerList) DeepCopyInto(out *IssuerList) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	in.ListMeta.DeepCopyInto(&out.ListMeta)
	if in.Items != nil {
		out.Items = make([]Issuer, len(in.Items))
		for i := range in.Items {
			in.Items[i].DeepCopyInto(&out.Items[i])
		}
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *IssuerList) DeepCopy() *IssuerList {
	if in == nil {
		return nil
	}
	var cp IssuerList
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyObject satisfies runtime.Object by returning DeepCopy as an
// interface value. A nil receiver yields an untyped nil rather than a nil
// *IssuerList boxed in the interface.
func (in *IssuerList) DeepCopyObject() runtime.Object {
	cp := in.DeepCopy()
	if cp == nil {
		return nil
	}
	return cp
}
// DeepCopyInto copies the receiver into out; the embedded IssuerConfig is
// copied through its own DeepCopyInto so its pointer fields are not shared.
// in must be non-nil.
func (in *IssuerSpec) DeepCopyInto(out *IssuerSpec) {
	*out = *in
	in.IssuerConfig.DeepCopyInto(&out.IssuerConfig)
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *IssuerSpec) DeepCopy() *IssuerSpec {
	if in == nil {
		return nil
	}
	var cp IssuerSpec
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. Conditions are deep-copied
// element by element; the ACME status pointer, when set, is copied by value
// into a fresh allocation. in must be non-nil.
func (in *IssuerStatus) DeepCopyInto(out *IssuerStatus) {
	*out = *in
	if in.Conditions != nil {
		out.Conditions = make([]IssuerCondition, len(in.Conditions))
		for i := range in.Conditions {
			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
	if in.ACME != nil {
		st := *in.ACME
		out.ACME = &st
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *IssuerStatus) DeepCopy() *IssuerStatus {
	if in == nil {
		return nil
	}
	var cp IssuerStatus
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. The Alias and Password string
// pointers are re-allocated so the copy does not point at in's strings;
// PasswordSecretRef is copied by value. in must be non-nil.
func (in *JKSKeystore) DeepCopyInto(out *JKSKeystore) {
	*out = *in
	if in.Alias != nil {
		alias := *in.Alias
		out.Alias = &alias
	}
	out.PasswordSecretRef = in.PasswordSecretRef
	if in.Password != nil {
		pw := *in.Password
		out.Password = &pw
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *JKSKeystore) DeepCopy() *JKSKeystore {
	if in == nil {
		return nil
	}
	var cp JKSKeystore
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out, giving each of the four string
// slices (DNSDomains, IPRanges, EmailAddresses, URIDomains) its own backing
// array. in must be non-nil.
func (in *NameConstraintItem) DeepCopyInto(out *NameConstraintItem) {
	*out = *in
	if in.DNSDomains != nil {
		out.DNSDomains = make([]string, len(in.DNSDomains))
		copy(out.DNSDomains, in.DNSDomains)
	}
	if in.IPRanges != nil {
		out.IPRanges = make([]string, len(in.IPRanges))
		copy(out.IPRanges, in.IPRanges)
	}
	if in.EmailAddresses != nil {
		out.EmailAddresses = make([]string, len(in.EmailAddresses))
		copy(out.EmailAddresses, in.EmailAddresses)
	}
	if in.URIDomains != nil {
		out.URIDomains = make([]string, len(in.URIDomains))
		copy(out.URIDomains, in.URIDomains)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *NameConstraintItem) DeepCopy() *NameConstraintItem {
	if in == nil {
		return nil
	}
	var cp NameConstraintItem
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. The Permitted and Excluded
// pointers, when set, each get a fresh NameConstraintItem filled through its
// own DeepCopyInto. in must be non-nil.
func (in *NameConstraints) DeepCopyInto(out *NameConstraints) {
	*out = *in
	if in.Permitted != nil {
		out.Permitted = new(NameConstraintItem)
		in.Permitted.DeepCopyInto(out.Permitted)
	}
	if in.Excluded != nil {
		out.Excluded = new(NameConstraintItem)
		in.Excluded.DeepCopyInto(out.Excluded)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *NameConstraints) DeepCopy() *NameConstraints {
	if in == nil {
		return nil
	}
	var cp NameConstraints
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. OtherName holds no pointer,
// slice or map fields, so a plain value copy is already a deep copy. in must
// be non-nil.
func (in *OtherName) DeepCopyInto(out *OtherName) {
	*out = *in
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *OtherName) DeepCopy() *OtherName {
	if in == nil {
		return nil
	}
	var cp OtherName
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. PasswordSecretRef is copied by
// value; the Password string pointer is re-allocated so the copy does not
// point at in's string. in must be non-nil.
func (in *PKCS12Keystore) DeepCopyInto(out *PKCS12Keystore) {
	*out = *in
	out.PasswordSecretRef = in.PasswordSecretRef
	if in.Password != nil {
		pw := *in.Password
		out.Password = &pw
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *PKCS12Keystore) DeepCopy() *PKCS12Keystore {
	if in == nil {
		return nil
	}
	var cp PKCS12Keystore
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out; CRLDistributionPoints, the only
// reference field, is copied into its own backing array. in must be non-nil.
func (in *SelfSignedIssuer) DeepCopyInto(out *SelfSignedIssuer) {
	*out = *in
	if in.CRLDistributionPoints != nil {
		out.CRLDistributionPoints = make([]string, len(in.CRLDistributionPoints))
		copy(out.CRLDistributionPoints, in.CRLDistributionPoints)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *SelfSignedIssuer) DeepCopy() *SelfSignedIssuer {
	if in == nil {
		return nil
	}
	var cp SelfSignedIssuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out; TokenAudiences, the only
// reference field, is copied into its own backing array. in must be non-nil.
func (in *ServiceAccountRef) DeepCopyInto(out *ServiceAccountRef) {
	*out = *in
	if in.TokenAudiences != nil {
		out.TokenAudiences = make([]string, len(in.TokenAudiences))
		copy(out.TokenAudiences, in.TokenAudiences)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *ServiceAccountRef) DeepCopy() *ServiceAccountRef {
	if in == nil {
		return nil
	}
	var cp ServiceAccountRef
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. VaultAppRole has no reference
// fields, so the value copy (with SecretRef re-assigned explicitly) is
// already a deep copy. in must be non-nil.
func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
	*out = *in
	out.SecretRef = in.SecretRef
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *VaultAppRole) DeepCopy() *VaultAppRole {
	if in == nil {
		return nil
	}
	var cp VaultAppRole
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. Each auth-method pointer that is
// set gets a fresh allocation: TokenSecretRef, AppRole and ClientCertificate
// are copied by value (their types hold no references), Kubernetes through
// its own DeepCopyInto because it carries a ServiceAccountRef pointer. in
// must be non-nil.
func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
	*out = *in
	if in.TokenSecretRef != nil {
		ref := *in.TokenSecretRef
		out.TokenSecretRef = &ref
	}
	if in.AppRole != nil {
		role := *in.AppRole
		out.AppRole = &role
	}
	if in.ClientCertificate != nil {
		cc := *in.ClientCertificate
		out.ClientCertificate = &cc
	}
	if in.Kubernetes != nil {
		out.Kubernetes = new(VaultKubernetesAuth)
		in.Kubernetes.DeepCopyInto(out.Kubernetes)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *VaultAuth) DeepCopy() *VaultAuth {
	if in == nil {
		return nil
	}
	var cp VaultAuth
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. VaultClientCertificateAuth holds
// no pointer, slice or map fields, so a plain value copy is already a deep
// copy. in must be non-nil.
func (in *VaultClientCertificateAuth) DeepCopyInto(out *VaultClientCertificateAuth) {
	*out = *in
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *VaultClientCertificateAuth) DeepCopy() *VaultClientCertificateAuth {
	if in == nil {
		return nil
	}
	var cp VaultClientCertificateAuth
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. Auth is copied through its own
// DeepCopyInto, CABundle into a fresh byte array, and the three secret
// selectors (CABundleSecretRef, ClientCertSecretRef, ClientKeySecretRef)
// into fresh allocations by value. in must be non-nil.
func (in *VaultIssuer) DeepCopyInto(out *VaultIssuer) {
	*out = *in
	in.Auth.DeepCopyInto(&out.Auth)
	if in.CABundle != nil {
		// Fresh backing array so the clone's trust bundle cannot be altered
		// through in (or the other way round).
		out.CABundle = make([]byte, len(in.CABundle))
		copy(out.CABundle, in.CABundle)
	}
	if in.CABundleSecretRef != nil {
		ref := *in.CABundleSecretRef
		out.CABundleSecretRef = &ref
	}
	if in.ClientCertSecretRef != nil {
		ref := *in.ClientCertSecretRef
		out.ClientCertSecretRef = &ref
	}
	if in.ClientKeySecretRef != nil {
		ref := *in.ClientKeySecretRef
		out.ClientKeySecretRef = &ref
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *VaultIssuer) DeepCopy() *VaultIssuer {
	if in == nil {
		return nil
	}
	var cp VaultIssuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. SecretRef is copied by value;
// ServiceAccountRef, when set, gets a fresh allocation filled through its
// own DeepCopyInto (it carries a TokenAudiences slice). in must be non-nil.
func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
	*out = *in
	out.SecretRef = in.SecretRef
	if in.ServiceAccountRef != nil {
		out.ServiceAccountRef = new(ServiceAccountRef)
		in.ServiceAccountRef.DeepCopyInto(out.ServiceAccountRef)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
	if in == nil {
		return nil
	}
	var cp VaultKubernetesAuth
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. VenafiCloud has no reference
// fields, so the value copy (with APITokenSecretRef re-assigned explicitly)
// is already a deep copy. in must be non-nil.
func (in *VenafiCloud) DeepCopyInto(out *VenafiCloud) {
	*out = *in
	out.APITokenSecretRef = in.APITokenSecretRef
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *VenafiCloud) DeepCopy() *VenafiCloud {
	if in == nil {
		return nil
	}
	var cp VenafiCloud
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. TPP, when set, is cloned through
// its own DeepCopyInto (it carries a CABundle slice and a secret selector
// pointer); Cloud is copied by value into a fresh allocation. in must be
// non-nil.
func (in *VenafiIssuer) DeepCopyInto(out *VenafiIssuer) {
	*out = *in
	if in.TPP != nil {
		out.TPP = new(VenafiTPP)
		in.TPP.DeepCopyInto(out.TPP)
	}
	if in.Cloud != nil {
		cloud := *in.Cloud
		out.Cloud = &cloud
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *VenafiIssuer) DeepCopy() *VenafiIssuer {
	if in == nil {
		return nil
	}
	var cp VenafiIssuer
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. CredentialsRef is copied by
// value, CABundle into a fresh byte array, and CABundleSecretRef, when set,
// by value into a fresh allocation. in must be non-nil.
func (in *VenafiTPP) DeepCopyInto(out *VenafiTPP) {
	*out = *in
	out.CredentialsRef = in.CredentialsRef
	if in.CABundle != nil {
		// Fresh backing array so the clone's trust bundle does not alias in's.
		out.CABundle = make([]byte, len(in.CABundle))
		copy(out.CABundle, in.CABundle)
	}
	if in.CABundleSecretRef != nil {
		ref := *in.CABundleSecretRef
		out.CABundleSecretRef = &ref
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *VenafiTPP) DeepCopy() *VenafiTPP {
	if in == nil {
		return nil
	}
	var cp VenafiTPP
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out, giving each of the seven
// subject-attribute string slices its own backing array. in must be non-nil.
func (in *X509Subject) DeepCopyInto(out *X509Subject) {
	*out = *in
	if in.Organizations != nil {
		out.Organizations = make([]string, len(in.Organizations))
		copy(out.Organizations, in.Organizations)
	}
	if in.Countries != nil {
		out.Countries = make([]string, len(in.Countries))
		copy(out.Countries, in.Countries)
	}
	if in.OrganizationalUnits != nil {
		out.OrganizationalUnits = make([]string, len(in.OrganizationalUnits))
		copy(out.OrganizationalUnits, in.OrganizationalUnits)
	}
	if in.Localities != nil {
		out.Localities = make([]string, len(in.Localities))
		copy(out.Localities, in.Localities)
	}
	if in.Provinces != nil {
		out.Provinces = make([]string, len(in.Provinces))
		copy(out.Provinces, in.Provinces)
	}
	if in.StreetAddresses != nil {
		out.StreetAddresses = make([]string, len(in.StreetAddresses))
		copy(out.StreetAddresses, in.StreetAddresses)
	}
	if in.PostalCodes != nil {
		out.PostalCodes = make([]string, len(in.PostalCodes))
		copy(out.PostalCodes, in.PostalCodes)
	}
}
// DeepCopy returns a fresh, fully independent copy of the receiver, or nil
// when the receiver itself is nil.
func (in *X509Subject) DeepCopy() *X509Subject {
	if in == nil {
		return nil
	}
	var cp X509Subject
	in.DeepCopyInto(&cp)
	return &cp
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta"
)
// SchemeGroupVersion is the group version used to register the types of this
// package: the cert-manager meta group, API version "v1".
var SchemeGroupVersion = schema.GroupVersion{Group: cmmeta.GroupName, Version: "v1"}
// Resource qualifies an unqualified resource name with this package's group,
// returning the corresponding GroupResource.
func Resource(resource string) schema.GroupResource {
	gvr := SchemeGroupVersion.WithResource(resource)
	return gvr.GroupResource()
}
var (
	// SchemeBuilder collects the functions that register this package's
	// types with a runtime.Scheme.
	SchemeBuilder runtime.SchemeBuilder
	// localSchemeBuilder is the pointer the init-time registration below
	// appends to; it refers to SchemeBuilder itself.
	localSchemeBuilder = &SchemeBuilder
	// AddToScheme applies every registered function to a scheme.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init queues addKnownTypes on the package scheme builder.
func init() {
	// We only register manually written functions here. The registration of the
	// generated functions takes place in the generated files. The separation
	// makes the code compile even when the generated files are missing.
	localSchemeBuilder.Register(addKnownTypes)
}
// addKnownTypes is the scheme-registration hook for this package. The meta
// group currently declares no API objects, so it registers nothing and
// always returns nil; it exists so the builder wiring matches the other
// API packages.
func addKnownTypes(scheme *runtime.Scheme) error {
	// No types to register in the meta group
	return nil
}
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1
// DeepCopyInto copies the receiver into out. IssuerReference holds no
// pointer, slice or map fields, so a plain value copy is already a deep copy.
// in must be non-nil.
func (in *IssuerReference) DeepCopyInto(out *IssuerReference) {
	*out = *in
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *IssuerReference) DeepCopy() *IssuerReference {
	if in == nil {
		return nil
	}
	var cp IssuerReference
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. LocalObjectReference holds no
// pointer, slice or map fields, so a plain value copy is already a deep copy.
// in must be non-nil.
func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
	*out = *in
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *LocalObjectReference) DeepCopy() *LocalObjectReference {
	if in == nil {
		return nil
	}
	var cp LocalObjectReference
	in.DeepCopyInto(&cp)
	return &cp
}
// DeepCopyInto copies the receiver into out. SecretKeySelector embeds a
// LocalObjectReference and otherwise holds no references, so the value copy
// (with the embedded struct re-assigned explicitly) is already a deep copy.
// in must be non-nil.
func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
	*out = *in
	out.LocalObjectReference = in.LocalObjectReference
}
// DeepCopy returns a fresh copy of the receiver, or nil when the receiver
// itself is nil.
func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
	if in == nil {
		return nil
	}
	var cp SecretKeySelector
	in.DeepCopyInto(&cp)
	return &cp
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// ACMEAuthorizationApplyConfiguration represents a declarative configuration of the ACMEAuthorization type for use
// with apply. Every scalar field is a pointer so that "unset" (nil, omitted
// from JSON via omitempty) is distinguishable from the zero value.
type ACMEAuthorizationApplyConfiguration struct {
	// URL mirrors ACMEAuthorization.URL.
	URL *string `json:"url,omitempty"`
	// Identifier mirrors ACMEAuthorization.Identifier.
	Identifier *string `json:"identifier,omitempty"`
	// Wildcard mirrors ACMEAuthorization.Wildcard.
	Wildcard *bool `json:"wildcard,omitempty"`
	// InitialState mirrors ACMEAuthorization.InitialState (an acmev1.State).
	InitialState *acmev1.State `json:"initialState,omitempty"`
	// Challenges mirrors ACMEAuthorization.Challenges; appended to by
	// WithChallenges rather than replaced.
	Challenges []ACMEChallengeApplyConfiguration `json:"challenges,omitempty"`
}
// ACMEAuthorization returns an empty ACMEAuthorizationApplyConfiguration,
// the starting point for a chain of With* calls.
func ACMEAuthorization() *ACMEAuthorizationApplyConfiguration {
	return new(ACMEAuthorizationApplyConfiguration)
}
// WithURL sets the URL field to a pointer to (a copy of) value and returns
// the receiver for chaining. Each call overwrites the previous value.
func (b *ACMEAuthorizationApplyConfiguration) WithURL(value string) *ACMEAuthorizationApplyConfiguration {
	v := value
	b.URL = &v
	return b
}
// WithIdentifier sets the Identifier field to a pointer to (a copy of) value
// and returns the receiver for chaining. Each call overwrites the previous
// value.
func (b *ACMEAuthorizationApplyConfiguration) WithIdentifier(value string) *ACMEAuthorizationApplyConfiguration {
	v := value
	b.Identifier = &v
	return b
}
// WithWildcard sets the Wildcard field to a pointer to (a copy of) value and
// returns the receiver for chaining. Each call overwrites the previous value.
func (b *ACMEAuthorizationApplyConfiguration) WithWildcard(value bool) *ACMEAuthorizationApplyConfiguration {
	v := value
	b.Wildcard = &v
	return b
}
// WithInitialState sets the InitialState field to a pointer to (a copy of)
// value and returns the receiver for chaining. Each call overwrites the
// previous value.
func (b *ACMEAuthorizationApplyConfiguration) WithInitialState(value acmev1.State) *ACMEAuthorizationApplyConfiguration {
	v := value
	b.InitialState = &v
	return b
}
// WithChallenges appends a copy of each given challenge configuration to the
// Challenges field and returns the receiver for chaining; successive calls
// accumulate rather than replace. A nil element is a caller bug and panics.
func (b *ACMEAuthorizationApplyConfiguration) WithChallenges(values ...*ACMEChallengeApplyConfiguration) *ACMEAuthorizationApplyConfiguration {
	for _, v := range values {
		if v == nil {
			panic("nil value passed to WithChallenges")
		}
		b.Challenges = append(b.Challenges, *v)
	}
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeApplyConfiguration represents a declarative configuration of the ACMEChallenge type for use
// with apply. Every field is a pointer so that "unset" (nil, omitted from
// JSON via omitempty) is distinguishable from the empty string.
type ACMEChallengeApplyConfiguration struct {
	// URL mirrors ACMEChallenge.URL.
	URL *string `json:"url,omitempty"`
	// Token mirrors ACMEChallenge.Token.
	Token *string `json:"token,omitempty"`
	// Type mirrors ACMEChallenge.Type.
	Type *string `json:"type,omitempty"`
}
// ACMEChallenge returns an empty ACMEChallengeApplyConfiguration, the
// starting point for a chain of With* calls.
func ACMEChallenge() *ACMEChallengeApplyConfiguration {
	return new(ACMEChallengeApplyConfiguration)
}
// WithURL sets the URL field to a pointer to (a copy of) value and returns
// the receiver for chaining. Each call overwrites the previous value.
func (b *ACMEChallengeApplyConfiguration) WithURL(value string) *ACMEChallengeApplyConfiguration {
	v := value
	b.URL = &v
	return b
}
// WithToken sets the Token field to a pointer to (a copy of) value and
// returns the receiver for chaining. Each call overwrites the previous value.
func (b *ACMEChallengeApplyConfiguration) WithToken(value string) *ACMEChallengeApplyConfiguration {
	v := value
	b.Token = &v
	return b
}
// WithType sets the Type field to a pointer to (a copy of) value and returns
// the receiver for chaining. Each call overwrites the previous value.
func (b *ACMEChallengeApplyConfiguration) WithType(value string) *ACMEChallengeApplyConfiguration {
	v := value
	b.Type = &v
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverApplyConfiguration represents a declarative configuration of the ACMEChallengeSolver type for use
// with apply. Each field is a pointer to the nested apply configuration;
// nil means unset and is omitted from JSON via omitempty.
type ACMEChallengeSolverApplyConfiguration struct {
	// Selector mirrors ACMEChallengeSolver.Selector.
	Selector *CertificateDNSNameSelectorApplyConfiguration `json:"selector,omitempty"`
	// HTTP01 mirrors ACMEChallengeSolver.HTTP01.
	HTTP01 *ACMEChallengeSolverHTTP01ApplyConfiguration `json:"http01,omitempty"`
	// DNS01 mirrors ACMEChallengeSolver.DNS01.
	DNS01 *ACMEChallengeSolverDNS01ApplyConfiguration `json:"dns01,omitempty"`
}
// ACMEChallengeSolver returns an empty ACMEChallengeSolverApplyConfiguration,
// the starting point for a chain of With* calls.
func ACMEChallengeSolver() *ACMEChallengeSolverApplyConfiguration {
	return new(ACMEChallengeSolverApplyConfiguration)
}
// WithSelector sets the Selector field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverApplyConfiguration) WithSelector(value *CertificateDNSNameSelectorApplyConfiguration) *ACMEChallengeSolverApplyConfiguration {
	selector := value
	b.Selector = selector
	return b
}
// WithHTTP01 sets the HTTP01 field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverApplyConfiguration) WithHTTP01(value *ACMEChallengeSolverHTTP01ApplyConfiguration) *ACMEChallengeSolverApplyConfiguration {
	http01 := value
	b.HTTP01 = http01
	return b
}
// WithDNS01 sets the DNS01 field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverApplyConfiguration) WithDNS01(value *ACMEChallengeSolverDNS01ApplyConfiguration) *ACMEChallengeSolverApplyConfiguration {
	dns01 := value
	b.DNS01 = dns01
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// ACMEChallengeSolverDNS01ApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverDNS01 type for use
// with apply.
//
// Every field is a pointer and tagged omitempty, so an unset field is left out
// of the serialized apply request. One provider block is expected per solver;
// nothing in this type enforces that, so validation presumably happens
// elsewhere — confirm against the API server's validation.
type ACMEChallengeSolverDNS01ApplyConfiguration struct {
	// CNAMEStrategy serializes as "cnameStrategy".
	CNAMEStrategy *acmev1.CNAMEStrategy `json:"cnameStrategy,omitempty"`
	// Akamai serializes as "akamai".
	Akamai *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration `json:"akamai,omitempty"`
	// CloudDNS serializes as "cloudDNS".
	CloudDNS *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration `json:"cloudDNS,omitempty"`
	// Cloudflare serializes as "cloudflare".
	Cloudflare *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration `json:"cloudflare,omitempty"`
	// Route53 serializes as "route53".
	Route53 *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration `json:"route53,omitempty"`
	// AzureDNS serializes as "azureDNS".
	AzureDNS *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration `json:"azureDNS,omitempty"`
	// DigitalOcean serializes as "digitalocean" (note the all-lowercase key).
	DigitalOcean *ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration `json:"digitalocean,omitempty"`
	// AcmeDNS serializes as "acmeDNS".
	AcmeDNS *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration `json:"acmeDNS,omitempty"`
	// RFC2136 serializes as "rfc2136".
	RFC2136 *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration `json:"rfc2136,omitempty"`
	// Webhook serializes as "webhook".
	Webhook *ACMEIssuerDNS01ProviderWebhookApplyConfiguration `json:"webhook,omitempty"`
}
// ACMEChallengeSolverDNS01 returns a new, empty
// ACMEChallengeSolverDNS01ApplyConfiguration for use with apply; every field
// is nil until a "With" method sets it.
func ACMEChallengeSolverDNS01() *ACMEChallengeSolverDNS01ApplyConfiguration {
	return new(ACMEChallengeSolverDNS01ApplyConfiguration)
}
// WithCNAMEStrategy sets the CNAMEStrategy field of the declarative
// configuration to the given value and returns the receiver so that "With"
// calls can be chained. When invoked more than once the last value wins. The
// value is copied before its address is taken.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithCNAMEStrategy(value acmev1.CNAMEStrategy) *ACMEChallengeSolverDNS01ApplyConfiguration {
	strategy := value
	b.CNAMEStrategy = &strategy
	return b
}
// WithAkamai sets the Akamai field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithAkamai(value *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.Akamai = provider
	return b
}
// WithCloudDNS sets the CloudDNS field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithCloudDNS(value *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.CloudDNS = provider
	return b
}
// WithCloudflare sets the Cloudflare field of the declarative configuration
// and returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithCloudflare(value *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.Cloudflare = provider
	return b
}
// WithRoute53 sets the Route53 field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithRoute53(value *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.Route53 = provider
	return b
}
// WithAzureDNS sets the AzureDNS field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithAzureDNS(value *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.AzureDNS = provider
	return b
}
// WithDigitalOcean sets the DigitalOcean field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// A later call replaces an earlier value. The pointer is stored as given, so
// the caller's object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithDigitalOcean(value *ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.DigitalOcean = provider
	return b
}
// WithAcmeDNS sets the AcmeDNS field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithAcmeDNS(value *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.AcmeDNS = provider
	return b
}
// WithRFC2136 sets the RFC2136 field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithRFC2136(value *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.RFC2136 = provider
	return b
}
// WithWebhook sets the Webhook field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverDNS01ApplyConfiguration) WithWebhook(value *ACMEIssuerDNS01ProviderWebhookApplyConfiguration) *ACMEChallengeSolverDNS01ApplyConfiguration {
	provider := value
	b.Webhook = provider
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverHTTP01ApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01 type for use
// with apply.
//
// Both fields are pointers tagged omitempty, so an unset field is left out of
// the serialized apply request.
type ACMEChallengeSolverHTTP01ApplyConfiguration struct {
	// Ingress serializes as "ingress".
	Ingress *ACMEChallengeSolverHTTP01IngressApplyConfiguration `json:"ingress,omitempty"`
	// GatewayHTTPRoute serializes as "gatewayHTTPRoute".
	GatewayHTTPRoute *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration `json:"gatewayHTTPRoute,omitempty"`
}
// ACMEChallengeSolverHTTP01 returns a new, empty
// ACMEChallengeSolverHTTP01ApplyConfiguration for use with apply; every field
// is nil until a "With" method sets it.
func ACMEChallengeSolverHTTP01() *ACMEChallengeSolverHTTP01ApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01ApplyConfiguration)
}
// WithIngress sets the Ingress field of the declarative configuration and
// returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverHTTP01ApplyConfiguration) WithIngress(value *ACMEChallengeSolverHTTP01IngressApplyConfiguration) *ACMEChallengeSolverHTTP01ApplyConfiguration {
	ingress := value
	b.Ingress = ingress
	return b
}
// WithGatewayHTTPRoute sets the GatewayHTTPRoute field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// A later call replaces an earlier value. The pointer is stored as given, so
// the caller's object is shared rather than copied.
func (b *ACMEChallengeSolverHTTP01ApplyConfiguration) WithGatewayHTTPRoute(value *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration) *ACMEChallengeSolverHTTP01ApplyConfiguration {
	route := value
	b.GatewayHTTPRoute = route
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
apisv1 "sigs.k8s.io/gateway-api/apis/v1"
)
// ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01GatewayHTTPRoute type for use
// with apply.
//
// All fields are tagged omitempty: a nil pointer, nil/empty map or nil/empty
// slice is left out of the serialized apply request.
type ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration struct {
	// ServiceType serializes as "serviceType".
	ServiceType *corev1.ServiceType `json:"serviceType,omitempty"`
	// Labels serializes as "labels"; entries are merged in by WithLabels.
	Labels map[string]string `json:"labels,omitempty"`
	// ParentRefs serializes as "parentRefs"; entries are appended by WithParentRefs.
	ParentRefs []apisv1.ParentReference `json:"parentRefs,omitempty"`
	// PodTemplate serializes as "podTemplate".
	PodTemplate *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration `json:"podTemplate,omitempty"`
}
// ACMEChallengeSolverHTTP01GatewayHTTPRoute returns a new, empty
// ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration for use with
// apply; every field is nil until a "With" method sets it.
func ACMEChallengeSolverHTTP01GatewayHTTPRoute() *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration)
}
// WithServiceType sets the ServiceType field of the declarative configuration
// to the given value and returns the receiver so that "With" calls can be
// chained. When invoked more than once the last value wins. The value is
// copied before its address is taken.
func (b *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration) WithServiceType(value corev1.ServiceType) *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration {
	svcType := value
	b.ServiceType = &svcType
	return b
}
// WithLabels merges the given entries into the Labels field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists is
// overwritten by the later call. The entries map itself is never retained —
// only its key/value pairs are copied — so the caller may reuse or mutate it
// afterwards without affecting the configuration. A nil or empty map is a
// no-op and does not allocate the Labels map.
func (b *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration) WithLabels(entries map[string]string) *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.Labels == nil {
		b.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.Labels[key] = val
	}
	return b
}
// WithParentRefs appends the given values to the ParentRefs field of the
// declarative configuration and returns the receiver so that "With" calls can
// be chained. Values from successive calls accumulate in call order. Elements
// are copied into the receiver's slice; the variadic argument slice itself is
// not retained.
func (b *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration) WithParentRefs(values ...apisv1.ParentReference) *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration {
	b.ParentRefs = append(b.ParentRefs, values...)
	return b
}
// WithPodTemplate sets the PodTemplate field of the declarative configuration
// and returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration) WithPodTemplate(value *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) *ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration {
	tmpl := value
	b.PodTemplate = tmpl
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
)
// ACMEChallengeSolverHTTP01IngressApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01Ingress type for use
// with apply.
//
// Every field is a pointer tagged omitempty, so an unset field is left out of
// the serialized apply request.
type ACMEChallengeSolverHTTP01IngressApplyConfiguration struct {
	// ServiceType serializes as "serviceType".
	ServiceType *corev1.ServiceType `json:"serviceType,omitempty"`
	// IngressClassName serializes as "ingressClassName".
	IngressClassName *string `json:"ingressClassName,omitempty"`
	// Class serializes as "class".
	Class *string `json:"class,omitempty"`
	// Name serializes as "name".
	Name *string `json:"name,omitempty"`
	// PodTemplate serializes as "podTemplate".
	PodTemplate *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration `json:"podTemplate,omitempty"`
	// IngressTemplate serializes as "ingressTemplate".
	IngressTemplate *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration `json:"ingressTemplate,omitempty"`
}
// ACMEChallengeSolverHTTP01Ingress returns a new, empty
// ACMEChallengeSolverHTTP01IngressApplyConfiguration for use with apply; every
// field is nil until a "With" method sets it.
func ACMEChallengeSolverHTTP01Ingress() *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressApplyConfiguration)
}
// WithServiceType sets the ServiceType field of the declarative configuration
// to the given value and returns the receiver so that "With" calls can be
// chained. When invoked more than once the last value wins. The value is
// copied before its address is taken.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithServiceType(value corev1.ServiceType) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	svcType := value
	b.ServiceType = &svcType
	return b
}
// WithIngressClassName sets the IngressClassName field of the declarative
// configuration to the given value and returns the receiver so that "With"
// calls can be chained. When invoked more than once the last value wins. The
// string is copied before its address is taken.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithIngressClassName(value string) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	className := value
	b.IngressClassName = &className
	return b
}
// WithClass sets the Class field of the declarative configuration to the given
// value and returns the receiver so that "With" calls can be chained. When
// invoked more than once the last value wins. The string is copied before its
// address is taken.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithClass(value string) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	class := value
	b.Class = &class
	return b
}
// WithName sets the Name field of the declarative configuration to the given
// value and returns the receiver so that "With" calls can be chained. When
// invoked more than once the last value wins. The string is copied before its
// address is taken.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithName(value string) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	name := value
	b.Name = &name
	return b
}
// WithPodTemplate sets the PodTemplate field of the declarative configuration
// and returns the receiver so that "With" calls can be chained. A later call
// replaces an earlier value. The pointer is stored as given, so the caller's
// object is shared rather than copied.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithPodTemplate(value *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	tmpl := value
	b.PodTemplate = tmpl
	return b
}
// WithIngressTemplate sets the IngressTemplate field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// A later call replaces an earlier value. The pointer is stored as given, so
// the caller's object is shared rather than copied.
func (b *ACMEChallengeSolverHTTP01IngressApplyConfiguration) WithIngressTemplate(value *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration) *ACMEChallengeSolverHTTP01IngressApplyConfiguration {
	tmpl := value
	b.IngressTemplate = tmpl
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressObjectMeta type for use
// with apply.
//
// Both maps are tagged omitempty, so a nil or empty map is left out of the
// serialized apply request.
type ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration struct {
	// Annotations serializes as "annotations"; entries are merged in by WithAnnotations.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Labels serializes as "labels"; entries are merged in by WithLabels.
	Labels map[string]string `json:"labels,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressObjectMeta returns a new, empty
// ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration for use with
// apply; both maps are nil until a "With" method populates them.
func ACMEChallengeSolverHTTP01IngressObjectMeta() *ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration)
}
// WithAnnotations merges the given entries into the Annotations field of the
// declarative configuration and returns the receiver so that "With" calls can
// be chained. Entries from successive calls accumulate; a key that already
// exists is overwritten by the later call. Only key/value pairs are copied —
// the entries map itself is never retained. A nil or empty map is a no-op and
// does not allocate the Annotations map.
func (b *ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration) WithAnnotations(entries map[string]string) *ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.Annotations == nil {
		b.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.Annotations[key] = val
	}
	return b
}
// WithLabels merges the given entries into the Labels field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists is
// overwritten by the later call. Only key/value pairs are copied — the entries
// map itself is never retained. A nil or empty map is a no-op and does not
// allocate the Labels map.
func (b *ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration) WithLabels(entries map[string]string) *ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.Labels == nil {
		b.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.Labels[key] = val
	}
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressPodObjectMeta type for use
// with apply.
//
// Both maps are tagged omitempty, so a nil or empty map is left out of the
// serialized apply request.
type ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration struct {
	// Annotations serializes as "annotations"; entries are merged in by WithAnnotations.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Labels serializes as "labels"; entries are merged in by WithLabels.
	Labels map[string]string `json:"labels,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressPodObjectMeta returns a new, empty
// ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration for use with
// apply; both maps are nil until a "With" method populates them.
func ACMEChallengeSolverHTTP01IngressPodObjectMeta() *ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration)
}
// WithAnnotations merges the given entries into the Annotations field of the
// declarative configuration and returns the receiver so that "With" calls can
// be chained. Entries from successive calls accumulate; a key that already
// exists is overwritten by the later call. Only key/value pairs are copied —
// the entries map itself is never retained. A nil or empty map is a no-op and
// does not allocate the Annotations map.
func (b *ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration) WithAnnotations(entries map[string]string) *ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.Annotations == nil {
		b.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.Annotations[key] = val
	}
	return b
}
// WithLabels merges the given entries into the Labels field of the declarative
// configuration and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists is
// overwritten by the later call. Only key/value pairs are copied — the entries
// map itself is never retained. A nil or empty map is a no-op and does not
// allocate the Labels map.
func (b *ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration) WithLabels(entries map[string]string) *ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.Labels == nil {
		b.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.Labels[key] = val
	}
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
)
// ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressPodResources type for use
// with apply.
//
// Both fields are pointers to a corev1.ResourceList and tagged omitempty, so an
// unset field is left out of the serialized apply request.
type ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration struct {
	// Limits serializes as "limits".
	Limits *corev1.ResourceList `json:"limits,omitempty"`
	// Requests serializes as "requests".
	Requests *corev1.ResourceList `json:"requests,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressPodResources returns a new, empty
// ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration for use with
// apply; both fields are nil until a "With" method sets them.
func ACMEChallengeSolverHTTP01IngressPodResources() *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration)
}
// WithLimits sets the Limits field of the declarative configuration to the
// given value and returns the receiver so that "With" calls can be chained.
// When invoked more than once the last value wins. Note that a ResourceList
// is a map, so although the map header is copied before its address is taken,
// the underlying map storage is still shared with the caller.
func (b *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration) WithLimits(value corev1.ResourceList) *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration {
	limits := value
	b.Limits = &limits
	return b
}
// WithRequests sets the Requests field of the declarative configuration to the
// given value and returns the receiver so that "With" calls can be chained.
// When invoked more than once the last value wins. Note that a ResourceList
// is a map, so although the map header is copied before its address is taken,
// the underlying map storage is still shared with the caller.
func (b *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration) WithRequests(value corev1.ResourceList) *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration {
	requests := value
	b.Requests = &requests
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
)
// ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressPodSecurityContext type for use
// with apply.
//
// Every field is tagged omitempty, so an unset pointer or an empty slice is
// left out of the serialized apply request. Field names and types mirror the
// pod-level security context from k8s.io/api/core/v1; the values chosen here
// end up on the HTTP-01 solver pod, so reviewers should treat them with the
// same scrutiny as any other pod security context (e.g. keep RunAsNonRoot and
// a restrictive SeccompProfile where the cluster policy expects them).
type ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration struct {
	// SELinuxOptions serializes as "seLinuxOptions".
	SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty"`
	// RunAsUser serializes as "runAsUser".
	RunAsUser *int64 `json:"runAsUser,omitempty"`
	// RunAsGroup serializes as "runAsGroup".
	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
	// RunAsNonRoot serializes as "runAsNonRoot".
	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
	// SupplementalGroups serializes as "supplementalGroups"; appended to by WithSupplementalGroups.
	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
	// FSGroup serializes as "fsGroup".
	FSGroup *int64 `json:"fsGroup,omitempty"`
	// Sysctls serializes as "sysctls"; appended to by WithSysctls.
	Sysctls []corev1.Sysctl `json:"sysctls,omitempty"`
	// FSGroupChangePolicy serializes as "fsGroupChangePolicy".
	FSGroupChangePolicy *corev1.PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty"`
	// SeccompProfile serializes as "seccompProfile".
	SeccompProfile *corev1.SeccompProfile `json:"seccompProfile,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressPodSecurityContext returns a new, empty
// ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration for use
// with apply; every field is nil until a "With" method sets it.
func ACMEChallengeSolverHTTP01IngressPodSecurityContext() *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration)
}
// WithSELinuxOptions sets the SELinuxOptions field of the declarative
// configuration to the given value and returns the receiver so that "With"
// calls can be chained. When invoked more than once the last value wins. The
// struct is copied before its address is taken, so the caller's variable is
// not aliased.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithSELinuxOptions(value corev1.SELinuxOptions) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	opts := value
	b.SELinuxOptions = &opts
	return b
}
// WithRunAsUser sets the RunAsUser field of the declarative configuration to
// the given UID and returns the receiver so that "With" calls can be chained.
// When invoked more than once the last value wins. The value is copied before
// its address is taken.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithRunAsUser(value int64) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	uid := value
	b.RunAsUser = &uid
	return b
}
// WithRunAsGroup sets the RunAsGroup field of the declarative configuration to
// the given GID and returns the receiver so that "With" calls can be chained.
// When invoked more than once the last value wins. The value is copied before
// its address is taken.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithRunAsGroup(value int64) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	gid := value
	b.RunAsGroup = &gid
	return b
}
// WithRunAsNonRoot sets the RunAsNonRoot field of the declarative
// configuration to the given value and returns the receiver so that "With"
// calls can be chained. When invoked more than once the last value wins. The
// bool is copied before its address is taken, which is what lets an explicit
// false be distinguished from "not set" in the serialized apply request.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithRunAsNonRoot(value bool) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	nonRoot := value
	b.RunAsNonRoot = &nonRoot
	return b
}
// WithSupplementalGroups appends the given GIDs to the SupplementalGroups
// field of the declarative configuration and returns the receiver so that
// "With" calls can be chained. Values from successive calls accumulate in call
// order; nothing is deduplicated. Elements are copied into the receiver's
// slice; the variadic argument slice itself is not retained.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithSupplementalGroups(values ...int64) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	b.SupplementalGroups = append(b.SupplementalGroups, values...)
	return b
}
// WithFSGroup sets the FSGroup field of the declarative configuration to the
// given GID and returns the receiver so that "With" calls can be chained. When
// invoked more than once the last value wins. The value is copied before its
// address is taken.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithFSGroup(value int64) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	fsGroup := value
	b.FSGroup = &fsGroup
	return b
}
// WithSysctls appends the given sysctls to the Sysctls field of the
// declarative configuration and returns the receiver so that "With" calls can
// be chained. Values from successive calls accumulate in call order; nothing
// is deduplicated or validated here. Elements are copied into the receiver's
// slice; the variadic argument slice itself is not retained.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithSysctls(values ...corev1.Sysctl) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	b.Sysctls = append(b.Sysctls, values...)
	return b
}
// WithFSGroupChangePolicy stores value in the FSGroupChangePolicy field of the
// declarative configuration and returns the receiver so that further "With" calls
// can be chained. A later call replaces the value stored by an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithFSGroupChangePolicy(value corev1.PodFSGroupChangePolicy) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.FSGroupChangePolicy = new(corev1.PodFSGroupChangePolicy)
	*b.FSGroupChangePolicy = value
	return b
}
// WithSeccompProfile stores a copy of value in the SeccompProfile field of the
// declarative configuration and returns the receiver so that further "With" calls
// can be chained. A later call replaces the value stored by an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) WithSeccompProfile(value corev1.SeccompProfile) *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration {
	// value is a by-value parameter, so the pointer taken here is to a private copy.
	b.SeccompProfile = new(corev1.SeccompProfile)
	*b.SeccompProfile = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
)
// ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressPodSpec type for use
// with apply. Every field is optional (omitempty) so that only fields explicitly set
// through the "With" builders are serialized.
type ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration struct {
	// NodeSelector is serialized as "nodeSelector"; populated by WithNodeSelector.
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// Affinity is serialized as "affinity"; populated by WithAffinity.
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// Tolerations is serialized as "tolerations"; appended to by WithTolerations.
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// PriorityClassName is serialized as "priorityClassName".
	PriorityClassName *string `json:"priorityClassName,omitempty"`
	// ServiceAccountName is serialized as "serviceAccountName".
	// NOTE(review): presumably the identity the solver pod runs under — confirm against the API type docs.
	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
	// ImagePullSecrets is serialized as "imagePullSecrets"; references to Secrets, not credentials.
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
	// SecurityContext is serialized as "securityContext"; a nested apply configuration.
	SecurityContext *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration `json:"securityContext,omitempty"`
	// Resources is serialized as "resources"; a nested apply configuration.
	Resources *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration `json:"resources,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressPodSpec returns an empty apply configuration for the
// ACMEChallengeSolverHTTP01IngressPodSpec type; fields are filled in via its "With" methods.
func ACMEChallengeSolverHTTP01IngressPodSpec() *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration)
}
// WithNodeSelector copies entries into the NodeSelector field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// Repeated calls merge; an entry with an existing key overwrites the earlier value.
// An empty or nil entries map leaves the field untouched (a nil map stays nil).
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithNodeSelector(entries map[string]string) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	if len(entries) == 0 {
		return b
	}
	if b.NodeSelector == nil {
		b.NodeSelector = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.NodeSelector[key] = val
	}
	return b
}
// WithAffinity stores a copy of value in the Affinity field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithAffinity(value corev1.Affinity) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	// value is a by-value parameter, so the pointer taken here is to a private copy.
	b.Affinity = new(corev1.Affinity)
	*b.Affinity = value
	return b
}
// WithTolerations appends values to the Tolerations field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// Repeated calls accumulate; nothing is deduplicated or reordered.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithTolerations(values ...corev1.Toleration) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	b.Tolerations = append(b.Tolerations, values...)
	return b
}
// WithPriorityClassName stores value in the PriorityClassName field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithPriorityClassName(value string) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.PriorityClassName = new(string)
	*b.PriorityClassName = value
	return b
}
// WithServiceAccountName stores value in the ServiceAccountName field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one. The name is recorded as
// given; no existence or permission check happens here.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithServiceAccountName(value string) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.ServiceAccountName = new(string)
	*b.ServiceAccountName = value
	return b
}
// WithImagePullSecrets appends values to the ImagePullSecrets field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// Repeated calls accumulate. The values are object references, not the Secret contents.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithImagePullSecrets(values ...corev1.LocalObjectReference) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	b.ImagePullSecrets = append(b.ImagePullSecrets, values...)
	return b
}
// WithSecurityContext stores value in the SecurityContext field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// The pointer is stored as given (a nil value clears the field); a later call
// replaces the value stored by an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithSecurityContext(value *ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	b.SecurityContext = value
	return b
}
// WithResources stores value in the Resources field of the declarative configuration
// and returns the receiver so that further "With" calls can be chained. The pointer is
// stored as given (a nil value clears the field); a later call replaces an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) WithResources(value *ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration) *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration {
	b.Resources = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressPodTemplate type for use
// with apply.
type ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration struct {
	// Embedded object metadata, serialized as "metadata". It is a pointer and starts nil;
	// WithAnnotations/WithLabels allocate it on first use via the ensure...Exists helper.
	*ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	// Spec is serialized as "spec"; set by WithSpec.
	Spec *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration `json:"spec,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressPodTemplate returns an empty apply configuration for the
// ACMEChallengeSolverHTTP01IngressPodTemplate type; fields are filled in via its "With" methods.
func ACMEChallengeSolverHTTP01IngressPodTemplate() *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration)
}
// WithAnnotations copies entries into the Annotations field of the embedded object
// metadata and returns the receiver so that further "With" calls can be chained.
// Repeated calls merge; an entry with an existing key overwrites the earlier value.
// The embedded metadata is allocated if missing, even when entries is empty.
func (b *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) WithAnnotations(entries map[string]string) *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration {
	b.ensureACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfigurationExists()
	// meta is a pointer to the embedded struct, so writes below land on b.
	meta := b.ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration
	if len(entries) == 0 {
		return b
	}
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithLabels copies entries into the Labels field of the embedded object metadata and
// returns the receiver so that further "With" calls can be chained. Repeated calls
// merge; an entry with an existing key overwrites the earlier value. The embedded
// metadata is allocated if missing, even when entries is empty.
func (b *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) WithLabels(entries map[string]string) *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration {
	b.ensureACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfigurationExists()
	// meta is a pointer to the embedded struct, so writes below land on b.
	meta := b.ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration
	if len(entries) == 0 {
		return b
	}
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// ensureACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfigurationExists lazily
// allocates the embedded object-metadata configuration so callers can write to its
// fields without a nil check. An already-present value is left untouched.
func (b *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) ensureACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfigurationExists() {
	if b.ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration != nil {
		return
	}
	b.ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration = new(ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration)
}
// WithSpec stores value in the Spec field of the declarative configuration and returns
// the receiver so that further "With" calls can be chained. The pointer is stored as
// given (a nil value clears the field); a later call replaces an earlier one.
func (b *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration) WithSpec(value *ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration) *ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration {
	b.Spec = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration represents a declarative configuration of the ACMEChallengeSolverHTTP01IngressTemplate type for use
// with apply.
type ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration struct {
	// Embedded object metadata, serialized as "metadata". It is a pointer and starts nil;
	// WithAnnotations/WithLabels allocate it on first use via the ensure...Exists helper.
	*ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration `json:"metadata,omitempty"`
}
// ACMEChallengeSolverHTTP01IngressTemplate returns an empty apply configuration for the
// ACMEChallengeSolverHTTP01IngressTemplate type; fields are filled in via its "With" methods.
func ACMEChallengeSolverHTTP01IngressTemplate() *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration {
	return new(ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration)
}
// WithAnnotations copies entries into the Annotations field of the embedded object
// metadata and returns the receiver so that further "With" calls can be chained.
// Repeated calls merge; an entry with an existing key overwrites the earlier value.
// The embedded metadata is allocated if missing, even when entries is empty.
func (b *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration) WithAnnotations(entries map[string]string) *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration {
	b.ensureACMEChallengeSolverHTTP01IngressObjectMetaApplyConfigurationExists()
	// meta is a pointer to the embedded struct, so writes below land on b.
	meta := b.ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration
	if len(entries) == 0 {
		return b
	}
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithLabels copies entries into the Labels field of the embedded object metadata and
// returns the receiver so that further "With" calls can be chained. Repeated calls
// merge; an entry with an existing key overwrites the earlier value. The embedded
// metadata is allocated if missing, even when entries is empty.
func (b *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration) WithLabels(entries map[string]string) *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration {
	b.ensureACMEChallengeSolverHTTP01IngressObjectMetaApplyConfigurationExists()
	// meta is a pointer to the embedded struct, so writes below land on b.
	meta := b.ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration
	if len(entries) == 0 {
		return b
	}
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// ensureACMEChallengeSolverHTTP01IngressObjectMetaApplyConfigurationExists lazily
// allocates the embedded object-metadata configuration so callers can write to its
// fields without a nil check. An already-present value is left untouched.
func (b *ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration) ensureACMEChallengeSolverHTTP01IngressObjectMetaApplyConfigurationExists() {
	if b.ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration != nil {
		return
	}
	b.ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration = new(ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEExternalAccountBindingApplyConfiguration represents a declarative configuration of the ACMEExternalAccountBinding type for use
// with apply.
type ACMEExternalAccountBindingApplyConfiguration struct {
	// KeyID is serialized as "keyID"; the account binding identifier, set by WithKeyID.
	KeyID *string `json:"keyID,omitempty"`
	// Key is serialized as "keySecretRef": a selector pointing at a Secret key, so the
	// HMAC key material is referenced, never embedded in this object.
	Key *metav1.SecretKeySelectorApplyConfiguration `json:"keySecretRef,omitempty"`
	// KeyAlgorithm is serialized as "keyAlgorithm"; an acmev1.HMACKeyAlgorithm value.
	KeyAlgorithm *acmev1.HMACKeyAlgorithm `json:"keyAlgorithm,omitempty"`
}
// ACMEExternalAccountBinding returns an empty apply configuration for the
// ACMEExternalAccountBinding type; fields are filled in via its "With" methods.
func ACMEExternalAccountBinding() *ACMEExternalAccountBindingApplyConfiguration {
	return new(ACMEExternalAccountBindingApplyConfiguration)
}
// WithKeyID stores value in the KeyID field of the declarative configuration and
// returns the receiver so that further "With" calls can be chained. A later call
// replaces the value stored by an earlier one.
func (b *ACMEExternalAccountBindingApplyConfiguration) WithKeyID(value string) *ACMEExternalAccountBindingApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.KeyID = new(string)
	*b.KeyID = value
	return b
}
// WithKey stores value in the Key field of the declarative configuration and returns
// the receiver so that further "With" calls can be chained. value is a Secret key
// selector (a reference), not key material. The pointer is stored as given; a later
// call replaces an earlier one.
func (b *ACMEExternalAccountBindingApplyConfiguration) WithKey(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEExternalAccountBindingApplyConfiguration {
	b.Key = value
	return b
}
// WithKeyAlgorithm stores value in the KeyAlgorithm field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one; the value is not validated here.
func (b *ACMEExternalAccountBindingApplyConfiguration) WithKeyAlgorithm(value acmev1.HMACKeyAlgorithm) *ACMEExternalAccountBindingApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.KeyAlgorithm = new(acmev1.HMACKeyAlgorithm)
	*b.KeyAlgorithm = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerApplyConfiguration represents a declarative configuration of the ACMEIssuer type for use
// with apply. Every field is optional (omitempty) so that only fields explicitly set
// through the "With" builders are serialized.
type ACMEIssuerApplyConfiguration struct {
	// Email is serialized as "email".
	Email *string `json:"email,omitempty"`
	// Server is serialized as "server"; the ACME directory endpoint, stored as given.
	Server *string `json:"server,omitempty"`
	// PreferredChain is serialized as "preferredChain".
	PreferredChain *string `json:"preferredChain,omitempty"`
	// CABundle is serialized as "caBundle"; raw bytes appended by WithCABundle.
	CABundle []byte `json:"caBundle,omitempty"`
	// SkipTLSVerify is serialized as "skipTLSVerify".
	// NOTE(review): the name indicates TLS certificate verification towards the ACME
	// server can be switched off; a true value is a security-relevant choice — confirm
	// the exact semantics against the acmev1.ACMEIssuer type docs.
	SkipTLSVerify *bool `json:"skipTLSVerify,omitempty"`
	// ExternalAccountBinding is serialized as "externalAccountBinding"; nested apply configuration.
	ExternalAccountBinding *ACMEExternalAccountBindingApplyConfiguration `json:"externalAccountBinding,omitempty"`
	// PrivateKey is serialized as "privateKeySecretRef": a selector for a Secret key,
	// so the account key material is referenced, never embedded in this object.
	PrivateKey *metav1.SecretKeySelectorApplyConfiguration `json:"privateKeySecretRef,omitempty"`
	// Solvers is serialized as "solvers"; values (not pointers) appended by WithSolvers.
	Solvers []ACMEChallengeSolverApplyConfiguration `json:"solvers,omitempty"`
	// DisableAccountKeyGeneration is serialized as "disableAccountKeyGeneration".
	DisableAccountKeyGeneration *bool `json:"disableAccountKeyGeneration,omitempty"`
	// EnableDurationFeature is serialized as "enableDurationFeature".
	EnableDurationFeature *bool `json:"enableDurationFeature,omitempty"`
	// Profile is serialized as "profile".
	Profile *string `json:"profile,omitempty"`
}
// ACMEIssuer returns an empty apply configuration for the ACMEIssuer type; fields
// are filled in via its "With" methods.
func ACMEIssuer() *ACMEIssuerApplyConfiguration {
	return new(ACMEIssuerApplyConfiguration)
}
// WithEmail stores value in the Email field of the declarative configuration and
// returns the receiver so that further "With" calls can be chained. A later call
// replaces the value stored by an earlier one; no format validation happens here.
func (b *ACMEIssuerApplyConfiguration) WithEmail(value string) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.Email = new(string)
	*b.Email = value
	return b
}
// WithServer stores value in the Server field of the declarative configuration and
// returns the receiver so that further "With" calls can be chained. A later call
// replaces the value stored by an earlier one; the URL is not parsed or validated here.
func (b *ACMEIssuerApplyConfiguration) WithServer(value string) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.Server = new(string)
	*b.Server = value
	return b
}
// WithPreferredChain stores value in the PreferredChain field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithPreferredChain(value string) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.PreferredChain = new(string)
	*b.PreferredChain = value
	return b
}
// WithCABundle appends values to the CABundle field of the declarative configuration
// and returns the receiver so that further "With" calls can be chained. Repeated calls
// accumulate bytes in call order; the bundle is not parsed or validated here, so
// callers must pass the complete, well-formed bundle themselves.
func (b *ACMEIssuerApplyConfiguration) WithCABundle(values ...byte) *ACMEIssuerApplyConfiguration {
	b.CABundle = append(b.CABundle, values...)
	return b
}
// WithSkipTLSVerify stores value in the SkipTLSVerify field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// A later call replaces the value stored by an earlier one.
// NOTE(review): by its name this toggles TLS certificate verification of the ACME
// server; prefer WithCABundle for private CAs and treat true as an exceptional setting — confirm.
func (b *ACMEIssuerApplyConfiguration) WithSkipTLSVerify(value bool) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.SkipTLSVerify = new(bool)
	*b.SkipTLSVerify = value
	return b
}
// WithExternalAccountBinding stores value in the ExternalAccountBinding field of the
// declarative configuration and returns the receiver so that further "With" calls can
// be chained. The pointer is stored as given (nil clears the field); a later call
// replaces an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithExternalAccountBinding(value *ACMEExternalAccountBindingApplyConfiguration) *ACMEIssuerApplyConfiguration {
	b.ExternalAccountBinding = value
	return b
}
// WithPrivateKey stores value in the PrivateKey field of the declarative configuration
// and returns the receiver so that further "With" calls can be chained. value is a
// Secret key selector (a reference), not key material. The pointer is stored as
// given (nil clears the field); a later call replaces an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithPrivateKey(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerApplyConfiguration {
	b.PrivateKey = value
	return b
}
// WithSolvers appends a copy of each pointed-to value to the Solvers field of the
// declarative configuration and returns the receiver so that further "With" calls can
// be chained. Repeated calls accumulate in call order.
//
// Passing a nil pointer is a programmer error and panics, matching the behaviour of
// the other generated builders.
func (b *ACMEIssuerApplyConfiguration) WithSolvers(values ...*ACMEChallengeSolverApplyConfiguration) *ACMEIssuerApplyConfiguration {
	for _, solver := range values {
		if solver == nil {
			panic("nil value passed to WithSolvers")
		}
		// Dereference so the slice holds its own copy, independent of the caller's pointer.
		b.Solvers = append(b.Solvers, *solver)
	}
	return b
}
// WithDisableAccountKeyGeneration stores value in the DisableAccountKeyGeneration field
// of the declarative configuration and returns the receiver so that further "With"
// calls can be chained. A later call replaces the value stored by an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithDisableAccountKeyGeneration(value bool) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.DisableAccountKeyGeneration = new(bool)
	*b.DisableAccountKeyGeneration = value
	return b
}
// WithEnableDurationFeature stores value in the EnableDurationFeature field of the
// declarative configuration and returns the receiver so that further "With" calls can
// be chained. A later call replaces the value stored by an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithEnableDurationFeature(value bool) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.EnableDurationFeature = new(bool)
	*b.EnableDurationFeature = value
	return b
}
// WithProfile stores value in the Profile field of the declarative configuration and
// returns the receiver so that further "With" calls can be chained. A later call
// replaces the value stored by an earlier one.
func (b *ACMEIssuerApplyConfiguration) WithProfile(value string) *ACMEIssuerApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.Profile = new(string)
	*b.Profile = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration represents a declarative configuration of the ACMEIssuerDNS01ProviderAcmeDNS type for use
// with apply.
type ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration struct {
	// Host is serialized as "host"; set by WithHost, stored as given.
	Host *string `json:"host,omitempty"`
	// AccountSecret is serialized as "accountSecretRef": a selector for a Secret key,
	// so the provider credential is referenced, never embedded in this object.
	AccountSecret *metav1.SecretKeySelectorApplyConfiguration `json:"accountSecretRef,omitempty"`
}
// ACMEIssuerDNS01ProviderAcmeDNS returns an empty apply configuration for the
// ACMEIssuerDNS01ProviderAcmeDNS type; fields are filled in via its "With" methods.
func ACMEIssuerDNS01ProviderAcmeDNS() *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration {
	return new(ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration)
}
// WithHost stores value in the Host field of the declarative configuration and returns
// the receiver so that further "With" calls can be chained. A later call replaces the
// value stored by an earlier one; the host is not parsed or validated here.
func (b *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration) WithHost(value string) *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.Host = new(string)
	*b.Host = value
	return b
}
// WithAccountSecret stores value in the AccountSecret field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// value is a Secret key selector (a reference), not the credential itself. The pointer
// is stored as given (nil clears the field); a later call replaces an earlier one.
func (b *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration) WithAccountSecret(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration {
	b.AccountSecret = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderAkamaiApplyConfiguration represents a declarative configuration of the ACMEIssuerDNS01ProviderAkamai type for use
// with apply. All three credential fields are Secret key selectors (references), so no
// credential material is carried in this object.
type ACMEIssuerDNS01ProviderAkamaiApplyConfiguration struct {
	// ServiceConsumerDomain is serialized as "serviceConsumerDomain".
	ServiceConsumerDomain *string `json:"serviceConsumerDomain,omitempty"`
	// ClientToken is serialized as "clientTokenSecretRef".
	ClientToken *metav1.SecretKeySelectorApplyConfiguration `json:"clientTokenSecretRef,omitempty"`
	// ClientSecret is serialized as "clientSecretSecretRef".
	ClientSecret *metav1.SecretKeySelectorApplyConfiguration `json:"clientSecretSecretRef,omitempty"`
	// AccessToken is serialized as "accessTokenSecretRef".
	AccessToken *metav1.SecretKeySelectorApplyConfiguration `json:"accessTokenSecretRef,omitempty"`
}
// ACMEIssuerDNS01ProviderAkamai returns an empty apply configuration for the
// ACMEIssuerDNS01ProviderAkamai type; fields are filled in via its "With" methods.
func ACMEIssuerDNS01ProviderAkamai() *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration {
	return new(ACMEIssuerDNS01ProviderAkamaiApplyConfiguration)
}
// WithServiceConsumerDomain stores value in the ServiceConsumerDomain field of the
// declarative configuration and returns the receiver so that further "With" calls can
// be chained. A later call replaces the value stored by an earlier one.
func (b *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration) WithServiceConsumerDomain(value string) *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration {
	// A fresh pointer per call: the stored pointer never aliases caller memory.
	b.ServiceConsumerDomain = new(string)
	*b.ServiceConsumerDomain = value
	return b
}
// WithClientToken stores value in the ClientToken field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// value is a Secret key selector (a reference), not the token itself. The pointer is
// stored as given (nil clears the field); a later call replaces an earlier one.
func (b *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration) WithClientToken(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration {
	b.ClientToken = value
	return b
}
// WithClientSecret stores value in the ClientSecret field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// value is a Secret key selector (a reference), not the secret itself. The pointer is
// stored as given (nil clears the field); a later call replaces an earlier one.
func (b *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration) WithClientSecret(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration {
	b.ClientSecret = value
	return b
}
// WithAccessToken stores value in the AccessToken field of the declarative
// configuration and returns the receiver so that further "With" calls can be chained.
// value is a Secret key selector (a reference), not the token itself. The pointer is
// stored as given (nil clears the field); a later call replaces an earlier one.
func (b *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration) WithAccessToken(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderAkamaiApplyConfiguration {
	b.AccessToken = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderAzureDNS type. Every field is a
// pointer tagged omitempty, so an unset field is left out of the apply patch
// rather than sent as an empty value.
type ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration struct {
	// ClientID is sent as "clientID".
	ClientID *string `json:"clientID,omitempty"`
	// ClientSecret is a selector naming the Secret key that holds the client
	// secret ("clientSecretSecretRef"); the builder carries the reference,
	// never the credential value.
	ClientSecret *metav1.SecretKeySelectorApplyConfiguration `json:"clientSecretSecretRef,omitempty"`
	// SubscriptionID is sent as "subscriptionID".
	SubscriptionID *string `json:"subscriptionID,omitempty"`
	// TenantID is sent as "tenantID".
	TenantID *string `json:"tenantID,omitempty"`
	// ResourceGroupName is sent as "resourceGroupName".
	ResourceGroupName *string `json:"resourceGroupName,omitempty"`
	// HostedZoneName is sent as "hostedZoneName".
	HostedZoneName *string `json:"hostedZoneName,omitempty"`
	// Environment is the acmev1.AzureDNSEnvironment value, sent as "environment".
	Environment *acmev1.AzureDNSEnvironment `json:"environment,omitempty"`
	// ManagedIdentity is the nested managed-identity builder, sent as "managedIdentity".
	ManagedIdentity *AzureManagedIdentityApplyConfiguration `json:"managedIdentity,omitempty"`
}

// ACMEIssuerDNS01ProviderAzureDNS returns an empty builder; every field is nil
// until the matching "With" method is called.
func ACMEIssuerDNS01ProviderAzureDNS() *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration
	return &cfg
}

// WithClientID records value in ClientID and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithClientID(value string) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	// Allocate a fresh string so the stored pointer never aliases caller state.
	b.ClientID = new(string)
	*b.ClientID = value
	return b
}

// WithClientSecret records the Secret key selector in ClientSecret and returns
// the receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithClientSecret(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	ref := value
	b.ClientSecret = ref
	return b
}

// WithSubscriptionID records value in SubscriptionID and returns the receiver
// for chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithSubscriptionID(value string) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	b.SubscriptionID = new(string)
	*b.SubscriptionID = value
	return b
}

// WithTenantID records value in TenantID and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithTenantID(value string) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	b.TenantID = new(string)
	*b.TenantID = value
	return b
}

// WithResourceGroupName records value in ResourceGroupName and returns the
// receiver for chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithResourceGroupName(value string) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	b.ResourceGroupName = new(string)
	*b.ResourceGroupName = value
	return b
}

// WithHostedZoneName records value in HostedZoneName and returns the receiver
// for chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithHostedZoneName(value string) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	b.HostedZoneName = new(string)
	*b.HostedZoneName = value
	return b
}

// WithEnvironment records value in Environment and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithEnvironment(value acmev1.AzureDNSEnvironment) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	b.Environment = new(acmev1.AzureDNSEnvironment)
	*b.Environment = value
	return b
}

// WithManagedIdentity records the nested builder in ManagedIdentity and returns
// the receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration) WithManagedIdentity(value *AzureManagedIdentityApplyConfiguration) *ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration {
	ref := value
	b.ManagedIdentity = ref
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderCloudDNS type. All fields are pointers
// tagged omitempty, so unset fields are left out of the apply patch.
type ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration struct {
	// ServiceAccount is a selector naming the Secret key that holds the
	// service-account credential ("serviceAccountSecretRef"); the builder
	// carries the reference, never the credential value.
	ServiceAccount *metav1.SecretKeySelectorApplyConfiguration `json:"serviceAccountSecretRef,omitempty"`
	// Project is sent as "project".
	Project *string `json:"project,omitempty"`
	// HostedZoneName is sent as "hostedZoneName".
	HostedZoneName *string `json:"hostedZoneName,omitempty"`
}

// ACMEIssuerDNS01ProviderCloudDNS returns an empty builder; every field is nil
// until the matching "With" method is called.
func ACMEIssuerDNS01ProviderCloudDNS() *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration
	return &cfg
}

// WithServiceAccount records the Secret key selector in ServiceAccount and
// returns the receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration) WithServiceAccount(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration {
	ref := value
	b.ServiceAccount = ref
	return b
}

// WithProject records value in Project and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration) WithProject(value string) *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.Project = new(string)
	*b.Project = value
	return b
}

// WithHostedZoneName records value in HostedZoneName and returns the receiver
// for chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration) WithHostedZoneName(value string) *ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration {
	b.HostedZoneName = new(string)
	*b.HostedZoneName = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderCloudflareApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderCloudflare type. All fields are
// pointers tagged omitempty, so unset fields are left out of the apply patch.
type ACMEIssuerDNS01ProviderCloudflareApplyConfiguration struct {
	// Email is sent as "email".
	Email *string `json:"email,omitempty"`
	// APIKey is a selector naming the Secret key that holds the API key
	// ("apiKeySecretRef"); only the reference is carried here.
	APIKey *metav1.SecretKeySelectorApplyConfiguration `json:"apiKeySecretRef,omitempty"`
	// APIToken is a selector naming the Secret key that holds the API token
	// ("apiTokenSecretRef"); only the reference is carried here. Nothing in
	// this builder enforces that just one of APIKey/APIToken is set.
	APIToken *metav1.SecretKeySelectorApplyConfiguration `json:"apiTokenSecretRef,omitempty"`
}

// ACMEIssuerDNS01ProviderCloudflare returns an empty builder; every field is
// nil until the matching "With" method is called.
func ACMEIssuerDNS01ProviderCloudflare() *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderCloudflareApplyConfiguration
	return &cfg
}

// WithEmail records value in Email and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration) WithEmail(value string) *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.Email = new(string)
	*b.Email = value
	return b
}

// WithAPIKey records the Secret key selector in APIKey and returns the
// receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration) WithAPIKey(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration {
	ref := value
	b.APIKey = ref
	return b
}

// WithAPIToken records the Secret key selector in APIToken and returns the
// receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration) WithAPIToken(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderCloudflareApplyConfiguration {
	ref := value
	b.APIToken = ref
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderDigitalOcean type. Its single field is
// a pointer tagged omitempty, so it is left out of the apply patch while unset.
type ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration struct {
	// Token is a selector naming the Secret key that holds the API token
	// ("tokenSecretRef"); only the reference is carried here, never the token.
	Token *metav1.SecretKeySelectorApplyConfiguration `json:"tokenSecretRef,omitempty"`
}

// ACMEIssuerDNS01ProviderDigitalOcean returns an empty builder with Token nil.
func ACMEIssuerDNS01ProviderDigitalOcean() *ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration
	return &cfg
}

// WithToken records the Secret key selector in Token and returns the receiver
// for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration) WithToken(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration {
	ref := value
	b.Token = ref
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderRFC2136 type. All fields are pointers
// tagged omitempty, so unset fields are left out of the apply patch.
type ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration struct {
	// Nameserver is sent as "nameserver".
	Nameserver *string `json:"nameserver,omitempty"`
	// TSIGSecret is a selector naming the Secret key that holds the TSIG
	// shared secret ("tsigSecretSecretRef"); only the reference is carried
	// here, never the key material.
	TSIGSecret *metav1.SecretKeySelectorApplyConfiguration `json:"tsigSecretSecretRef,omitempty"`
	// TSIGKeyName is sent as "tsigKeyName".
	TSIGKeyName *string `json:"tsigKeyName,omitempty"`
	// TSIGAlgorithm is the algorithm name as a free-form string ("tsigAlgorithm");
	// nothing in this builder validates it.
	TSIGAlgorithm *string `json:"tsigAlgorithm,omitempty"`
	// Protocol is the acmev1.RFC2136UpdateProtocol value, sent as "protocol".
	Protocol *acmev1.RFC2136UpdateProtocol `json:"protocol,omitempty"`
}

// ACMEIssuerDNS01ProviderRFC2136 returns an empty builder; every field is nil
// until the matching "With" method is called.
func ACMEIssuerDNS01ProviderRFC2136() *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration
	return &cfg
}

// WithNameserver records value in Nameserver and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) WithNameserver(value string) *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.Nameserver = new(string)
	*b.Nameserver = value
	return b
}

// WithTSIGSecret records the Secret key selector in TSIGSecret and returns the
// receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) WithTSIGSecret(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	ref := value
	b.TSIGSecret = ref
	return b
}

// WithTSIGKeyName records value in TSIGKeyName and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) WithTSIGKeyName(value string) *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	b.TSIGKeyName = new(string)
	*b.TSIGKeyName = value
	return b
}

// WithTSIGAlgorithm records value in TSIGAlgorithm and returns the receiver
// for chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) WithTSIGAlgorithm(value string) *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	b.TSIGAlgorithm = new(string)
	*b.TSIGAlgorithm = value
	return b
}

// WithProtocol records value in Protocol and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration) WithProtocol(value acmev1.RFC2136UpdateProtocol) *ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration {
	b.Protocol = new(acmev1.RFC2136UpdateProtocol)
	*b.Protocol = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ACMEIssuerDNS01ProviderRoute53ApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderRoute53 type. All fields are pointers
// tagged omitempty, so unset fields are left out of the apply patch.
type ACMEIssuerDNS01ProviderRoute53ApplyConfiguration struct {
	// Auth is the nested Route53 auth builder, sent as "auth".
	Auth *Route53AuthApplyConfiguration `json:"auth,omitempty"`
	// AccessKeyID is the key ID given inline as a plain string ("accessKeyID").
	AccessKeyID *string `json:"accessKeyID,omitempty"`
	// SecretAccessKeyID is a selector naming the Secret key that holds the
	// access key ID. Note the Go field name does not match its wire name:
	// it serializes as "accessKeyIDSecretRef", not as a secret access key.
	SecretAccessKeyID *metav1.SecretKeySelectorApplyConfiguration `json:"accessKeyIDSecretRef,omitempty"`
	// SecretAccessKey is a selector naming the Secret key that holds the
	// secret access key ("secretAccessKeySecretRef"); only the reference is
	// carried here, never the key material.
	SecretAccessKey *metav1.SecretKeySelectorApplyConfiguration `json:"secretAccessKeySecretRef,omitempty"`
	// Role is sent as "role".
	Role *string `json:"role,omitempty"`
	// HostedZoneID is sent as "hostedZoneID".
	HostedZoneID *string `json:"hostedZoneID,omitempty"`
	// Region is sent as "region".
	Region *string `json:"region,omitempty"`
}

// ACMEIssuerDNS01ProviderRoute53 returns an empty builder; every field is nil
// until the matching "With" method is called.
func ACMEIssuerDNS01ProviderRoute53() *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderRoute53ApplyConfiguration
	return &cfg
}

// WithAuth records the nested builder in Auth and returns the receiver for
// chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithAuth(value *Route53AuthApplyConfiguration) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	ref := value
	b.Auth = ref
	return b
}

// WithAccessKeyID records value in AccessKeyID and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithAccessKeyID(value string) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.AccessKeyID = new(string)
	*b.AccessKeyID = value
	return b
}

// WithSecretAccessKeyID records the Secret key selector in SecretAccessKeyID
// (wire name "accessKeyIDSecretRef") and returns the receiver for chaining.
// The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithSecretAccessKeyID(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	ref := value
	b.SecretAccessKeyID = ref
	return b
}

// WithSecretAccessKey records the Secret key selector in SecretAccessKey and
// returns the receiver for chaining. The last call wins; nil clears the field.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithSecretAccessKey(value *metav1.SecretKeySelectorApplyConfiguration) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	ref := value
	b.SecretAccessKey = ref
	return b
}

// WithRole records value in Role and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithRole(value string) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	b.Role = new(string)
	*b.Role = value
	return b
}

// WithHostedZoneID records value in HostedZoneID and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithHostedZoneID(value string) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	b.HostedZoneID = new(string)
	*b.HostedZoneID = value
	return b
}

// WithRegion records value in Region and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration) WithRegion(value string) *ACMEIssuerDNS01ProviderRoute53ApplyConfiguration {
	b.Region = new(string)
	*b.Region = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
// ACMEIssuerDNS01ProviderWebhookApplyConfiguration is the server-side-apply
// builder for the ACMEIssuerDNS01ProviderWebhook type. All fields are pointers
// tagged omitempty, so unset fields are left out of the apply patch.
type ACMEIssuerDNS01ProviderWebhookApplyConfiguration struct {
	// GroupName is sent as "groupName".
	GroupName *string `json:"groupName,omitempty"`
	// SolverName is sent as "solverName".
	SolverName *string `json:"solverName,omitempty"`
	// Config is opaque, solver-specific JSON ("config"). It is stored as-is;
	// nothing in this builder validates its contents.
	Config *apiextensionsv1.JSON `json:"config,omitempty"`
}

// ACMEIssuerDNS01ProviderWebhook returns an empty builder; every field is nil
// until the matching "With" method is called.
func ACMEIssuerDNS01ProviderWebhook() *ACMEIssuerDNS01ProviderWebhookApplyConfiguration {
	var cfg ACMEIssuerDNS01ProviderWebhookApplyConfiguration
	return &cfg
}

// WithGroupName records value in GroupName and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderWebhookApplyConfiguration) WithGroupName(value string) *ACMEIssuerDNS01ProviderWebhookApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.GroupName = new(string)
	*b.GroupName = value
	return b
}

// WithSolverName records value in SolverName and returns the receiver for
// chaining. The last call wins.
func (b *ACMEIssuerDNS01ProviderWebhookApplyConfiguration) WithSolverName(value string) *ACMEIssuerDNS01ProviderWebhookApplyConfiguration {
	b.SolverName = new(string)
	*b.SolverName = value
	return b
}

// WithConfig stores a copy of value in Config and returns the receiver for
// chaining. The last call wins. The copy is shallow: any slice or pointer
// inside the JSON value is still shared with the caller's value.
func (b *ACMEIssuerDNS01ProviderWebhookApplyConfiguration) WithConfig(value apiextensionsv1.JSON) *ACMEIssuerDNS01ProviderWebhookApplyConfiguration {
	b.Config = new(apiextensionsv1.JSON)
	*b.Config = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ACMEIssuerStatusApplyConfiguration is the server-side-apply builder for the
// ACMEIssuerStatus type. All fields are pointers tagged omitempty, so unset
// fields are left out of the apply patch.
type ACMEIssuerStatusApplyConfiguration struct {
	// URI is sent as "uri".
	URI *string `json:"uri,omitempty"`
	// LastRegisteredEmail is sent as "lastRegisteredEmail".
	LastRegisteredEmail *string `json:"lastRegisteredEmail,omitempty"`
	// LastPrivateKeyHash is sent as "lastPrivateKeyHash". It is an opaque
	// string here; the builder does not compute or check it.
	LastPrivateKeyHash *string `json:"lastPrivateKeyHash,omitempty"`
}

// ACMEIssuerStatus returns an empty builder; every field is nil until the
// matching "With" method is called.
func ACMEIssuerStatus() *ACMEIssuerStatusApplyConfiguration {
	var cfg ACMEIssuerStatusApplyConfiguration
	return &cfg
}

// WithURI records value in URI and returns the receiver for chaining.
// The last call wins.
func (b *ACMEIssuerStatusApplyConfiguration) WithURI(value string) *ACMEIssuerStatusApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.URI = new(string)
	*b.URI = value
	return b
}

// WithLastRegisteredEmail records value in LastRegisteredEmail and returns the
// receiver for chaining. The last call wins.
func (b *ACMEIssuerStatusApplyConfiguration) WithLastRegisteredEmail(value string) *ACMEIssuerStatusApplyConfiguration {
	b.LastRegisteredEmail = new(string)
	*b.LastRegisteredEmail = value
	return b
}

// WithLastPrivateKeyHash records value in LastPrivateKeyHash and returns the
// receiver for chaining. The last call wins.
func (b *ACMEIssuerStatusApplyConfiguration) WithLastPrivateKeyHash(value string) *ACMEIssuerStatusApplyConfiguration {
	b.LastPrivateKeyHash = new(string)
	*b.LastPrivateKeyHash = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// AzureManagedIdentityApplyConfiguration is the server-side-apply builder for
// the AzureManagedIdentity type. All fields are pointers tagged omitempty, so
// unset fields are left out of the apply patch.
type AzureManagedIdentityApplyConfiguration struct {
	// ClientID is sent as "clientID".
	ClientID *string `json:"clientID,omitempty"`
	// ResourceID is sent as "resourceID".
	ResourceID *string `json:"resourceID,omitempty"`
	// TenantID is sent as "tenantID".
	TenantID *string `json:"tenantID,omitempty"`
}

// AzureManagedIdentity returns an empty builder; every field is nil until the
// matching "With" method is called.
func AzureManagedIdentity() *AzureManagedIdentityApplyConfiguration {
	var cfg AzureManagedIdentityApplyConfiguration
	return &cfg
}

// WithClientID records value in ClientID and returns the receiver for chaining.
// The last call wins.
func (b *AzureManagedIdentityApplyConfiguration) WithClientID(value string) *AzureManagedIdentityApplyConfiguration {
	// Fresh allocation so the stored pointer never aliases caller state.
	b.ClientID = new(string)
	*b.ClientID = value
	return b
}

// WithResourceID records value in ResourceID and returns the receiver for
// chaining. The last call wins.
func (b *AzureManagedIdentityApplyConfiguration) WithResourceID(value string) *AzureManagedIdentityApplyConfiguration {
	b.ResourceID = new(string)
	*b.ResourceID = value
	return b
}

// WithTenantID records value in TenantID and returns the receiver for chaining.
// The last call wins.
func (b *AzureManagedIdentityApplyConfiguration) WithTenantID(value string) *AzureManagedIdentityApplyConfiguration {
	b.TenantID = new(string)
	*b.TenantID = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// CertificateDNSNameSelectorApplyConfiguration is the server-side-apply builder
// for the CertificateDNSNameSelector type. The map and slices are tagged
// omitempty, so they are left out of the apply patch while empty.
type CertificateDNSNameSelectorApplyConfiguration struct {
	// MatchLabels is sent as "matchLabels"; entries are merged by WithMatchLabels.
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
	// DNSNames is sent as "dnsNames"; values accumulate across WithDNSNames calls.
	DNSNames []string `json:"dnsNames,omitempty"`
	// DNSZones is sent as "dnsZones"; values accumulate across WithDNSZones calls.
	DNSZones []string `json:"dnsZones,omitempty"`
}

// CertificateDNSNameSelector returns an empty builder: MatchLabels is a nil
// map and both slices are nil until the matching "With" method adds to them.
func CertificateDNSNameSelector() *CertificateDNSNameSelectorApplyConfiguration {
	var cfg CertificateDNSNameSelectorApplyConfiguration
	return &cfg
}

// WithMatchLabels merges entries into MatchLabels and returns the receiver for
// chaining. Repeated calls accumulate; an entry whose key already exists is
// overwritten by the later call. A nil or empty entries map is a no-op and
// leaves a nil MatchLabels nil.
func (b *CertificateDNSNameSelectorApplyConfiguration) WithMatchLabels(entries map[string]string) *CertificateDNSNameSelectorApplyConfiguration {
	// Nothing to merge: do not allocate, so the field stays omitted from the patch.
	if len(entries) == 0 {
		return b
	}
	if b.MatchLabels == nil {
		b.MatchLabels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		b.MatchLabels[key] = val
	}
	return b
}

// WithDNSNames appends values to DNSNames in order and returns the receiver for
// chaining. Repeated calls accumulate; calling with no values is a no-op.
func (b *CertificateDNSNameSelectorApplyConfiguration) WithDNSNames(values ...string) *CertificateDNSNameSelectorApplyConfiguration {
	b.DNSNames = append(b.DNSNames, values...)
	return b
}

// WithDNSZones appends values to DNSZones in order and returns the receiver for
// chaining. Repeated calls accumulate; calling with no values is a no-op.
func (b *CertificateDNSNameSelectorApplyConfiguration) WithDNSZones(values ...string) *CertificateDNSNameSelectorApplyConfiguration {
	b.DNSZones = append(b.DNSZones, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// ChallengeApplyConfiguration represents a declarative configuration of the Challenge type for use
// with apply.
type ChallengeApplyConfiguration struct {
	// Kind and APIVersion are serialized inline at the top level of the object.
	metav1.TypeMetaApplyConfiguration `json:",inline"`
	// Held by pointer so an unset metadata block is omitted; the With*/Get*
	// methods allocate it on first use via ensureObjectMetaApplyConfigurationExists.
	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	Spec                                 *ChallengeSpecApplyConfiguration   `json:"spec,omitempty"`
	Status                               *ChallengeStatusApplyConfiguration `json:"status,omitempty"`
}
// Challenge returns a ChallengeApplyConfiguration pre-populated with the given
// name and namespace, the "Challenge" kind and the "acme.cert-manager.io/v1"
// API version, ready for further With* calls and an apply request.
func Challenge(name, namespace string) *ChallengeApplyConfiguration {
	return (&ChallengeApplyConfiguration{}).
		WithName(name).
		WithNamespace(namespace).
		WithKind("Challenge").
		WithAPIVersion("acme.cert-manager.io/v1")
}
// ExtractChallenge returns the apply configuration for challenge that is owned
// by fieldManager, as recorded in its managedFields. When fieldManager owns no
// fields (it never applied any, or other managers have since taken them all
// over) the result carries only Name, Namespace, Kind and APIVersion. challenge
// must be an unmodified Challenge as read from the Kubernetes API. The result
// can contain fewer fields than fieldManager originally applied if another
// manager has updated or force-applied some of them. This supports an
// extract / modify-in-place / apply workflow. Experimental.
func ExtractChallenge(challenge *acmev1.Challenge, fieldManager string) (*ChallengeApplyConfiguration, error) {
	const mainResource = ""
	return extractChallenge(challenge, fieldManager, mainResource)
}
// ExtractChallengeStatus behaves like ExtractChallenge but reads the fields
// that fieldManager applied through the status subresource. Experimental.
func ExtractChallengeStatus(challenge *acmev1.Challenge, fieldManager string) (*ChallengeApplyConfiguration, error) {
	const statusSubresource = "status"
	return extractChallenge(challenge, fieldManager, statusSubresource)
}
// extractChallenge is the shared implementation behind ExtractChallenge and
// ExtractChallengeStatus. subresource selects which managedFields entries are
// consulted ("" for the main resource, "status" for the status subresource).
// On success the returned configuration always has Name, Namespace, Kind and
// APIVersion set, even when fieldManager owns nothing else.
func extractChallenge(challenge *acmev1.Challenge, fieldManager string, subresource string) (*ChallengeApplyConfiguration, error) {
	b := &ChallengeApplyConfiguration{}
	schemaType := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Challenge")
	if err := managedfields.ExtractInto(challenge, schemaType, fieldManager, b, subresource); err != nil {
		return nil, err
	}
	return b.
		WithName(challenge.Name).
		WithNamespace(challenge.Namespace).
		WithKind("Challenge").
		WithAPIVersion("acme.cert-manager.io/v1"), nil
}
// IsApplyConfiguration has no behaviour; it presumably exists so that the type
// satisfies a marker interface used by the apply machinery.
func (ChallengeApplyConfiguration) IsApplyConfiguration() {}
// WithKind records value as the object's Kind and returns b for chaining.
// Each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithKind(value string) *ChallengeApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion records value as the object's APIVersion and returns b for
// chaining. Each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithAPIVersion(value string) *ChallengeApplyConfiguration {
	apiVersion := value
	b.TypeMetaApplyConfiguration.APIVersion = &apiVersion
	return b
}
// WithName records value as metadata.name and returns b for chaining. The
// metadata block is allocated on first use; each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithName(value string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	name := value
	b.ObjectMetaApplyConfiguration.Name = &name
	return b
}
// WithGenerateName records value as metadata.generateName and returns b for
// chaining. The metadata block is allocated on first use; each call replaces
// the previous value.
func (b *ChallengeApplyConfiguration) WithGenerateName(value string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	generateName := value
	b.ObjectMetaApplyConfiguration.GenerateName = &generateName
	return b
}
// WithNamespace records value as metadata.namespace and returns b for chaining.
// The metadata block is allocated on first use; each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithNamespace(value string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	namespace := value
	b.ObjectMetaApplyConfiguration.Namespace = &namespace
	return b
}
// WithUID records value as metadata.uid and returns b for chaining. The
// metadata block is allocated on first use; each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithUID(value types.UID) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	uid := value
	b.ObjectMetaApplyConfiguration.UID = &uid
	return b
}
// WithResourceVersion records value as metadata.resourceVersion and returns b
// for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *ChallengeApplyConfiguration) WithResourceVersion(value string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	resourceVersion := value
	b.ObjectMetaApplyConfiguration.ResourceVersion = &resourceVersion
	return b
}
// WithGeneration records value as metadata.generation and returns b for
// chaining. The metadata block is allocated on first use; each call replaces
// the previous value.
func (b *ChallengeApplyConfiguration) WithGeneration(value int64) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	generation := value
	b.ObjectMetaApplyConfiguration.Generation = &generation
	return b
}
// WithCreationTimestamp records value as metadata.creationTimestamp and returns
// b for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *ChallengeApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	created := value
	b.ObjectMetaApplyConfiguration.CreationTimestamp = &created
	return b
}
// WithDeletionTimestamp records value as metadata.deletionTimestamp and returns
// b for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *ChallengeApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	deleted := value
	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &deleted
	return b
}
// WithDeletionGracePeriodSeconds records value as
// metadata.deletionGracePeriodSeconds and returns b for chaining. The metadata
// block is allocated on first use; each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	grace := value
	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &grace
	return b
}
// WithLabels merges entries into metadata.labels and returns b for chaining.
// Existing keys are overwritten. The metadata block is allocated on first use,
// but a nil or empty entries map never allocates the labels map itself.
func (b *ChallengeApplyConfiguration) WithLabels(entries map[string]string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	if len(entries) == 0 {
		return b
	}
	meta := b.ObjectMetaApplyConfiguration
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into metadata.annotations and returns b for
// chaining. Existing keys are overwritten. The metadata block is allocated on
// first use, but a nil or empty entries map never allocates the annotations map itself.
func (b *ChallengeApplyConfiguration) WithAnnotations(entries map[string]string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	if len(entries) == 0 {
		return b
	}
	meta := b.ObjectMetaApplyConfiguration
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends a copy of each referenced configuration to
// metadata.ownerReferences and returns b for chaining. Repeated calls
// accumulate. A nil element is a programming error and panics; elements before
// it in the same call have already been appended when that happens.
func (b *ChallengeApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends values to metadata.finalizers and returns b for
// chaining. Repeated calls accumulate; a call with no values only ensures the
// metadata block exists.
func (b *ChallengeApplyConfiguration) WithFinalizers(values ...string) *ChallengeApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	meta.Finalizers = append(meta.Finalizers, values...)
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// metadata block so callers can dereference it without a nil check.
func (b *ChallengeApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = new(metav1.ObjectMetaApplyConfiguration)
}
// WithSpec stores value as the Spec (the pointer itself, not a copy) and
// returns b for chaining. Each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithSpec(value *ChallengeSpecApplyConfiguration) *ChallengeApplyConfiguration {
	b.Spec = value
	return b
}
// WithStatus stores value as the Status (the pointer itself, not a copy) and
// returns b for chaining. Each call replaces the previous value.
func (b *ChallengeApplyConfiguration) WithStatus(value *ChallengeStatusApplyConfiguration) *ChallengeApplyConfiguration {
	b.Status = value
	return b
}
// GetKind returns the configured Kind, or nil when none has been set.
func (b *ChallengeApplyConfiguration) GetKind() *string {
	typeMeta := &b.TypeMetaApplyConfiguration
	return typeMeta.Kind
}
// GetAPIVersion returns the configured APIVersion, or nil when none has been set.
func (b *ChallengeApplyConfiguration) GetAPIVersion() *string {
	typeMeta := &b.TypeMetaApplyConfiguration
	return typeMeta.APIVersion
}
// GetName returns the configured metadata.name, or nil when none has been set.
// Note that it allocates the metadata block as a side effect if it is still nil.
func (b *ChallengeApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Name
}
// GetNamespace returns the configured metadata.namespace, or nil when none has
// been set. Like GetName it allocates the metadata block if it is still nil.
func (b *ChallengeApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Namespace
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// ChallengeSpecApplyConfiguration represents a declarative configuration of the ChallengeSpec type for use
// with apply.
//
// All fields are pointers with omitempty so that only explicitly set fields take
// part in the apply patch.
type ChallengeSpecApplyConfiguration struct {
	URL              *string                            `json:"url,omitempty"`
	AuthorizationURL *string                            `json:"authorizationURL,omitempty"`
	DNSName          *string                            `json:"dnsName,omitempty"`
	Wildcard         *bool                              `json:"wildcard,omitempty"`
	Type             *acmev1.ACMEChallengeType          `json:"type,omitempty"`
	// NOTE(review): Token and Key presumably carry the ACME challenge token and
	// key authorization; treat them as sensitive when logging or persisting
	// apply configurations — confirm against acmev1.ChallengeSpec.
	Token     *string                                 `json:"token,omitempty"`
	Key       *string                                 `json:"key,omitempty"`
	Solver    *ACMEChallengeSolverApplyConfiguration  `json:"solver,omitempty"`
	IssuerRef *metav1.IssuerReferenceApplyConfiguration `json:"issuerRef,omitempty"`
}
// ChallengeSpec returns an empty ChallengeSpecApplyConfiguration to be filled
// in through the With* methods.
func ChallengeSpec() *ChallengeSpecApplyConfiguration {
	var spec ChallengeSpecApplyConfiguration
	return &spec
}
// WithURL records value as the URL field and returns b for chaining. Each call
// replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithURL(value string) *ChallengeSpecApplyConfiguration {
	url := value
	b.URL = &url
	return b
}
// WithAuthorizationURL records value as the AuthorizationURL field and returns
// b for chaining. Each call replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithAuthorizationURL(value string) *ChallengeSpecApplyConfiguration {
	authzURL := value
	b.AuthorizationURL = &authzURL
	return b
}
// WithDNSName records value as the DNSName field and returns b for chaining.
// Each call replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithDNSName(value string) *ChallengeSpecApplyConfiguration {
	dnsName := value
	b.DNSName = &dnsName
	return b
}
// WithWildcard records value as the Wildcard field and returns b for chaining.
// Each call replaces the previous value; note that false is still "set" and is
// serialized, unlike an unset (nil) field.
func (b *ChallengeSpecApplyConfiguration) WithWildcard(value bool) *ChallengeSpecApplyConfiguration {
	wildcard := value
	b.Wildcard = &wildcard
	return b
}
// WithType records value as the Type field and returns b for chaining. Each
// call replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithType(value acmev1.ACMEChallengeType) *ChallengeSpecApplyConfiguration {
	challengeType := value
	b.Type = &challengeType
	return b
}
// WithToken records value as the Token field and returns b for chaining. Each
// call replaces the previous value. The value is stored as given; nothing here
// redacts it, so avoid dumping the configuration into logs.
func (b *ChallengeSpecApplyConfiguration) WithToken(value string) *ChallengeSpecApplyConfiguration {
	token := value
	b.Token = &token
	return b
}
// WithKey records value as the Key field and returns b for chaining. Each call
// replaces the previous value. The value is stored as given; nothing here
// redacts it, so avoid dumping the configuration into logs.
func (b *ChallengeSpecApplyConfiguration) WithKey(value string) *ChallengeSpecApplyConfiguration {
	key := value
	b.Key = &key
	return b
}
// WithSolver stores value as the Solver (the pointer itself, not a copy) and
// returns b for chaining. Each call replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithSolver(value *ACMEChallengeSolverApplyConfiguration) *ChallengeSpecApplyConfiguration {
	b.Solver = value
	return b
}
// WithIssuerRef stores value as the IssuerRef (the pointer itself, not a copy)
// and returns b for chaining. Each call replaces the previous value.
func (b *ChallengeSpecApplyConfiguration) WithIssuerRef(value *metav1.IssuerReferenceApplyConfiguration) *ChallengeSpecApplyConfiguration {
	b.IssuerRef = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
)
// ChallengeStatusApplyConfiguration represents a declarative configuration of the ChallengeStatus type for use
// with apply.
//
// All fields are pointers with omitempty so that only explicitly set fields take
// part in the apply patch (a false bool is still sent once set).
type ChallengeStatusApplyConfiguration struct {
	Processing *bool         `json:"processing,omitempty"`
	Presented  *bool         `json:"presented,omitempty"`
	Reason     *string       `json:"reason,omitempty"`
	State      *acmev1.State `json:"state,omitempty"`
}
// ChallengeStatus returns an empty ChallengeStatusApplyConfiguration to be
// filled in through the With* methods.
func ChallengeStatus() *ChallengeStatusApplyConfiguration {
	var status ChallengeStatusApplyConfiguration
	return &status
}
// WithProcessing records value as the Processing field and returns b for
// chaining. Each call replaces the previous value.
func (b *ChallengeStatusApplyConfiguration) WithProcessing(value bool) *ChallengeStatusApplyConfiguration {
	processing := value
	b.Processing = &processing
	return b
}
// WithPresented records value as the Presented field and returns b for
// chaining. Each call replaces the previous value.
func (b *ChallengeStatusApplyConfiguration) WithPresented(value bool) *ChallengeStatusApplyConfiguration {
	presented := value
	b.Presented = &presented
	return b
}
// WithReason records value as the Reason field and returns b for chaining.
// Each call replaces the previous value.
func (b *ChallengeStatusApplyConfiguration) WithReason(value string) *ChallengeStatusApplyConfiguration {
	reason := value
	b.Reason = &reason
	return b
}
// WithState records value as the State field and returns b for chaining. Each
// call replaces the previous value.
func (b *ChallengeStatusApplyConfiguration) WithState(value acmev1.State) *ChallengeStatusApplyConfiguration {
	state := value
	b.State = &state
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// OrderApplyConfiguration represents a declarative configuration of the Order type for use
// with apply.
type OrderApplyConfiguration struct {
	// Kind and APIVersion are serialized inline at the top level of the object.
	metav1.TypeMetaApplyConfiguration `json:",inline"`
	// Held by pointer so an unset metadata block is omitted; the With* methods
	// allocate it on first use via ensureObjectMetaApplyConfigurationExists.
	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	Spec                                 *OrderSpecApplyConfiguration   `json:"spec,omitempty"`
	Status                               *OrderStatusApplyConfiguration `json:"status,omitempty"`
}
// Order returns an OrderApplyConfiguration pre-populated with the given name
// and namespace, the "Order" kind and the "acme.cert-manager.io/v1" API
// version, ready for further With* calls and an apply request.
func Order(name, namespace string) *OrderApplyConfiguration {
	return (&OrderApplyConfiguration{}).
		WithName(name).
		WithNamespace(namespace).
		WithKind("Order").
		WithAPIVersion("acme.cert-manager.io/v1")
}
// ExtractOrder returns the apply configuration for order that is owned by
// fieldManager, as recorded in its managedFields. When fieldManager owns no
// fields (it never applied any, or other managers have since taken them all
// over) the result carries only Name, Namespace, Kind and APIVersion. order
// must be an unmodified Order as read from the Kubernetes API. The result can
// contain fewer fields than fieldManager originally applied if another manager
// has updated or force-applied some of them. This supports an
// extract / modify-in-place / apply workflow. Experimental.
func ExtractOrder(order *acmev1.Order, fieldManager string) (*OrderApplyConfiguration, error) {
	const mainResource = ""
	return extractOrder(order, fieldManager, mainResource)
}
// ExtractOrderStatus behaves like ExtractOrder but reads the fields that
// fieldManager applied through the status subresource. Experimental.
func ExtractOrderStatus(order *acmev1.Order, fieldManager string) (*OrderApplyConfiguration, error) {
	const statusSubresource = "status"
	return extractOrder(order, fieldManager, statusSubresource)
}
// extractOrder is the shared implementation behind ExtractOrder and
// ExtractOrderStatus. subresource selects which managedFields entries are
// consulted ("" for the main resource, "status" for the status subresource).
// On success the returned configuration always has Name, Namespace, Kind and
// APIVersion set, even when fieldManager owns nothing else.
func extractOrder(order *acmev1.Order, fieldManager string, subresource string) (*OrderApplyConfiguration, error) {
	b := &OrderApplyConfiguration{}
	schemaType := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Order")
	if err := managedfields.ExtractInto(order, schemaType, fieldManager, b, subresource); err != nil {
		return nil, err
	}
	return b.
		WithName(order.Name).
		WithNamespace(order.Namespace).
		WithKind("Order").
		WithAPIVersion("acme.cert-manager.io/v1"), nil
}
// IsApplyConfiguration has no behaviour; it presumably exists so that the type
// satisfies a marker interface used by the apply machinery.
func (OrderApplyConfiguration) IsApplyConfiguration() {}
// WithKind records value as the object's Kind and returns b for chaining.
// Each call replaces the previous value.
func (b *OrderApplyConfiguration) WithKind(value string) *OrderApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion records value as the object's APIVersion and returns b for
// chaining. Each call replaces the previous value.
func (b *OrderApplyConfiguration) WithAPIVersion(value string) *OrderApplyConfiguration {
	apiVersion := value
	b.TypeMetaApplyConfiguration.APIVersion = &apiVersion
	return b
}
// WithName records value as metadata.name and returns b for chaining. The
// metadata block is allocated on first use; each call replaces the previous value.
func (b *OrderApplyConfiguration) WithName(value string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	name := value
	b.ObjectMetaApplyConfiguration.Name = &name
	return b
}
// WithGenerateName records value as metadata.generateName and returns b for
// chaining. The metadata block is allocated on first use; each call replaces
// the previous value.
func (b *OrderApplyConfiguration) WithGenerateName(value string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	generateName := value
	b.ObjectMetaApplyConfiguration.GenerateName = &generateName
	return b
}
// WithNamespace records value as metadata.namespace and returns b for chaining.
// The metadata block is allocated on first use; each call replaces the previous value.
func (b *OrderApplyConfiguration) WithNamespace(value string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	namespace := value
	b.ObjectMetaApplyConfiguration.Namespace = &namespace
	return b
}
// WithUID records value as metadata.uid and returns b for chaining. The
// metadata block is allocated on first use; each call replaces the previous value.
func (b *OrderApplyConfiguration) WithUID(value types.UID) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	uid := value
	b.ObjectMetaApplyConfiguration.UID = &uid
	return b
}
// WithResourceVersion records value as metadata.resourceVersion and returns b
// for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *OrderApplyConfiguration) WithResourceVersion(value string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	resourceVersion := value
	b.ObjectMetaApplyConfiguration.ResourceVersion = &resourceVersion
	return b
}
// WithGeneration records value as metadata.generation and returns b for
// chaining. The metadata block is allocated on first use; each call replaces
// the previous value.
func (b *OrderApplyConfiguration) WithGeneration(value int64) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	generation := value
	b.ObjectMetaApplyConfiguration.Generation = &generation
	return b
}
// WithCreationTimestamp records value as metadata.creationTimestamp and returns
// b for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *OrderApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	created := value
	b.ObjectMetaApplyConfiguration.CreationTimestamp = &created
	return b
}
// WithDeletionTimestamp records value as metadata.deletionTimestamp and returns
// b for chaining. The metadata block is allocated on first use; each call
// replaces the previous value.
func (b *OrderApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	deleted := value
	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &deleted
	return b
}
// WithDeletionGracePeriodSeconds records value as
// metadata.deletionGracePeriodSeconds and returns b for chaining. The metadata
// block is allocated on first use; each call replaces the previous value.
func (b *OrderApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	grace := value
	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &grace
	return b
}
// WithLabels merges entries into metadata.labels and returns b for chaining.
// Existing keys are overwritten. The metadata block is allocated on first use,
// but a nil or empty entries map never allocates the labels map itself.
func (b *OrderApplyConfiguration) WithLabels(entries map[string]string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	if len(entries) == 0 {
		return b
	}
	meta := b.ObjectMetaApplyConfiguration
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into the Annotations map of the embedded
// object metadata and returns the receiver for chaining.
//
// Keys already present are overwritten by the incoming value; keys that are
// absent from entries are left untouched, so repeated calls accumulate. An
// empty or nil entries map is a no-op (no Annotations map is allocated).
func (b *OrderApplyConfiguration) WithAnnotations(entries map[string]string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	if len(entries) == 0 {
		return b
	}
	meta := b.ObjectMetaApplyConfiguration
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends a copy of each given owner reference to the
// OwnerReferences list of the embedded object metadata and returns the
// receiver for chaining. Repeated calls keep appending.
//
// A nil element is a programming error and panics (this mirrors the other
// generated builders). References appended before the nil element are
// retained on the receiver.
func (b *OrderApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends the given finalizer names to the Finalizers list of
// the embedded object metadata and returns the receiver for chaining.
// Repeated calls keep appending; no de-duplication is performed here.
func (b *OrderApplyConfiguration) WithFinalizers(values ...string) *OrderApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	meta.Finalizers = append(meta.Finalizers, values...)
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// ObjectMetaApplyConfiguration so metadata setters can dereference it.
// It is a no-op when the metadata is already present.
func (b *OrderApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = new(metav1.ObjectMetaApplyConfiguration)
}
// WithSpec sets the Spec field to the given pointer and returns the receiver
// for chaining. The pointer is stored as-is (not copied), so later changes to
// value are visible through the receiver. Calling it again replaces the
// earlier pointer.
func (b *OrderApplyConfiguration) WithSpec(value *OrderSpecApplyConfiguration) *OrderApplyConfiguration {
	spec := value
	b.Spec = spec
	return b
}
// WithStatus sets the Status field to the given pointer and returns the
// receiver for chaining. The pointer is stored as-is (not copied). Calling it
// again replaces the earlier pointer.
func (b *OrderApplyConfiguration) WithStatus(value *OrderStatusApplyConfiguration) *OrderApplyConfiguration {
	status := value
	b.Status = status
	return b
}
// GetKind returns the Kind pointer from the embedded type metadata.
// It is nil when no kind has been set.
func (b *OrderApplyConfiguration) GetKind() *string {
	kind := b.TypeMetaApplyConfiguration.Kind
	return kind
}
// GetAPIVersion returns the APIVersion pointer from the embedded type
// metadata. It is nil when no API version has been set.
func (b *OrderApplyConfiguration) GetAPIVersion() *string {
	version := b.TypeMetaApplyConfiguration.APIVersion
	return version
}
// GetName returns the Name pointer from the embedded object metadata, or nil
// when no name has been set.
//
// Note that this getter has a side effect: it allocates the embedded
// ObjectMetaApplyConfiguration if it is still nil.
func (b *OrderApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	name := b.ObjectMetaApplyConfiguration.Name
	return name
}
// GetNamespace returns the Namespace pointer from the embedded object
// metadata, or nil when no namespace has been set.
//
// Note that this getter has a side effect: it allocates the embedded
// ObjectMetaApplyConfiguration if it is still nil.
func (b *OrderApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	ns := b.ObjectMetaApplyConfiguration.Namespace
	return ns
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// OrderSpecApplyConfiguration represents a declarative configuration of the OrderSpec type for use
// with apply.
//
// Every field is optional (omitempty) so that an apply only claims ownership
// of the fields that were explicitly set. None of the builders on this type
// validate their input; any consistency checks (e.g. that the CSR's SANs
// match DNSNames/IPAddresses) presumably happen elsewhere — confirm before
// relying on it.
type OrderSpecApplyConfiguration struct {
// Raw certificate signing request bytes; encoding/json serialises a []byte
// as a base64 string.
Request []byte `json:"request,omitempty"`
// Reference to the Issuer/ClusterIssuer that will fulfil the order.
IssuerRef *metav1.IssuerReferenceApplyConfiguration `json:"issuerRef,omitempty"`
// Requested subject common name.
CommonName *string `json:"commonName,omitempty"`
// Requested DNS subject alternative names.
DNSNames []string `json:"dnsNames,omitempty"`
// Requested IP address subject alternative names.
IPAddresses []string `json:"ipAddresses,omitempty"`
// Requested validity period.
Duration *apismetav1.Duration `json:"duration,omitempty"`
// Requested issuance profile name (semantics defined by the ACME server —
// not visible here).
Profile *string `json:"profile,omitempty"`
}
// OrderSpec returns an empty OrderSpecApplyConfiguration ready to be populated
// through its With* builders.
func OrderSpec() *OrderSpecApplyConfiguration {
	spec := new(OrderSpecApplyConfiguration)
	return spec
}
// WithRequest appends the given bytes to the Request field (the raw CSR) and
// returns the receiver for chaining.
//
// Because repeated calls concatenate, callers should normally pass the whole
// CSR in a single call (`WithRequest(csr...)`). No parsing or validation of
// the CSR is performed here.
func (b *OrderSpecApplyConfiguration) WithRequest(values ...byte) *OrderSpecApplyConfiguration {
	b.Request = append(b.Request, values...)
	return b
}
// WithIssuerRef sets the IssuerRef field to the given pointer (stored as-is,
// not copied) and returns the receiver for chaining. Calling it again
// replaces the earlier pointer.
func (b *OrderSpecApplyConfiguration) WithIssuerRef(value *metav1.IssuerReferenceApplyConfiguration) *OrderSpecApplyConfiguration {
	ref := value
	b.IssuerRef = ref
	return b
}
// WithCommonName stores a copy of value as the CommonName field and returns
// the receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderSpecApplyConfiguration) WithCommonName(value string) *OrderSpecApplyConfiguration {
	cn := value
	b.CommonName = &cn
	return b
}
// WithDNSNames appends the given names to the DNSNames field and returns the
// receiver for chaining. Repeated calls keep appending; no de-duplication or
// syntax validation is performed here.
func (b *OrderSpecApplyConfiguration) WithDNSNames(values ...string) *OrderSpecApplyConfiguration {
	b.DNSNames = append(b.DNSNames, values...)
	return b
}
// WithIPAddresses appends the given addresses to the IPAddresses field and
// returns the receiver for chaining. Repeated calls keep appending; the
// strings are not parsed as IPs here.
func (b *OrderSpecApplyConfiguration) WithIPAddresses(values ...string) *OrderSpecApplyConfiguration {
	b.IPAddresses = append(b.IPAddresses, values...)
	return b
}
// WithDuration stores a copy of value as the Duration field and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderSpecApplyConfiguration) WithDuration(value apismetav1.Duration) *OrderSpecApplyConfiguration {
	d := value
	b.Duration = &d
	return b
}
// WithProfile stores a copy of value as the Profile field and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderSpecApplyConfiguration) WithProfile(value string) *OrderSpecApplyConfiguration {
	profile := value
	b.Profile = &profile
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// OrderStatusApplyConfiguration represents a declarative configuration of the OrderStatus type for use
// with apply.
//
// All fields are optional (omitempty). NOTE(review): the URL fields are
// presumably values handed back by the ACME server; nothing in this package
// validates them, so a client applying a status should only populate them
// from a genuine server response — confirm against the controller that
// writes this status.
type OrderStatusApplyConfiguration struct {
// ACME order resource URL.
URL *string `json:"url,omitempty"`
// ACME finalize endpoint for this order.
FinalizeURL *string `json:"finalizeURL,omitempty"`
// Per-identifier authorizations returned by the ACME server.
Authorizations []ACMEAuthorizationApplyConfiguration `json:"authorizations,omitempty"`
// Issued certificate bytes (serialised as base64 by encoding/json).
Certificate []byte `json:"certificate,omitempty"`
// Current order state.
State *acmev1.State `json:"state,omitempty"`
// Human-readable explanation of the current state.
Reason *string `json:"reason,omitempty"`
// Time at which the order failed, if it did.
FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
// OrderStatus returns an empty OrderStatusApplyConfiguration ready to be
// populated through its With* builders.
func OrderStatus() *OrderStatusApplyConfiguration {
	status := new(OrderStatusApplyConfiguration)
	return status
}
// WithURL stores a copy of value as the URL field and returns the receiver
// for chaining. Calling it again replaces the earlier value. The string is
// not parsed or validated as a URL here.
func (b *OrderStatusApplyConfiguration) WithURL(value string) *OrderStatusApplyConfiguration {
	u := value
	b.URL = &u
	return b
}
// WithFinalizeURL stores a copy of value as the FinalizeURL field and returns
// the receiver for chaining. Calling it again replaces the earlier value.
// The string is not parsed or validated as a URL here.
func (b *OrderStatusApplyConfiguration) WithFinalizeURL(value string) *OrderStatusApplyConfiguration {
	u := value
	b.FinalizeURL = &u
	return b
}
// WithAuthorizations appends a copy of each given authorization to the
// Authorizations field and returns the receiver for chaining. Repeated calls
// keep appending.
//
// A nil element is a programming error and panics; elements appended before
// the nil one remain on the receiver.
func (b *OrderStatusApplyConfiguration) WithAuthorizations(values ...*ACMEAuthorizationApplyConfiguration) *OrderStatusApplyConfiguration {
	for _, authz := range values {
		if authz == nil {
			panic("nil value passed to WithAuthorizations")
		}
		b.Authorizations = append(b.Authorizations, *authz)
	}
	return b
}
// WithCertificate appends the given bytes to the Certificate field and
// returns the receiver for chaining.
//
// Repeated calls concatenate, so the whole certificate (or chain) should
// normally be passed in one call. The bytes are not parsed here.
func (b *OrderStatusApplyConfiguration) WithCertificate(values ...byte) *OrderStatusApplyConfiguration {
	b.Certificate = append(b.Certificate, values...)
	return b
}
// WithState stores a copy of value as the State field and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderStatusApplyConfiguration) WithState(value acmev1.State) *OrderStatusApplyConfiguration {
	st := value
	b.State = &st
	return b
}
// WithReason stores a copy of value as the Reason field and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderStatusApplyConfiguration) WithReason(value string) *OrderStatusApplyConfiguration {
	reason := value
	b.Reason = &reason
	return b
}
// WithFailureTime stores a copy of value as the FailureTime field and returns
// the receiver for chaining. Calling it again replaces the earlier value.
func (b *OrderStatusApplyConfiguration) WithFailureTime(value metav1.Time) *OrderStatusApplyConfiguration {
	ts := value
	b.FailureTime = &ts
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// Route53AuthApplyConfiguration represents a declarative configuration of the Route53Auth type for use
// with apply.
//
// Only one authentication mechanism is modelled here (Kubernetes
// service-account based); it is optional (omitempty).
type Route53AuthApplyConfiguration struct {
// Kubernetes service-account based authentication settings.
Kubernetes *Route53KubernetesAuthApplyConfiguration `json:"kubernetes,omitempty"`
}
// Route53Auth returns an empty Route53AuthApplyConfiguration ready to be
// populated through its With* builders.
func Route53Auth() *Route53AuthApplyConfiguration {
	auth := new(Route53AuthApplyConfiguration)
	return auth
}
// WithKubernetes sets the Kubernetes field to the given pointer (stored
// as-is, not copied) and returns the receiver for chaining. Calling it again
// replaces the earlier pointer.
func (b *Route53AuthApplyConfiguration) WithKubernetes(value *Route53KubernetesAuthApplyConfiguration) *Route53AuthApplyConfiguration {
	k8s := value
	b.Kubernetes = k8s
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// Route53KubernetesAuthApplyConfiguration represents a declarative configuration of the Route53KubernetesAuth type for use
// with apply.
//
// NOTE(review): the referenced service account's token is presumably
// exchanged for AWS credentials (web-identity federation); the trust
// relationship on the AWS side is what bounds what that token can do —
// confirm against the Route53 solver implementation.
type Route53KubernetesAuthApplyConfiguration struct {
// Service account whose token is used to authenticate to AWS.
ServiceAccountRef *ServiceAccountRefApplyConfiguration `json:"serviceAccountRef,omitempty"`
}
// Route53KubernetesAuth returns an empty Route53KubernetesAuthApplyConfiguration
// ready to be populated through its With* builders.
func Route53KubernetesAuth() *Route53KubernetesAuthApplyConfiguration {
	auth := new(Route53KubernetesAuthApplyConfiguration)
	return auth
}
// WithServiceAccountRef sets the ServiceAccountRef field to the given pointer
// (stored as-is, not copied) and returns the receiver for chaining. Calling
// it again replaces the earlier pointer.
func (b *Route53KubernetesAuthApplyConfiguration) WithServiceAccountRef(value *ServiceAccountRefApplyConfiguration) *Route53KubernetesAuthApplyConfiguration {
	ref := value
	b.ServiceAccountRef = ref
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ServiceAccountRefApplyConfiguration represents a declarative configuration of the ServiceAccountRef type for use
// with apply.
//
// Note the JSON key for TokenAudiences is "audiences", not "tokenAudiences".
type ServiceAccountRefApplyConfiguration struct {
// Name of the service account (namespace is not part of this reference).
Name *string `json:"name,omitempty"`
// Audiences requested for the service-account token. NOTE(review): these
// presumably end up in the token's aud claim; keep the list to the intended
// consumer so the token cannot be replayed elsewhere — confirm against the
// token-request code.
TokenAudiences []string `json:"audiences,omitempty"`
}
// ServiceAccountRef returns an empty ServiceAccountRefApplyConfiguration
// ready to be populated through its With* builders.
func ServiceAccountRef() *ServiceAccountRefApplyConfiguration {
	ref := new(ServiceAccountRefApplyConfiguration)
	return ref
}
// WithName stores a copy of value as the Name field and returns the receiver
// for chaining. Calling it again replaces the earlier value.
func (b *ServiceAccountRefApplyConfiguration) WithName(value string) *ServiceAccountRefApplyConfiguration {
	name := value
	b.Name = &name
	return b
}
// WithTokenAudiences appends the given audiences to the TokenAudiences field
// (JSON key "audiences") and returns the receiver for chaining. Repeated
// calls keep appending; no de-duplication is performed.
//
// Every audience added here widens who can accept the resulting token, so
// callers should add only the audience(s) the AWS side actually expects.
func (b *ServiceAccountRefApplyConfiguration) WithTokenAudiences(values ...string) *ServiceAccountRefApplyConfiguration {
	b.TokenAudiences = append(b.TokenAudiences, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// CAIssuerApplyConfiguration represents a declarative configuration of the CAIssuer type for use
// with apply.
//
// NOTE(review): SecretName presumably names the Secret holding the CA's
// signing key; read access to that Secret is equivalent to the ability to
// mint certificates under the CA, so RBAC on it is the real trust boundary.
// The three URL lists are presumably embedded into issued certificates; they
// are not validated anywhere in this package — confirm both points against
// the CA issuer implementation.
type CAIssuerApplyConfiguration struct {
// Name of the Secret referenced by this issuer (same namespace assumed —
// not visible here).
SecretName *string `json:"secretName,omitempty"`
// CRL distribution point URLs.
CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
// OCSP responder URLs.
OCSPServers []string `json:"ocspServers,omitempty"`
// Issuing-certificate (CA issuers) URLs.
IssuingCertificateURLs []string `json:"issuingCertificateURLs,omitempty"`
}
// CAIssuer returns an empty CAIssuerApplyConfiguration ready to be populated
// through its With* builders.
func CAIssuer() *CAIssuerApplyConfiguration {
	issuer := new(CAIssuerApplyConfiguration)
	return issuer
}
// WithSecretName stores a copy of value as the SecretName field and returns
// the receiver for chaining. Calling it again replaces the earlier value.
// Existence of the named Secret is not checked here.
func (b *CAIssuerApplyConfiguration) WithSecretName(value string) *CAIssuerApplyConfiguration {
	name := value
	b.SecretName = &name
	return b
}
// WithCRLDistributionPoints appends the given URLs to the
// CRLDistributionPoints field and returns the receiver for chaining.
// Repeated calls keep appending; the strings are not validated as URLs here.
func (b *CAIssuerApplyConfiguration) WithCRLDistributionPoints(values ...string) *CAIssuerApplyConfiguration {
	b.CRLDistributionPoints = append(b.CRLDistributionPoints, values...)
	return b
}
// WithOCSPServers appends the given URLs to the OCSPServers field and returns
// the receiver for chaining. Repeated calls keep appending; the strings are
// not validated as URLs here.
func (b *CAIssuerApplyConfiguration) WithOCSPServers(values ...string) *CAIssuerApplyConfiguration {
	b.OCSPServers = append(b.OCSPServers, values...)
	return b
}
// WithIssuingCertificateURLs appends the given URLs to the
// IssuingCertificateURLs field and returns the receiver for chaining.
// Repeated calls keep appending; the strings are not validated as URLs here.
func (b *CAIssuerApplyConfiguration) WithIssuingCertificateURLs(values ...string) *CAIssuerApplyConfiguration {
	b.IssuingCertificateURLs = append(b.IssuingCertificateURLs, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// CertificateApplyConfiguration represents a declarative configuration of the Certificate type for use
// with apply.
//
// TypeMeta is embedded by value and serialised inline; ObjectMeta is an
// embedded pointer that the metadata setters allocate lazily. Spec and
// Status are optional (omitempty).
type CertificateApplyConfiguration struct {
// Kind / APIVersion, serialised inline.
metav1.TypeMetaApplyConfiguration `json:",inline"`
// Object metadata; nil until a metadata setter (or getter) touches it.
*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
// Desired state of the certificate.
Spec *CertificateSpecApplyConfiguration `json:"spec,omitempty"`
// Observed state of the certificate.
Status *CertificateStatusApplyConfiguration `json:"status,omitempty"`
}
// Certificate returns a CertificateApplyConfiguration for the object with the
// given name and namespace, with Kind and APIVersion pre-populated as
// "Certificate" / "cert-manager.io/v1". Spec and Status are left nil.
func Certificate(name, namespace string) *CertificateApplyConfiguration {
	return new(CertificateApplyConfiguration).
		WithName(name).
		WithNamespace(namespace).
		WithKind("Certificate").
		WithAPIVersion("cert-manager.io/v1")
}
// ExtractCertificate extracts the applied configuration owned by fieldManager
// from certificate, based on the object's managedFields.
//
// If no managedFields entry for fieldManager is found, the returned
// configuration contains only Name, Namespace, APIVersion and Kind. That can
// happen because other field managers have since taken ownership of every
// field fieldManager once owned, or because fieldManager never owned any.
//
// certificate must be an unmodified object retrieved from the Kubernetes
// API: the extraction trusts its managedFields as written by the API server.
// The result supports an extract / modify-in-place / apply workflow, and may
// contain fewer fields than fieldManager previously applied if another
// manager has updated or force-applied some of them.
//
// Experimental!
func ExtractCertificate(certificate *certmanagerv1.Certificate, fieldManager string) (*CertificateApplyConfiguration, error) {
	const mainObject = "" // no subresource: extract the object itself
	return extractCertificate(certificate, fieldManager, mainObject)
}
// ExtractCertificateStatus behaves like ExtractCertificate but extracts the
// applied configuration of the "status" subresource instead of the main
// object.
//
// Experimental!
func ExtractCertificateStatus(certificate *certmanagerv1.Certificate, fieldManager string) (*CertificateApplyConfiguration, error) {
	const statusSubresource = "status"
	return extractCertificate(certificate, fieldManager, statusSubresource)
}
// extractCertificate is the shared implementation behind ExtractCertificate
// and ExtractCertificateStatus. subresource selects which managedFields
// entry set is consulted ("" for the main object, "status" for the status
// subresource).
//
// On success the returned configuration always carries the object's name,
// namespace, Kind and APIVersion, even when fieldManager owns no fields.
// Any error from the managed-fields extraction is returned unchanged.
func extractCertificate(certificate *certmanagerv1.Certificate, fieldManager string, subresource string) (*CertificateApplyConfiguration, error) {
	parsedType := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Certificate")
	b := new(CertificateApplyConfiguration)
	if err := managedfields.ExtractInto(certificate, parsedType, fieldManager, b, subresource); err != nil {
		return nil, err
	}
	// Identity is always populated from the live object, regardless of what
	// fieldManager owns.
	b.WithName(certificate.Name).
		WithNamespace(certificate.Namespace).
		WithKind("Certificate").
		WithAPIVersion("cert-manager.io/v1")
	return b, nil
}
// IsApplyConfiguration is a marker method; it has no behaviour. The value
// receiver (unlike the pointer receivers elsewhere on this type) means both
// CertificateApplyConfiguration and *CertificateApplyConfiguration satisfy
// any interface that requires it.
func (b CertificateApplyConfiguration) IsApplyConfiguration() {}
// WithKind stores a copy of value as the Kind of the embedded type metadata
// and returns the receiver for chaining. Calling it again replaces the
// earlier value.
func (b *CertificateApplyConfiguration) WithKind(value string) *CertificateApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion stores a copy of value as the APIVersion of the embedded
// type metadata and returns the receiver for chaining. Calling it again
// replaces the earlier value.
func (b *CertificateApplyConfiguration) WithAPIVersion(value string) *CertificateApplyConfiguration {
	version := value
	b.TypeMetaApplyConfiguration.APIVersion = &version
	return b
}
// WithName stores a copy of value as the Name of the embedded object metadata
// (allocating the metadata if needed) and returns the receiver for chaining.
// Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithName(value string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	name := value
	b.ObjectMetaApplyConfiguration.Name = &name
	return b
}
// WithGenerateName stores a copy of value as the GenerateName of the embedded
// object metadata (allocating the metadata if needed) and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithGenerateName(value string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	prefix := value
	b.ObjectMetaApplyConfiguration.GenerateName = &prefix
	return b
}
// WithNamespace stores a copy of value as the Namespace of the embedded
// object metadata (allocating the metadata if needed) and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithNamespace(value string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ns := value
	b.ObjectMetaApplyConfiguration.Namespace = &ns
	return b
}
// WithUID stores a copy of value as the UID of the embedded object metadata
// (allocating the metadata if needed) and returns the receiver for chaining.
// Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithUID(value types.UID) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	uid := value
	b.ObjectMetaApplyConfiguration.UID = &uid
	return b
}
// WithResourceVersion stores a copy of value as the ResourceVersion of the
// embedded object metadata (allocating the metadata if needed) and returns
// the receiver for chaining. Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithResourceVersion(value string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	rv := value
	b.ObjectMetaApplyConfiguration.ResourceVersion = &rv
	return b
}
// WithGeneration stores a copy of value as the Generation of the embedded
// object metadata (allocating the metadata if needed) and returns the
// receiver for chaining. Calling it again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithGeneration(value int64) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	gen := value
	b.ObjectMetaApplyConfiguration.Generation = &gen
	return b
}
// WithCreationTimestamp stores a copy of value as the CreationTimestamp of
// the embedded object metadata (allocating the metadata if needed) and
// returns the receiver for chaining. Calling it again replaces the earlier
// value.
func (b *CertificateApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ts := value
	b.ObjectMetaApplyConfiguration.CreationTimestamp = &ts
	return b
}
// WithDeletionTimestamp stores a copy of value as the DeletionTimestamp of
// the embedded object metadata (allocating the metadata if needed) and
// returns the receiver for chaining. Calling it again replaces the earlier
// value.
func (b *CertificateApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ts := value
	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &ts
	return b
}
// WithDeletionGracePeriodSeconds stores a copy of value as the
// DeletionGracePeriodSeconds of the embedded object metadata (allocating the
// metadata if needed) and returns the receiver for chaining. Calling it
// again replaces the earlier value.
func (b *CertificateApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	secs := value
	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &secs
	return b
}
// WithLabels merges entries into the Labels map of the embedded object
// metadata and returns the receiver for chaining.
//
// Keys already present are overwritten by the incoming value; keys absent
// from entries are left untouched, so repeated calls accumulate. An empty or
// nil entries map is a no-op (no Labels map is allocated).
func (b *CertificateApplyConfiguration) WithLabels(entries map[string]string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	if len(entries) == 0 {
		return b
	}
	meta := b.ObjectMetaApplyConfiguration
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into the Annotations map of the object metadata
// and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists
// is overwritten with the newer value.
func (b *CertificateApplyConfiguration) WithAnnotations(entries map[string]string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) == 0 {
		// Nothing to merge; a nil map is deliberately left nil.
		return b
	}
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends each value to the OwnerReferences list of the
// object metadata and returns the receiver so that "With" calls can be chained.
// Values from successive calls accumulate. A nil element is a programming
// error and causes a panic.
func (b *CertificateApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		// The list holds values, not pointers, so each reference is copied in.
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends each value to the Finalizers list of the object
// metadata and returns the receiver so that "With" calls can be chained.
// Values from successive calls accumulate.
func (b *CertificateApplyConfiguration) WithFinalizers(values ...string) *CertificateApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	meta.Finalizers = append(meta.Finalizers, values...)
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// ObjectMetaApplyConfiguration so that metadata setters can write through it.
func (b *CertificateApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = new(metav1.ObjectMetaApplyConfiguration)
}
// WithSpec sets the Spec field to the given configuration and returns the
// receiver so that "With" calls can be chained.
// Each call replaces any value set by a previous call.
func (b *CertificateApplyConfiguration) WithSpec(value *CertificateSpecApplyConfiguration) *CertificateApplyConfiguration {
	// The pointer is stored as given, so the caller and receiver share the spec.
	b.Spec = value
	return b
}
// WithStatus sets the Status field to the given configuration and returns the
// receiver so that "With" calls can be chained.
// Each call replaces any value set by a previous call.
func (b *CertificateApplyConfiguration) WithStatus(value *CertificateStatusApplyConfiguration) *CertificateApplyConfiguration {
	// The pointer is stored as given, so the caller and receiver share the status.
	b.Status = value
	return b
}
// GetKind returns the Kind field of the embedded type metadata; nil when unset.
func (b *CertificateApplyConfiguration) GetKind() *string {
	kind := b.TypeMetaApplyConfiguration.Kind
	return kind
}
// GetAPIVersion returns the APIVersion field of the embedded type metadata; nil when unset.
func (b *CertificateApplyConfiguration) GetAPIVersion() *string {
	version := b.TypeMetaApplyConfiguration.APIVersion
	return version
}
// GetName returns the Name field of the object metadata; nil when unset.
// Calling it allocates the metadata if it does not exist yet.
func (b *CertificateApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Name
}
// GetNamespace returns the Namespace field of the object metadata; nil when unset.
// Calling it allocates the metadata if it does not exist yet.
func (b *CertificateApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Namespace
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// CertificateAdditionalOutputFormatApplyConfiguration represents a declarative configuration of the CertificateAdditionalOutputFormat type for use
// with apply. Every field is a pointer so that an unset field is omitted from the serialized apply patch.
type CertificateAdditionalOutputFormatApplyConfiguration struct {
	// Type is serialized as "type"; nil means the field is not part of the patch.
	Type *certmanagerv1.CertificateOutputFormatType `json:"type,omitempty"`
}
// CertificateAdditionalOutputFormat returns an empty CertificateAdditionalOutputFormatApplyConfiguration
// to be populated through its "With" methods.
func CertificateAdditionalOutputFormat() *CertificateAdditionalOutputFormatApplyConfiguration {
	var cfg CertificateAdditionalOutputFormatApplyConfiguration
	return &cfg
}
// WithType sets the Type field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateAdditionalOutputFormatApplyConfiguration) WithType(value certmanagerv1.CertificateOutputFormatType) *CertificateAdditionalOutputFormatApplyConfiguration {
	t := value
	b.Type = &t
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateConditionApplyConfiguration represents a declarative configuration of the CertificateCondition type for use
// with apply. Every field is a pointer so that an unset field is omitted from the serialized apply patch.
type CertificateConditionApplyConfiguration struct {
	// Type is serialized as "type".
	Type *certmanagerv1.CertificateConditionType `json:"type,omitempty"`
	// Status is serialized as "status".
	Status *metav1.ConditionStatus `json:"status,omitempty"`
	// LastTransitionTime is serialized as "lastTransitionTime".
	LastTransitionTime *apismetav1.Time `json:"lastTransitionTime,omitempty"`
	// Reason is serialized as "reason".
	Reason *string `json:"reason,omitempty"`
	// Message is serialized as "message".
	Message *string `json:"message,omitempty"`
	// ObservedGeneration is serialized as "observedGeneration".
	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
}
// CertificateCondition returns an empty CertificateConditionApplyConfiguration
// to be populated through its "With" methods.
func CertificateCondition() *CertificateConditionApplyConfiguration {
	var cfg CertificateConditionApplyConfiguration
	return &cfg
}
// WithType sets the Type field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithType(value certmanagerv1.CertificateConditionType) *CertificateConditionApplyConfiguration {
	t := value
	b.Type = &t
	return b
}
// WithStatus sets the Status field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithStatus(value metav1.ConditionStatus) *CertificateConditionApplyConfiguration {
	status := value
	b.Status = &status
	return b
}
// WithLastTransitionTime sets the LastTransitionTime field and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithLastTransitionTime(value apismetav1.Time) *CertificateConditionApplyConfiguration {
	ts := value
	b.LastTransitionTime = &ts
	return b
}
// WithReason sets the Reason field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithReason(value string) *CertificateConditionApplyConfiguration {
	reason := value
	b.Reason = &reason
	return b
}
// WithMessage sets the Message field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithMessage(value string) *CertificateConditionApplyConfiguration {
	msg := value
	b.Message = &msg
	return b
}
// WithObservedGeneration sets the ObservedGeneration field and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateConditionApplyConfiguration) WithObservedGeneration(value int64) *CertificateConditionApplyConfiguration {
	gen := value
	b.ObservedGeneration = &gen
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// CertificateKeystoresApplyConfiguration represents a declarative configuration of the CertificateKeystores type for use
// with apply. Every field is a pointer so that an unset field is omitted from the serialized apply patch.
type CertificateKeystoresApplyConfiguration struct {
	// JKS is serialized as "jks".
	JKS *JKSKeystoreApplyConfiguration `json:"jks,omitempty"`
	// PKCS12 is serialized as "pkcs12".
	PKCS12 *PKCS12KeystoreApplyConfiguration `json:"pkcs12,omitempty"`
}
// CertificateKeystores returns an empty CertificateKeystoresApplyConfiguration
// to be populated through its "With" methods.
func CertificateKeystores() *CertificateKeystoresApplyConfiguration {
	var cfg CertificateKeystoresApplyConfiguration
	return &cfg
}
// WithJKS sets the JKS field to the given configuration and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateKeystoresApplyConfiguration) WithJKS(value *JKSKeystoreApplyConfiguration) *CertificateKeystoresApplyConfiguration {
	// The pointer is stored as given; the caller and receiver share the object.
	b.JKS = value
	return b
}
// WithPKCS12 sets the PKCS12 field to the given configuration and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateKeystoresApplyConfiguration) WithPKCS12(value *PKCS12KeystoreApplyConfiguration) *CertificateKeystoresApplyConfiguration {
	// The pointer is stored as given; the caller and receiver share the object.
	b.PKCS12 = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// CertificatePrivateKeyApplyConfiguration represents a declarative configuration of the CertificatePrivateKey type for use
// with apply. Every field is a pointer so that an unset field is omitted from the serialized apply patch.
type CertificatePrivateKeyApplyConfiguration struct {
	// RotationPolicy is serialized as "rotationPolicy".
	RotationPolicy *certmanagerv1.PrivateKeyRotationPolicy `json:"rotationPolicy,omitempty"`
	// Encoding is serialized as "encoding".
	Encoding *certmanagerv1.PrivateKeyEncoding `json:"encoding,omitempty"`
	// Algorithm is serialized as "algorithm".
	Algorithm *certmanagerv1.PrivateKeyAlgorithm `json:"algorithm,omitempty"`
	// Size is serialized as "size"; its valid range is not checked here.
	Size *int `json:"size,omitempty"`
}
// CertificatePrivateKey returns an empty CertificatePrivateKeyApplyConfiguration
// to be populated through its "With" methods.
func CertificatePrivateKey() *CertificatePrivateKeyApplyConfiguration {
	var cfg CertificatePrivateKeyApplyConfiguration
	return &cfg
}
// WithRotationPolicy sets the RotationPolicy field and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificatePrivateKeyApplyConfiguration) WithRotationPolicy(value certmanagerv1.PrivateKeyRotationPolicy) *CertificatePrivateKeyApplyConfiguration {
	policy := value
	b.RotationPolicy = &policy
	return b
}
// WithEncoding sets the Encoding field and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificatePrivateKeyApplyConfiguration) WithEncoding(value certmanagerv1.PrivateKeyEncoding) *CertificatePrivateKeyApplyConfiguration {
	enc := value
	b.Encoding = &enc
	return b
}
// WithAlgorithm sets the Algorithm field and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificatePrivateKeyApplyConfiguration) WithAlgorithm(value certmanagerv1.PrivateKeyAlgorithm) *CertificatePrivateKeyApplyConfiguration {
	alg := value
	b.Algorithm = &alg
	return b
}
// WithSize sets the Size field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
// No validation is performed here; the value is stored as given.
func (b *CertificatePrivateKeyApplyConfiguration) WithSize(value int) *CertificatePrivateKeyApplyConfiguration {
	size := value
	b.Size = &size
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// CertificateRequestApplyConfiguration represents a declarative configuration of the CertificateRequest type for use
// with apply. Type metadata is inlined; object metadata, spec and status are pointers so an unset
// part is omitted from the serialized apply patch.
type CertificateRequestApplyConfiguration struct {
	// Kind and APIVersion are inlined into the top-level object.
	metav1.TypeMetaApplyConfiguration `json:",inline"`
	// Serialized as "metadata"; allocated lazily by ensureObjectMetaApplyConfigurationExists.
	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	// Spec is serialized as "spec".
	Spec *CertificateRequestSpecApplyConfiguration `json:"spec,omitempty"`
	// Status is serialized as "status".
	Status *CertificateRequestStatusApplyConfiguration `json:"status,omitempty"`
}
// CertificateRequest returns a CertificateRequestApplyConfiguration whose name,
// namespace, kind and apiVersion are already populated, ready for further
// "With" calls before being applied.
func CertificateRequest(name, namespace string) *CertificateRequestApplyConfiguration {
	return (&CertificateRequestApplyConfiguration{}).
		WithName(name).
		WithNamespace(namespace).
		WithKind("CertificateRequest").
		WithAPIVersion("cert-manager.io/v1")
}
// ExtractCertificateRequest extracts the applied configuration owned by fieldManager from
// certificateRequest. If certificateRequest carries no managedFields entry for fieldManager, the
// returned CertificateRequestApplyConfiguration contains only the Name, Namespace (if applicable),
// APIVersion and Kind. That can happen because other field managers have taken ownership of
// every field fieldManager once owned, or because fieldManager never owned any field.
// certificateRequest must be an unmodified CertificateRequest API object as retrieved from the
// Kubernetes API.
// ExtractCertificateRequest supports an extract/modify-in-place/apply workflow.
// Note that the extracted apply configuration holds fewer fields than fieldManager previously
// applied if another field manager has since updated or force-applied any of those fields.
// Experimental!
func ExtractCertificateRequest(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string) (*CertificateRequestApplyConfiguration, error) {
	// An empty subresource selects the main resource rather than a subresource.
	const subresource = ""
	return extractCertificateRequest(certificateRequest, fieldManager, subresource)
}
// ExtractCertificateRequestStatus behaves like ExtractCertificateRequest but extracts the
// applied configuration of the status subresource.
// Experimental!
func ExtractCertificateRequestStatus(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string) (*CertificateRequestApplyConfiguration, error) {
	const subresource = "status"
	return extractCertificateRequest(certificateRequest, fieldManager, subresource)
}
// extractCertificateRequest is the shared implementation behind ExtractCertificateRequest and
// ExtractCertificateRequestStatus; subresource is passed through to managedfields.ExtractInto
// ("" for the main resource, "status" for the status subresource).
// On success the identity fields (name, namespace, kind, apiVersion) are always populated,
// even when no managed fields matched fieldManager.
func extractCertificateRequest(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string, subresource string) (*CertificateRequestApplyConfiguration, error) {
	b := &CertificateRequestApplyConfiguration{}
	parserType := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequest")
	if err := managedfields.ExtractInto(certificateRequest, parserType, fieldManager, b, subresource); err != nil {
		return nil, err
	}
	b.WithName(certificateRequest.Name).
		WithNamespace(certificateRequest.Namespace).
		WithKind("CertificateRequest").
		WithAPIVersion("cert-manager.io/v1")
	return b, nil
}
// IsApplyConfiguration is a marker method with no behavior; it exists so the type
// satisfies an apply-configuration interface declared elsewhere.
func (b CertificateRequestApplyConfiguration) IsApplyConfiguration() {}
// WithKind sets the Kind field of the type metadata and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithKind(value string) *CertificateRequestApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion sets the APIVersion field of the type metadata and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithAPIVersion(value string) *CertificateRequestApplyConfiguration {
	version := value
	b.TypeMetaApplyConfiguration.APIVersion = &version
	return b
}
// WithName sets the Name field of the object metadata and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithName(value string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	name := value
	b.ObjectMetaApplyConfiguration.Name = &name
	return b
}
// WithGenerateName sets the GenerateName field of the object metadata and returns the
// receiver so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithGenerateName(value string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	prefix := value
	b.ObjectMetaApplyConfiguration.GenerateName = &prefix
	return b
}
// WithNamespace sets the Namespace field of the object metadata and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithNamespace(value string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ns := value
	b.ObjectMetaApplyConfiguration.Namespace = &ns
	return b
}
// WithUID sets the UID field of the object metadata and returns the receiver so that
// "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithUID(value types.UID) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	uid := value
	b.ObjectMetaApplyConfiguration.UID = &uid
	return b
}
// WithResourceVersion sets the ResourceVersion field of the object metadata and returns the
// receiver so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithResourceVersion(value string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	rv := value
	b.ObjectMetaApplyConfiguration.ResourceVersion = &rv
	return b
}
// WithGeneration sets the Generation field of the object metadata and returns the receiver
// so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithGeneration(value int64) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	gen := value
	b.ObjectMetaApplyConfiguration.Generation = &gen
	return b
}
// WithCreationTimestamp sets the CreationTimestamp field of the object metadata and returns
// the receiver so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ts := value
	b.ObjectMetaApplyConfiguration.CreationTimestamp = &ts
	return b
}
// WithDeletionTimestamp sets the DeletionTimestamp field of the object metadata and returns
// the receiver so that "With" calls can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	ts := value
	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &ts
	return b
}
// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field of the object
// metadata and returns the receiver so that "With" calls can be chained.
// Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	seconds := value
	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &seconds
	return b
}
// WithLabels merges entries into the Labels map of the object metadata
// and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists
// is overwritten with the newer value.
func (b *CertificateRequestApplyConfiguration) WithLabels(entries map[string]string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) == 0 {
		// Nothing to merge; a nil map is deliberately left nil.
		return b
	}
	if meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into the Annotations map of the object metadata
// and returns the receiver so that "With" calls can be chained.
// Entries from successive calls accumulate; a key that already exists
// is overwritten with the newer value.
func (b *CertificateRequestApplyConfiguration) WithAnnotations(entries map[string]string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) == 0 {
		// Nothing to merge; a nil map is deliberately left nil.
		return b
	}
	if meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends each value to the OwnerReferences list of the
// object metadata and returns the receiver so that "With" calls can be chained.
// Values from successive calls accumulate. A nil element is a programming
// error and causes a panic.
func (b *CertificateRequestApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		// The list holds values, not pointers, so each reference is copied in.
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends each value to the Finalizers list of the object
// metadata and returns the receiver so that "With" calls can be chained.
// Values from successive calls accumulate.
func (b *CertificateRequestApplyConfiguration) WithFinalizers(values ...string) *CertificateRequestApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	meta.Finalizers = append(meta.Finalizers, values...)
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// ObjectMetaApplyConfiguration so that metadata setters can write through it.
func (b *CertificateRequestApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = new(metav1.ObjectMetaApplyConfiguration)
}
// WithSpec sets the Spec field to the given configuration and returns the
// receiver so that "With" calls can be chained.
// Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithSpec(value *CertificateRequestSpecApplyConfiguration) *CertificateRequestApplyConfiguration {
	// The pointer is stored as given, so the caller and receiver share the spec.
	b.Spec = value
	return b
}
// WithStatus sets the Status field to the given configuration and returns the
// receiver so that "With" calls can be chained.
// Each call replaces any value set by a previous call.
func (b *CertificateRequestApplyConfiguration) WithStatus(value *CertificateRequestStatusApplyConfiguration) *CertificateRequestApplyConfiguration {
	// The pointer is stored as given, so the caller and receiver share the status.
	b.Status = value
	return b
}
// GetKind returns the Kind field of the embedded type metadata; nil when unset.
func (b *CertificateRequestApplyConfiguration) GetKind() *string {
	kind := b.TypeMetaApplyConfiguration.Kind
	return kind
}
// GetAPIVersion returns the APIVersion field of the embedded type metadata; nil when unset.
func (b *CertificateRequestApplyConfiguration) GetAPIVersion() *string {
	version := b.TypeMetaApplyConfiguration.APIVersion
	return version
}
// GetName returns the Name field of the object metadata; nil when unset.
// Calling it allocates the metadata if it does not exist yet.
func (b *CertificateRequestApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Name
}
// GetNamespace returns the Namespace field of the object metadata; nil when unset.
// Calling it allocates the metadata if it does not exist yet.
func (b *CertificateRequestApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Namespace
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateRequestConditionApplyConfiguration represents a declarative configuration of the CertificateRequestCondition type for use
// with apply. Every field is a pointer so that an unset field is omitted from the serialized apply patch.
type CertificateRequestConditionApplyConfiguration struct {
	// Type is serialized as "type".
	Type *certmanagerv1.CertificateRequestConditionType `json:"type,omitempty"`
	// Status is serialized as "status".
	Status *metav1.ConditionStatus `json:"status,omitempty"`
	// LastTransitionTime is serialized as "lastTransitionTime".
	LastTransitionTime *apismetav1.Time `json:"lastTransitionTime,omitempty"`
	// Reason is serialized as "reason".
	Reason *string `json:"reason,omitempty"`
	// Message is serialized as "message".
	Message *string `json:"message,omitempty"`
}
// CertificateRequestCondition returns an empty CertificateRequestConditionApplyConfiguration
// to be populated through its "With" methods.
func CertificateRequestCondition() *CertificateRequestConditionApplyConfiguration {
	var cfg CertificateRequestConditionApplyConfiguration
	return &cfg
}
// WithType sets the Type field and returns the receiver so that "With" calls
// can be chained. Each call replaces any value set by a previous call.
func (b *CertificateRequestConditionApplyConfiguration) WithType(value certmanagerv1.CertificateRequestConditionType) *CertificateRequestConditionApplyConfiguration {
	t := value
	b.Type = &t
	return b
}
// WithStatus stores value as the condition Status and returns b for chaining.
// A later call overwrites the Status set by an earlier one.
func (b *CertificateRequestConditionApplyConfiguration) WithStatus(value metav1.ConditionStatus) *CertificateRequestConditionApplyConfiguration {
	s := value // per-call copy; the pointer never aliases caller memory
	b.Status = &s
	return b
}
// WithLastTransitionTime stores value as LastTransitionTime and returns b for chaining.
// Only the most recent call's value is kept.
func (b *CertificateRequestConditionApplyConfiguration) WithLastTransitionTime(value apismetav1.Time) *CertificateRequestConditionApplyConfiguration {
	ts := value
	b.LastTransitionTime = &ts
	return b
}
// WithReason stores value as the condition Reason and returns b for chaining.
// Each call replaces the Reason stored by a previous call.
func (b *CertificateRequestConditionApplyConfiguration) WithReason(value string) *CertificateRequestConditionApplyConfiguration {
	reason := value
	b.Reason = &reason
	return b
}
// WithMessage stores value as the condition Message and returns b for chaining.
// Each call replaces the Message stored by a previous call.
func (b *CertificateRequestConditionApplyConfiguration) WithMessage(value string) *CertificateRequestConditionApplyConfiguration {
	msg := value
	b.Message = &msg
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationsmetav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateRequestSpecApplyConfiguration represents a declarative configuration of the CertificateRequestSpec type for use
// with apply.
//
// Scalar fields are pointers and collections carry `omitempty`, so only fields that were
// explicitly set appear in the apply patch.
type CertificateRequestSpecApplyConfiguration struct {
// Requested validity period of the certificate.
Duration *metav1.Duration `json:"duration,omitempty"`
// Reference to the issuer that should sign this request.
IssuerRef *applyconfigurationsmetav1.IssuerReferenceApplyConfiguration `json:"issuerRef,omitempty"`
// Raw request bytes; presumably the encoded CSR — confirm the expected encoding (PEM vs DER)
// against certmanagerv1.CertificateRequestSpec before relying on it.
Request []byte `json:"request,omitempty"`
// Whether a CA certificate is being requested.
IsCA *bool `json:"isCA,omitempty"`
// Requested key usages, typed by certmanagerv1.
Usages []certmanagerv1.KeyUsage `json:"usages,omitempty"`
// NOTE(review): Username, UID, Groups and Extra look like the requesting principal's
// identity attributes. Confirm they are populated server-side rather than trusted from the
// client, since any issuer-side policy keyed on them depends on that.
Username *string `json:"username,omitempty"`
UID *string `json:"uid,omitempty"`
Groups []string `json:"groups,omitempty"`
// Additional identity attributes, keyed by attribute name. The slices are stored by
// reference when set through WithExtra.
Extra map[string][]string `json:"extra,omitempty"`
}
// CertificateRequestSpec returns an empty CertificateRequestSpecApplyConfiguration
// ready to be populated through its chainable With* methods.
func CertificateRequestSpec() *CertificateRequestSpecApplyConfiguration {
	spec := new(CertificateRequestSpecApplyConfiguration)
	return spec
}
// WithDuration stores value as the requested Duration and returns b for chaining.
// Only the last call's value is retained.
func (b *CertificateRequestSpecApplyConfiguration) WithDuration(value metav1.Duration) *CertificateRequestSpecApplyConfiguration {
	d := value
	b.Duration = &d
	return b
}
// WithIssuerRef stores the given issuer reference configuration and returns b for chaining.
// The pointer is kept as passed, so the caller's object and this configuration share it;
// a later call replaces the earlier reference.
func (b *CertificateRequestSpecApplyConfiguration) WithIssuerRef(value *applyconfigurationsmetav1.IssuerReferenceApplyConfiguration) *CertificateRequestSpecApplyConfiguration {
	b.IssuerRef = value
	return b
}
// WithRequest appends the given bytes to the Request field and returns b for chaining.
// Repeated calls accumulate; nothing previously appended is discarded.
func (b *CertificateRequestSpecApplyConfiguration) WithRequest(values ...byte) *CertificateRequestSpecApplyConfiguration {
	// Appending the whole variadic slice is equivalent to appending its elements one by one.
	b.Request = append(b.Request, values...)
	return b
}
// WithIsCA stores value as IsCA and returns b for chaining.
// Only the most recent call's value survives.
func (b *CertificateRequestSpecApplyConfiguration) WithIsCA(value bool) *CertificateRequestSpecApplyConfiguration {
	isCA := value
	b.IsCA = &isCA
	return b
}
// WithUsages appends the given key usages to Usages and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateRequestSpecApplyConfiguration) WithUsages(values ...certmanagerv1.KeyUsage) *CertificateRequestSpecApplyConfiguration {
	b.Usages = append(b.Usages, values...)
	return b
}
// WithUsername stores value as Username and returns b for chaining.
// A later call overwrites an earlier one.
func (b *CertificateRequestSpecApplyConfiguration) WithUsername(value string) *CertificateRequestSpecApplyConfiguration {
	name := value
	b.Username = &name
	return b
}
// WithUID stores value as UID and returns b for chaining.
// A later call overwrites an earlier one.
func (b *CertificateRequestSpecApplyConfiguration) WithUID(value string) *CertificateRequestSpecApplyConfiguration {
	uid := value
	b.UID = &uid
	return b
}
// WithGroups appends the given group names to Groups and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateRequestSpecApplyConfiguration) WithGroups(values ...string) *CertificateRequestSpecApplyConfiguration {
	b.Groups = append(b.Groups, values...)
	return b
}
// WithExtra copies every key of entries into the Extra map and returns b for chaining.
// Keys already present in Extra are overwritten; other existing keys are kept.
// The slice values are stored by reference, not cloned, so later mutation of a
// caller-owned slice is visible through Extra.
func (b *CertificateRequestSpecApplyConfiguration) WithExtra(entries map[string][]string) *CertificateRequestSpecApplyConfiguration {
	// An empty input leaves a nil Extra nil, so the field stays omitted from the patch.
	if len(entries) > 0 && b.Extra == nil {
		b.Extra = make(map[string][]string, len(entries))
	}
	for key := range entries {
		b.Extra[key] = entries[key]
	}
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateRequestStatusApplyConfiguration represents a declarative configuration of the CertificateRequestStatus type for use
// with apply.
//
// All fields carry `omitempty`, so only populated fields reach the apply patch.
type CertificateRequestStatusApplyConfiguration struct {
// Conditions observed on the request; appended to via WithConditions.
Conditions []CertificateRequestConditionApplyConfiguration `json:"conditions,omitempty"`
// Issued certificate bytes; presumably PEM-encoded — confirm against certmanagerv1.
Certificate []byte `json:"certificate,omitempty"`
// Issuing CA bytes; encoding as for Certificate — confirm.
CA []byte `json:"ca,omitempty"`
// Time at which the request failed, if it did.
FailureTime *metav1.Time `json:"failureTime,omitempty"`
}
// CertificateRequestStatus returns an empty CertificateRequestStatusApplyConfiguration
// for population through its chainable With* methods.
func CertificateRequestStatus() *CertificateRequestStatusApplyConfiguration {
	status := new(CertificateRequestStatusApplyConfiguration)
	return status
}
// WithConditions appends a copy of each given condition to Conditions and returns b for chaining.
// Repeated calls accumulate. A nil element is a programming error and panics, because the
// slice stores values and there is no meaningful zero condition to substitute.
func (b *CertificateRequestStatusApplyConfiguration) WithConditions(values ...*CertificateRequestConditionApplyConfiguration) *CertificateRequestStatusApplyConfiguration {
	for _, cond := range values {
		if cond == nil {
			panic("nil value passed to WithConditions")
		}
		// Dereference so Conditions holds its own copy rather than aliasing the caller's pointer.
		b.Conditions = append(b.Conditions, *cond)
	}
	return b
}
// WithCertificate appends the given bytes to Certificate and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateRequestStatusApplyConfiguration) WithCertificate(values ...byte) *CertificateRequestStatusApplyConfiguration {
	b.Certificate = append(b.Certificate, values...)
	return b
}
// WithCA appends the given bytes to CA and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateRequestStatusApplyConfiguration) WithCA(values ...byte) *CertificateRequestStatusApplyConfiguration {
	b.CA = append(b.CA, values...)
	return b
}
// WithFailureTime stores value as FailureTime and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateRequestStatusApplyConfiguration) WithFailureTime(value metav1.Time) *CertificateRequestStatusApplyConfiguration {
	ts := value
	b.FailureTime = &ts
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// CertificateSecretTemplateApplyConfiguration represents a declarative configuration of the CertificateSecretTemplate type for use
// with apply.
//
// Both maps carry `omitempty`, so an untouched (nil) map is left out of the apply patch.
type CertificateSecretTemplateApplyConfiguration struct {
// Annotations to place on the target Secret; merged key-by-key via WithAnnotations.
Annotations map[string]string `json:"annotations,omitempty"`
// Labels to place on the target Secret; merged key-by-key via WithLabels.
Labels map[string]string `json:"labels,omitempty"`
}
// CertificateSecretTemplate returns an empty CertificateSecretTemplateApplyConfiguration
// for population through its chainable With* methods.
func CertificateSecretTemplate() *CertificateSecretTemplateApplyConfiguration {
	tmpl := new(CertificateSecretTemplateApplyConfiguration)
	return tmpl
}
// WithAnnotations merges entries into Annotations and returns b for chaining.
// A key already present in Annotations is overwritten; keys absent from entries are untouched.
func (b *CertificateSecretTemplateApplyConfiguration) WithAnnotations(entries map[string]string) *CertificateSecretTemplateApplyConfiguration {
	// Leave a nil map nil when there is nothing to add, so the field stays omitted.
	if len(entries) > 0 && b.Annotations == nil {
		b.Annotations = make(map[string]string, len(entries))
	}
	for key := range entries {
		b.Annotations[key] = entries[key]
	}
	return b
}
// WithLabels merges entries into Labels and returns b for chaining.
// A key already present in Labels is overwritten; keys absent from entries are untouched.
func (b *CertificateSecretTemplateApplyConfiguration) WithLabels(entries map[string]string) *CertificateSecretTemplateApplyConfiguration {
	// Leave a nil map nil when there is nothing to add, so the field stays omitted.
	if len(entries) > 0 && b.Labels == nil {
		b.Labels = make(map[string]string, len(entries))
	}
	for key := range entries {
		b.Labels[key] = entries[key]
	}
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationsmetav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateSpecApplyConfiguration represents a declarative configuration of the CertificateSpec type for use
// with apply.
//
// Scalars are pointers and collections carry `omitempty`, so only explicitly set fields
// appear in the apply patch.
type CertificateSpecApplyConfiguration struct {
// Structured X.509 subject. LiteralSubject is an alternative string form; how the two
// interact when both are set is decided elsewhere — confirm against certmanagerv1.
Subject *X509SubjectApplyConfiguration `json:"subject,omitempty"`
LiteralSubject *string `json:"literalSubject,omitempty"`
// Subject common name.
CommonName *string `json:"commonName,omitempty"`
// Requested validity period.
Duration *metav1.Duration `json:"duration,omitempty"`
// Renewal lead time, either as an absolute duration or as a percentage of Duration.
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
RenewBeforePercentage *int32 `json:"renewBeforePercentage,omitempty"`
// Subject alternative names, by kind.
DNSNames []string `json:"dnsNames,omitempty"`
IPAddresses []string `json:"ipAddresses,omitempty"`
URIs []string `json:"uris,omitempty"`
OtherNames []OtherNameApplyConfiguration `json:"otherNames,omitempty"`
EmailAddresses []string `json:"emailAddresses,omitempty"`
// Name of the Secret that receives the issued material, and the metadata template for it.
SecretName *string `json:"secretName,omitempty"`
SecretTemplate *CertificateSecretTemplateApplyConfiguration `json:"secretTemplate,omitempty"`
// Optional keystore (e.g. JKS/PKCS#12-style) output configuration — see the referenced type.
Keystores *CertificateKeystoresApplyConfiguration `json:"keystores,omitempty"`
// Reference to the signing issuer.
IssuerRef *applyconfigurationsmetav1.IssuerReferenceApplyConfiguration `json:"issuerRef,omitempty"`
// Whether to request a CA certificate.
IsCA *bool `json:"isCA,omitempty"`
// Requested key usages, typed by certmanagerv1.
Usages []certmanagerv1.KeyUsage `json:"usages,omitempty"`
// Private key generation parameters.
PrivateKey *CertificatePrivateKeyApplyConfiguration `json:"privateKey,omitempty"`
// Requested signature algorithm, typed by certmanagerv1.
SignatureAlgorithm *certmanagerv1.SignatureAlgorithm `json:"signatureAlgorithm,omitempty"`
// Whether Usages are encoded into the generated request.
EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
// How many historical revisions to retain.
RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
// Extra output encodings to write alongside the default ones.
AdditionalOutputFormats []CertificateAdditionalOutputFormatApplyConfiguration `json:"additionalOutputFormats,omitempty"`
// X.509 name constraints to request.
NameConstraints *NameConstraintsApplyConfiguration `json:"nameConstraints,omitempty"`
}
// CertificateSpec returns an empty CertificateSpecApplyConfiguration for population
// through its chainable With* methods.
func CertificateSpec() *CertificateSpecApplyConfiguration {
	spec := new(CertificateSpecApplyConfiguration)
	return spec
}
// WithSubject stores the given subject configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithSubject(value *X509SubjectApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.Subject = value
	return b
}
// WithLiteralSubject stores value as LiteralSubject and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithLiteralSubject(value string) *CertificateSpecApplyConfiguration {
	subj := value
	b.LiteralSubject = &subj
	return b
}
// WithCommonName stores value as CommonName and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithCommonName(value string) *CertificateSpecApplyConfiguration {
	cn := value
	b.CommonName = &cn
	return b
}
// WithDuration stores value as Duration and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithDuration(value metav1.Duration) *CertificateSpecApplyConfiguration {
	d := value
	b.Duration = &d
	return b
}
// WithRenewBefore stores value as RenewBefore and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithRenewBefore(value metav1.Duration) *CertificateSpecApplyConfiguration {
	d := value
	b.RenewBefore = &d
	return b
}
// WithRenewBeforePercentage stores value as RenewBeforePercentage and returns b for chaining.
// Only the last call's value is kept; no range check is performed here.
func (b *CertificateSpecApplyConfiguration) WithRenewBeforePercentage(value int32) *CertificateSpecApplyConfiguration {
	pct := value
	b.RenewBeforePercentage = &pct
	return b
}
// WithDNSNames appends the given names to DNSNames and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateSpecApplyConfiguration) WithDNSNames(values ...string) *CertificateSpecApplyConfiguration {
	b.DNSNames = append(b.DNSNames, values...)
	return b
}
// WithIPAddresses appends the given addresses to IPAddresses and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateSpecApplyConfiguration) WithIPAddresses(values ...string) *CertificateSpecApplyConfiguration {
	b.IPAddresses = append(b.IPAddresses, values...)
	return b
}
// WithURIs appends the given URIs to URIs and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateSpecApplyConfiguration) WithURIs(values ...string) *CertificateSpecApplyConfiguration {
	b.URIs = append(b.URIs, values...)
	return b
}
// WithOtherNames appends a copy of each given OtherName to OtherNames and returns b for chaining.
// Repeated calls accumulate. A nil element is a programming error and panics, since the
// slice stores values and no sensible zero entry exists.
func (b *CertificateSpecApplyConfiguration) WithOtherNames(values ...*OtherNameApplyConfiguration) *CertificateSpecApplyConfiguration {
	for _, on := range values {
		if on == nil {
			panic("nil value passed to WithOtherNames")
		}
		b.OtherNames = append(b.OtherNames, *on)
	}
	return b
}
// WithEmailAddresses appends the given addresses to EmailAddresses and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateSpecApplyConfiguration) WithEmailAddresses(values ...string) *CertificateSpecApplyConfiguration {
	b.EmailAddresses = append(b.EmailAddresses, values...)
	return b
}
// WithSecretName stores value as SecretName and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithSecretName(value string) *CertificateSpecApplyConfiguration {
	name := value
	b.SecretName = &name
	return b
}
// WithSecretTemplate stores the given template configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithSecretTemplate(value *CertificateSecretTemplateApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.SecretTemplate = value
	return b
}
// WithKeystores stores the given keystores configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithKeystores(value *CertificateKeystoresApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.Keystores = value
	return b
}
// WithIssuerRef stores the given issuer reference configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithIssuerRef(value *applyconfigurationsmetav1.IssuerReferenceApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.IssuerRef = value
	return b
}
// WithIsCA stores value as IsCA and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithIsCA(value bool) *CertificateSpecApplyConfiguration {
	isCA := value
	b.IsCA = &isCA
	return b
}
// WithUsages appends the given key usages to Usages and returns b for chaining.
// Repeated calls accumulate rather than replace.
func (b *CertificateSpecApplyConfiguration) WithUsages(values ...certmanagerv1.KeyUsage) *CertificateSpecApplyConfiguration {
	b.Usages = append(b.Usages, values...)
	return b
}
// WithPrivateKey stores the given private-key configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithPrivateKey(value *CertificatePrivateKeyApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.PrivateKey = value
	return b
}
// WithSignatureAlgorithm stores value as SignatureAlgorithm and returns b for chaining.
// Only the last call's value is kept; no validation of the algorithm happens here.
func (b *CertificateSpecApplyConfiguration) WithSignatureAlgorithm(value certmanagerv1.SignatureAlgorithm) *CertificateSpecApplyConfiguration {
	alg := value
	b.SignatureAlgorithm = &alg
	return b
}
// WithEncodeUsagesInRequest stores value as EncodeUsagesInRequest and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithEncodeUsagesInRequest(value bool) *CertificateSpecApplyConfiguration {
	enc := value
	b.EncodeUsagesInRequest = &enc
	return b
}
// WithRevisionHistoryLimit stores value as RevisionHistoryLimit and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateSpecApplyConfiguration) WithRevisionHistoryLimit(value int32) *CertificateSpecApplyConfiguration {
	limit := value
	b.RevisionHistoryLimit = &limit
	return b
}
// WithAdditionalOutputFormats appends a copy of each given format to AdditionalOutputFormats
// and returns b for chaining. Repeated calls accumulate. A nil element is a programming error
// and panics, since the slice stores values and no sensible zero entry exists.
func (b *CertificateSpecApplyConfiguration) WithAdditionalOutputFormats(values ...*CertificateAdditionalOutputFormatApplyConfiguration) *CertificateSpecApplyConfiguration {
	for _, format := range values {
		if format == nil {
			panic("nil value passed to WithAdditionalOutputFormats")
		}
		b.AdditionalOutputFormats = append(b.AdditionalOutputFormats, *format)
	}
	return b
}
// WithNameConstraints stores the given name-constraints configuration and returns b for chaining.
// The pointer is kept as passed (shared with the caller); a later call replaces it.
func (b *CertificateSpecApplyConfiguration) WithNameConstraints(value *NameConstraintsApplyConfiguration) *CertificateSpecApplyConfiguration {
	b.NameConstraints = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CertificateStatusApplyConfiguration represents a declarative configuration of the CertificateStatus type for use
// with apply.
//
// All fields are pointers or slices with `omitempty`, so only populated fields reach the patch.
type CertificateStatusApplyConfiguration struct {
// Conditions observed on the certificate; appended to via WithConditions.
Conditions []CertificateConditionApplyConfiguration `json:"conditions,omitempty"`
// Time of the most recent issuance failure.
LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`
// Validity window of the currently issued certificate.
NotBefore *metav1.Time `json:"notBefore,omitempty"`
NotAfter *metav1.Time `json:"notAfter,omitempty"`
// Time at which renewal is scheduled.
RenewalTime *metav1.Time `json:"renewalTime,omitempty"`
// Current revision counter.
Revision *int `json:"revision,omitempty"`
// Name of the Secret holding the next private key — presumably used during key rotation; confirm.
NextPrivateKeySecretName *string `json:"nextPrivateKeySecretName,omitempty"`
// Number of consecutive failed issuance attempts.
FailedIssuanceAttempts *int `json:"failedIssuanceAttempts,omitempty"`
}
// CertificateStatus returns an empty CertificateStatusApplyConfiguration for population
// through its chainable With* methods.
func CertificateStatus() *CertificateStatusApplyConfiguration {
	status := new(CertificateStatusApplyConfiguration)
	return status
}
// WithConditions appends a copy of each given condition to Conditions and returns b for chaining.
// Repeated calls accumulate. A nil element is a programming error and panics, because the
// slice stores values and there is no meaningful zero condition to substitute.
func (b *CertificateStatusApplyConfiguration) WithConditions(values ...*CertificateConditionApplyConfiguration) *CertificateStatusApplyConfiguration {
	for _, cond := range values {
		if cond == nil {
			panic("nil value passed to WithConditions")
		}
		// Dereference so Conditions holds its own copy rather than aliasing the caller's pointer.
		b.Conditions = append(b.Conditions, *cond)
	}
	return b
}
// WithLastFailureTime stores value as LastFailureTime and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateStatusApplyConfiguration) WithLastFailureTime(value metav1.Time) *CertificateStatusApplyConfiguration {
	ts := value
	b.LastFailureTime = &ts
	return b
}
// WithNotBefore stores value as NotBefore and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateStatusApplyConfiguration) WithNotBefore(value metav1.Time) *CertificateStatusApplyConfiguration {
	ts := value
	b.NotBefore = &ts
	return b
}
// WithNotAfter stores value as NotAfter and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateStatusApplyConfiguration) WithNotAfter(value metav1.Time) *CertificateStatusApplyConfiguration {
	ts := value
	b.NotAfter = &ts
	return b
}
// WithRenewalTime stores value as RenewalTime and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateStatusApplyConfiguration) WithRenewalTime(value metav1.Time) *CertificateStatusApplyConfiguration {
	ts := value
	b.RenewalTime = &ts
	return b
}
// WithRevision stores value as Revision and returns b for chaining.
// Only the last call's value is kept.
func (b *CertificateStatusApplyConfiguration) WithRevision(value int) *CertificateStatusApplyConfiguration {
	rev := value
	b.Revision = &rev
	return b
}
// WithNextPrivateKeySecretName records value as the NextPrivateKeySecretName of
// the declarative configuration and returns the receiver so calls can be
// chained. A later call replaces the earlier value; the stored pointer is to a
// private copy of value.
func (b *CertificateStatusApplyConfiguration) WithNextPrivateKeySecretName(value string) *CertificateStatusApplyConfiguration {
	name := value
	b.NextPrivateKeySecretName = &name
	return b
}
// WithFailedIssuanceAttempts records value as the FailedIssuanceAttempts of the
// declarative configuration and returns the receiver so calls can be chained.
// A later call replaces the earlier value; the stored pointer is to a private
// copy of value.
func (b *CertificateStatusApplyConfiguration) WithFailedIssuanceAttempts(value int) *CertificateStatusApplyConfiguration {
	attempts := value
	b.FailedIssuanceAttempts = &attempts
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// ClusterIssuerApplyConfiguration represents a declarative configuration of the ClusterIssuer type for use
// with apply.
//
// Field order is significant for the serialized form (TypeMeta is inlined, the
// rest are emitted in declaration order), so it must not be rearranged.
type ClusterIssuerApplyConfiguration struct {
	// Kind and APIVersion; inlined into the top-level JSON object.
	metav1.TypeMetaApplyConfiguration `json:",inline"`
	// Object metadata. Nil until a With*/Get* metadata method is called, which
	// allocates it on demand via ensureObjectMetaApplyConfigurationExists.
	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	// Spec and Status are omitted from the apply payload when nil.
	Spec   *IssuerSpecApplyConfiguration   `json:"spec,omitempty"`
	Status *IssuerStatusApplyConfiguration `json:"status,omitempty"`
}
// ClusterIssuer builds a declarative configuration for a ClusterIssuer named
// name, with Kind and APIVersion already populated for apply. The object is
// cluster-scoped, so no namespace is set here.
func ClusterIssuer(name string) *ClusterIssuerApplyConfiguration {
	return (&ClusterIssuerApplyConfiguration{}).
		WithName(name).
		WithKind("ClusterIssuer").
		WithAPIVersion("cert-manager.io/v1")
}
// ExtractClusterIssuer returns the apply configuration for the fields of
// clusterIssuer that are owned by fieldManager, as recorded in its
// managedFields. When fieldManager owns nothing (it never applied, or other
// managers have since taken over every field) the result carries only the
// Name, Kind and APIVersion.
//
// clusterIssuer must be an unmodified object as retrieved from the Kubernetes
// API; this enables an extract / modify-in-place / apply workflow. The result
// may hold fewer fields than were last applied if another manager updated or
// force-applied some of them.
//
// Experimental!
func ExtractClusterIssuer(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string) (*ClusterIssuerApplyConfiguration, error) {
	const mainResource = ""
	return extractClusterIssuer(clusterIssuer, fieldManager, mainResource)
}
// ExtractClusterIssuerStatus behaves like ExtractClusterIssuer but extracts the
// fields applied through the "status" subresource instead of the main resource.
//
// Experimental!
func ExtractClusterIssuerStatus(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string) (*ClusterIssuerApplyConfiguration, error) {
	const statusSubresource = "status"
	return extractClusterIssuer(clusterIssuer, fieldManager, statusSubresource)
}
// extractClusterIssuer is the shared implementation behind ExtractClusterIssuer
// and ExtractClusterIssuerStatus. subresource is "" for the main resource or
// the subresource name (e.g. "status") whose managedFields entry should be
// consulted. On success the returned configuration always has Name, Kind and
// APIVersion set, even when fieldManager owns no fields; on error nil is
// returned together with the error from managedfields.ExtractInto.
func extractClusterIssuer(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string, subresource string) (*ClusterIssuerApplyConfiguration, error) {
	// Schema type name used by the managed-fields parser for this kind.
	typeRef := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.ClusterIssuer")
	out := &ClusterIssuerApplyConfiguration{}
	if err := managedfields.ExtractInto(clusterIssuer, typeRef, fieldManager, out, subresource); err != nil {
		return nil, err
	}
	// Identity fields are set unconditionally so the result is applyable even
	// when no managed fields were found.
	out.WithName(clusterIssuer.Name).
		WithKind("ClusterIssuer").
		WithAPIVersion("cert-manager.io/v1")
	return out, nil
}
func (b ClusterIssuerApplyConfiguration) IsApplyConfiguration() {}
// WithKind records value as the Kind of the declarative configuration and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value.
func (b *ClusterIssuerApplyConfiguration) WithKind(value string) *ClusterIssuerApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion records value as the APIVersion of the declarative
// configuration and returns the receiver so calls can be chained. A later call
// replaces the earlier value.
func (b *ClusterIssuerApplyConfiguration) WithAPIVersion(value string) *ClusterIssuerApplyConfiguration {
	version := value
	b.TypeMetaApplyConfiguration.APIVersion = &version
	return b
}
// WithName records value as the metadata Name and returns the receiver so calls
// can be chained. A later call replaces the earlier value. The metadata block
// is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithName(value string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	name := value
	meta.Name = &name
	return b
}
// WithGenerateName records value as the metadata GenerateName and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithGenerateName(value string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	prefix := value
	meta.GenerateName = &prefix
	return b
}
// WithNamespace records value as the metadata Namespace and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use. (Generated for every kind;
// ClusterIssuer itself is cluster-scoped and the constructor does not set it.)
func (b *ClusterIssuerApplyConfiguration) WithNamespace(value string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ns := value
	meta.Namespace = &ns
	return b
}
// WithUID records value as the metadata UID and returns the receiver so calls
// can be chained. A later call replaces the earlier value. The metadata block
// is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithUID(value types.UID) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	uid := value
	meta.UID = &uid
	return b
}
// WithResourceVersion records value as the metadata ResourceVersion and returns
// the receiver so calls can be chained. A later call replaces the earlier
// value. The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithResourceVersion(value string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	rv := value
	meta.ResourceVersion = &rv
	return b
}
// WithGeneration records value as the metadata Generation and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithGeneration(value int64) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	gen := value
	meta.Generation = &gen
	return b
}
// WithCreationTimestamp records value as the metadata CreationTimestamp and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value. The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ts := value
	meta.CreationTimestamp = &ts
	return b
}
// WithDeletionTimestamp records value as the metadata DeletionTimestamp and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value. The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ts := value
	meta.DeletionTimestamp = &ts
	return b
}
// WithDeletionGracePeriodSeconds records value as the metadata
// DeletionGracePeriodSeconds and returns the receiver so calls can be chained.
// A later call replaces the earlier value. The metadata block is allocated on
// first use.
func (b *ClusterIssuerApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	secs := value
	meta.DeletionGracePeriodSeconds = &secs
	return b
}
// WithLabels merges entries into the metadata Labels and returns the receiver
// so calls can be chained. Entries from successive calls accumulate; an entry
// whose key already exists is overwritten. The Labels map is only allocated
// when there is at least one entry to store, so an empty call leaves a nil map
// untouched. The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithLabels(entries map[string]string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) > 0 && meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into the metadata Annotations and returns the
// receiver so calls can be chained. Entries from successive calls accumulate;
// an entry whose key already exists is overwritten. The Annotations map is only
// allocated when there is at least one entry to store, so an empty call leaves
// a nil map untouched. The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) > 0 && meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends a copy of each given reference to the metadata
// OwnerReferences and returns the receiver so calls can be chained; values from
// successive calls accumulate. A nil element is a programming error and causes
// a panic; references preceding it in values will already have been appended.
// The metadata block is allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends each given finalizer to the metadata Finalizers and
// returns the receiver so calls can be chained; values from successive calls
// accumulate and no de-duplication is performed. The metadata block is
// allocated on first use.
func (b *ClusterIssuerApplyConfiguration) WithFinalizers(values ...string) *ClusterIssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, finalizer := range values {
		meta.Finalizers = append(meta.Finalizers, finalizer)
	}
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// ObjectMetaApplyConfiguration pointer. Every metadata With*/Get* method calls
// it first so that dereferencing the embedded pointer is always safe; it is a
// no-op once the block exists.
func (b *ClusterIssuerApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{}
}
// WithSpec stores value (which may be nil) as the Spec of the declarative
// configuration and returns the receiver so calls can be chained. The pointer
// is stored as given, not copied; a later call replaces the earlier value.
func (b *ClusterIssuerApplyConfiguration) WithSpec(value *IssuerSpecApplyConfiguration) *ClusterIssuerApplyConfiguration {
	spec := value
	b.Spec = spec
	return b
}
// WithStatus stores value (which may be nil) as the Status of the declarative
// configuration and returns the receiver so calls can be chained. The pointer
// is stored as given, not copied; a later call replaces the earlier value.
func (b *ClusterIssuerApplyConfiguration) WithStatus(value *IssuerStatusApplyConfiguration) *ClusterIssuerApplyConfiguration {
	status := value
	b.Status = status
	return b
}
// GetKind returns the Kind recorded in the declarative configuration, or nil
// when none has been set.
func (b *ClusterIssuerApplyConfiguration) GetKind() *string {
	kind := b.TypeMetaApplyConfiguration.Kind
	return kind
}
// GetAPIVersion returns the APIVersion recorded in the declarative
// configuration, or nil when none has been set.
func (b *ClusterIssuerApplyConfiguration) GetAPIVersion() *string {
	version := b.TypeMetaApplyConfiguration.APIVersion
	return version
}
// GetName returns the metadata Name recorded in the declarative configuration,
// or nil when none has been set. Note that reading allocates the metadata
// block if it does not exist yet, so the getter mutates the receiver.
func (b *ClusterIssuerApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Name
}
// GetNamespace returns the metadata Namespace recorded in the declarative
// configuration, or nil when none has been set. Note that reading allocates the
// metadata block if it does not exist yet, so the getter mutates the receiver.
func (b *ClusterIssuerApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Namespace
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// IssuerApplyConfiguration represents a declarative configuration of the Issuer type for use
// with apply.
//
// Field order is significant for the serialized form (TypeMeta is inlined, the
// rest are emitted in declaration order), so it must not be rearranged.
type IssuerApplyConfiguration struct {
	// Kind and APIVersion; inlined into the top-level JSON object.
	metav1.TypeMetaApplyConfiguration `json:",inline"`
	// Object metadata. Nil until a With*/Get* metadata method is called, which
	// allocates it on demand via ensureObjectMetaApplyConfigurationExists.
	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
	// Spec and Status are omitted from the apply payload when nil.
	Spec   *IssuerSpecApplyConfiguration   `json:"spec,omitempty"`
	Status *IssuerStatusApplyConfiguration `json:"status,omitempty"`
}
// Issuer builds a declarative configuration for the namespaced Issuer called
// name in namespace, with Kind and APIVersion already populated for apply.
func Issuer(name, namespace string) *IssuerApplyConfiguration {
	return (&IssuerApplyConfiguration{}).
		WithName(name).
		WithNamespace(namespace).
		WithKind("Issuer").
		WithAPIVersion("cert-manager.io/v1")
}
// ExtractIssuer returns the apply configuration for the fields of issuer that
// are owned by fieldManager, as recorded in its managedFields. When
// fieldManager owns nothing (it never applied, or other managers have since
// taken over every field) the result carries only the Name, Namespace, Kind
// and APIVersion.
//
// issuer must be an unmodified object as retrieved from the Kubernetes API;
// this enables an extract / modify-in-place / apply workflow. The result may
// hold fewer fields than were last applied if another manager updated or
// force-applied some of them.
//
// Experimental!
func ExtractIssuer(issuer *certmanagerv1.Issuer, fieldManager string) (*IssuerApplyConfiguration, error) {
	const mainResource = ""
	return extractIssuer(issuer, fieldManager, mainResource)
}
// ExtractIssuerStatus behaves like ExtractIssuer but extracts the fields
// applied through the "status" subresource instead of the main resource.
//
// Experimental!
func ExtractIssuerStatus(issuer *certmanagerv1.Issuer, fieldManager string) (*IssuerApplyConfiguration, error) {
	const statusSubresource = "status"
	return extractIssuer(issuer, fieldManager, statusSubresource)
}
// extractIssuer is the shared implementation behind ExtractIssuer and
// ExtractIssuerStatus. subresource is "" for the main resource or the
// subresource name (e.g. "status") whose managedFields entry should be
// consulted. On success the returned configuration always has Name, Namespace,
// Kind and APIVersion set, even when fieldManager owns no fields; on error nil
// is returned together with the error from managedfields.ExtractInto.
func extractIssuer(issuer *certmanagerv1.Issuer, fieldManager string, subresource string) (*IssuerApplyConfiguration, error) {
	// Schema type name used by the managed-fields parser for this kind.
	typeRef := internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Issuer")
	out := &IssuerApplyConfiguration{}
	if err := managedfields.ExtractInto(issuer, typeRef, fieldManager, out, subresource); err != nil {
		return nil, err
	}
	// Identity fields are set unconditionally so the result is applyable even
	// when no managed fields were found.
	out.WithName(issuer.Name).
		WithNamespace(issuer.Namespace).
		WithKind("Issuer").
		WithAPIVersion("cert-manager.io/v1")
	return out, nil
}
func (b IssuerApplyConfiguration) IsApplyConfiguration() {}
// WithKind records value as the Kind of the declarative configuration and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value.
func (b *IssuerApplyConfiguration) WithKind(value string) *IssuerApplyConfiguration {
	kind := value
	b.TypeMetaApplyConfiguration.Kind = &kind
	return b
}
// WithAPIVersion records value as the APIVersion of the declarative
// configuration and returns the receiver so calls can be chained. A later call
// replaces the earlier value.
func (b *IssuerApplyConfiguration) WithAPIVersion(value string) *IssuerApplyConfiguration {
	version := value
	b.TypeMetaApplyConfiguration.APIVersion = &version
	return b
}
// WithName records value as the metadata Name and returns the receiver so calls
// can be chained. A later call replaces the earlier value. The metadata block
// is allocated on first use.
func (b *IssuerApplyConfiguration) WithName(value string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	name := value
	meta.Name = &name
	return b
}
// WithGenerateName records value as the metadata GenerateName and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithGenerateName(value string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	prefix := value
	meta.GenerateName = &prefix
	return b
}
// WithNamespace records value as the metadata Namespace and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithNamespace(value string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ns := value
	meta.Namespace = &ns
	return b
}
// WithUID records value as the metadata UID and returns the receiver so calls
// can be chained. A later call replaces the earlier value. The metadata block
// is allocated on first use.
func (b *IssuerApplyConfiguration) WithUID(value types.UID) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	uid := value
	meta.UID = &uid
	return b
}
// WithResourceVersion records value as the metadata ResourceVersion and returns
// the receiver so calls can be chained. A later call replaces the earlier
// value. The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithResourceVersion(value string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	rv := value
	meta.ResourceVersion = &rv
	return b
}
// WithGeneration records value as the metadata Generation and returns the
// receiver so calls can be chained. A later call replaces the earlier value.
// The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithGeneration(value int64) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	gen := value
	meta.Generation = &gen
	return b
}
// WithCreationTimestamp records value as the metadata CreationTimestamp and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value. The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ts := value
	meta.CreationTimestamp = &ts
	return b
}
// WithDeletionTimestamp records value as the metadata DeletionTimestamp and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value. The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	ts := value
	meta.DeletionTimestamp = &ts
	return b
}
// WithDeletionGracePeriodSeconds records value as the metadata
// DeletionGracePeriodSeconds and returns the receiver so calls can be chained.
// A later call replaces the earlier value. The metadata block is allocated on
// first use.
func (b *IssuerApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	secs := value
	meta.DeletionGracePeriodSeconds = &secs
	return b
}
// WithLabels merges entries into the metadata Labels and returns the receiver
// so calls can be chained. Entries from successive calls accumulate; an entry
// whose key already exists is overwritten. The Labels map is only allocated
// when there is at least one entry to store, so an empty call leaves a nil map
// untouched. The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithLabels(entries map[string]string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) > 0 && meta.Labels == nil {
		meta.Labels = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Labels[key] = val
	}
	return b
}
// WithAnnotations merges entries into the metadata Annotations and returns the
// receiver so calls can be chained. Entries from successive calls accumulate;
// an entry whose key already exists is overwritten. The Annotations map is only
// allocated when there is at least one entry to store, so an empty call leaves
// a nil map untouched. The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithAnnotations(entries map[string]string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	if len(entries) > 0 && meta.Annotations == nil {
		meta.Annotations = make(map[string]string, len(entries))
	}
	for key, val := range entries {
		meta.Annotations[key] = val
	}
	return b
}
// WithOwnerReferences appends a copy of each given reference to the metadata
// OwnerReferences and returns the receiver so calls can be chained; values from
// successive calls accumulate. A nil element is a programming error and causes
// a panic; references preceding it in values will already have been appended.
// The metadata block is allocated on first use.
func (b *IssuerApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, ref := range values {
		if ref == nil {
			panic("nil value passed to WithOwnerReferences")
		}
		meta.OwnerReferences = append(meta.OwnerReferences, *ref)
	}
	return b
}
// WithFinalizers appends each given finalizer to the metadata Finalizers and
// returns the receiver so calls can be chained; values from successive calls
// accumulate and no de-duplication is performed. The metadata block is
// allocated on first use.
func (b *IssuerApplyConfiguration) WithFinalizers(values ...string) *IssuerApplyConfiguration {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	for _, finalizer := range values {
		meta.Finalizers = append(meta.Finalizers, finalizer)
	}
	return b
}
// ensureObjectMetaApplyConfigurationExists lazily allocates the embedded
// ObjectMetaApplyConfiguration pointer. Every metadata With*/Get* method calls
// it first so that dereferencing the embedded pointer is always safe; it is a
// no-op once the block exists.
func (b *IssuerApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
	if b.ObjectMetaApplyConfiguration != nil {
		return
	}
	b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{}
}
// WithSpec stores value (which may be nil) as the Spec of the declarative
// configuration and returns the receiver so calls can be chained. The pointer
// is stored as given, not copied; a later call replaces the earlier value.
func (b *IssuerApplyConfiguration) WithSpec(value *IssuerSpecApplyConfiguration) *IssuerApplyConfiguration {
	spec := value
	b.Spec = spec
	return b
}
// WithStatus stores value (which may be nil) as the Status of the declarative
// configuration and returns the receiver so calls can be chained. The pointer
// is stored as given, not copied; a later call replaces the earlier value.
func (b *IssuerApplyConfiguration) WithStatus(value *IssuerStatusApplyConfiguration) *IssuerApplyConfiguration {
	status := value
	b.Status = status
	return b
}
// GetKind returns the Kind recorded in the declarative configuration, or nil
// when none has been set.
func (b *IssuerApplyConfiguration) GetKind() *string {
	kind := b.TypeMetaApplyConfiguration.Kind
	return kind
}
// GetAPIVersion returns the APIVersion recorded in the declarative
// configuration, or nil when none has been set.
func (b *IssuerApplyConfiguration) GetAPIVersion() *string {
	version := b.TypeMetaApplyConfiguration.APIVersion
	return version
}
// GetName returns the metadata Name recorded in the declarative configuration,
// or nil when none has been set. Note that reading allocates the metadata
// block if it does not exist yet, so the getter mutates the receiver.
func (b *IssuerApplyConfiguration) GetName() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Name
}
// GetNamespace returns the metadata Namespace recorded in the declarative
// configuration, or nil when none has been set. Note that reading allocates the
// metadata block if it does not exist yet, so the getter mutates the receiver.
func (b *IssuerApplyConfiguration) GetNamespace() *string {
	b.ensureObjectMetaApplyConfigurationExists()
	meta := b.ObjectMetaApplyConfiguration
	return meta.Namespace
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// IssuerConditionApplyConfiguration represents a declarative configuration of the IssuerCondition type for use
// with apply.
//
// Every field is a pointer so that an unset field is omitted from the apply
// payload rather than sent as a zero value. Field order is kept as declared
// because it determines serialization order.
type IssuerConditionApplyConfiguration struct {
	// Type identifies which condition this is (a cert-manager IssuerConditionType).
	Type *certmanagerv1.IssuerConditionType `json:"type,omitempty"`
	// Status is the cert-manager meta ConditionStatus, not the k8s.io one.
	Status *metav1.ConditionStatus `json:"status,omitempty"`
	// LastTransitionTime uses the k8s.io apimachinery Time type.
	LastTransitionTime *apismetav1.Time `json:"lastTransitionTime,omitempty"`
	Reason             *string          `json:"reason,omitempty"`
	Message            *string          `json:"message,omitempty"`
	ObservedGeneration *int64           `json:"observedGeneration,omitempty"`
}
// IssuerCondition returns an empty IssuerConditionApplyConfiguration; populate
// it by chaining the With* methods before using it with apply.
func IssuerCondition() *IssuerConditionApplyConfiguration {
	var cond IssuerConditionApplyConfiguration
	return &cond
}
// WithType records value as the condition Type and returns the receiver so
// calls can be chained. A later call replaces the earlier value; the stored
// pointer is to a private copy of value.
func (b *IssuerConditionApplyConfiguration) WithType(value certmanagerv1.IssuerConditionType) *IssuerConditionApplyConfiguration {
	t := value
	b.Type = &t
	return b
}
// WithStatus records value as the condition Status and returns the receiver so
// calls can be chained. A later call replaces the earlier value; the stored
// pointer is to a private copy of value.
func (b *IssuerConditionApplyConfiguration) WithStatus(value metav1.ConditionStatus) *IssuerConditionApplyConfiguration {
	s := value
	b.Status = &s
	return b
}
// WithLastTransitionTime records value as the condition LastTransitionTime and
// returns the receiver so calls can be chained. A later call replaces the
// earlier value; the stored pointer is to a private copy of value.
func (b *IssuerConditionApplyConfiguration) WithLastTransitionTime(value apismetav1.Time) *IssuerConditionApplyConfiguration {
	ts := value
	b.LastTransitionTime = &ts
	return b
}
// WithReason records value as the condition Reason and returns the receiver so
// calls can be chained. A later call replaces the earlier value; the stored
// pointer is to a private copy of value.
func (b *IssuerConditionApplyConfiguration) WithReason(value string) *IssuerConditionApplyConfiguration {
	reason := value
	b.Reason = &reason
	return b
}
// WithMessage records value as the condition Message and returns b so further
// With* calls can be chained. Every call overwrites the previous Message.
func (b *IssuerConditionApplyConfiguration) WithMessage(value string) *IssuerConditionApplyConfiguration {
	m := value // address a private copy, never caller-owned storage
	b.Message = &m
	return b
}
// WithObservedGeneration records value as the condition ObservedGeneration and
// returns b so further With* calls can be chained. Every call overwrites the
// previous value.
func (b *IssuerConditionApplyConfiguration) WithObservedGeneration(value int64) *IssuerConditionApplyConfiguration {
	g := value // address a private copy, never caller-owned storage
	b.ObservedGeneration = &g
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
)
// IssuerConfigApplyConfiguration is the apply-configuration form of
// IssuerConfig. Every field is a pointer that stays nil until the matching
// With* method is called; nil fields are omitted from the serialized object.
type IssuerConfigApplyConfiguration struct {
	ACME       *acmev1.ACMEIssuerApplyConfiguration `json:"acme,omitempty"`
	CA         *CAIssuerApplyConfiguration          `json:"ca,omitempty"`
	Vault      *VaultIssuerApplyConfiguration       `json:"vault,omitempty"`
	SelfSigned *SelfSignedIssuerApplyConfiguration  `json:"selfSigned,omitempty"`
	Venafi     *VenafiIssuerApplyConfiguration      `json:"venafi,omitempty"`
}

// IssuerConfig returns an empty IssuerConfigApplyConfiguration to be filled in
// through the With* methods.
func IssuerConfig() *IssuerConfigApplyConfiguration {
	cfg := new(IssuerConfigApplyConfiguration)
	return cfg
}

// WithACME stores value as the ACME issuer configuration and returns b for
// chaining. The pointer is kept as-is (not copied), so later changes made
// through the caller's pointer are visible here; each call replaces the last.
func (b *IssuerConfigApplyConfiguration) WithACME(value *acmev1.ACMEIssuerApplyConfiguration) *IssuerConfigApplyConfiguration {
	b.ACME = value
	return b
}

// WithCA stores value as the CA issuer configuration and returns b for
// chaining. The pointer is kept as-is (not copied); each call replaces the last.
func (b *IssuerConfigApplyConfiguration) WithCA(value *CAIssuerApplyConfiguration) *IssuerConfigApplyConfiguration {
	b.CA = value
	return b
}

// WithVault stores value as the Vault issuer configuration and returns b for
// chaining. The pointer is kept as-is (not copied); each call replaces the last.
func (b *IssuerConfigApplyConfiguration) WithVault(value *VaultIssuerApplyConfiguration) *IssuerConfigApplyConfiguration {
	b.Vault = value
	return b
}

// WithSelfSigned stores value as the self-signed issuer configuration and
// returns b for chaining. The pointer is kept as-is (not copied); each call
// replaces the last.
func (b *IssuerConfigApplyConfiguration) WithSelfSigned(value *SelfSignedIssuerApplyConfiguration) *IssuerConfigApplyConfiguration {
	b.SelfSigned = value
	return b
}

// WithVenafi stores value as the Venafi issuer configuration and returns b for
// chaining. The pointer is kept as-is (not copied); each call replaces the last.
func (b *IssuerConfigApplyConfiguration) WithVenafi(value *VenafiIssuerApplyConfiguration) *IssuerConfigApplyConfiguration {
	b.Venafi = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
)
// IssuerSpecApplyConfiguration is the apply-configuration form of IssuerSpec.
// It embeds IssuerConfigApplyConfiguration inline, so the issuer fields are
// serialized at the spec's top level and are reachable as promoted fields.
type IssuerSpecApplyConfiguration struct {
	IssuerConfigApplyConfiguration `json:",inline"`
}

// IssuerSpec returns an empty IssuerSpecApplyConfiguration to be filled in
// through the With* methods.
func IssuerSpec() *IssuerSpecApplyConfiguration {
	cfg := new(IssuerSpecApplyConfiguration)
	return cfg
}

// WithACME stores value as the ACME issuer configuration and returns b for
// chaining. ACME is a field promoted from the embedded
// IssuerConfigApplyConfiguration; the pointer is kept as-is and each call
// replaces the last.
func (b *IssuerSpecApplyConfiguration) WithACME(value *acmev1.ACMEIssuerApplyConfiguration) *IssuerSpecApplyConfiguration {
	b.ACME = value
	return b
}

// WithCA stores value as the CA issuer configuration (a promoted field) and
// returns b for chaining. The pointer is kept as-is; each call replaces the last.
func (b *IssuerSpecApplyConfiguration) WithCA(value *CAIssuerApplyConfiguration) *IssuerSpecApplyConfiguration {
	b.CA = value
	return b
}

// WithVault stores value as the Vault issuer configuration (a promoted field)
// and returns b for chaining. The pointer is kept as-is; each call replaces the
// last.
func (b *IssuerSpecApplyConfiguration) WithVault(value *VaultIssuerApplyConfiguration) *IssuerSpecApplyConfiguration {
	b.Vault = value
	return b
}

// WithSelfSigned stores value as the self-signed issuer configuration (a
// promoted field) and returns b for chaining. The pointer is kept as-is; each
// call replaces the last.
func (b *IssuerSpecApplyConfiguration) WithSelfSigned(value *SelfSignedIssuerApplyConfiguration) *IssuerSpecApplyConfiguration {
	b.SelfSigned = value
	return b
}

// WithVenafi stores value as the Venafi issuer configuration (a promoted
// field) and returns b for chaining. The pointer is kept as-is; each call
// replaces the last.
func (b *IssuerSpecApplyConfiguration) WithVenafi(value *VenafiIssuerApplyConfiguration) *IssuerSpecApplyConfiguration {
	b.Venafi = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
)
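// IssuerStatusApplyConfiguration represents a declarative configuration of the
// IssuerStatus type for use with apply.
type IssuerStatusApplyConfiguration struct {
	// Conditions holds the conditions by value: WithConditions copies each
	// entry it is handed, so later edits through the caller's pointer are not
	// reflected here.
	Conditions []IssuerConditionApplyConfiguration `json:"conditions,omitempty"`
	// ACME is stored by pointer and therefore aliases whatever WithACME was given.
	ACME *acmev1.ACMEIssuerStatusApplyConfiguration `json:"acme,omitempty"`
}

// IssuerStatus returns an empty IssuerStatusApplyConfiguration to be filled in
// through the With* methods.
func IssuerStatus() *IssuerStatusApplyConfiguration {
	return &IssuerStatusApplyConfiguration{}
}

// WithConditions appends a copy of each given condition to Conditions and
// returns b for chaining. Successive calls accumulate rather than replace.
//
// A nil entry is a programming error and panics. All entries are checked
// before anything is appended, so a panic leaves b exactly as it was instead
// of partially updated with the entries that preceded the nil one.
func (b *IssuerStatusApplyConfiguration) WithConditions(values ...*IssuerConditionApplyConfiguration) *IssuerStatusApplyConfiguration {
	for i := range values {
		if values[i] == nil {
			panic("nil value passed to WithConditions")
		}
	}
	for _, v := range values {
		b.Conditions = append(b.Conditions, *v)
	}
	return b
}

// WithACME stores value as the ACME issuer status and returns b for chaining.
// The pointer is kept as-is (not copied); each call replaces the last.
func (b *IssuerStatusApplyConfiguration) WithACME(value *acmev1.ACMEIssuerStatusApplyConfiguration) *IssuerStatusApplyConfiguration {
	b.ACME = value
	return b
}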
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// JKSKeystoreApplyConfiguration is the apply-configuration form of JKSKeystore.
// Fields stay nil until the matching With* method is called and are then
// omitted from the serialized object.
type JKSKeystoreApplyConfiguration struct {
	Create *bool   `json:"create,omitempty"`
	Alias  *string `json:"alias,omitempty"`
	// PasswordSecretRef points at a Secret key rather than carrying the
	// keystore password inline.
	PasswordSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"passwordSecretRef,omitempty"`
	// Password is a literal password that is serialized into the object itself
	// under "password". NOTE(review): which of Password and PasswordSecretRef
	// callers are expected to use is not visible here — confirm against the
	// CRD documentation before relying on the inline form.
	Password *string `json:"password,omitempty"`
}

// JKSKeystore returns an empty JKSKeystoreApplyConfiguration to be filled in
// through the With* methods.
func JKSKeystore() *JKSKeystoreApplyConfiguration {
	cfg := new(JKSKeystoreApplyConfiguration)
	return cfg
}

// WithCreate records value as Create and returns b for chaining. Each call
// overwrites the previous value.
func (b *JKSKeystoreApplyConfiguration) WithCreate(value bool) *JKSKeystoreApplyConfiguration {
	c := value // address a private copy, never caller-owned storage
	b.Create = &c
	return b
}

// WithAlias records value as Alias and returns b for chaining. Each call
// overwrites the previous value.
func (b *JKSKeystoreApplyConfiguration) WithAlias(value string) *JKSKeystoreApplyConfiguration {
	a := value // address a private copy, never caller-owned storage
	b.Alias = &a
	return b
}

// WithPasswordSecretRef stores value as PasswordSecretRef and returns b for
// chaining. The pointer is kept as-is (not copied); each call replaces the last.
func (b *JKSKeystoreApplyConfiguration) WithPasswordSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *JKSKeystoreApplyConfiguration {
	b.PasswordSecretRef = value
	return b
}

// WithPassword records value as the inline Password and returns b for
// chaining. Each call overwrites the previous value.
func (b *JKSKeystoreApplyConfiguration) WithPassword(value string) *JKSKeystoreApplyConfiguration {
	p := value // address a private copy, never caller-owned storage
	b.Password = &p
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// NameConstraintItemApplyConfiguration is the apply-configuration form of
// NameConstraintItem: four independent lists, each nil until its With* method
// appends to it and omitted from the serialized object while nil.
type NameConstraintItemApplyConfiguration struct {
	DNSDomains     []string `json:"dnsDomains,omitempty"`
	IPRanges       []string `json:"ipRanges,omitempty"`
	EmailAddresses []string `json:"emailAddresses,omitempty"`
	URIDomains     []string `json:"uriDomains,omitempty"`
}

// NameConstraintItem returns an empty NameConstraintItemApplyConfiguration to
// be filled in through the With* methods.
func NameConstraintItem() *NameConstraintItemApplyConfiguration {
	cfg := new(NameConstraintItemApplyConfiguration)
	return cfg
}

// WithDNSDomains appends values to DNSDomains and returns b for chaining.
// Calls accumulate; calling with no arguments leaves the field untouched.
func (b *NameConstraintItemApplyConfiguration) WithDNSDomains(values ...string) *NameConstraintItemApplyConfiguration {
	b.DNSDomains = append(b.DNSDomains, values...)
	return b
}

// WithIPRanges appends values to IPRanges and returns b for chaining.
// Calls accumulate; calling with no arguments leaves the field untouched.
func (b *NameConstraintItemApplyConfiguration) WithIPRanges(values ...string) *NameConstraintItemApplyConfiguration {
	b.IPRanges = append(b.IPRanges, values...)
	return b
}

// WithEmailAddresses appends values to EmailAddresses and returns b for
// chaining. Calls accumulate; calling with no arguments leaves the field
// untouched.
func (b *NameConstraintItemApplyConfiguration) WithEmailAddresses(values ...string) *NameConstraintItemApplyConfiguration {
	b.EmailAddresses = append(b.EmailAddresses, values...)
	return b
}

// WithURIDomains appends values to URIDomains and returns b for chaining.
// Calls accumulate; calling with no arguments leaves the field untouched.
func (b *NameConstraintItemApplyConfiguration) WithURIDomains(values ...string) *NameConstraintItemApplyConfiguration {
	b.URIDomains = append(b.URIDomains, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// NameConstraintsApplyConfiguration is the apply-configuration form of
// NameConstraints. Fields stay nil until the matching With* method is called
// and are omitted from the serialized object while nil.
type NameConstraintsApplyConfiguration struct {
	Critical  *bool                                 `json:"critical,omitempty"`
	Permitted *NameConstraintItemApplyConfiguration `json:"permitted,omitempty"`
	Excluded  *NameConstraintItemApplyConfiguration `json:"excluded,omitempty"`
}

// NameConstraints returns an empty NameConstraintsApplyConfiguration to be
// filled in through the With* methods.
func NameConstraints() *NameConstraintsApplyConfiguration {
	cfg := new(NameConstraintsApplyConfiguration)
	return cfg
}

// WithCritical records value as Critical and returns b for chaining. Each call
// overwrites the previous value.
func (b *NameConstraintsApplyConfiguration) WithCritical(value bool) *NameConstraintsApplyConfiguration {
	c := value // address a private copy, never caller-owned storage
	b.Critical = &c
	return b
}

// WithPermitted stores value as the Permitted item and returns b for chaining.
// The pointer is kept as-is (not copied); each call replaces the last.
func (b *NameConstraintsApplyConfiguration) WithPermitted(value *NameConstraintItemApplyConfiguration) *NameConstraintsApplyConfiguration {
	b.Permitted = value
	return b
}

// WithExcluded stores value as the Excluded item and returns b for chaining.
// The pointer is kept as-is (not copied); each call replaces the last.
func (b *NameConstraintsApplyConfiguration) WithExcluded(value *NameConstraintItemApplyConfiguration) *NameConstraintsApplyConfiguration {
	b.Excluded = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// OtherNameApplyConfiguration is the apply-configuration form of OtherName.
// Both fields stay nil until set and are omitted from the serialized object
// while nil.
type OtherNameApplyConfiguration struct {
	OID       *string `json:"oid,omitempty"`
	UTF8Value *string `json:"utf8Value,omitempty"`
}

// OtherName returns an empty OtherNameApplyConfiguration to be filled in
// through the With* methods.
func OtherName() *OtherNameApplyConfiguration {
	cfg := new(OtherNameApplyConfiguration)
	return cfg
}

// WithOID records value as OID and returns b for chaining. Each call
// overwrites the previous value.
func (b *OtherNameApplyConfiguration) WithOID(value string) *OtherNameApplyConfiguration {
	oid := value // address a private copy, never caller-owned storage
	b.OID = &oid
	return b
}

// WithUTF8Value records value as UTF8Value and returns b for chaining. Each
// call overwrites the previous value.
func (b *OtherNameApplyConfiguration) WithUTF8Value(value string) *OtherNameApplyConfiguration {
	v := value // address a private copy, never caller-owned storage
	b.UTF8Value = &v
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// PKCS12KeystoreApplyConfiguration is the apply-configuration form of
// PKCS12Keystore. Fields stay nil until the matching With* method is called
// and are then omitted from the serialized object.
type PKCS12KeystoreApplyConfiguration struct {
	Create  *bool                       `json:"create,omitempty"`
	Profile *certmanagerv1.PKCS12Profile `json:"profile,omitempty"`
	// PasswordSecretRef points at a Secret key rather than carrying the
	// keystore password inline.
	PasswordSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"passwordSecretRef,omitempty"`
	// Password is a literal password that is serialized into the object itself
	// under "password". NOTE(review): which of Password and PasswordSecretRef
	// callers are expected to use is not visible here — confirm against the
	// CRD documentation before relying on the inline form.
	Password *string `json:"password,omitempty"`
}

// PKCS12Keystore returns an empty PKCS12KeystoreApplyConfiguration to be
// filled in through the With* methods.
func PKCS12Keystore() *PKCS12KeystoreApplyConfiguration {
	cfg := new(PKCS12KeystoreApplyConfiguration)
	return cfg
}

// WithCreate records value as Create and returns b for chaining. Each call
// overwrites the previous value.
func (b *PKCS12KeystoreApplyConfiguration) WithCreate(value bool) *PKCS12KeystoreApplyConfiguration {
	c := value // address a private copy, never caller-owned storage
	b.Create = &c
	return b
}

// WithProfile records value as Profile and returns b for chaining. Each call
// overwrites the previous value.
func (b *PKCS12KeystoreApplyConfiguration) WithProfile(value certmanagerv1.PKCS12Profile) *PKCS12KeystoreApplyConfiguration {
	p := value // address a private copy, never caller-owned storage
	b.Profile = &p
	return b
}

// WithPasswordSecretRef stores value as PasswordSecretRef and returns b for
// chaining. The pointer is kept as-is (not copied); each call replaces the last.
func (b *PKCS12KeystoreApplyConfiguration) WithPasswordSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *PKCS12KeystoreApplyConfiguration {
	b.PasswordSecretRef = value
	return b
}

// WithPassword records value as the inline Password and returns b for
// chaining. Each call overwrites the previous value.
func (b *PKCS12KeystoreApplyConfiguration) WithPassword(value string) *PKCS12KeystoreApplyConfiguration {
	pw := value // address a private copy, never caller-owned storage
	b.Password = &pw
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// SelfSignedIssuerApplyConfiguration is the apply-configuration form of
// SelfSignedIssuer. CRLDistributionPoints is nil until appended to and is
// omitted from the serialized object while nil.
type SelfSignedIssuerApplyConfiguration struct {
	CRLDistributionPoints []string `json:"crlDistributionPoints,omitempty"`
}

// SelfSignedIssuer returns an empty SelfSignedIssuerApplyConfiguration to be
// filled in through the With* methods.
func SelfSignedIssuer() *SelfSignedIssuerApplyConfiguration {
	cfg := new(SelfSignedIssuerApplyConfiguration)
	return cfg
}

// WithCRLDistributionPoints appends values to CRLDistributionPoints and
// returns b for chaining. Calls accumulate; calling with no arguments leaves
// the field untouched.
func (b *SelfSignedIssuerApplyConfiguration) WithCRLDistributionPoints(values ...string) *SelfSignedIssuerApplyConfiguration {
	b.CRLDistributionPoints = append(b.CRLDistributionPoints, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// ServiceAccountRefApplyConfiguration is the apply-configuration form of
// ServiceAccountRef. Fields are nil until set and are omitted from the
// serialized object while nil.
type ServiceAccountRefApplyConfiguration struct {
	Name *string `json:"name,omitempty"`
	// TokenAudiences is serialized under the JSON key "audiences", not
	// "tokenAudiences"; keep that in mind when matching against manifests.
	TokenAudiences []string `json:"audiences,omitempty"`
}

// ServiceAccountRef returns an empty ServiceAccountRefApplyConfiguration to be
// filled in through the With* methods.
func ServiceAccountRef() *ServiceAccountRefApplyConfiguration {
	cfg := new(ServiceAccountRefApplyConfiguration)
	return cfg
}

// WithName records value as Name and returns b for chaining. Each call
// overwrites the previous value.
func (b *ServiceAccountRefApplyConfiguration) WithName(value string) *ServiceAccountRefApplyConfiguration {
	n := value // address a private copy, never caller-owned storage
	b.Name = &n
	return b
}

// WithTokenAudiences appends values to TokenAudiences and returns b for
// chaining. Calls accumulate; calling with no arguments leaves the field
// untouched.
func (b *ServiceAccountRefApplyConfiguration) WithTokenAudiences(values ...string) *ServiceAccountRefApplyConfiguration {
	b.TokenAudiences = append(b.TokenAudiences, values...)
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VaultAppRoleApplyConfiguration is the apply-configuration form of
// VaultAppRole. Fields stay nil until set and are omitted from the serialized
// object while nil.
type VaultAppRoleApplyConfiguration struct {
	Path   *string `json:"path,omitempty"`
	RoleId *string `json:"roleId,omitempty"`
	// SecretRef points at a Secret key (a SecretKeySelector); the secret
	// material itself is never carried inline in this configuration.
	SecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"secretRef,omitempty"`
}

// VaultAppRole returns an empty VaultAppRoleApplyConfiguration to be filled in
// through the With* methods.
func VaultAppRole() *VaultAppRoleApplyConfiguration {
	cfg := new(VaultAppRoleApplyConfiguration)
	return cfg
}

// WithPath records value as Path and returns b for chaining. Each call
// overwrites the previous value.
func (b *VaultAppRoleApplyConfiguration) WithPath(value string) *VaultAppRoleApplyConfiguration {
	p := value // address a private copy, never caller-owned storage
	b.Path = &p
	return b
}

// WithRoleId records value as RoleId and returns b for chaining. Each call
// overwrites the previous value.
func (b *VaultAppRoleApplyConfiguration) WithRoleId(value string) *VaultAppRoleApplyConfiguration {
	id := value // address a private copy, never caller-owned storage
	b.RoleId = &id
	return b
}

// WithSecretRef stores value as SecretRef and returns b for chaining. The
// pointer is kept as-is (not copied); each call replaces the last.
func (b *VaultAppRoleApplyConfiguration) WithSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultAppRoleApplyConfiguration {
	b.SecretRef = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VaultAuthApplyConfiguration represents a declarative configuration of the VaultAuth type for use
// with apply.
type VaultAuthApplyConfiguration struct {
TokenSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"tokenSecretRef,omitempty"`
AppRole *VaultAppRoleApplyConfiguration `json:"appRole,omitempty"`
ClientCertificate *VaultClientCertificateAuthApplyConfiguration `json:"clientCertificate,omitempty"`
Kubernetes *VaultKubernetesAuthApplyConfiguration `json:"kubernetes,omitempty"`
}
// VaultAuthApplyConfiguration constructs a declarative configuration of the VaultAuth type for use with
// apply.
func VaultAuth() *VaultAuthApplyConfiguration {
return &VaultAuthApplyConfiguration{}
}
// WithTokenSecretRef sets the TokenSecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the TokenSecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not the token itself. The pointer is stored as-is (no copy),
// and passing nil clears the field.
func (b *VaultAuthApplyConfiguration) WithTokenSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultAuthApplyConfiguration {
	b.TokenSecretRef = value
	return b
}
// WithAppRole sets the AppRole field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the AppRole field is set to the value of the last call.
//
// The pointer is stored as-is, so later changes to *value are visible through b; nil clears the field.
// Setting AppRole does not clear the other authentication methods on b.
func (b *VaultAuthApplyConfiguration) WithAppRole(value *VaultAppRoleApplyConfiguration) *VaultAuthApplyConfiguration {
	b.AppRole = value
	return b
}
// WithClientCertificate sets the ClientCertificate field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCertificate field is set to the value of the last call.
//
// The pointer is stored as-is; nil clears the field. Setting ClientCertificate does not clear the
// other authentication methods on b.
func (b *VaultAuthApplyConfiguration) WithClientCertificate(value *VaultClientCertificateAuthApplyConfiguration) *VaultAuthApplyConfiguration {
	b.ClientCertificate = value
	return b
}
// WithKubernetes sets the Kubernetes field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Kubernetes field is set to the value of the last call.
//
// The pointer is stored as-is; nil clears the field. Setting Kubernetes does not clear the other
// authentication methods on b.
func (b *VaultAuthApplyConfiguration) WithKubernetes(value *VaultKubernetesAuthApplyConfiguration) *VaultAuthApplyConfiguration {
	b.Kubernetes = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// VaultClientCertificateAuthApplyConfiguration represents a declarative configuration of the VaultClientCertificateAuth type for use
// with apply.
//
// All fields are *string tagged omitempty: a nil field is omitted from the apply request, while a
// pointer to "" is sent as an explicit empty string. Note that the Go field Path serializes under
// the JSON key "mountPath", not "path".
type VaultClientCertificateAuthApplyConfiguration struct {
	// Path ("mountPath") — presumably the mount path of the cert auth backend; confirm against the API type.
	Path *string `json:"mountPath,omitempty"`
	// SecretName ("secretName") names a Secret; the certificate/key material itself is not carried here.
	SecretName *string `json:"secretName,omitempty"`
	// Name ("name") — presumably the Vault role/cert name to authenticate as; confirm against the API type.
	Name *string `json:"name,omitempty"`
}
// VaultClientCertificateAuth returns an empty VaultClientCertificateAuthApplyConfiguration. All
// fields start out nil and are omitted from the serialized apply request until set via With*.
func VaultClientCertificateAuth() *VaultClientCertificateAuthApplyConfiguration {
	return new(VaultClientCertificateAuthApplyConfiguration)
}
// WithPath stores a pointer to a private copy of value in Path (serialized as "mountPath") and
// returns the receiver for chaining. Each call replaces the previous pointer; the last call wins.
// There is no way to unset the field through this method — assign nil to Path directly instead.
func (b *VaultClientCertificateAuthApplyConfiguration) WithPath(value string) *VaultClientCertificateAuthApplyConfiguration {
	mountPath := value
	b.Path = &mountPath
	return b
}
// WithSecretName stores a pointer to a private copy of value in SecretName and returns the receiver
// for chaining. value is the name of a Secret, not its contents. Each call replaces the previous
// pointer; the last call wins.
func (b *VaultClientCertificateAuthApplyConfiguration) WithSecretName(value string) *VaultClientCertificateAuthApplyConfiguration {
	secretName := value
	b.SecretName = &secretName
	return b
}
// WithName stores a pointer to a private copy of value in Name and returns the receiver for
// chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultClientCertificateAuthApplyConfiguration) WithName(value string) *VaultClientCertificateAuthApplyConfiguration {
	name := value
	b.Name = &name
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VaultIssuerApplyConfiguration represents a declarative configuration of the VaultIssuer type for use
// with apply.
//
// Every field is tagged omitempty, so unset (nil / empty) fields are absent from the apply request.
// Trust anchors for the Vault server can be supplied inline (CABundle) or by reference
// (CABundleSecretRef); which one wins when both are set is decided by the consumer, not here.
type VaultIssuerApplyConfiguration struct {
	// Auth ("auth") selects how cert-manager authenticates to Vault.
	Auth *VaultAuthApplyConfiguration `json:"auth,omitempty"`
	// Server ("server") — presumably the Vault server URL; confirm against the API type.
	Server *string `json:"server,omitempty"`
	// ServerName ("serverName") — presumably the TLS SNI / verification name; confirm against the API type.
	ServerName *string `json:"serverName,omitempty"`
	// Path ("path") — note this one serializes as "path", unlike the auth types' "mountPath".
	Path *string `json:"path,omitempty"`
	// Namespace ("namespace") — presumably a Vault namespace, not a Kubernetes one; confirm.
	Namespace *string `json:"namespace,omitempty"`
	// CABundle ("caBundle") holds raw bundle bytes inline; encoding/json emits []byte as base64.
	CABundle []byte `json:"caBundle,omitempty"`
	// CABundleSecretRef ("caBundleSecretRef") selects a Secret key holding the bundle instead of inlining it.
	CABundleSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"caBundleSecretRef,omitempty"`
	// ClientCertSecretRef ("clientCertSecretRef") selects a Secret key; the certificate bytes are not carried here.
	ClientCertSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"clientCertSecretRef,omitempty"`
	// ClientKeySecretRef ("clientKeySecretRef") selects a Secret key; the private key is never inlined in this type.
	ClientKeySecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"clientKeySecretRef,omitempty"`
}
// VaultIssuer returns an empty VaultIssuerApplyConfiguration. All fields start out nil and are
// omitted from the serialized apply request until set via With*.
func VaultIssuer() *VaultIssuerApplyConfiguration {
	return new(VaultIssuerApplyConfiguration)
}
// WithAuth sets the Auth field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Auth field is set to the value of the last call.
//
// The pointer is stored as-is, so later changes to *value are visible through b; nil clears the field.
func (b *VaultIssuerApplyConfiguration) WithAuth(value *VaultAuthApplyConfiguration) *VaultIssuerApplyConfiguration {
	b.Auth = value
	return b
}
// WithServer stores a pointer to a private copy of value in Server and returns the receiver for
// chaining. Each call replaces the previous pointer; the last call wins. No URL validation is done
// here; that is left to the consumer of the configuration.
func (b *VaultIssuerApplyConfiguration) WithServer(value string) *VaultIssuerApplyConfiguration {
	server := value
	b.Server = &server
	return b
}
// WithServerName stores a pointer to a private copy of value in ServerName and returns the receiver
// for chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultIssuerApplyConfiguration) WithServerName(value string) *VaultIssuerApplyConfiguration {
	serverName := value
	b.ServerName = &serverName
	return b
}
// WithPath stores a pointer to a private copy of value in Path (serialized as "path") and returns
// the receiver for chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultIssuerApplyConfiguration) WithPath(value string) *VaultIssuerApplyConfiguration {
	path := value
	b.Path = &path
	return b
}
// WithNamespace stores a pointer to a private copy of value in Namespace and returns the receiver
// for chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultIssuerApplyConfiguration) WithNamespace(value string) *VaultIssuerApplyConfiguration {
	namespace := value
	b.Namespace = &namespace
	return b
}
// WithCABundle appends values to CABundle and returns the receiver for chaining.
//
// Unlike the scalar With* setters this accumulates: a second call concatenates its bytes onto the
// first rather than replacing them, which would silently corrupt a bundle if a caller meant to swap
// it. To replace the bundle, start from a fresh configuration or reset CABundle first. A call with
// no values leaves CABundle untouched (a nil slice stays nil).
func (b *VaultIssuerApplyConfiguration) WithCABundle(values ...byte) *VaultIssuerApplyConfiguration {
	b.CABundle = append(b.CABundle, values...)
	return b
}
// WithCABundleSecretRef sets the CABundleSecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CABundleSecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not the bundle bytes. Setting it does not clear an inline
// CABundle already on b. The pointer is stored as-is; nil clears the field.
func (b *VaultIssuerApplyConfiguration) WithCABundleSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultIssuerApplyConfiguration {
	b.CABundleSecretRef = value
	return b
}
// WithClientCertSecretRef sets the ClientCertSecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientCertSecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not certificate material. The pointer is stored as-is;
// nil clears the field.
func (b *VaultIssuerApplyConfiguration) WithClientCertSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultIssuerApplyConfiguration {
	b.ClientCertSecretRef = value
	return b
}
// WithClientKeySecretRef sets the ClientKeySecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ClientKeySecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key; the private key itself is never placed in this
// configuration. The pointer is stored as-is; nil clears the field.
func (b *VaultIssuerApplyConfiguration) WithClientKeySecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultIssuerApplyConfiguration {
	b.ClientKeySecretRef = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VaultKubernetesAuthApplyConfiguration represents a declarative configuration of the VaultKubernetesAuth type for use
// with apply.
//
// All fields are tagged omitempty. SecretRef and ServiceAccountRef are two alternative ways to
// obtain the Kubernetes token presented to Vault (presumably — confirm against the API type);
// nothing in this type prevents both from being set. Note that Path serializes as "mountPath".
type VaultKubernetesAuthApplyConfiguration struct {
	// Path ("mountPath") — presumably the mount path of the Kubernetes auth backend.
	Path *string `json:"mountPath,omitempty"`
	// SecretRef ("secretRef") selects a Secret key; the token itself is not carried here.
	SecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"secretRef,omitempty"`
	// ServiceAccountRef ("serviceAccountRef") names a ServiceAccount to obtain a token for.
	ServiceAccountRef *ServiceAccountRefApplyConfiguration `json:"serviceAccountRef,omitempty"`
	// Role ("role") — presumably the Vault role to authenticate as.
	Role *string `json:"role,omitempty"`
}
// VaultKubernetesAuth returns an empty VaultKubernetesAuthApplyConfiguration. All fields start out
// nil and are omitted from the serialized apply request until set via With*.
func VaultKubernetesAuth() *VaultKubernetesAuthApplyConfiguration {
	return new(VaultKubernetesAuthApplyConfiguration)
}
// WithPath stores a pointer to a private copy of value in Path (serialized as "mountPath") and
// returns the receiver for chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultKubernetesAuthApplyConfiguration) WithPath(value string) *VaultKubernetesAuthApplyConfiguration {
	mountPath := value
	b.Path = &mountPath
	return b
}
// WithSecretRef sets the SecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not the token itself. Setting it does not clear
// ServiceAccountRef. The pointer is stored as-is; nil clears the field.
func (b *VaultKubernetesAuthApplyConfiguration) WithSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VaultKubernetesAuthApplyConfiguration {
	b.SecretRef = value
	return b
}
// WithServiceAccountRef sets the ServiceAccountRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ServiceAccountRef field is set to the value of the last call.
//
// Setting it does not clear SecretRef. The pointer is stored as-is; nil clears the field.
func (b *VaultKubernetesAuthApplyConfiguration) WithServiceAccountRef(value *ServiceAccountRefApplyConfiguration) *VaultKubernetesAuthApplyConfiguration {
	b.ServiceAccountRef = value
	return b
}
// WithRole stores a pointer to a private copy of value in Role and returns the receiver for
// chaining. Each call replaces the previous pointer; the last call wins.
func (b *VaultKubernetesAuthApplyConfiguration) WithRole(value string) *VaultKubernetesAuthApplyConfiguration {
	role := value
	b.Role = &role
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VenafiCloudApplyConfiguration represents a declarative configuration of the VenafiCloud type for use
// with apply.
//
// Both fields are tagged omitempty and are absent from the apply request while nil.
type VenafiCloudApplyConfiguration struct {
	// URL ("url") — presumably the Venafi Cloud API endpoint; confirm against the API type.
	URL *string `json:"url,omitempty"`
	// APITokenSecretRef ("apiTokenSecretRef") selects a Secret key; the API token is not carried inline.
	APITokenSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"apiTokenSecretRef,omitempty"`
}
// VenafiCloud returns an empty VenafiCloudApplyConfiguration. Both fields start out nil and are
// omitted from the serialized apply request until set via With*.
func VenafiCloud() *VenafiCloudApplyConfiguration {
	return new(VenafiCloudApplyConfiguration)
}
// WithURL stores a pointer to a private copy of value in URL and returns the receiver for chaining.
// Each call replaces the previous pointer; the last call wins. The string is not parsed or
// validated here.
func (b *VenafiCloudApplyConfiguration) WithURL(value string) *VenafiCloudApplyConfiguration {
	rawURL := value
	b.URL = &rawURL
	return b
}
// WithAPITokenSecretRef sets the APITokenSecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the APITokenSecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not the API token. The pointer is stored as-is; nil clears
// the field.
func (b *VenafiCloudApplyConfiguration) WithAPITokenSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VenafiCloudApplyConfiguration {
	b.APITokenSecretRef = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// VenafiIssuerApplyConfiguration represents a declarative configuration of the VenafiIssuer type for use
// with apply.
//
// TPP and Cloud are two alternative backends; nothing in this type enforces that only one is set,
// so that check presumably lives in API validation elsewhere. All fields are tagged omitempty.
type VenafiIssuerApplyConfiguration struct {
	// Zone ("zone") — the Venafi policy zone, presumably; confirm against the API type.
	Zone *string `json:"zone,omitempty"`
	// TPP ("tpp") configures a Venafi Trust Protection Platform backend.
	TPP *VenafiTPPApplyConfiguration `json:"tpp,omitempty"`
	// Cloud ("cloud") configures a Venafi Cloud backend.
	Cloud *VenafiCloudApplyConfiguration `json:"cloud,omitempty"`
}
// VenafiIssuer returns an empty VenafiIssuerApplyConfiguration. All fields start out nil and are
// omitted from the serialized apply request until set via With*.
func VenafiIssuer() *VenafiIssuerApplyConfiguration {
	return new(VenafiIssuerApplyConfiguration)
}
// WithZone stores a pointer to a private copy of value in Zone and returns the receiver for
// chaining. Each call replaces the previous pointer; the last call wins.
func (b *VenafiIssuerApplyConfiguration) WithZone(value string) *VenafiIssuerApplyConfiguration {
	zone := value
	b.Zone = &zone
	return b
}
// WithTPP sets the TPP field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the TPP field is set to the value of the last call.
//
// Setting TPP does not clear Cloud. The pointer is stored as-is; nil clears the field.
func (b *VenafiIssuerApplyConfiguration) WithTPP(value *VenafiTPPApplyConfiguration) *VenafiIssuerApplyConfiguration {
	b.TPP = value
	return b
}
// WithCloud sets the Cloud field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Cloud field is set to the value of the last call.
//
// Setting Cloud does not clear TPP. The pointer is stored as-is; nil clears the field.
func (b *VenafiIssuerApplyConfiguration) WithCloud(value *VenafiCloudApplyConfiguration) *VenafiIssuerApplyConfiguration {
	b.Cloud = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
)
// VenafiTPPApplyConfiguration represents a declarative configuration of the VenafiTPP type for use
// with apply.
//
// All fields are tagged omitempty. Trust anchors for the TPP endpoint can be given inline (CABundle)
// or by reference (CABundleSecretRef); precedence between the two is decided by the consumer.
type VenafiTPPApplyConfiguration struct {
	// URL ("url") — presumably the TPP API endpoint; confirm against the API type.
	URL *string `json:"url,omitempty"`
	// CredentialsRef ("credentialsRef") references a Secret in the same namespace by name (LocalObjectReference);
	// the credentials themselves are not carried here.
	CredentialsRef *metav1.LocalObjectReferenceApplyConfiguration `json:"credentialsRef,omitempty"`
	// CABundle ("caBundle") holds raw bundle bytes inline; encoding/json emits []byte as base64.
	CABundle []byte `json:"caBundle,omitempty"`
	// CABundleSecretRef ("caBundleSecretRef") selects a Secret key holding the bundle instead.
	CABundleSecretRef *metav1.SecretKeySelectorApplyConfiguration `json:"caBundleSecretRef,omitempty"`
}
// VenafiTPP returns an empty VenafiTPPApplyConfiguration. All fields start out nil and are omitted
// from the serialized apply request until set via With*.
func VenafiTPP() *VenafiTPPApplyConfiguration {
	return new(VenafiTPPApplyConfiguration)
}
// WithURL stores a pointer to a private copy of value in URL and returns the receiver for chaining.
// Each call replaces the previous pointer; the last call wins. The string is not parsed or
// validated here.
func (b *VenafiTPPApplyConfiguration) WithURL(value string) *VenafiTPPApplyConfiguration {
	rawURL := value
	b.URL = &rawURL
	return b
}
// WithCredentialsRef sets the CredentialsRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CredentialsRef field is set to the value of the last call.
//
// value references a Secret by name (LocalObjectReference); no credential material is stored on b.
// The pointer is stored as-is; nil clears the field.
func (b *VenafiTPPApplyConfiguration) WithCredentialsRef(value *metav1.LocalObjectReferenceApplyConfiguration) *VenafiTPPApplyConfiguration {
	b.CredentialsRef = value
	return b
}
// WithCABundle appends values to CABundle and returns the receiver for chaining.
//
// This accumulates rather than replaces: a second call concatenates its bytes onto the first, which
// would silently corrupt a bundle if a caller meant to swap it. To replace the bundle, start from a
// fresh configuration or reset CABundle first. A call with no values leaves CABundle untouched.
func (b *VenafiTPPApplyConfiguration) WithCABundle(values ...byte) *VenafiTPPApplyConfiguration {
	b.CABundle = append(b.CABundle, values...)
	return b
}
// WithCABundleSecretRef sets the CABundleSecretRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CABundleSecretRef field is set to the value of the last call.
//
// value is a selector for a Secret key, not the bundle bytes. Setting it does not clear an inline
// CABundle already on b. The pointer is stored as-is; nil clears the field.
func (b *VenafiTPPApplyConfiguration) WithCABundleSecretRef(value *metav1.SecretKeySelectorApplyConfiguration) *VenafiTPPApplyConfiguration {
	b.CABundleSecretRef = value
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// X509SubjectApplyConfiguration represents a declarative configuration of the X509Subject type for use
// with apply.
//
// The multi-valued distinguished-name attributes are plain []string in the order the builder
// appended them; nil/empty slices are omitted from the apply request (omitempty). No validation of
// attribute contents (length, character set, duplicates) happens in this type.
type X509SubjectApplyConfiguration struct {
	// Organizations ("organizations") — O attribute values.
	Organizations []string `json:"organizations,omitempty"`
	// Countries ("countries") — C attribute values.
	Countries []string `json:"countries,omitempty"`
	// OrganizationalUnits ("organizationalUnits") — OU attribute values.
	OrganizationalUnits []string `json:"organizationalUnits,omitempty"`
	// Localities ("localities") — L attribute values.
	Localities []string `json:"localities,omitempty"`
	// Provinces ("provinces") — ST attribute values.
	Provinces []string `json:"provinces,omitempty"`
	// StreetAddresses ("streetAddresses") — STREET attribute values.
	StreetAddresses []string `json:"streetAddresses,omitempty"`
	// PostalCodes ("postalCodes") — postalCode attribute values.
	PostalCodes []string `json:"postalCodes,omitempty"`
	// SerialNumber ("serialNumber") — the single-valued subject serialNumber attribute, not the certificate serial.
	SerialNumber *string `json:"serialNumber,omitempty"`
}
// X509Subject returns an empty X509SubjectApplyConfiguration. All slices and the SerialNumber
// pointer start out nil and are omitted from the serialized apply request until set via With*.
func X509Subject() *X509SubjectApplyConfiguration {
	return new(X509SubjectApplyConfiguration)
}
// WithOrganizations appends values to Organizations, preserving order, and returns the receiver
// for chaining. Repeated calls accumulate rather than replace; a call with no values leaves the
// field untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithOrganizations(values ...string) *X509SubjectApplyConfiguration {
	b.Organizations = append(b.Organizations, values...)
	return b
}
// WithCountries appends values to Countries, preserving order, and returns the receiver for
// chaining. Repeated calls accumulate rather than replace; a call with no values leaves the field
// untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithCountries(values ...string) *X509SubjectApplyConfiguration {
	b.Countries = append(b.Countries, values...)
	return b
}
// WithOrganizationalUnits appends values to OrganizationalUnits, preserving order, and returns the
// receiver for chaining. Repeated calls accumulate rather than replace; a call with no values
// leaves the field untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithOrganizationalUnits(values ...string) *X509SubjectApplyConfiguration {
	b.OrganizationalUnits = append(b.OrganizationalUnits, values...)
	return b
}
// WithLocalities appends values to Localities, preserving order, and returns the receiver for
// chaining. Repeated calls accumulate rather than replace; a call with no values leaves the field
// untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithLocalities(values ...string) *X509SubjectApplyConfiguration {
	b.Localities = append(b.Localities, values...)
	return b
}
// WithProvinces appends values to Provinces, preserving order, and returns the receiver for
// chaining. Repeated calls accumulate rather than replace; a call with no values leaves the field
// untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithProvinces(values ...string) *X509SubjectApplyConfiguration {
	b.Provinces = append(b.Provinces, values...)
	return b
}
// WithStreetAddresses appends values to StreetAddresses, preserving order, and returns the receiver
// for chaining. Repeated calls accumulate rather than replace; a call with no values leaves the
// field untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithStreetAddresses(values ...string) *X509SubjectApplyConfiguration {
	b.StreetAddresses = append(b.StreetAddresses, values...)
	return b
}
// WithPostalCodes appends values to PostalCodes, preserving order, and returns the receiver for
// chaining. Repeated calls accumulate rather than replace; a call with no values leaves the field
// untouched (a nil slice stays nil).
func (b *X509SubjectApplyConfiguration) WithPostalCodes(values ...string) *X509SubjectApplyConfiguration {
	b.PostalCodes = append(b.PostalCodes, values...)
	return b
}
// WithSerialNumber stores a pointer to a private copy of value in SerialNumber and returns the
// receiver for chaining. Unlike the slice-valued subject attributes this one replaces on each call;
// the last call wins. It is the subject serialNumber attribute, not the certificate serial.
func (b *X509SubjectApplyConfiguration) WithSerialNumber(value string) *X509SubjectApplyConfiguration {
	serialNumber := value
	b.SerialNumber = &serialNumber
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package internal
import (
fmt "fmt"
sync "sync"
typed "sigs.k8s.io/structured-merge-diff/v6/typed"
)
// Parser returns the package's structured-merge-diff parser for the embedded schemaYAML.
//
// The schema is parsed at most once, under parserOnce; every later call returns the cached
// parser. A parse failure panics: schemaYAML is generated alongside this file, so a malformed
// schema is a build/generation defect rather than a runtime input error. Note that sync.Once
// treats a panicking function as done, so if the panic is recovered by a caller, subsequent
// calls return whatever NewParser left in parser without retrying the parse.
func Parser() *typed.Parser {
	parserOnce.Do(func() {
		var err error
		if parser, err = typed.NewParser(schemaYAML); err != nil {
			panic(fmt.Sprintf("Failed to parse schema: %v", err))
		}
	})
	return parser
}
// Package-level state behind Parser: parserOnce guards the one-time schema parse and parser holds
// its result. In this file both are written only from inside parserOnce.Do; the zero values
// (an unused Once, a nil parser) are the intended initial state.
var (
	parserOnce sync.Once
	parser     *typed.Parser
)
var schemaYAML = typed.YAMLObject(`types:
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEAuthorization
map:
fields:
- name: challenges
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallenge
elementRelationship: atomic
- name: identifier
type:
scalar: string
- name: initialState
type:
scalar: string
- name: url
type:
scalar: string
default: ""
- name: wildcard
type:
scalar: boolean
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallenge
map:
fields:
- name: token
type:
scalar: string
default: ""
- name: type
type:
scalar: string
default: ""
- name: url
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolver
map:
fields:
- name: dns01
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverDNS01
- name: http01
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01
- name: selector
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.CertificateDNSNameSelector
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverDNS01
map:
fields:
- name: acmeDNS
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAcmeDNS
- name: akamai
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAkamai
- name: azureDNS
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAzureDNS
- name: cloudDNS
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderCloudDNS
- name: cloudflare
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderCloudflare
- name: cnameStrategy
type:
scalar: string
- name: digitalocean
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderDigitalOcean
- name: rfc2136
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderRFC2136
- name: route53
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderRoute53
- name: webhook
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderWebhook
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01
map:
fields:
- name: gatewayHTTPRoute
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01GatewayHTTPRoute
- name: ingress
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01Ingress
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01GatewayHTTPRoute
map:
fields:
- name: labels
type:
map:
elementType:
scalar: string
- name: parentRefs
type:
list:
elementType:
namedType: io.k8s.sigs.gateway-api.apis.v1.ParentReference
elementRelationship: atomic
- name: podTemplate
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodTemplate
- name: serviceType
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01Ingress
map:
fields:
- name: class
type:
scalar: string
- name: ingressClassName
type:
scalar: string
- name: ingressTemplate
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressTemplate
- name: name
type:
scalar: string
- name: podTemplate
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodTemplate
- name: serviceType
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressObjectMeta
map:
fields:
- name: annotations
type:
map:
elementType:
scalar: string
- name: labels
type:
map:
elementType:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodObjectMeta
map:
fields:
- name: annotations
type:
map:
elementType:
scalar: string
- name: labels
type:
map:
elementType:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodResources
map:
fields:
- name: limits
type:
map:
elementType:
namedType: io.k8s.apimachinery.pkg.api.resource.Quantity
- name: requests
type:
map:
elementType:
namedType: io.k8s.apimachinery.pkg.api.resource.Quantity
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodSecurityContext
map:
fields:
- name: fsGroup
type:
scalar: numeric
- name: fsGroupChangePolicy
type:
scalar: string
- name: runAsGroup
type:
scalar: numeric
- name: runAsNonRoot
type:
scalar: boolean
- name: runAsUser
type:
scalar: numeric
- name: seLinuxOptions
type:
namedType: io.k8s.api.core.v1.SELinuxOptions
- name: seccompProfile
type:
namedType: io.k8s.api.core.v1.SeccompProfile
- name: supplementalGroups
type:
list:
elementType:
scalar: numeric
elementRelationship: atomic
- name: sysctls
type:
list:
elementType:
namedType: io.k8s.api.core.v1.Sysctl
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodSpec
map:
fields:
- name: affinity
type:
namedType: io.k8s.api.core.v1.Affinity
- name: imagePullSecrets
type:
list:
elementType:
namedType: io.k8s.api.core.v1.LocalObjectReference
elementRelationship: associative
keys:
- name
- name: nodeSelector
type:
map:
elementType:
scalar: string
- name: priorityClassName
type:
scalar: string
- name: resources
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodResources
- name: securityContext
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodSecurityContext
- name: serviceAccountName
type:
scalar: string
- name: tolerations
type:
list:
elementType:
namedType: io.k8s.api.core.v1.Toleration
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodTemplate
map:
fields:
- name: metadata
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressPodSpec
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressTemplate
map:
fields:
- name: metadata
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolverHTTP01IngressObjectMeta
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEExternalAccountBinding
map:
fields:
- name: keyAlgorithm
type:
scalar: string
- name: keyID
type:
scalar: string
default: ""
- name: keySecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuer
map:
fields:
- name: caBundle
type:
scalar: string
- name: disableAccountKeyGeneration
type:
scalar: boolean
- name: email
type:
scalar: string
- name: enableDurationFeature
type:
scalar: boolean
- name: externalAccountBinding
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEExternalAccountBinding
- name: preferredChain
type:
scalar: string
- name: privateKeySecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: profile
type:
scalar: string
- name: server
type:
scalar: string
default: ""
- name: skipTLSVerify
type:
scalar: boolean
- name: solvers
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolver
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAcmeDNS
map:
fields:
- name: accountSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: host
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAkamai
map:
fields:
- name: accessTokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: clientSecretSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: clientTokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: serviceConsumerDomain
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderAzureDNS
map:
fields:
- name: clientID
type:
scalar: string
- name: clientSecretSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: environment
type:
scalar: string
- name: hostedZoneName
type:
scalar: string
- name: managedIdentity
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.AzureManagedIdentity
- name: resourceGroupName
type:
scalar: string
default: ""
- name: subscriptionID
type:
scalar: string
default: ""
- name: tenantID
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderCloudDNS
map:
fields:
- name: hostedZoneName
type:
scalar: string
- name: project
type:
scalar: string
default: ""
- name: serviceAccountSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderCloudflare
map:
fields:
- name: apiKeySecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: apiTokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: email
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderDigitalOcean
map:
fields:
- name: tokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderRFC2136
map:
fields:
- name: nameserver
type:
scalar: string
default: ""
- name: protocol
type:
scalar: string
- name: tsigAlgorithm
type:
scalar: string
- name: tsigKeyName
type:
scalar: string
- name: tsigSecretSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderRoute53
map:
fields:
- name: accessKeyID
type:
scalar: string
- name: accessKeyIDSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: auth
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Route53Auth
- name: hostedZoneID
type:
scalar: string
- name: region
type:
scalar: string
- name: role
type:
scalar: string
- name: secretAccessKeySecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerDNS01ProviderWebhook
map:
fields:
- name: config
type:
namedType: io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON
- name: groupName
type:
scalar: string
default: ""
- name: solverName
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerStatus
map:
fields:
- name: lastPrivateKeyHash
type:
scalar: string
- name: lastRegisteredEmail
type:
scalar: string
- name: uri
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.AzureManagedIdentity
map:
fields:
- name: clientID
type:
scalar: string
- name: resourceID
type:
scalar: string
- name: tenantID
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.CertificateDNSNameSelector
map:
fields:
- name: dnsNames
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: dnsZones
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: matchLabels
type:
map:
elementType:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Challenge
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ChallengeSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ChallengeStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ChallengeSpec
map:
fields:
- name: authorizationURL
type:
scalar: string
default: ""
- name: dnsName
type:
scalar: string
default: ""
- name: issuerRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.IssuerReference
default: {}
- name: key
type:
scalar: string
default: ""
- name: solver
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEChallengeSolver
default: {}
- name: token
type:
scalar: string
default: ""
- name: type
type:
scalar: string
default: ""
- name: url
type:
scalar: string
default: ""
- name: wildcard
type:
scalar: boolean
default: false
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ChallengeStatus
map:
fields:
- name: presented
type:
scalar: boolean
default: false
- name: processing
type:
scalar: boolean
default: false
- name: reason
type:
scalar: string
- name: state
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Order
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.OrderSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.OrderStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.OrderSpec
map:
fields:
- name: commonName
type:
scalar: string
- name: dnsNames
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: duration
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration
- name: ipAddresses
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: issuerRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.IssuerReference
default: {}
- name: profile
type:
scalar: string
- name: request
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.OrderStatus
map:
fields:
- name: authorizations
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEAuthorization
elementRelationship: atomic
- name: certificate
type:
scalar: string
- name: failureTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: finalizeURL
type:
scalar: string
- name: reason
type:
scalar: string
- name: state
type:
scalar: string
- name: url
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Route53Auth
map:
fields:
- name: kubernetes
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Route53KubernetesAuth
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Route53KubernetesAuth
map:
fields:
- name: serviceAccountRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ServiceAccountRef
- name: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ServiceAccountRef
map:
fields:
- name: audiences
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: name
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CAIssuer
map:
fields:
- name: crlDistributionPoints
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: issuingCertificateURLs
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: ocspServers
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: secretName
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Certificate
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateAdditionalOutputFormat
map:
fields:
- name: type
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateCondition
map:
fields:
- name: lastTransitionTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: message
type:
scalar: string
- name: observedGeneration
type:
scalar: numeric
- name: reason
type:
scalar: string
- name: status
type:
scalar: string
default: ""
- name: type
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateKeystores
map:
fields:
- name: jks
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.JKSKeystore
- name: pkcs12
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.PKCS12Keystore
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificatePrivateKey
map:
fields:
- name: algorithm
type:
scalar: string
- name: encoding
type:
scalar: string
- name: rotationPolicy
type:
scalar: string
- name: size
type:
scalar: numeric
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequest
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestCondition
map:
fields:
- name: lastTransitionTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: message
type:
scalar: string
- name: reason
type:
scalar: string
- name: status
type:
scalar: string
default: ""
- name: type
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestSpec
map:
fields:
- name: duration
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration
- name: extra
type:
map:
elementType:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: groups
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: isCA
type:
scalar: boolean
- name: issuerRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.IssuerReference
default: {}
- name: request
type:
scalar: string
- name: uid
type:
scalar: string
- name: usages
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: username
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestStatus
map:
fields:
- name: ca
type:
scalar: string
- name: certificate
type:
scalar: string
- name: conditions
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequestCondition
elementRelationship: associative
keys:
- type
- name: failureTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateSecretTemplate
map:
fields:
- name: annotations
type:
map:
elementType:
scalar: string
- name: labels
type:
map:
elementType:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateSpec
map:
fields:
- name: additionalOutputFormats
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateAdditionalOutputFormat
elementRelationship: atomic
- name: commonName
type:
scalar: string
- name: dnsNames
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: duration
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration
- name: emailAddresses
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: encodeUsagesInRequest
type:
scalar: boolean
- name: ipAddresses
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: isCA
type:
scalar: boolean
- name: issuerRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.IssuerReference
default: {}
- name: keystores
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateKeystores
- name: literalSubject
type:
scalar: string
- name: nameConstraints
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.NameConstraints
- name: otherNames
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.OtherName
elementRelationship: atomic
- name: privateKey
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificatePrivateKey
- name: renewBefore
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration
- name: renewBeforePercentage
type:
scalar: numeric
- name: revisionHistoryLimit
type:
scalar: numeric
- name: secretName
type:
scalar: string
default: ""
- name: secretTemplate
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateSecretTemplate
- name: signatureAlgorithm
type:
scalar: string
- name: subject
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.X509Subject
- name: uris
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: usages
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateStatus
map:
fields:
- name: conditions
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateCondition
elementRelationship: associative
keys:
- type
- name: failedIssuanceAttempts
type:
scalar: numeric
- name: lastFailureTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: nextPrivateKeySecretName
type:
scalar: string
- name: notAfter
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: notBefore
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: renewalTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: revision
type:
scalar: numeric
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.ClusterIssuer
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Issuer
map:
fields:
- name: apiVersion
type:
scalar: string
- name: kind
type:
scalar: string
- name: metadata
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
default: {}
- name: spec
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerSpec
default: {}
- name: status
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerStatus
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerCondition
map:
fields:
- name: lastTransitionTime
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: message
type:
scalar: string
- name: observedGeneration
type:
scalar: numeric
- name: reason
type:
scalar: string
- name: status
type:
scalar: string
default: ""
- name: type
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerSpec
map:
fields:
- name: acme
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuer
- name: ca
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CAIssuer
- name: selfSigned
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.SelfSignedIssuer
- name: vault
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultIssuer
- name: venafi
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiIssuer
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerStatus
map:
fields:
- name: acme
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.acme.v1.ACMEIssuerStatus
- name: conditions
type:
list:
elementType:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.IssuerCondition
elementRelationship: associative
keys:
- type
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.JKSKeystore
map:
fields:
- name: alias
type:
scalar: string
- name: create
type:
scalar: boolean
default: false
- name: password
type:
scalar: string
- name: passwordSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.NameConstraintItem
map:
fields:
- name: dnsDomains
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: emailAddresses
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: ipRanges
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: uriDomains
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.NameConstraints
map:
fields:
- name: critical
type:
scalar: boolean
- name: excluded
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.NameConstraintItem
- name: permitted
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.NameConstraintItem
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.OtherName
map:
fields:
- name: oid
type:
scalar: string
- name: utf8Value
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.PKCS12Keystore
map:
fields:
- name: create
type:
scalar: boolean
default: false
- name: password
type:
scalar: string
- name: passwordSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: profile
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.SelfSignedIssuer
map:
fields:
- name: crlDistributionPoints
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.ServiceAccountRef
map:
fields:
- name: audiences
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: name
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultAppRole
map:
fields:
- name: path
type:
scalar: string
default: ""
- name: roleId
type:
scalar: string
default: ""
- name: secretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultAuth
map:
fields:
- name: appRole
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultAppRole
- name: clientCertificate
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultClientCertificateAuth
- name: kubernetes
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultKubernetesAuth
- name: tokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultClientCertificateAuth
map:
fields:
- name: mountPath
type:
scalar: string
- name: name
type:
scalar: string
- name: secretName
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultIssuer
map:
fields:
- name: auth
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultAuth
default: {}
- name: caBundle
type:
scalar: string
- name: caBundleSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: clientCertSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: clientKeySecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: namespace
type:
scalar: string
- name: path
type:
scalar: string
default: ""
- name: server
type:
scalar: string
default: ""
- name: serverName
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VaultKubernetesAuth
map:
fields:
- name: mountPath
type:
scalar: string
- name: role
type:
scalar: string
default: ""
- name: secretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: serviceAccountRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.ServiceAccountRef
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiCloud
map:
fields:
- name: apiTokenSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
default: {}
- name: url
type:
scalar: string
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiIssuer
map:
fields:
- name: cloud
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiCloud
- name: tpp
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiTPP
- name: zone
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.VenafiTPP
map:
fields:
- name: caBundle
type:
scalar: string
- name: caBundleSecretRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
- name: credentialsRef
type:
namedType: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.LocalObjectReference
default: {}
- name: url
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.X509Subject
map:
fields:
- name: countries
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: localities
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: organizationalUnits
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: organizations
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: postalCodes
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: provinces
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: serialNumber
type:
scalar: string
- name: streetAddresses
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.IssuerReference
map:
fields:
- name: group
type:
scalar: string
default: cert-manager.io
- name: kind
type:
scalar: string
default: Issuer
- name: name
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.LocalObjectReference
map:
fields:
- name: name
type:
scalar: string
default: ""
- name: com.github.cert-manager.cert-manager.pkg.apis.meta.v1.SecretKeySelector
map:
fields:
- name: key
type:
scalar: string
- name: name
type:
scalar: string
default: ""
- name: io.k8s.api.core.v1.Affinity
map:
fields:
- name: nodeAffinity
type:
namedType: io.k8s.api.core.v1.NodeAffinity
- name: podAffinity
type:
namedType: io.k8s.api.core.v1.PodAffinity
- name: podAntiAffinity
type:
namedType: io.k8s.api.core.v1.PodAntiAffinity
- name: io.k8s.api.core.v1.LocalObjectReference
map:
fields:
- name: name
type:
scalar: string
default: ""
elementRelationship: atomic
- name: io.k8s.api.core.v1.NodeAffinity
map:
fields:
- name: preferredDuringSchedulingIgnoredDuringExecution
type:
list:
elementType:
namedType: io.k8s.api.core.v1.PreferredSchedulingTerm
elementRelationship: atomic
- name: requiredDuringSchedulingIgnoredDuringExecution
type:
namedType: io.k8s.api.core.v1.NodeSelector
- name: io.k8s.api.core.v1.NodeSelector
map:
fields:
- name: nodeSelectorTerms
type:
list:
elementType:
namedType: io.k8s.api.core.v1.NodeSelectorTerm
elementRelationship: atomic
elementRelationship: atomic
- name: io.k8s.api.core.v1.NodeSelectorRequirement
map:
fields:
- name: key
type:
scalar: string
default: ""
- name: operator
type:
scalar: string
default: ""
- name: values
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: io.k8s.api.core.v1.NodeSelectorTerm
map:
fields:
- name: matchExpressions
type:
list:
elementType:
namedType: io.k8s.api.core.v1.NodeSelectorRequirement
elementRelationship: atomic
- name: matchFields
type:
list:
elementType:
namedType: io.k8s.api.core.v1.NodeSelectorRequirement
elementRelationship: atomic
elementRelationship: atomic
- name: io.k8s.api.core.v1.PodAffinity
map:
fields:
- name: preferredDuringSchedulingIgnoredDuringExecution
type:
list:
elementType:
namedType: io.k8s.api.core.v1.WeightedPodAffinityTerm
elementRelationship: atomic
- name: requiredDuringSchedulingIgnoredDuringExecution
type:
list:
elementType:
namedType: io.k8s.api.core.v1.PodAffinityTerm
elementRelationship: atomic
- name: io.k8s.api.core.v1.PodAffinityTerm
map:
fields:
- name: labelSelector
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
- name: matchLabelKeys
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: mismatchLabelKeys
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: namespaceSelector
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
- name: namespaces
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: topologyKey
type:
scalar: string
default: ""
- name: io.k8s.api.core.v1.PodAntiAffinity
map:
fields:
- name: preferredDuringSchedulingIgnoredDuringExecution
type:
list:
elementType:
namedType: io.k8s.api.core.v1.WeightedPodAffinityTerm
elementRelationship: atomic
- name: requiredDuringSchedulingIgnoredDuringExecution
type:
list:
elementType:
namedType: io.k8s.api.core.v1.PodAffinityTerm
elementRelationship: atomic
- name: io.k8s.api.core.v1.PreferredSchedulingTerm
map:
fields:
- name: preference
type:
namedType: io.k8s.api.core.v1.NodeSelectorTerm
default: {}
- name: weight
type:
scalar: numeric
default: 0
- name: io.k8s.api.core.v1.SELinuxOptions
map:
fields:
- name: level
type:
scalar: string
- name: role
type:
scalar: string
- name: type
type:
scalar: string
- name: user
type:
scalar: string
- name: io.k8s.api.core.v1.SeccompProfile
map:
fields:
- name: localhostProfile
type:
scalar: string
- name: type
type:
scalar: string
default: ""
unions:
- discriminator: type
fields:
- fieldName: localhostProfile
discriminatorValue: LocalhostProfile
- name: io.k8s.api.core.v1.Sysctl
map:
fields:
- name: name
type:
scalar: string
default: ""
- name: value
type:
scalar: string
default: ""
- name: io.k8s.api.core.v1.Toleration
map:
fields:
- name: effect
type:
scalar: string
- name: key
type:
scalar: string
- name: operator
type:
scalar: string
- name: tolerationSeconds
type:
scalar: numeric
- name: value
type:
scalar: string
- name: io.k8s.api.core.v1.WeightedPodAffinityTerm
map:
fields:
- name: podAffinityTerm
type:
namedType: io.k8s.api.core.v1.PodAffinityTerm
default: {}
- name: weight
type:
scalar: numeric
default: 0
- name: io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON
scalar: untyped
list:
elementType:
namedType: __untyped_atomic_
elementRelationship: atomic
map:
elementType:
namedType: __untyped_deduced_
elementRelationship: separable
- name: io.k8s.apimachinery.pkg.api.resource.Quantity
scalar: untyped
- name: io.k8s.apimachinery.pkg.apis.meta.v1.Duration
scalar: string
- name: io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1
map:
elementType:
scalar: untyped
list:
elementType:
namedType: __untyped_atomic_
elementRelationship: atomic
map:
elementType:
namedType: __untyped_deduced_
elementRelationship: separable
- name: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
map:
fields:
- name: matchExpressions
type:
list:
elementType:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement
elementRelationship: atomic
- name: matchLabels
type:
map:
elementType:
scalar: string
elementRelationship: atomic
- name: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement
map:
fields:
- name: key
type:
scalar: string
default: ""
- name: operator
type:
scalar: string
default: ""
- name: values
type:
list:
elementType:
scalar: string
elementRelationship: atomic
- name: io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry
map:
fields:
- name: apiVersion
type:
scalar: string
- name: fieldsType
type:
scalar: string
- name: fieldsV1
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1
- name: manager
type:
scalar: string
- name: operation
type:
scalar: string
- name: subresource
type:
scalar: string
- name: time
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
map:
fields:
- name: annotations
type:
map:
elementType:
scalar: string
- name: creationTimestamp
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: deletionGracePeriodSeconds
type:
scalar: numeric
- name: deletionTimestamp
type:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
- name: finalizers
type:
list:
elementType:
scalar: string
elementRelationship: associative
- name: generateName
type:
scalar: string
- name: generation
type:
scalar: numeric
- name: labels
type:
map:
elementType:
scalar: string
- name: managedFields
type:
list:
elementType:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry
elementRelationship: atomic
- name: name
type:
scalar: string
- name: namespace
type:
scalar: string
- name: ownerReferences
type:
list:
elementType:
namedType: io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference
elementRelationship: associative
keys:
- uid
- name: resourceVersion
type:
scalar: string
- name: selfLink
type:
scalar: string
- name: uid
type:
scalar: string
- name: io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference
map:
fields:
- name: apiVersion
type:
scalar: string
default: ""
- name: blockOwnerDeletion
type:
scalar: boolean
- name: controller
type:
scalar: boolean
- name: kind
type:
scalar: string
default: ""
- name: name
type:
scalar: string
default: ""
- name: uid
type:
scalar: string
default: ""
elementRelationship: atomic
- name: io.k8s.apimachinery.pkg.apis.meta.v1.Time
scalar: untyped
- name: io.k8s.sigs.gateway-api.apis.v1.ParentReference
map:
fields:
- name: group
type:
scalar: string
- name: kind
type:
scalar: string
- name: name
type:
scalar: string
default: ""
- name: namespace
type:
scalar: string
- name: port
type:
scalar: numeric
- name: sectionName
type:
scalar: string
- name: __untyped_atomic_
scalar: untyped
list:
elementType:
namedType: __untyped_atomic_
elementRelationship: atomic
map:
elementType:
namedType: __untyped_atomic_
elementRelationship: atomic
- name: __untyped_deduced_
scalar: untyped
list:
elementType:
namedType: __untyped_atomic_
elementRelationship: atomic
map:
elementType:
namedType: __untyped_deduced_
elementRelationship: separable
`)
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// IssuerReferenceApplyConfiguration represents a declarative configuration of the IssuerReference type for use
// with apply.
//
// Every field is a pointer tagged omitempty, so a field that was never set is left
// out of the serialized apply payload instead of being sent as an empty string; only
// fields explicitly populated through the With* builders become "owned" in the apply.
type IssuerReferenceApplyConfiguration struct {
	// Name is serialized as "name"; nil means "not part of this apply".
	Name *string `json:"name,omitempty"`
	// Kind is serialized as "kind"; nil means "not part of this apply".
	Kind *string `json:"kind,omitempty"`
	// Group is serialized as "group"; nil means "not part of this apply".
	Group *string `json:"group,omitempty"`
}
// IssuerReference returns an empty IssuerReferenceApplyConfiguration. All fields
// start out nil; populate the ones the caller wants to own via the With* builders
// before passing the configuration to an apply call.
func IssuerReference() *IssuerReferenceApplyConfiguration {
	cfg := new(IssuerReferenceApplyConfiguration)
	return cfg
}
// WithName records value as the Name field of the configuration and returns b so
// further With* calls can be chained. Each call overwrites the previous Name; the
// stored pointer refers to a copy private to this call, never to caller storage.
func (b *IssuerReferenceApplyConfiguration) WithName(value string) *IssuerReferenceApplyConfiguration {
	name := value
	b.Name = &name
	return b
}
// WithKind records value as the Kind field of the configuration and returns b so
// further With* calls can be chained. Each call overwrites the previous Kind with a
// freshly allocated copy of value.
func (b *IssuerReferenceApplyConfiguration) WithKind(value string) *IssuerReferenceApplyConfiguration {
	b.Kind = new(string)
	*b.Kind = value
	return b
}
// WithGroup records value as the Group field of the configuration and returns b so
// further With* calls can be chained. The last call wins; the stored pointer refers
// to a copy private to this call.
func (b *IssuerReferenceApplyConfiguration) WithGroup(value string) *IssuerReferenceApplyConfiguration {
	group := value
	b.Group = &group
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// LocalObjectReferenceApplyConfiguration represents a declarative configuration of the LocalObjectReference type for use
// with apply.
//
// The single Name field is a pointer tagged omitempty: an unset Name is omitted from
// the apply payload rather than sent as "".
type LocalObjectReferenceApplyConfiguration struct {
	// Name is serialized as "name"; nil means "not part of this apply".
	Name *string `json:"name,omitempty"`
}
// LocalObjectReference returns an empty LocalObjectReferenceApplyConfiguration
// (Name unset); use WithName to populate it before applying.
func LocalObjectReference() *LocalObjectReferenceApplyConfiguration {
	var cfg LocalObjectReferenceApplyConfiguration
	return &cfg
}
// WithName records value as the Name field and returns b for chaining. Repeated
// calls replace the earlier value; the pointer stored points at a per-call copy.
func (b *LocalObjectReferenceApplyConfiguration) WithName(value string) *LocalObjectReferenceApplyConfiguration {
	name := value
	b.Name = &name
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
// SecretKeySelectorApplyConfiguration represents a declarative configuration of the SecretKeySelector type for use
// with apply.
//
// The embedded LocalObjectReferenceApplyConfiguration is tagged ",inline", so its
// Name field is flattened into this object's JSON (serialized as "name" alongside
// "key") rather than nested under a sub-object.
type SecretKeySelectorApplyConfiguration struct {
	// Inlined: contributes the "name" field; set it through WithName.
	LocalObjectReferenceApplyConfiguration `json:",inline"`
	// Key is serialized as "key"; nil means "not part of this apply".
	Key *string `json:"key,omitempty"`
}
// SecretKeySelector returns an empty SecretKeySelectorApplyConfiguration; both the
// inlined Name and Key start unset and are populated via WithName / WithKey.
func SecretKeySelector() *SecretKeySelectorApplyConfiguration {
	cfg := new(SecretKeySelectorApplyConfiguration)
	return cfg
}
// WithName records value as the Name field of the inlined
// LocalObjectReferenceApplyConfiguration and returns b for chaining. It delegates
// to the embedded type's own WithName, which stores a pointer to a per-call copy;
// the last call wins.
func (b *SecretKeySelectorApplyConfiguration) WithName(value string) *SecretKeySelectorApplyConfiguration {
	b.LocalObjectReferenceApplyConfiguration.WithName(value)
	return b
}
// WithKey records value as the Key field and returns b for chaining. Repeated
// calls replace the earlier value; the pointer stored points at a per-call copy.
func (b *SecretKeySelectorApplyConfiguration) WithKey(value string) *SecretKeySelectorApplyConfiguration {
	key := value
	b.Key = &key
	return b
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package applyconfigurations
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
applyconfigurationscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
applyconfigurationsmetav1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
managedfields "k8s.io/apimachinery/pkg/util/managedfields"
)
// ForKind returns a fresh, empty apply configuration for the given GroupVersionKind,
// or nil if no apply configuration type exists for it.
//
// The lookup is keyed on the full GroupVersionKind, not on the bare Kind: the same
// kind name can exist in more than one group (ServiceAccountRef is present in both
// acme.cert-manager.io/v1 and cert-manager.io/v1), so matching on Kind alone would
// return the wrong type.
func ForKind(kind schema.GroupVersionKind) interface{} {
	// Dispatch on group/version first, then on the kind name within that group.
	switch kind.GroupVersion() {
	case v1.SchemeGroupVersion: // Group=acme.cert-manager.io, Version=v1
		switch kind.Kind {
		case "ACMEAuthorization":
			return &acmev1.ACMEAuthorizationApplyConfiguration{}
		case "ACMEChallenge":
			return &acmev1.ACMEChallengeApplyConfiguration{}
		case "ACMEChallengeSolver":
			return &acmev1.ACMEChallengeSolverApplyConfiguration{}
		case "ACMEChallengeSolverDNS01":
			return &acmev1.ACMEChallengeSolverDNS01ApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01":
			return &acmev1.ACMEChallengeSolverHTTP01ApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01GatewayHTTPRoute":
			return &acmev1.ACMEChallengeSolverHTTP01GatewayHTTPRouteApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01Ingress":
			return &acmev1.ACMEChallengeSolverHTTP01IngressApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressObjectMeta":
			return &acmev1.ACMEChallengeSolverHTTP01IngressObjectMetaApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressPodObjectMeta":
			return &acmev1.ACMEChallengeSolverHTTP01IngressPodObjectMetaApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressPodResources":
			return &acmev1.ACMEChallengeSolverHTTP01IngressPodResourcesApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressPodSecurityContext":
			return &acmev1.ACMEChallengeSolverHTTP01IngressPodSecurityContextApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressPodSpec":
			return &acmev1.ACMEChallengeSolverHTTP01IngressPodSpecApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressPodTemplate":
			return &acmev1.ACMEChallengeSolverHTTP01IngressPodTemplateApplyConfiguration{}
		case "ACMEChallengeSolverHTTP01IngressTemplate":
			return &acmev1.ACMEChallengeSolverHTTP01IngressTemplateApplyConfiguration{}
		case "ACMEExternalAccountBinding":
			return &acmev1.ACMEExternalAccountBindingApplyConfiguration{}
		case "ACMEIssuer":
			return &acmev1.ACMEIssuerApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderAcmeDNS":
			return &acmev1.ACMEIssuerDNS01ProviderAcmeDNSApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderAkamai":
			return &acmev1.ACMEIssuerDNS01ProviderAkamaiApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderAzureDNS":
			return &acmev1.ACMEIssuerDNS01ProviderAzureDNSApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderCloudDNS":
			return &acmev1.ACMEIssuerDNS01ProviderCloudDNSApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderCloudflare":
			return &acmev1.ACMEIssuerDNS01ProviderCloudflareApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderDigitalOcean":
			return &acmev1.ACMEIssuerDNS01ProviderDigitalOceanApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderRFC2136":
			return &acmev1.ACMEIssuerDNS01ProviderRFC2136ApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderRoute53":
			return &acmev1.ACMEIssuerDNS01ProviderRoute53ApplyConfiguration{}
		case "ACMEIssuerDNS01ProviderWebhook":
			return &acmev1.ACMEIssuerDNS01ProviderWebhookApplyConfiguration{}
		case "ACMEIssuerStatus":
			return &acmev1.ACMEIssuerStatusApplyConfiguration{}
		case "AzureManagedIdentity":
			return &acmev1.AzureManagedIdentityApplyConfiguration{}
		case "CertificateDNSNameSelector":
			return &acmev1.CertificateDNSNameSelectorApplyConfiguration{}
		case "Challenge":
			return &acmev1.ChallengeApplyConfiguration{}
		case "ChallengeSpec":
			return &acmev1.ChallengeSpecApplyConfiguration{}
		case "ChallengeStatus":
			return &acmev1.ChallengeStatusApplyConfiguration{}
		case "Order":
			return &acmev1.OrderApplyConfiguration{}
		case "OrderSpec":
			return &acmev1.OrderSpecApplyConfiguration{}
		case "OrderStatus":
			return &acmev1.OrderStatusApplyConfiguration{}
		case "Route53Auth":
			return &acmev1.Route53AuthApplyConfiguration{}
		case "Route53KubernetesAuth":
			return &acmev1.Route53KubernetesAuthApplyConfiguration{}
		case "ServiceAccountRef":
			return &acmev1.ServiceAccountRefApplyConfiguration{}
		}
	case certmanagerv1.SchemeGroupVersion: // Group=cert-manager.io, Version=v1
		switch kind.Kind {
		case "CAIssuer":
			return &applyconfigurationscertmanagerv1.CAIssuerApplyConfiguration{}
		case "Certificate":
			return &applyconfigurationscertmanagerv1.CertificateApplyConfiguration{}
		case "CertificateAdditionalOutputFormat":
			return &applyconfigurationscertmanagerv1.CertificateAdditionalOutputFormatApplyConfiguration{}
		case "CertificateCondition":
			return &applyconfigurationscertmanagerv1.CertificateConditionApplyConfiguration{}
		case "CertificateKeystores":
			return &applyconfigurationscertmanagerv1.CertificateKeystoresApplyConfiguration{}
		case "CertificatePrivateKey":
			return &applyconfigurationscertmanagerv1.CertificatePrivateKeyApplyConfiguration{}
		case "CertificateRequest":
			return &applyconfigurationscertmanagerv1.CertificateRequestApplyConfiguration{}
		case "CertificateRequestCondition":
			return &applyconfigurationscertmanagerv1.CertificateRequestConditionApplyConfiguration{}
		case "CertificateRequestSpec":
			return &applyconfigurationscertmanagerv1.CertificateRequestSpecApplyConfiguration{}
		case "CertificateRequestStatus":
			return &applyconfigurationscertmanagerv1.CertificateRequestStatusApplyConfiguration{}
		case "CertificateSecretTemplate":
			return &applyconfigurationscertmanagerv1.CertificateSecretTemplateApplyConfiguration{}
		case "CertificateSpec":
			return &applyconfigurationscertmanagerv1.CertificateSpecApplyConfiguration{}
		case "CertificateStatus":
			return &applyconfigurationscertmanagerv1.CertificateStatusApplyConfiguration{}
		case "ClusterIssuer":
			return &applyconfigurationscertmanagerv1.ClusterIssuerApplyConfiguration{}
		case "Issuer":
			return &applyconfigurationscertmanagerv1.IssuerApplyConfiguration{}
		case "IssuerCondition":
			return &applyconfigurationscertmanagerv1.IssuerConditionApplyConfiguration{}
		case "IssuerConfig":
			return &applyconfigurationscertmanagerv1.IssuerConfigApplyConfiguration{}
		case "IssuerSpec":
			return &applyconfigurationscertmanagerv1.IssuerSpecApplyConfiguration{}
		case "IssuerStatus":
			return &applyconfigurationscertmanagerv1.IssuerStatusApplyConfiguration{}
		case "JKSKeystore":
			return &applyconfigurationscertmanagerv1.JKSKeystoreApplyConfiguration{}
		case "NameConstraintItem":
			return &applyconfigurationscertmanagerv1.NameConstraintItemApplyConfiguration{}
		case "NameConstraints":
			return &applyconfigurationscertmanagerv1.NameConstraintsApplyConfiguration{}
		case "OtherName":
			return &applyconfigurationscertmanagerv1.OtherNameApplyConfiguration{}
		case "PKCS12Keystore":
			return &applyconfigurationscertmanagerv1.PKCS12KeystoreApplyConfiguration{}
		case "SelfSignedIssuer":
			return &applyconfigurationscertmanagerv1.SelfSignedIssuerApplyConfiguration{}
		case "ServiceAccountRef":
			return &applyconfigurationscertmanagerv1.ServiceAccountRefApplyConfiguration{}
		case "VaultAppRole":
			return &applyconfigurationscertmanagerv1.VaultAppRoleApplyConfiguration{}
		case "VaultAuth":
			return &applyconfigurationscertmanagerv1.VaultAuthApplyConfiguration{}
		case "VaultClientCertificateAuth":
			return &applyconfigurationscertmanagerv1.VaultClientCertificateAuthApplyConfiguration{}
		case "VaultIssuer":
			return &applyconfigurationscertmanagerv1.VaultIssuerApplyConfiguration{}
		case "VaultKubernetesAuth":
			return &applyconfigurationscertmanagerv1.VaultKubernetesAuthApplyConfiguration{}
		case "VenafiCloud":
			return &applyconfigurationscertmanagerv1.VenafiCloudApplyConfiguration{}
		case "VenafiIssuer":
			return &applyconfigurationscertmanagerv1.VenafiIssuerApplyConfiguration{}
		case "VenafiTPP":
			return &applyconfigurationscertmanagerv1.VenafiTPPApplyConfiguration{}
		case "X509Subject":
			return &applyconfigurationscertmanagerv1.X509SubjectApplyConfiguration{}
		}
	case metav1.SchemeGroupVersion: // Group=meta, Version=v1
		switch kind.Kind {
		case "IssuerReference":
			return &applyconfigurationsmetav1.IssuerReferenceApplyConfiguration{}
		case "LocalObjectReference":
			return &applyconfigurationsmetav1.LocalObjectReferenceApplyConfiguration{}
		case "SecretKeySelector":
			return &applyconfigurationsmetav1.SecretKeySelectorApplyConfiguration{}
		}
	}
	// Unknown group/version or unknown kind within a known group.
	return nil
}
// NewTypeConverter builds a managedfields.TypeConverter for scheme, backed by the
// field schema returned by internal.Parser(). The fake clientset's NewClientset
// uses it to give its field-managed object tracker knowledge of each type's
// structure; callers elsewhere get the same converter semantics.
func NewTypeConverter(scheme *runtime.Scheme) managedfields.TypeConverter {
	parser := internal.Parser()
	converter := managedfields.NewSchemeTypeConverter(scheme, parser)
	return converter
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package versioned
import (
fmt "fmt"
http "net/http"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
discovery "k8s.io/client-go/discovery"
rest "k8s.io/client-go/rest"
flowcontrol "k8s.io/client-go/util/flowcontrol"
)
// Interface is the contract a cert-manager clientset satisfies: one typed client
// per served API group plus discovery. *Clientset (below) and the fake in the
// fake package both implement it, so code can depend on Interface and be handed
// either.
type Interface interface {
	// Discovery returns the discovery client for the API server.
	Discovery() discovery.DiscoveryInterface
	// AcmeV1 returns the typed client for the acme.cert-manager.io/v1 group.
	AcmeV1() acmev1.AcmeV1Interface
	// CertmanagerV1 returns the typed client for the cert-manager.io/v1 group.
	CertmanagerV1() certmanagerv1.CertmanagerV1Interface
}
// Clientset contains the clients for groups. It embeds the discovery client and
// keeps one typed client per API group; all of them are built over the same
// *http.Client in NewForConfigAndClient, so transport settings (TLS, auth,
// rate limiting) are shared rather than configured per group.
type Clientset struct {
	*discovery.DiscoveryClient
	// acmeV1 serves acme.cert-manager.io/v1; exposed via AcmeV1().
	acmeV1 *acmev1.AcmeV1Client
	// certmanagerV1 serves cert-manager.io/v1; exposed via CertmanagerV1().
	certmanagerV1 *certmanagerv1.CertmanagerV1Client
}
// AcmeV1 returns the typed client for the acme.cert-manager.io/v1 group that was
// set up when this Clientset was constructed.
func (c *Clientset) AcmeV1() acmev1.AcmeV1Interface {
	client := c.acmeV1
	return client
}
// CertmanagerV1 returns the typed client for the cert-manager.io/v1 group that was
// set up when this Clientset was constructed.
func (c *Clientset) CertmanagerV1() certmanagerv1.CertmanagerV1Interface {
	client := c.certmanagerV1
	return client
}
// Discovery returns the embedded discovery client. A nil receiver yields a nil
// interface; note that a non-nil receiver whose DiscoveryClient pointer is nil
// yields a non-nil interface wrapping that nil pointer, so callers that need to
// detect "no discovery client" must check the receiver, not the result.
func (c *Clientset) Discovery() discovery.DiscoveryInterface {
	if c != nil {
		return c.DiscoveryClient
	}
	return nil
}
// NewForConfig creates a new Clientset for the given config.
// If config's RateLimiter is not set and QPS and Burst are acceptable,
// NewForConfig will generate a rate-limiter in the config copy.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).
//
// The caller's *rest.Config is not modified: a shallow copy is taken first, so the
// UserAgent default (and the limiter added downstream) land on the copy. Fields
// that are themselves pointers or maps remain shared with the caller's config.
func NewForConfig(c *rest.Config) (*Clientset, error) {
	cfg := *c
	if cfg.UserAgent == "" {
		cfg.UserAgent = rest.DefaultKubernetesUserAgent()
	}

	// A single transport is built once here and reused by every typed client.
	hc, err := rest.HTTPClientFor(&cfg)
	if err != nil {
		return nil, err
	}
	return NewForConfigAndClient(&cfg, hc)
}
// NewForConfigAndClient creates a new Clientset for the given config and http client.
// Note the http client provided takes precedence over the configured transport values.
// If config's RateLimiter is not set and QPS and Burst are acceptable,
// NewForConfigAndClient will generate a rate-limiter in the config copy.
//
// Returns an error when QPS is set without a positive Burst (a token-bucket
// limiter cannot be built from that), or when any of the per-group or discovery
// clients fails to construct; on error the partially built Clientset is discarded.
func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) {
	cfg := *c

	// Only synthesize a client-side limiter when the caller asked for QPS but
	// did not supply a limiter of their own.
	if cfg.RateLimiter == nil && cfg.QPS > 0 {
		if cfg.Burst <= 0 {
			return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
		}
		cfg.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(cfg.QPS, cfg.Burst)
	}

	acme, err := acmev1.NewForConfigAndClient(&cfg, httpClient)
	if err != nil {
		return nil, err
	}
	cm, err := certmanagerv1.NewForConfigAndClient(&cfg, httpClient)
	if err != nil {
		return nil, err
	}
	disc, err := discovery.NewDiscoveryClientForConfigAndClient(&cfg, httpClient)
	if err != nil {
		return nil, err
	}

	return &Clientset{
		DiscoveryClient: disc,
		acmeV1:          acme,
		certmanagerV1:   cm,
	}, nil
}
// NewForConfigOrDie is NewForConfig for callers that treat a bad config as a
// programming error: it panics with the error instead of returning it. Prefer
// NewForConfig anywhere the config comes from user or environment input.
func NewForConfigOrDie(c *rest.Config) *Clientset {
	cs, err := NewForConfig(c)
	if err == nil {
		return cs
	}
	panic(err)
}
// New creates a new Clientset for the given RESTClient. Unlike NewForConfig it
// performs no configuration handling at all: every group client and discovery
// wrap the supplied rest.Interface directly, and nothing can fail here.
func New(c rest.Interface) *Clientset {
	return &Clientset{
		acmeV1:          acmev1.New(c),
		certmanagerV1:   certmanagerv1.New(c),
		DiscoveryClient: discovery.NewDiscoveryClient(c),
	}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
applyconfigurations "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations"
clientset "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1"
fakeacmev1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/fake"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
fakecertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/fake"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/watch"
"k8s.io/client-go/discovery"
fakediscovery "k8s.io/client-go/discovery/fake"
"k8s.io/client-go/testing"
)
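// NewSimpleClientset returns a clientset that will respond with the provided objects.
// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
// without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
// for a real clientset and is mostly useful in simple unit tests.
//
// Because nothing is validated or defaulted here, a test that passes against this
// fake says nothing about what a real API server (schema validation, admission)
// would accept or reject.
//
// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
// server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
// via --with-applyconfig).
//
// Panics if the tracker rejects any of the seed objects.
func NewSimpleClientset(objects ...runtime.Object) *Clientset {
	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
	for _, obj := range objects {
		if err := o.Add(obj); err != nil {
			panic(err)
		}
	}
	cs := &Clientset{tracker: o}
	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
	// Every verb on every resource is answered straight from the tracker.
	cs.AddReactor("*", "*", testing.ObjectReaction(o))
	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
		var opts metav1.ListOptions
		if watchAction, ok := action.(testing.WatchActionImpl); ok {
			opts = watchAction.ListOptions
		}
		gvr := action.GetResource()
		ns := action.GetNamespace()
		// Named w rather than watch so the imported watch package is not shadowed.
		w, err := o.Watch(gvr, ns, opts)
		if err != nil {
			return false, nil, err
		}
		return true, w, nil
	})
	return cs
}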
// Clientset implements clientset.Interface. Meant to be embedded into a
// struct to get a default implementation. This makes faking out just the method
// you want to test easier.
//
// The zero value is not useful on its own: discovery and tracker are only wired
// up by NewSimpleClientset / NewClientset.
type Clientset struct {
	testing.Fake
	// discovery is the fake discovery client returned by Discovery(); the
	// constructors point it at this struct's Fake so it shares recorded actions.
	discovery *fakediscovery.FakeDiscovery
	// tracker is the object store every reactor registered by the constructors
	// reads from and writes to; exposed via Tracker().
	tracker testing.ObjectTracker
}
// Discovery returns the fake discovery client attached by the constructor. As with
// the real clientset, a nil *FakeDiscovery is returned wrapped in a non-nil interface.
func (c *Clientset) Discovery() discovery.DiscoveryInterface {
	d := c.discovery
	return d
}
// Tracker exposes the object tracker backing this fake so tests can seed or
// inspect state directly, bypassing the reactors.
func (c *Clientset) Tracker() testing.ObjectTracker {
	t := c.tracker
	return t
}
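// NewClientset returns a clientset that will respond with the provided objects.
// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
// without applying any validations and/or defaults. It shouldn't be considered a replacement
// for a real clientset and is mostly useful in simple unit tests.
//
// Unlike NewSimpleClientset, the tracker here is field-managed: it is given a
// type converter built from the generated apply-configuration schema, so
// server-side-apply field ownership is modelled. Validation and defaulting are
// still absent, so acceptance by this fake does not imply acceptance by a real
// API server.
//
// Panics if the tracker rejects any of the seed objects.
func NewClientset(objects ...runtime.Object) *Clientset {
	o := testing.NewFieldManagedObjectTracker(
		scheme,
		codecs.UniversalDecoder(),
		applyconfigurations.NewTypeConverter(scheme),
	)
	for _, obj := range objects {
		if err := o.Add(obj); err != nil {
			panic(err)
		}
	}
	cs := &Clientset{tracker: o}
	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
	// Every verb on every resource is answered straight from the tracker.
	cs.AddReactor("*", "*", testing.ObjectReaction(o))
	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
		var opts metav1.ListOptions
		if watchAction, ok := action.(testing.WatchActionImpl); ok {
			opts = watchAction.ListOptions
		}
		gvr := action.GetResource()
		ns := action.GetNamespace()
		// Named w rather than watch so the imported watch package is not shadowed.
		w, err := o.Watch(gvr, ns, opts)
		if err != nil {
			return false, nil, err
		}
		return true, w, nil
	})
	return cs
}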
// Compile-time assertions: *Clientset must satisfy both the generated
// clientset.Interface and client-go's testing.FakeClient contract.
var (
	_ clientset.Interface = &Clientset{}
	_ testing.FakeClient  = &Clientset{}
)
// AcmeV1 returns a fake typed client for acme.cert-manager.io/v1. A new wrapper is
// allocated on each call, but every wrapper points at this Clientset's Fake, so
// reactors and recorded actions are shared across all of them.
func (c *Clientset) AcmeV1() acmev1.AcmeV1Interface {
	client := fakeacmev1.FakeAcmeV1{Fake: &c.Fake}
	return &client
}
// CertmanagerV1 returns a fake typed client for cert-manager.io/v1. A new wrapper
// is allocated on each call, but every wrapper points at this Clientset's Fake,
// so reactors and recorded actions are shared across all of them.
func (c *Clientset) CertmanagerV1() certmanagerv1.CertmanagerV1Interface {
	client := fakecertmanagerv1.FakeCertmanagerV1{Fake: &c.Fake}
	return &client
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
serializer "k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
)
// scheme is the package-private runtime scheme the fake clientset decodes and
// tracks objects against; it is populated in init below.
var scheme = runtime.NewScheme()

// codecs wraps scheme; its UniversalDecoder is what NewSimpleClientset and
// NewClientset hand to the object tracker.
var codecs = serializer.NewCodecFactory(scheme)

// localSchemeBuilder lists the registration functions for the API groups this
// clientset serves (acme.cert-manager.io/v1 and cert-manager.io/v1).
var localSchemeBuilder = runtime.SchemeBuilder{
	acmev1.AddToScheme,
	certmanagerv1.AddToScheme,
}

// AddToScheme adds all types of this clientset into the given scheme. This allows composition
// of clientsets, like in:
//
//	import (
//	  "k8s.io/client-go/kubernetes"
//	  clientsetscheme "k8s.io/client-go/kubernetes/scheme"
//	  aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
//	)
//
//	kclientset, _ := kubernetes.NewForConfig(c)
//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
//
// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
// correctly.
var AddToScheme = localSchemeBuilder.AddToScheme
// init registers the meta/v1 types and every group served by this clientset
// into the package scheme at program start.
func init() {
	// Register apimachinery's meta/v1 types (Status, ListOptions, ...) under the
	// unversioned "v1" group so that API responses of those kinds decode.
	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
	// Fail fast: a registration error here is a programming error, so the
	// process panics during init rather than producing undecodable objects later.
	utilruntime.Must(AddToScheme(scheme))
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package scheme
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
serializer "k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
)
var (
	// Scheme is the exported runtime.Scheme shared by the versioned clientset.
	Scheme = runtime.NewScheme()
	// Codecs wraps Scheme in a codec factory used to negotiate serializers.
	Codecs = serializer.NewCodecFactory(Scheme)
	// ParameterCodec encodes query parameters (list/get options) against Scheme.
	ParameterCodec = runtime.NewParameterCodec(Scheme)

	// localSchemeBuilder collects the AddToScheme functions of every API group
	// this clientset serves.
	localSchemeBuilder = runtime.SchemeBuilder{
		acmev1.AddToScheme,
		certmanagerv1.AddToScheme,
	}

	// AddToScheme adds all types of this clientset into the given scheme. This allows composition
	// of clientsets, like in:
	//
	//	import (
	//		"k8s.io/client-go/kubernetes"
	//		clientsetscheme "k8s.io/client-go/kubernetes/scheme"
	//		aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
	//	)
	//
	//	kclientset, _ := kubernetes.NewForConfig(c)
	//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
	//
	// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
	// correctly.
	AddToScheme = localSchemeBuilder.AddToScheme
)
// init registers the meta/v1 types and every group served by this clientset
// into the exported Scheme at program start.
func init() {
	// Register apimachinery's meta/v1 types (Status, ListOptions, ...) under the
	// unversioned "v1" group so that API responses of those kinds decode.
	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
	// Fail fast: a registration error is a programming error, so the process
	// panics during init rather than producing undecodable objects later.
	utilruntime.Must(AddToScheme(Scheme))
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
http "net/http"
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
rest "k8s.io/client-go/rest"
)
// AcmeV1Interface is the client contract for the acme.cert-manager.io/v1 API
// group: access to the underlying REST client plus one getter per resource.
type AcmeV1Interface interface {
	// RESTClient returns the REST client used to talk to the API server.
	RESTClient() rest.Interface
	ChallengesGetter
	OrdersGetter
}
// AcmeV1Client is used to interact with features provided by the acme.cert-manager.io group.
//
// Construct it with NewForConfig, NewForConfigAndClient, NewForConfigOrDie or New;
// the zero value has a nil restClient and is not usable for requests.
type AcmeV1Client struct {
	// restClient performs the HTTP requests; it carries the credentials and
	// transport configured from the rest.Config it was built with.
	restClient rest.Interface
}
// Challenges returns a ChallengeInterface scoped to the given namespace.
func (c *AcmeV1Client) Challenges(namespace string) ChallengeInterface {
	client := newChallenges(c, namespace)
	return client
}
// Orders returns an OrderInterface scoped to the given namespace.
func (c *AcmeV1Client) Orders(namespace string) OrderInterface {
	client := newOrders(c, namespace)
	return client
}
// NewForConfig creates a new AcmeV1Client for the given config.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).
//
// The config is shallow-copied before defaults are applied, so the caller's
// rest.Config (which typically carries credentials and TLS settings) is left
// untouched; only top-level fields are modified, so a shallow copy suffices.
// A nil c panics when dereferenced.
func NewForConfig(c *rest.Config) (*AcmeV1Client, error) {
	cfg := *c
	setConfigDefaults(&cfg)
	httpClient, err := rest.HTTPClientFor(&cfg)
	if err == nil {
		return NewForConfigAndClient(&cfg, httpClient)
	}
	return nil, err
}
// NewForConfigAndClient creates a new AcmeV1Client for the given config and http client.
// Note the http client provided takes precedence over the configured transport values.
//
// The config is shallow-copied before defaults are applied so the caller's
// rest.Config is not mutated. Because h overrides the transport, any TLS or
// auth settings in c that live on the transport are only honoured if h was
// itself built from c (as NewForConfig does). A nil c panics when dereferenced.
func NewForConfigAndClient(c *rest.Config, h *http.Client) (*AcmeV1Client, error) {
	cfg := *c
	setConfigDefaults(&cfg)
	restClient, err := rest.RESTClientForConfigAndClient(&cfg, h)
	if err == nil {
		return &AcmeV1Client{restClient: restClient}, nil
	}
	return nil, err
}
// NewForConfigOrDie creates a new AcmeV1Client for the given config and
// panics if there is an error in the config.
//
// Intended for program start-up where an invalid config should abort the
// process; prefer NewForConfig where the error can be handled.
func NewForConfigOrDie(c *rest.Config) *AcmeV1Client {
	client, err := NewForConfig(c)
	if err == nil {
		return client
	}
	panic(err)
}
// New creates a new AcmeV1Client for the given RESTClient.
//
// No validation is performed; a nil c yields a client whose RESTClient()
// returns nil.
func New(c rest.Interface) *AcmeV1Client {
	return &AcmeV1Client{restClient: c}
}
// setConfigDefaults fills in the group-specific fields of config in place:
// the acme/v1 GroupVersion, the "/apis" path prefix, a serializer negotiated
// from the clientset scheme without conversion, and the default Kubernetes
// user agent when none is set. Only top-level fields are written.
func setConfigDefaults(config *rest.Config) {
	groupVersion := acmev1.SchemeGroupVersion
	config.GroupVersion = &groupVersion
	config.APIPath = "/apis"
	codecFactory := rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs)
	config.NegotiatedSerializer = codecFactory.WithoutConversion()
	// Keep a caller-supplied user agent; it is what server-side audit logs record.
	if len(config.UserAgent) == 0 {
		config.UserAgent = rest.DefaultKubernetesUserAgent()
	}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
//
// A nil receiver yields a literal nil interface (not a typed nil), so the
// result can safely be compared against nil.
func (c *AcmeV1Client) RESTClient() rest.Interface {
	if c != nil {
		return c.restClient
	}
	return nil
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
applyconfigurationsacmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// ChallengesGetter has a method to return a ChallengeInterface.
// A group's client should implement this interface.
type ChallengesGetter interface {
	// Challenges returns a client for Challenge resources in namespace.
	Challenges(namespace string) ChallengeInterface
}
// ChallengeInterface has methods to work with Challenge resources.
//
// Every call takes a context for cancellation and deadlines and is scoped to
// the namespace the client was created with; authorization is enforced by the
// API server, not by this client.
type ChallengeInterface interface {
	// Create submits a new Challenge and returns the server's copy.
	Create(ctx context.Context, challenge *acmev1.Challenge, opts metav1.CreateOptions) (*acmev1.Challenge, error)
	// Update replaces an existing Challenge and returns the server's copy.
	Update(ctx context.Context, challenge *acmev1.Challenge, opts metav1.UpdateOptions) (*acmev1.Challenge, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	// UpdateStatus updates the status subresource of a Challenge.
	UpdateStatus(ctx context.Context, challenge *acmev1.Challenge, opts metav1.UpdateOptions) (*acmev1.Challenge, error)
	// Delete removes the named Challenge.
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every Challenge matching listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	// Get fetches the named Challenge.
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*acmev1.Challenge, error)
	// List returns the Challenges matching opts.
	List(ctx context.Context, opts metav1.ListOptions) (*acmev1.ChallengeList, error)
	// Watch streams change events for Challenges matching opts.
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies the raw patch in data, interpreted according to pt, to the
	// named Challenge (or one of its subresources); data must be a well-formed
	// patch document of that type.
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *acmev1.Challenge, err error)
	// Apply performs a server-side apply of the given apply configuration.
	Apply(ctx context.Context, challenge *applyconfigurationsacmev1.ChallengeApplyConfiguration, opts metav1.ApplyOptions) (result *acmev1.Challenge, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	// ApplyStatus performs a server-side apply against the status subresource.
	ApplyStatus(ctx context.Context, challenge *applyconfigurationsacmev1.ChallengeApplyConfiguration, opts metav1.ApplyOptions) (result *acmev1.Challenge, err error)
	// ChallengeExpansion holds hand-written additions, if any; see the expansion file.
	ChallengeExpansion
}
// challenges implements ChallengeInterface
//
// All CRUD, list, watch and apply behaviour comes from the embedded generic
// client; this type only pins the concrete resource, list and apply types.
type challenges struct {
	*gentype.ClientWithListAndApply[*acmev1.Challenge, *acmev1.ChallengeList, *applyconfigurationsacmev1.ChallengeApplyConfiguration]
}
// newChallenges returns a Challenges client bound to c's REST client and
// scoped to namespace. The resource name "challenges" and the clientset's
// ParameterCodec are fixed here; the two constructors supply fresh zero-valued
// objects for the generic client to decode into.
func newChallenges(c *AcmeV1Client, namespace string) *challenges {
	inner := gentype.NewClientWithListAndApply[*acmev1.Challenge, *acmev1.ChallengeList, *applyconfigurationsacmev1.ChallengeApplyConfiguration](
		"challenges",
		c.RESTClient(),
		scheme.ParameterCodec,
		namespace,
		func() *acmev1.Challenge { return new(acmev1.Challenge) },
		func() *acmev1.ChallengeList { return new(acmev1.ChallengeList) },
	)
	return &challenges{inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
// FakeAcmeV1 is the in-memory test double for the acme.cert-manager.io/v1
// group client. It never contacts an API server; every request is routed to
// the embedded testing.Fake, whose reactor chain and recorded actions the
// test controls.
type FakeAcmeV1 struct {
	*testing.Fake
}
// Challenges returns a fake ChallengeInterface scoped to namespace.
func (c *FakeAcmeV1) Challenges(namespace string) v1.ChallengeInterface {
	client := newFakeChallenges(c, namespace)
	return client
}
// Orders returns a fake OrderInterface scoped to namespace.
func (c *FakeAcmeV1) Orders(namespace string) v1.OrderInterface {
	client := newFakeOrders(c, namespace)
	return client
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
//
// The fake has no REST client. Note that the value returned is a nil
// *rest.RESTClient boxed in a rest.Interface, so it compares unequal to nil;
// callers must not rely on a nil check to detect the fake.
func (c *FakeAcmeV1) RESTClient() rest.Interface {
	return (*rest.RESTClient)(nil)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
typedacmev1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeChallenges implements ChallengeInterface
//
// The embedded generic fake client serves every method from the object
// tracker behind Fake; Fake is also kept directly for callers that need the
// owning group client.
type fakeChallenges struct {
	*gentype.FakeClientWithListAndApply[*v1.Challenge, *v1.ChallengeList, *acmev1.ChallengeApplyConfiguration]
	Fake *FakeAcmeV1
}
// newFakeChallenges builds a fake Challenge client scoped to namespace on top
// of fake's testing.Fake. The resource/kind identifiers and the list-item
// accessors are what let the generic fake store and return ChallengeList
// objects; the accessor callbacks only copy ListMeta and convert Items to and
// from pointer slices.
func newFakeChallenges(fake *FakeAcmeV1, namespace string) typedacmev1.ChallengeInterface {
	gvr := v1.SchemeGroupVersion.WithResource("challenges")
	gvk := v1.SchemeGroupVersion.WithKind("Challenge")
	inner := gentype.NewFakeClientWithListAndApply[*v1.Challenge, *v1.ChallengeList, *acmev1.ChallengeApplyConfiguration](
		fake.Fake,
		namespace,
		gvr,
		gvk,
		func() *v1.Challenge { return new(v1.Challenge) },
		func() *v1.ChallengeList { return new(v1.ChallengeList) },
		func(dst, src *v1.ChallengeList) { dst.ListMeta = src.ListMeta },
		func(list *v1.ChallengeList) []*v1.Challenge { return gentype.ToPointerSlice(list.Items) },
		func(list *v1.ChallengeList, items []*v1.Challenge) { list.Items = gentype.FromPointerSlice(items) },
	)
	return &fakeChallenges{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
typedacmev1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeOrders implements OrderInterface
//
// The embedded generic fake client serves every method from the object
// tracker behind Fake; Fake is also kept directly for callers that need the
// owning group client.
type fakeOrders struct {
	*gentype.FakeClientWithListAndApply[*v1.Order, *v1.OrderList, *acmev1.OrderApplyConfiguration]
	Fake *FakeAcmeV1
}
// newFakeOrders builds a fake Order client scoped to namespace on top of
// fake's testing.Fake. The resource/kind identifiers and the list-item
// accessors are what let the generic fake store and return OrderList objects;
// the accessor callbacks only copy ListMeta and convert Items to and from
// pointer slices.
func newFakeOrders(fake *FakeAcmeV1, namespace string) typedacmev1.OrderInterface {
	gvr := v1.SchemeGroupVersion.WithResource("orders")
	gvk := v1.SchemeGroupVersion.WithKind("Order")
	inner := gentype.NewFakeClientWithListAndApply[*v1.Order, *v1.OrderList, *acmev1.OrderApplyConfiguration](
		fake.Fake,
		namespace,
		gvr,
		gvk,
		func() *v1.Order { return new(v1.Order) },
		func() *v1.OrderList { return new(v1.OrderList) },
		func(dst, src *v1.OrderList) { dst.ListMeta = src.ListMeta },
		func(list *v1.OrderList) []*v1.Order { return gentype.ToPointerSlice(list.Items) },
		func(list *v1.OrderList, items []*v1.Order) { list.Items = gentype.FromPointerSlice(items) },
	)
	return &fakeOrders{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
applyconfigurationsacmev1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// OrdersGetter has a method to return an OrderInterface.
// A group's client should implement this interface.
type OrdersGetter interface {
	// Orders returns a client for Order resources in namespace.
	Orders(namespace string) OrderInterface
}
// OrderInterface has methods to work with Order resources.
//
// Every call takes a context for cancellation and deadlines and is scoped to
// the namespace the client was created with; authorization is enforced by the
// API server, not by this client.
type OrderInterface interface {
	// Create submits a new Order and returns the server's copy.
	Create(ctx context.Context, order *acmev1.Order, opts metav1.CreateOptions) (*acmev1.Order, error)
	// Update replaces an existing Order and returns the server's copy.
	Update(ctx context.Context, order *acmev1.Order, opts metav1.UpdateOptions) (*acmev1.Order, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	// UpdateStatus updates the status subresource of an Order.
	UpdateStatus(ctx context.Context, order *acmev1.Order, opts metav1.UpdateOptions) (*acmev1.Order, error)
	// Delete removes the named Order.
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every Order matching listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	// Get fetches the named Order.
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*acmev1.Order, error)
	// List returns the Orders matching opts.
	List(ctx context.Context, opts metav1.ListOptions) (*acmev1.OrderList, error)
	// Watch streams change events for Orders matching opts.
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies the raw patch in data, interpreted according to pt, to the
	// named Order (or one of its subresources); data must be a well-formed
	// patch document of that type.
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *acmev1.Order, err error)
	// Apply performs a server-side apply of the given apply configuration.
	Apply(ctx context.Context, order *applyconfigurationsacmev1.OrderApplyConfiguration, opts metav1.ApplyOptions) (result *acmev1.Order, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	// ApplyStatus performs a server-side apply against the status subresource.
	ApplyStatus(ctx context.Context, order *applyconfigurationsacmev1.OrderApplyConfiguration, opts metav1.ApplyOptions) (result *acmev1.Order, err error)
	// OrderExpansion holds hand-written additions, if any; see the expansion file.
	OrderExpansion
}
// orders implements OrderInterface
//
// All CRUD, list, watch and apply behaviour comes from the embedded generic
// client; this type only pins the concrete resource, list and apply types.
type orders struct {
	*gentype.ClientWithListAndApply[*acmev1.Order, *acmev1.OrderList, *applyconfigurationsacmev1.OrderApplyConfiguration]
}
// newOrders returns an Orders client bound to c's REST client and scoped to
// namespace. The resource name "orders" and the clientset's ParameterCodec are
// fixed here; the two constructors supply fresh zero-valued objects for the
// generic client to decode into.
func newOrders(c *AcmeV1Client, namespace string) *orders {
	inner := gentype.NewClientWithListAndApply[*acmev1.Order, *acmev1.OrderList, *applyconfigurationsacmev1.OrderApplyConfiguration](
		"orders",
		c.RESTClient(),
		scheme.ParameterCodec,
		namespace,
		func() *acmev1.Order { return new(acmev1.Order) },
		func() *acmev1.OrderList { return new(acmev1.OrderList) },
	)
	return &orders{inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// CertificatesGetter has a method to return a CertificateInterface.
// A group's client should implement this interface.
type CertificatesGetter interface {
	// Certificates returns a client for Certificate resources in namespace.
	Certificates(namespace string) CertificateInterface
}
// CertificateInterface has methods to work with Certificate resources.
//
// Every call takes a context for cancellation and deadlines and is scoped to
// the namespace the client was created with; authorization is enforced by the
// API server, not by this client.
type CertificateInterface interface {
	// Create submits a new Certificate and returns the server's copy.
	Create(ctx context.Context, certificate *certmanagerv1.Certificate, opts metav1.CreateOptions) (*certmanagerv1.Certificate, error)
	// Update replaces an existing Certificate and returns the server's copy.
	Update(ctx context.Context, certificate *certmanagerv1.Certificate, opts metav1.UpdateOptions) (*certmanagerv1.Certificate, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	// UpdateStatus updates the status subresource of a Certificate.
	UpdateStatus(ctx context.Context, certificate *certmanagerv1.Certificate, opts metav1.UpdateOptions) (*certmanagerv1.Certificate, error)
	// Delete removes the named Certificate.
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every Certificate matching listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	// Get fetches the named Certificate.
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*certmanagerv1.Certificate, error)
	// List returns the Certificates matching opts.
	List(ctx context.Context, opts metav1.ListOptions) (*certmanagerv1.CertificateList, error)
	// Watch streams change events for Certificates matching opts.
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies the raw patch in data, interpreted according to pt, to the
	// named Certificate (or one of its subresources); data must be a
	// well-formed patch document of that type.
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *certmanagerv1.Certificate, err error)
	// Apply performs a server-side apply of the given apply configuration.
	Apply(ctx context.Context, certificate *applyconfigurationscertmanagerv1.CertificateApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.Certificate, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	// ApplyStatus performs a server-side apply against the status subresource.
	ApplyStatus(ctx context.Context, certificate *applyconfigurationscertmanagerv1.CertificateApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.Certificate, err error)
	// CertificateExpansion holds hand-written additions, if any; see the expansion file.
	CertificateExpansion
}
// certificates implements CertificateInterface
//
// All CRUD, list, watch and apply behaviour comes from the embedded generic
// client; this type only pins the concrete resource, list and apply types.
type certificates struct {
	*gentype.ClientWithListAndApply[*certmanagerv1.Certificate, *certmanagerv1.CertificateList, *applyconfigurationscertmanagerv1.CertificateApplyConfiguration]
}
// newCertificates returns a Certificates client bound to c's REST client and
// scoped to namespace. The resource name "certificates" and the clientset's
// ParameterCodec are fixed here; the two constructors supply fresh zero-valued
// objects for the generic client to decode into.
func newCertificates(c *CertmanagerV1Client, namespace string) *certificates {
	inner := gentype.NewClientWithListAndApply[*certmanagerv1.Certificate, *certmanagerv1.CertificateList, *applyconfigurationscertmanagerv1.CertificateApplyConfiguration](
		"certificates",
		c.RESTClient(),
		scheme.ParameterCodec,
		namespace,
		func() *certmanagerv1.Certificate { return new(certmanagerv1.Certificate) },
		func() *certmanagerv1.CertificateList { return new(certmanagerv1.CertificateList) },
	)
	return &certificates{inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// CertificateRequestsGetter has a method to return a CertificateRequestInterface.
// A group's client should implement this interface.
type CertificateRequestsGetter interface {
	// CertificateRequests returns a client for CertificateRequest resources in namespace.
	CertificateRequests(namespace string) CertificateRequestInterface
}
// CertificateRequestInterface has methods to work with CertificateRequest resources.
//
// Every call takes a context for cancellation and deadlines and is scoped to
// the namespace the client was created with; authorization is enforced by the
// API server, not by this client.
type CertificateRequestInterface interface {
	// Create submits a new CertificateRequest and returns the server's copy.
	Create(ctx context.Context, certificateRequest *certmanagerv1.CertificateRequest, opts metav1.CreateOptions) (*certmanagerv1.CertificateRequest, error)
	// Update replaces an existing CertificateRequest and returns the server's copy.
	Update(ctx context.Context, certificateRequest *certmanagerv1.CertificateRequest, opts metav1.UpdateOptions) (*certmanagerv1.CertificateRequest, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	// UpdateStatus updates the status subresource of a CertificateRequest.
	UpdateStatus(ctx context.Context, certificateRequest *certmanagerv1.CertificateRequest, opts metav1.UpdateOptions) (*certmanagerv1.CertificateRequest, error)
	// Delete removes the named CertificateRequest.
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every CertificateRequest matching listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	// Get fetches the named CertificateRequest.
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*certmanagerv1.CertificateRequest, error)
	// List returns the CertificateRequests matching opts.
	List(ctx context.Context, opts metav1.ListOptions) (*certmanagerv1.CertificateRequestList, error)
	// Watch streams change events for CertificateRequests matching opts.
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies the raw patch in data, interpreted according to pt, to the
	// named CertificateRequest (or one of its subresources); data must be a
	// well-formed patch document of that type.
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *certmanagerv1.CertificateRequest, err error)
	// Apply performs a server-side apply of the given apply configuration.
	Apply(ctx context.Context, certificateRequest *applyconfigurationscertmanagerv1.CertificateRequestApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.CertificateRequest, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	// ApplyStatus performs a server-side apply against the status subresource.
	ApplyStatus(ctx context.Context, certificateRequest *applyconfigurationscertmanagerv1.CertificateRequestApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.CertificateRequest, err error)
	// CertificateRequestExpansion holds hand-written additions, if any; see the expansion file.
	CertificateRequestExpansion
}
// certificateRequests implements CertificateRequestInterface
//
// All CRUD, list, watch and apply behaviour comes from the embedded generic
// client; this type only pins the concrete resource, list and apply types.
type certificateRequests struct {
	*gentype.ClientWithListAndApply[*certmanagerv1.CertificateRequest, *certmanagerv1.CertificateRequestList, *applyconfigurationscertmanagerv1.CertificateRequestApplyConfiguration]
}
// newCertificateRequests returns a CertificateRequests client bound to c's
// REST client and scoped to namespace. The resource name "certificaterequests"
// and the clientset's ParameterCodec are fixed here; the two constructors
// supply fresh zero-valued objects for the generic client to decode into.
func newCertificateRequests(c *CertmanagerV1Client, namespace string) *certificateRequests {
	inner := gentype.NewClientWithListAndApply[*certmanagerv1.CertificateRequest, *certmanagerv1.CertificateRequestList, *applyconfigurationscertmanagerv1.CertificateRequestApplyConfiguration](
		"certificaterequests",
		c.RESTClient(),
		scheme.ParameterCodec,
		namespace,
		func() *certmanagerv1.CertificateRequest { return new(certmanagerv1.CertificateRequest) },
		func() *certmanagerv1.CertificateRequestList { return new(certmanagerv1.CertificateRequestList) },
	)
	return &certificateRequests{inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
http "net/http"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
rest "k8s.io/client-go/rest"
)
// CertmanagerV1Interface is the client contract for the cert-manager.io/v1 API
// group: access to the underlying REST client plus one getter per resource.
type CertmanagerV1Interface interface {
	// RESTClient returns the REST client used to talk to the API server.
	RESTClient() rest.Interface
	CertificatesGetter
	CertificateRequestsGetter
	ClusterIssuersGetter
	IssuersGetter
}
// CertmanagerV1Client is used to interact with features provided by the cert-manager.io group.
//
// Construct it with NewForConfig, NewForConfigAndClient, NewForConfigOrDie or New;
// the zero value has a nil restClient and is not usable for requests.
type CertmanagerV1Client struct {
	// restClient performs the HTTP requests; it carries the credentials and
	// transport configured from the rest.Config it was built with.
	restClient rest.Interface
}
// Certificates returns a CertificateInterface scoped to the given namespace.
func (c *CertmanagerV1Client) Certificates(namespace string) CertificateInterface {
	client := newCertificates(c, namespace)
	return client
}
// CertificateRequests returns a CertificateRequestInterface scoped to the given namespace.
func (c *CertmanagerV1Client) CertificateRequests(namespace string) CertificateRequestInterface {
	client := newCertificateRequests(c, namespace)
	return client
}
// ClusterIssuers returns a ClusterIssuerInterface; ClusterIssuers are
// cluster-scoped, so no namespace is taken.
func (c *CertmanagerV1Client) ClusterIssuers() ClusterIssuerInterface {
	client := newClusterIssuers(c)
	return client
}
// Issuers returns an IssuerInterface scoped to the given namespace.
func (c *CertmanagerV1Client) Issuers(namespace string) IssuerInterface {
	client := newIssuers(c, namespace)
	return client
}
// NewForConfig creates a new CertmanagerV1Client for the given config.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).
//
// The config is shallow-copied before defaults are applied, so the caller's
// rest.Config (which typically carries credentials and TLS settings) is left
// untouched; only top-level fields are modified, so a shallow copy suffices.
// A nil c panics when dereferenced.
func NewForConfig(c *rest.Config) (*CertmanagerV1Client, error) {
	cfg := *c
	setConfigDefaults(&cfg)
	httpClient, err := rest.HTTPClientFor(&cfg)
	if err == nil {
		return NewForConfigAndClient(&cfg, httpClient)
	}
	return nil, err
}
// NewForConfigAndClient creates a new CertmanagerV1Client for the given config and http client.
// Note the http client provided takes precedence over the configured transport values.
//
// The config is shallow-copied before defaults are applied so the caller's
// rest.Config is not mutated. Because h overrides the transport, any TLS or
// auth settings in c that live on the transport are only honoured if h was
// itself built from c (as NewForConfig does). A nil c panics when dereferenced.
func NewForConfigAndClient(c *rest.Config, h *http.Client) (*CertmanagerV1Client, error) {
	cfg := *c
	setConfigDefaults(&cfg)
	restClient, err := rest.RESTClientForConfigAndClient(&cfg, h)
	if err == nil {
		return &CertmanagerV1Client{restClient: restClient}, nil
	}
	return nil, err
}
// NewForConfigOrDie creates a new CertmanagerV1Client for the given config and
// panics if there is an error in the config.
//
// Intended for program start-up where an invalid config should abort the
// process; prefer NewForConfig where the error can be handled.
func NewForConfigOrDie(c *rest.Config) *CertmanagerV1Client {
	client, err := NewForConfig(c)
	if err == nil {
		return client
	}
	panic(err)
}
// New creates a new CertmanagerV1Client for the given RESTClient.
//
// No validation is performed; a nil c yields a client whose RESTClient()
// returns nil.
func New(c rest.Interface) *CertmanagerV1Client {
	return &CertmanagerV1Client{restClient: c}
}
// setConfigDefaults fills in the group-specific fields of config in place:
// the cert-manager.io/v1 GroupVersion, the "/apis" path prefix, a serializer
// negotiated from the clientset scheme without conversion, and the default
// Kubernetes user agent when none is set. Only top-level fields are written.
func setConfigDefaults(config *rest.Config) {
	groupVersion := certmanagerv1.SchemeGroupVersion
	config.GroupVersion = &groupVersion
	config.APIPath = "/apis"
	codecFactory := rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs)
	config.NegotiatedSerializer = codecFactory.WithoutConversion()
	// Keep a caller-supplied user agent; it is what server-side audit logs record.
	if len(config.UserAgent) == 0 {
		config.UserAgent = rest.DefaultKubernetesUserAgent()
	}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
//
// A nil receiver yields a literal nil interface (not a typed nil), so the
// result can safely be compared against nil.
func (c *CertmanagerV1Client) RESTClient() rest.Interface {
	if c != nil {
		return c.restClient
	}
	return nil
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// ClusterIssuersGetter has a method to return a ClusterIssuerInterface.
// A group's client should implement this interface.
type ClusterIssuersGetter interface {
	// ClusterIssuers returns a client for the cluster-scoped ClusterIssuer resource.
	ClusterIssuers() ClusterIssuerInterface
}
// ClusterIssuerInterface has methods to work with ClusterIssuer resources.
//
// ClusterIssuers are cluster-scoped, so no namespace is involved. Every call
// takes a context for cancellation and deadlines; authorization is enforced by
// the API server, not by this client.
type ClusterIssuerInterface interface {
	// Create submits a new ClusterIssuer and returns the server's copy.
	Create(ctx context.Context, clusterIssuer *certmanagerv1.ClusterIssuer, opts metav1.CreateOptions) (*certmanagerv1.ClusterIssuer, error)
	// Update replaces an existing ClusterIssuer and returns the server's copy.
	Update(ctx context.Context, clusterIssuer *certmanagerv1.ClusterIssuer, opts metav1.UpdateOptions) (*certmanagerv1.ClusterIssuer, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	// UpdateStatus updates the status subresource of a ClusterIssuer.
	UpdateStatus(ctx context.Context, clusterIssuer *certmanagerv1.ClusterIssuer, opts metav1.UpdateOptions) (*certmanagerv1.ClusterIssuer, error)
	// Delete removes the named ClusterIssuer.
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every ClusterIssuer matching listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	// Get fetches the named ClusterIssuer.
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*certmanagerv1.ClusterIssuer, error)
	// List returns the ClusterIssuers matching opts.
	List(ctx context.Context, opts metav1.ListOptions) (*certmanagerv1.ClusterIssuerList, error)
	// Watch streams change events for ClusterIssuers matching opts.
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies the raw patch in data, interpreted according to pt, to the
	// named ClusterIssuer (or one of its subresources); data must be a
	// well-formed patch document of that type.
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *certmanagerv1.ClusterIssuer, err error)
	// Apply performs a server-side apply of the given apply configuration.
	Apply(ctx context.Context, clusterIssuer *applyconfigurationscertmanagerv1.ClusterIssuerApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.ClusterIssuer, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	// ApplyStatus performs a server-side apply against the status subresource.
	ApplyStatus(ctx context.Context, clusterIssuer *applyconfigurationscertmanagerv1.ClusterIssuerApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.ClusterIssuer, err error)
	// ClusterIssuerExpansion holds hand-written additions, if any; see the expansion file.
	ClusterIssuerExpansion
}
// clusterIssuers implements ClusterIssuerInterface
//
// All CRUD, list, watch and apply behaviour comes from the embedded generic
// client; this type only pins the concrete resource, list and apply types.
type clusterIssuers struct {
	*gentype.ClientWithListAndApply[*certmanagerv1.ClusterIssuer, *certmanagerv1.ClusterIssuerList, *applyconfigurationscertmanagerv1.ClusterIssuerApplyConfiguration]
}
// newClusterIssuers returns a ClusterIssuers client bound to c's REST client.
// ClusterIssuers are cluster-scoped, so the namespace argument passed to the
// generic client is the empty string. The resource name "clusterissuers" and
// the clientset's ParameterCodec are fixed here; the two constructors supply
// fresh zero-valued objects for the generic client to decode into.
func newClusterIssuers(c *CertmanagerV1Client) *clusterIssuers {
	const clusterScoped = ""
	inner := gentype.NewClientWithListAndApply[*certmanagerv1.ClusterIssuer, *certmanagerv1.ClusterIssuerList, *applyconfigurationscertmanagerv1.ClusterIssuerApplyConfiguration](
		"clusterissuers",
		c.RESTClient(),
		scheme.ParameterCodec,
		clusterScoped,
		func() *certmanagerv1.ClusterIssuer { return new(certmanagerv1.ClusterIssuer) },
		func() *certmanagerv1.ClusterIssuerList { return new(certmanagerv1.ClusterIssuerList) },
	)
	return &clusterIssuers{inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
typedcertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeCertificates implements CertificateInterface for tests. All behaviour
// is promoted from the embedded generic fake client; Fake points back to the
// parent group client whose *testing.Fake serves the requests, so no API
// server is involved.
type fakeCertificates struct {
	*gentype.FakeClientWithListAndApply[*v1.Certificate, *v1.CertificateList, *certmanagerv1.CertificateApplyConfiguration]
	// Fake is the parent fake group client this typed client was created from.
	Fake *FakeCertmanagerV1
}
// newFakeCertificates returns a CertificateInterface that is served by the
// *testing.Fake embedded in fake rather than by an API server. The generic
// fake client is parameterised with the namespace, the "certificates"
// resource and "Certificate" kind under v1.SchemeGroupVersion, constructors
// for the object and list types, and three helpers that copy ListMeta and
// convert list.Items to and from a pointer slice.
func newFakeCertificates(fake *FakeCertmanagerV1, namespace string) typedcertmanagerv1.CertificateInterface {
	gvr := v1.SchemeGroupVersion.WithResource("certificates")
	gvk := v1.SchemeGroupVersion.WithKind("Certificate")

	copyListMeta := func(dst, src *v1.CertificateList) { dst.ListMeta = src.ListMeta }
	itemsOf := func(list *v1.CertificateList) []*v1.Certificate {
		return gentype.ToPointerSlice(list.Items)
	}
	setItems := func(list *v1.CertificateList, items []*v1.Certificate) {
		list.Items = gentype.FromPointerSlice(items)
	}

	inner := gentype.NewFakeClientWithListAndApply[*v1.Certificate, *v1.CertificateList, *certmanagerv1.CertificateApplyConfiguration](
		fake.Fake,
		namespace,
		gvr,
		gvk,
		func() *v1.Certificate { return new(v1.Certificate) },
		func() *v1.CertificateList { return new(v1.CertificateList) },
		copyListMeta,
		itemsOf,
		setItems,
	)
	return &fakeCertificates{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
typedcertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeCertificateRequests implements CertificateRequestInterface for tests.
// All behaviour is promoted from the embedded generic fake client; Fake
// points back to the parent group client whose *testing.Fake serves the
// requests, so no API server is involved.
type fakeCertificateRequests struct {
	*gentype.FakeClientWithListAndApply[*v1.CertificateRequest, *v1.CertificateRequestList, *certmanagerv1.CertificateRequestApplyConfiguration]
	// Fake is the parent fake group client this typed client was created from.
	Fake *FakeCertmanagerV1
}
// newFakeCertificateRequests returns a CertificateRequestInterface served by
// the *testing.Fake embedded in fake rather than by an API server. The
// generic fake client is parameterised with the namespace, the
// "certificaterequests" resource and "CertificateRequest" kind under
// v1.SchemeGroupVersion, constructors for the object and list types, and
// three helpers that copy ListMeta and convert list.Items to and from a
// pointer slice.
func newFakeCertificateRequests(fake *FakeCertmanagerV1, namespace string) typedcertmanagerv1.CertificateRequestInterface {
	gvr := v1.SchemeGroupVersion.WithResource("certificaterequests")
	gvk := v1.SchemeGroupVersion.WithKind("CertificateRequest")

	copyListMeta := func(dst, src *v1.CertificateRequestList) { dst.ListMeta = src.ListMeta }
	itemsOf := func(list *v1.CertificateRequestList) []*v1.CertificateRequest {
		return gentype.ToPointerSlice(list.Items)
	}
	setItems := func(list *v1.CertificateRequestList, items []*v1.CertificateRequest) {
		list.Items = gentype.FromPointerSlice(items)
	}

	inner := gentype.NewFakeClientWithListAndApply[*v1.CertificateRequest, *v1.CertificateRequestList, *certmanagerv1.CertificateRequestApplyConfiguration](
		fake.Fake,
		namespace,
		gvr,
		gvk,
		func() *v1.CertificateRequest { return new(v1.CertificateRequest) },
		func() *v1.CertificateRequestList { return new(v1.CertificateRequestList) },
		copyListMeta,
		itemsOf,
		setItems,
	)
	return &fakeCertificateRequests{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
// FakeCertmanagerV1 is the test double for the certmanager.io/v1 group
// client. Each typed accessor below hands the embedded *testing.Fake to a
// generated fake typed client, so requests never leave the process.
// NOTE(review): a fake of this kind performs none of the validation,
// admission or RBAC enforcement a real API server applies — tests that pass
// against it are not evidence that those server-side checks hold.
type FakeCertmanagerV1 struct {
	*testing.Fake
}
// Certificates returns a fake CertificateInterface scoped to namespace; the
// returned client is served by c's embedded *testing.Fake.
func (c *FakeCertmanagerV1) Certificates(namespace string) v1.CertificateInterface {
	var iface v1.CertificateInterface = newFakeCertificates(c, namespace)
	return iface
}
// CertificateRequests returns a fake CertificateRequestInterface scoped to
// namespace; the returned client is served by c's embedded *testing.Fake.
func (c *FakeCertmanagerV1) CertificateRequests(namespace string) v1.CertificateRequestInterface {
	var iface v1.CertificateRequestInterface = newFakeCertificateRequests(c, namespace)
	return iface
}
// ClusterIssuers returns a fake ClusterIssuerInterface. ClusterIssuer is
// cluster-scoped, so no namespace is taken; the returned client is served by
// c's embedded *testing.Fake.
func (c *FakeCertmanagerV1) ClusterIssuers() v1.ClusterIssuerInterface {
	var iface v1.ClusterIssuerInterface = newFakeClusterIssuers(c)
	return iface
}
// Issuers returns a fake IssuerInterface scoped to namespace; the returned
// client is served by c's embedded *testing.Fake.
func (c *FakeCertmanagerV1) Issuers(namespace string) v1.IssuerInterface {
	var iface v1.IssuerInterface = newFakeIssuers(c, namespace)
	return iface
}
// RESTClient exists only to satisfy the group client interface; the fake has
// no transport. It returns an interface value wrapping a nil *rest.RESTClient,
// which means the result compares non-nil as a rest.Interface even though
// the pointer inside is nil (the typed-nil-in-interface case). Callers must
// not rely on `RESTClient() == nil` to detect the fake, and must not issue
// requests through the returned value.
func (c *FakeCertmanagerV1) RESTClient() rest.Interface {
	return (*rest.RESTClient)(nil)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
typedcertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeClusterIssuers implements ClusterIssuerInterface for tests. All
// behaviour is promoted from the embedded generic fake client; Fake points
// back to the parent group client whose *testing.Fake serves the requests,
// so no API server is involved.
type fakeClusterIssuers struct {
	*gentype.FakeClientWithListAndApply[*v1.ClusterIssuer, *v1.ClusterIssuerList, *certmanagerv1.ClusterIssuerApplyConfiguration]
	// Fake is the parent fake group client this typed client was created from.
	Fake *FakeCertmanagerV1
}
// newFakeClusterIssuers returns a ClusterIssuerInterface served by the
// *testing.Fake embedded in fake rather than by an API server. ClusterIssuer
// is cluster-scoped, so the namespace handed to the generic fake client is
// the empty string. The remaining parameters name the "clusterissuers"
// resource and "ClusterIssuer" kind under v1.SchemeGroupVersion, supply
// constructors for the object and list types, and provide three helpers that
// copy ListMeta and convert list.Items to and from a pointer slice.
func newFakeClusterIssuers(fake *FakeCertmanagerV1) typedcertmanagerv1.ClusterIssuerInterface {
	gvr := v1.SchemeGroupVersion.WithResource("clusterissuers")
	gvk := v1.SchemeGroupVersion.WithKind("ClusterIssuer")

	copyListMeta := func(dst, src *v1.ClusterIssuerList) { dst.ListMeta = src.ListMeta }
	itemsOf := func(list *v1.ClusterIssuerList) []*v1.ClusterIssuer {
		return gentype.ToPointerSlice(list.Items)
	}
	setItems := func(list *v1.ClusterIssuerList, items []*v1.ClusterIssuer) {
		list.Items = gentype.FromPointerSlice(items)
	}

	inner := gentype.NewFakeClientWithListAndApply[*v1.ClusterIssuer, *v1.ClusterIssuerList, *certmanagerv1.ClusterIssuerApplyConfiguration](
		fake.Fake,
		"", // cluster-scoped: no namespace
		gvr,
		gvk,
		func() *v1.ClusterIssuer { return new(v1.ClusterIssuer) },
		func() *v1.ClusterIssuerList { return new(v1.ClusterIssuerList) },
		copyListMeta,
		itemsOf,
		setItems,
	)
	return &fakeClusterIssuers{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
typedcertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
gentype "k8s.io/client-go/gentype"
)
// fakeIssuers implements IssuerInterface for tests. All behaviour is
// promoted from the embedded generic fake client; Fake points back to the
// parent group client whose *testing.Fake serves the requests, so no API
// server is involved.
type fakeIssuers struct {
	*gentype.FakeClientWithListAndApply[*v1.Issuer, *v1.IssuerList, *certmanagerv1.IssuerApplyConfiguration]
	// Fake is the parent fake group client this typed client was created from.
	Fake *FakeCertmanagerV1
}
// newFakeIssuers returns an IssuerInterface served by the *testing.Fake
// embedded in fake rather than by an API server. The generic fake client is
// parameterised with the namespace, the "issuers" resource and "Issuer" kind
// under v1.SchemeGroupVersion, constructors for the object and list types,
// and three helpers that copy ListMeta and convert list.Items to and from a
// pointer slice.
func newFakeIssuers(fake *FakeCertmanagerV1, namespace string) typedcertmanagerv1.IssuerInterface {
	gvr := v1.SchemeGroupVersion.WithResource("issuers")
	gvk := v1.SchemeGroupVersion.WithKind("Issuer")

	copyListMeta := func(dst, src *v1.IssuerList) { dst.ListMeta = src.ListMeta }
	itemsOf := func(list *v1.IssuerList) []*v1.Issuer {
		return gentype.ToPointerSlice(list.Items)
	}
	setItems := func(list *v1.IssuerList, items []*v1.Issuer) {
		list.Items = gentype.FromPointerSlice(items)
	}

	inner := gentype.NewFakeClientWithListAndApply[*v1.Issuer, *v1.IssuerList, *certmanagerv1.IssuerApplyConfiguration](
		fake.Fake,
		namespace,
		gvr,
		gvk,
		func() *v1.Issuer { return new(v1.Issuer) },
		func() *v1.IssuerList { return new(v1.IssuerList) },
		copyListMeta,
		itemsOf,
		setItems,
	)
	return &fakeIssuers{FakeClientWithListAndApply: inner, Fake: fake}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
context "context"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
applyconfigurationscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1"
scheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
gentype "k8s.io/client-go/gentype"
)
// IssuersGetter has a method to return a IssuerInterface.
// A group's client should implement this interface.
type IssuersGetter interface {
	// Issuers returns a typed client for Issuer resources in namespace.
	Issuers(namespace string) IssuerInterface
}
// IssuerInterface has methods to work with Issuer resources.
//
// Every method takes a context first; the real client forwards it to the
// request, so callers should pass one carrying a deadline or cancellation
// rather than context.Background(). Patch receives the raw patch body in
// data, interpreted according to pt; Apply and ApplyStatus take a
// server-side-apply configuration instead of a full object.
type IssuerInterface interface {
	Create(ctx context.Context, issuer *certmanagerv1.Issuer, opts metav1.CreateOptions) (*certmanagerv1.Issuer, error)
	Update(ctx context.Context, issuer *certmanagerv1.Issuer, opts metav1.UpdateOptions) (*certmanagerv1.Issuer, error)
	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
	UpdateStatus(ctx context.Context, issuer *certmanagerv1.Issuer, opts metav1.UpdateOptions) (*certmanagerv1.Issuer, error)
	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
	// DeleteCollection removes every Issuer matched by listOpts.
	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
	Get(ctx context.Context, name string, opts metav1.GetOptions) (*certmanagerv1.Issuer, error)
	List(ctx context.Context, opts metav1.ListOptions) (*certmanagerv1.IssuerList, error)
	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
	// Patch applies data (a patch of type pt) to the named Issuer; subresources
	// optionally targets a subresource such as "status".
	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *certmanagerv1.Issuer, err error)
	Apply(ctx context.Context, issuer *applyconfigurationscertmanagerv1.IssuerApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.Issuer, err error)
	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
	ApplyStatus(ctx context.Context, issuer *applyconfigurationscertmanagerv1.IssuerApplyConfiguration, opts metav1.ApplyOptions) (result *certmanagerv1.Issuer, err error)
	// IssuerExpansion is the hand-written extension point for non-generated methods.
	IssuerExpansion
}
// issuers implements IssuerInterface for the namespaced Issuer resource. It
// carries no state of its own: the CRUD, list, watch, patch and apply methods
// are promoted from the embedded generic client-go typed client, which
// newIssuers wires to the group's REST client.
type issuers struct {
	*gentype.ClientWithListAndApply[*certmanagerv1.Issuer, *certmanagerv1.IssuerList, *applyconfigurationscertmanagerv1.IssuerApplyConfiguration]
}
// newIssuers builds the typed Issuer client on top of the REST client owned
// by c, scoped to namespace. The generic client is told the resource path
// segment ("issuers"), the parameter codec used to encode query options,
// the namespace, and how to allocate fresh object and list values for
// decoding responses.
func newIssuers(c *CertmanagerV1Client, namespace string) *issuers {
	newObj := func() *certmanagerv1.Issuer { return new(certmanagerv1.Issuer) }
	newList := func() *certmanagerv1.IssuerList { return new(certmanagerv1.IssuerList) }

	inner := gentype.NewClientWithListAndApply[*certmanagerv1.Issuer, *certmanagerv1.IssuerList, *applyconfigurationscertmanagerv1.IssuerApplyConfiguration](
		"issuers",
		c.RESTClient(),
		scheme.ParameterCodec,
		namespace,
		newObj,
		newList,
	)
	return &issuers{ClientWithListAndApply: inner}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package acme
import (
v1 "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/acme/v1"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to each of this group's versions.
// Only one version (v1) of the acme group is exposed here.
type Interface interface {
	// V1 provides access to shared informers for resources in V1.
	V1() v1.Interface
}
// group is the Interface implementation. It only records what New was given
// and forwards it unchanged to the per-version constructor in V1.
type group struct {
	// factory is the shared informer factory every informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// namespace scopes the informers created below; it is passed through as-is.
	namespace string
	// tweakListOptions, if non-nil, lets the caller adjust list/watch options.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface for the acme group. The factory, namespace and
// tweakListOptions are stored without modification and handed to every
// version-level constructor; tweakListOptions may be nil.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
	g := &group{
		factory:          f,
		namespace:        namespace,
		tweakListOptions: tweakListOptions,
	}
	return g
}
// V1 returns a new v1.Interface built from the factory, namespace and
// tweakListOptions captured by New. A fresh value is created on each call.
func (g *group) V1() v1.Interface {
	factory, ns, tweak := g.factory, g.namespace, g.tweakListOptions
	return v1.New(factory, ns, tweak)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apisacmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/listers/acme/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// ChallengeInformer provides access to a shared informer and lister for
// Challenges.
type ChallengeInformer interface {
	// Informer returns the shared index informer for Challenge objects,
	// registering it with the factory on first use.
	Informer() cache.SharedIndexInformer
	// Lister returns a lister that reads from Informer's indexer.
	Lister() acmev1.ChallengeLister
}
// challengeInformer implements ChallengeInformer. It holds only the values
// needed to construct (or look up) the shared informer on demand.
type challengeInformer struct {
	// factory is the shared informer factory the informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, if non-nil, adjusts list/watch options before each call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	// namespace scopes the list/watch requests.
	namespace string
}
// NewChallengeInformer constructs a new informer for Challenge type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// It is NewFilteredChallengeInformer with no list-option tweak, so list and
// watch requests are issued with the options the informer machinery builds.
func NewChallengeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	var noTweak internalinterfaces.TweakListOptionsFunc // nil: options are used unmodified
	return NewFilteredChallengeInformer(client, namespace, resyncPeriod, indexers, noTweak)
}
// NewFilteredChallengeInformer constructs a new informer for Challenge type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// tweakListOptions, when non-nil, is invoked on every list and watch before
// the request is sent, so it can narrow what the informer sees (for example
// with a selector). The context-less ListFunc/WatchFunc run under
// context.Background() and cannot be cancelled by the caller; the
// *WithContext variants honour the supplied ctx.
func NewFilteredChallengeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	applyTweak := func(options *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(options)
		}
	}

	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.AcmeV1().Challenges(namespace).List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.AcmeV1().Challenges(namespace).Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.AcmeV1().Challenges(namespace).List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.AcmeV1().Challenges(namespace).Watch(ctx, options)
		},
	}

	return cache.NewSharedIndexInformer(lw, &apisacmev1.Challenge{}, resyncPeriod, indexers)
}
// defaultInformer is the constructor handed to the factory by Informer. It
// builds the filtered informer with f's namespace and tweak and a single
// namespace index, so the lister can serve per-namespace lookups.
func (f *challengeInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredChallengeInformer(client, f.namespace, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the shared informer for Challenge objects, asking the
// factory to create it via defaultInformer if it does not exist yet.
func (f *challengeInformer) Informer() cache.SharedIndexInformer {
	exampleObj := &apisacmev1.Challenge{}
	return f.factory.InformerFor(exampleObj, f.defaultInformer)
}
// Lister returns a ChallengeLister that reads from the indexer of the shared
// informer returned by Informer (which is created on demand).
func (f *challengeInformer) Lister() acmev1.ChallengeLister {
	indexer := f.Informer().GetIndexer()
	return acmev1.NewChallengeLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
// Each accessor builds a lightweight handle; the underlying shared informer
// is only created when Informer() or Lister() is called on it.
type Interface interface {
	// Challenges returns a ChallengeInformer.
	Challenges() ChallengeInformer
	// Orders returns a OrderInformer.
	Orders() OrderInformer
}
// version is the Interface implementation for acme/v1. It records what New
// was given and copies it into every informer handle it creates.
type version struct {
	// factory is the shared informer factory every informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// namespace scopes the informers created below; it is passed through as-is.
	namespace string
	// tweakListOptions, if non-nil, lets the caller adjust list/watch options.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface for acme/v1. The factory, namespace and
// tweakListOptions are stored without modification and copied into every
// informer handle; tweakListOptions may be nil.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
	v := &version{
		factory:          f,
		namespace:        namespace,
		tweakListOptions: tweakListOptions,
	}
	return v
}
// Challenges returns a ChallengeInformer handle carrying v's factory,
// namespace and tweak. No informer is started here; that happens on the
// first Informer() or Lister() call.
func (v *version) Challenges() ChallengeInformer {
	inf := &challengeInformer{
		factory:          v.factory,
		namespace:        v.namespace,
		tweakListOptions: v.tweakListOptions,
	}
	return inf
}
// Orders returns an OrderInformer handle carrying v's factory, namespace and
// tweak. No informer is started here; that happens on the first Informer()
// or Lister() call.
func (v *version) Orders() OrderInformer {
	inf := &orderInformer{
		factory:          v.factory,
		namespace:        v.namespace,
		tweakListOptions: v.tweakListOptions,
	}
	return inf
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apisacmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
acmev1 "github.com/cert-manager/cert-manager/pkg/client/listers/acme/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// OrderInformer provides access to a shared informer and lister for
// Orders.
type OrderInformer interface {
	// Informer returns the shared index informer for Order objects,
	// registering it with the factory on first use.
	Informer() cache.SharedIndexInformer
	// Lister returns a lister that reads from Informer's indexer.
	Lister() acmev1.OrderLister
}
// orderInformer implements OrderInformer. It holds only the values needed to
// construct (or look up) the shared informer on demand.
type orderInformer struct {
	// factory is the shared informer factory the informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, if non-nil, adjusts list/watch options before each call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	// namespace scopes the list/watch requests.
	namespace string
}
// NewOrderInformer constructs a new informer for Order type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// It is NewFilteredOrderInformer with no list-option tweak, so list and
// watch requests are issued with the options the informer machinery builds.
func NewOrderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	var noTweak internalinterfaces.TweakListOptionsFunc // nil: options are used unmodified
	return NewFilteredOrderInformer(client, namespace, resyncPeriod, indexers, noTweak)
}
// NewFilteredOrderInformer constructs a new informer for Order type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// tweakListOptions, when non-nil, is invoked on every list and watch before
// the request is sent, so it can narrow what the informer sees (for example
// with a selector). The context-less ListFunc/WatchFunc run under
// context.Background() and cannot be cancelled by the caller; the
// *WithContext variants honour the supplied ctx.
func NewFilteredOrderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	applyTweak := func(options *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(options)
		}
	}

	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.AcmeV1().Orders(namespace).List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.AcmeV1().Orders(namespace).Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.AcmeV1().Orders(namespace).List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.AcmeV1().Orders(namespace).Watch(ctx, options)
		},
	}

	return cache.NewSharedIndexInformer(lw, &apisacmev1.Order{}, resyncPeriod, indexers)
}
// defaultInformer is the constructor handed to the factory by Informer. It
// builds the filtered informer with f's namespace and tweak and a single
// namespace index, so the lister can serve per-namespace lookups.
func (f *orderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredOrderInformer(client, f.namespace, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the shared informer for Order objects, asking the factory
// to create it via defaultInformer if it does not exist yet.
func (f *orderInformer) Informer() cache.SharedIndexInformer {
	exampleObj := &apisacmev1.Order{}
	return f.factory.InformerFor(exampleObj, f.defaultInformer)
}
// Lister returns an OrderLister that reads from the indexer of the shared
// informer returned by Informer (which is created on demand).
func (f *orderInformer) Lister() acmev1.OrderLister {
	indexer := f.Informer().GetIndexer()
	return acmev1.NewOrderLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package certmanager
import (
v1 "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/certmanager/v1"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to each of this group's versions.
// Only one version (v1) of the certmanager group is exposed here.
type Interface interface {
	// V1 provides access to shared informers for resources in V1.
	V1() v1.Interface
}
// group is the Interface implementation. It only records what New was given
// and forwards it unchanged to the per-version constructor in V1.
type group struct {
	// factory is the shared informer factory every informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// namespace scopes the informers created below; it is passed through as-is.
	namespace string
	// tweakListOptions, if non-nil, lets the caller adjust list/watch options.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface for the certmanager group. The factory,
// namespace and tweakListOptions are stored without modification and handed
// to every version-level constructor; tweakListOptions may be nil.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
	g := &group{
		factory:          f,
		namespace:        namespace,
		tweakListOptions: tweakListOptions,
	}
	return g
}
// V1 returns a new v1.Interface built from the factory, namespace and
// tweakListOptions captured by New. A fresh value is created on each call.
func (g *group) V1() v1.Interface {
	factory, ns, tweak := g.factory, g.namespace, g.tweakListOptions
	return v1.New(factory, ns, tweak)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apiscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// CertificateInformer provides access to a shared informer and lister for
// Certificates.
type CertificateInformer interface {
	// Informer returns the shared index informer for Certificate objects,
	// registering it with the factory on first use.
	Informer() cache.SharedIndexInformer
	// Lister returns a lister that reads from Informer's indexer.
	Lister() certmanagerv1.CertificateLister
}
// certificateInformer implements CertificateInformer. It holds only the
// values needed to construct (or look up) the shared informer on demand.
type certificateInformer struct {
	// factory is the shared informer factory the informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, if non-nil, adjusts list/watch options before each call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	// namespace scopes the list/watch requests.
	namespace string
}
// NewCertificateInformer constructs a new informer for Certificate type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// It is NewFilteredCertificateInformer with no list-option tweak, so list
// and watch requests are issued with the options the informer machinery builds.
func NewCertificateInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	var noTweak internalinterfaces.TweakListOptionsFunc // nil: options are used unmodified
	return NewFilteredCertificateInformer(client, namespace, resyncPeriod, indexers, noTweak)
}
// NewFilteredCertificateInformer constructs a new informer for Certificate type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// tweakListOptions, when non-nil, is invoked on every list and watch before
// the request is sent, so it can narrow what the informer sees (for example
// with a selector). The context-less ListFunc/WatchFunc run under
// context.Background() and cannot be cancelled by the caller; the
// *WithContext variants honour the supplied ctx.
func NewFilteredCertificateInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	applyTweak := func(options *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(options)
		}
	}

	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Certificates(namespace).List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Certificates(namespace).Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Certificates(namespace).List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Certificates(namespace).Watch(ctx, options)
		},
	}

	return cache.NewSharedIndexInformer(lw, &apiscertmanagerv1.Certificate{}, resyncPeriod, indexers)
}
// defaultInformer is the constructor handed to the factory by Informer. It
// builds the filtered informer with f's namespace and tweak and a single
// namespace index, so the lister can serve per-namespace lookups.
func (f *certificateInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredCertificateInformer(client, f.namespace, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the shared informer for Certificate objects, asking the
// factory to create it via defaultInformer if it does not exist yet.
func (f *certificateInformer) Informer() cache.SharedIndexInformer {
	exampleObj := &apiscertmanagerv1.Certificate{}
	return f.factory.InformerFor(exampleObj, f.defaultInformer)
}
// Lister returns a CertificateLister that reads from the indexer of the
// shared informer returned by Informer (which is created on demand).
func (f *certificateInformer) Lister() certmanagerv1.CertificateLister {
	indexer := f.Informer().GetIndexer()
	return certmanagerv1.NewCertificateLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apiscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// CertificateRequestInformer provides access to a shared informer and lister for
// CertificateRequests.
type CertificateRequestInformer interface {
	// Informer returns the shared index informer for CertificateRequest
	// objects, registering it with the factory on first use.
	Informer() cache.SharedIndexInformer
	// Lister returns a lister that reads from Informer's indexer.
	Lister() certmanagerv1.CertificateRequestLister
}
// certificateRequestInformer implements CertificateRequestInformer. It holds
// only the values needed to construct (or look up) the shared informer on
// demand.
type certificateRequestInformer struct {
	// factory is the shared informer factory the informer is registered with.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, if non-nil, adjusts list/watch options before each call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	// namespace scopes the list/watch requests.
	namespace string
}
// NewCertificateRequestInformer constructs a new informer for CertificateRequest type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// It is NewFilteredCertificateRequestInformer with no list-option tweak, so
// list and watch requests are issued with the options the informer
// machinery builds.
func NewCertificateRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	var noTweak internalinterfaces.TweakListOptionsFunc // nil: options are used unmodified
	return NewFilteredCertificateRequestInformer(client, namespace, resyncPeriod, indexers, noTweak)
}
// NewFilteredCertificateRequestInformer constructs a new informer for CertificateRequest type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
//
// tweakListOptions, when non-nil, is invoked on every list and watch before
// the request is sent, so it can narrow what the informer sees (for example
// with a selector). The context-less ListFunc/WatchFunc run under
// context.Background() and cannot be cancelled by the caller; the
// *WithContext variants honour the supplied ctx.
func NewFilteredCertificateRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	applyTweak := func(options *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(options)
		}
	}

	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().CertificateRequests(namespace).List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().CertificateRequests(namespace).Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().CertificateRequests(namespace).List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().CertificateRequests(namespace).Watch(ctx, options)
		},
	}

	return cache.NewSharedIndexInformer(lw, &apiscertmanagerv1.CertificateRequest{}, resyncPeriod, indexers)
}
// defaultInformer is the internalinterfaces.NewInformerFunc handed to the
// factory: it builds the namespace-filtered informer with the standard
// namespace index so listers can be scoped per namespace.
func (f *certificateRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredCertificateRequestInformer(client, f.namespace, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the factory's shared informer for CertificateRequest,
// creating it via defaultInformer on first use. The factory keys informers by
// the dynamic type of the prototype object passed here.
func (f *certificateRequestInformer) Informer() cache.SharedIndexInformer {
	var prototype apiscertmanagerv1.CertificateRequest
	return f.factory.InformerFor(&prototype, f.defaultInformer)
}
// Lister returns a read-only lister over the shared informer's indexer.
func (f *certificateRequestInformer) Lister() certmanagerv1.CertificateRequestLister {
	indexer := f.Informer().GetIndexer()
	return certmanagerv1.NewCertificateRequestLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apiscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// ClusterIssuerInformer provides access to a shared informer and lister for
// ClusterIssuers.
//
// ClusterIssuer is cluster-scoped, so there is no namespace parameter on the
// constructors below. Objects obtained from the informer or lister are shared
// cache entries and must be treated as read-only.
type ClusterIssuerInformer interface {
	Informer() cache.SharedIndexInformer
	Lister() certmanagerv1.ClusterIssuerLister
}
// clusterIssuerInformer is the factory-backed implementation of
// ClusterIssuerInformer. Unlike the namespaced informers it carries no
// namespace field.
type clusterIssuerInformer struct {
	// factory owns the shared informer; Informer() registers through it.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, when non-nil, is applied to every List/Watch call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// NewClusterIssuerInformer constructs a new, unfiltered informer for the
// cluster-scoped ClusterIssuer type.
//
// Always prefer using an informer factory to get a shared informer instead of
// getting an independent one: every standalone informer opens its own
// list/watch against the API server and keeps its own copy of the cache.
func NewClusterIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	// No list-option tweak: the filtered constructor treats nil as "pass through".
	var noTweak internalinterfaces.TweakListOptionsFunc
	return NewFilteredClusterIssuerInformer(client, resyncPeriod, indexers, noTweak)
}
// NewFilteredClusterIssuerInformer constructs a new informer for the
// cluster-scoped ClusterIssuer type, applying tweakListOptions (if non-nil)
// to the options of every List and Watch call.
//
// Always prefer using an informer factory to get a shared informer instead of
// getting an independent one. This reduces memory footprint and the number of
// connections to the server.
//
// The legacy ListFunc/WatchFunc entries use context.Background() and cannot
// be cancelled; the *WithContext entries honour the caller's context.
func NewFilteredClusterIssuerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	// applyTweak mutates the per-call copy of the options; the caller's value is untouched.
	applyTweak := func(o *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(o)
		}
	}
	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().ClusterIssuers().List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().ClusterIssuers().Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().ClusterIssuers().List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().ClusterIssuers().Watch(ctx, options)
		},
	}
	return cache.NewSharedIndexInformer(lw, &apiscertmanagerv1.ClusterIssuer{}, resyncPeriod, indexers)
}
// defaultInformer is the internalinterfaces.NewInformerFunc handed to the
// factory. The generated code installs the namespace index even though
// ClusterIssuer is cluster-scoped; this is harmless (the index is empty-keyed).
func (f *clusterIssuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredClusterIssuerInformer(client, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the factory's shared informer for ClusterIssuer, creating
// it via defaultInformer on first use. The factory keys informers by the
// dynamic type of the prototype object passed here.
func (f *clusterIssuerInformer) Informer() cache.SharedIndexInformer {
	var prototype apiscertmanagerv1.ClusterIssuer
	return f.factory.InformerFor(&prototype, f.defaultInformer)
}
// Lister returns a read-only lister over the shared informer's indexer.
func (f *clusterIssuerInformer) Lister() certmanagerv1.ClusterIssuerLister {
	indexer := f.Informer().GetIndexer()
	return certmanagerv1.NewClusterIssuerLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
//
// Every informer returned here is created through the same factory, so it
// shares the factory's namespace scope and list-option filter; requesting the
// same informer twice yields the same shared instance.
type Interface interface {
	// Certificates returns a CertificateInformer.
	Certificates() CertificateInformer
	// CertificateRequests returns a CertificateRequestInformer.
	CertificateRequests() CertificateRequestInformer
	// ClusterIssuers returns a ClusterIssuerInformer.
	ClusterIssuers() ClusterIssuerInformer
	// Issuers returns an IssuerInformer.
	Issuers() IssuerInformer
}
// version implements Interface for this group version by handing the
// factory, namespace and list-option filter to each typed informer it builds.
type version struct {
	factory internalinterfaces.SharedInformerFactory
	// namespace is passed to every namespaced informer; cluster-scoped ones ignore it.
	namespace string
	tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface whose informers are registered with f, scoped to
// namespace, and filtered by tweakListOptions (which may be nil).
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
	v := new(version)
	v.factory = f
	v.namespace = namespace
	v.tweakListOptions = tweakListOptions
	return v
}
// Certificates returns a CertificateInformer bound to this group version's
// factory, namespace and list-option filter.
func (v *version) Certificates() CertificateInformer {
	inf := new(certificateInformer)
	inf.factory, inf.namespace, inf.tweakListOptions = v.factory, v.namespace, v.tweakListOptions
	return inf
}
// CertificateRequests returns a CertificateRequestInformer bound to this group
// version's factory, namespace and list-option filter.
func (v *version) CertificateRequests() CertificateRequestInformer {
	inf := new(certificateRequestInformer)
	inf.factory, inf.namespace, inf.tweakListOptions = v.factory, v.namespace, v.tweakListOptions
	return inf
}
// ClusterIssuers returns a ClusterIssuerInformer bound to this group version's
// factory and list-option filter. ClusterIssuer is cluster-scoped, so the
// namespace is deliberately not propagated.
func (v *version) ClusterIssuers() ClusterIssuerInformer {
	inf := new(clusterIssuerInformer)
	inf.factory, inf.tweakListOptions = v.factory, v.tweakListOptions
	return inf
}
// Issuers returns an IssuerInformer bound to this group version's factory,
// namespace and list-option filter.
func (v *version) Issuers() IssuerInformer {
	inf := new(issuerInformer)
	inf.factory, inf.namespace, inf.tweakListOptions = v.factory, v.namespace, v.tweakListOptions
	return inf
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1
import (
context "context"
time "time"
apiscertmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// IssuerInformer provides access to a shared informer and lister for
// Issuers.
//
// Informer returns the shared cache.SharedIndexInformer for the type; Lister
// wraps that informer's indexer. Objects obtained through either are shared
// cache entries and must be treated as read-only.
type IssuerInformer interface {
	Informer() cache.SharedIndexInformer
	Lister() certmanagerv1.IssuerLister
}
// issuerInformer is the factory-backed implementation of IssuerInformer.
type issuerInformer struct {
	// factory owns the shared informer; Informer() registers through it.
	factory internalinterfaces.SharedInformerFactory
	// tweakListOptions, when non-nil, is applied to every List/Watch call.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	// namespace scopes the underlying list/watch; v1.NamespaceAll watches everywhere.
	namespace string
}
// NewIssuerInformer constructs a new, unfiltered informer for the Issuer type
// scoped to namespace.
//
// Always prefer using an informer factory to get a shared informer instead of
// getting an independent one: every standalone informer opens its own
// list/watch against the API server and keeps its own copy of the cache.
func NewIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
	// No list-option tweak: the filtered constructor treats nil as "pass through".
	var noTweak internalinterfaces.TweakListOptionsFunc
	return NewFilteredIssuerInformer(client, namespace, resyncPeriod, indexers, noTweak)
}
// NewFilteredIssuerInformer constructs a new informer for the Issuer type
// scoped to namespace, applying tweakListOptions (if non-nil) to the options
// of every List and Watch call.
//
// Always prefer using an informer factory to get a shared informer instead of
// getting an independent one. This reduces memory footprint and the number of
// connections to the server.
//
// The legacy ListFunc/WatchFunc entries use context.Background() and cannot
// be cancelled; the *WithContext entries honour the caller's context.
func NewFilteredIssuerInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
	// applyTweak mutates the per-call copy of the options; the caller's value is untouched.
	applyTweak := func(o *metav1.ListOptions) {
		if tweakListOptions != nil {
			tweakListOptions(o)
		}
	}
	lw := &cache.ListWatch{
		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Issuers(namespace).List(context.Background(), options)
		},
		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Issuers(namespace).Watch(context.Background(), options)
		},
		ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Issuers(namespace).List(ctx, options)
		},
		WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
			applyTweak(&options)
			return client.CertmanagerV1().Issuers(namespace).Watch(ctx, options)
		},
	}
	return cache.NewSharedIndexInformer(lw, &apiscertmanagerv1.Issuer{}, resyncPeriod, indexers)
}
// defaultInformer is the internalinterfaces.NewInformerFunc handed to the
// factory: it builds the namespace-filtered informer with the standard
// namespace index so listers can be scoped per namespace.
func (f *issuerInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
	return NewFilteredIssuerInformer(client, f.namespace, resyncPeriod, indexers, f.tweakListOptions)
}
// Informer returns the factory's shared informer for Issuer, creating it via
// defaultInformer on first use. The factory keys informers by the dynamic
// type of the prototype object passed here.
func (f *issuerInformer) Informer() cache.SharedIndexInformer {
	var prototype apiscertmanagerv1.Issuer
	return f.factory.InformerFor(&prototype, f.defaultInformer)
}
// Lister returns a read-only lister over the shared informer's indexer.
func (f *issuerInformer) Lister() certmanagerv1.IssuerLister {
	indexer := f.Informer().GetIndexer()
	return certmanagerv1.NewIssuerLister(indexer)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package externalversions
import (
reflect "reflect"
sync "sync"
time "time"
versioned "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
acme "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/acme"
certmanager "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/certmanager"
internalinterfaces "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions/internalinterfaces"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
cache "k8s.io/client-go/tools/cache"
)
// SharedInformerOption defines the functional option type for SharedInformerFactory.
//
// Options are applied in the order given to NewSharedInformerFactoryWithOptions,
// so a later option overrides an earlier one that sets the same field.
type SharedInformerOption func(*sharedInformerFactory) *sharedInformerFactory
// sharedInformerFactory is the concrete SharedInformerFactory. All mutable
// maps and flags below are guarded by lock; the struct embeds a sync.Mutex
// and a sync.WaitGroup and must therefore only be used via pointer.
type sharedInformerFactory struct {
	client versioned.Interface
	// namespace scopes every namespaced informer; defaults to v1.NamespaceAll.
	namespace string
	// tweakListOptions, when set, is applied to every List/Watch issued by the informers.
	tweakListOptions internalinterfaces.TweakListOptionsFunc
	lock sync.Mutex
	defaultResync time.Duration
	// customResync overrides defaultResync per informer type (keyed by reflect.TypeOf(obj)).
	customResync map[reflect.Type]time.Duration
	// transform, when set, is installed on every informer created by InformerFor.
	transform cache.TransformFunc
	informers map[reflect.Type]cache.SharedIndexInformer
	// startedInformers is used for tracking which informers have been started.
	// This allows Start() to be called multiple times safely.
	startedInformers map[reflect.Type]bool
	// wg tracks how many goroutines were started.
	wg sync.WaitGroup
	// shuttingDown is true when Shutdown has been called. It may still be running
	// because it needs to wait for goroutines.
	shuttingDown bool
}
// WithCustomResyncConfig sets a custom resync period for the specified informer types.
//
// Entries are keyed by the dynamic type of each map key, which must match the
// prototype passed to InformerFor (e.g. a pointer to the typed object such as
// &certmanagerv1.Certificate{}) for the override to take effect. The factory's
// customResync map is allocated by the constructor, so this option may be
// applied repeatedly; later entries overwrite earlier ones for the same type.
func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) SharedInformerOption {
	return func(f *sharedInformerFactory) *sharedInformerFactory {
		for obj, period := range resyncConfig {
			t := reflect.TypeOf(obj)
			f.customResync[t] = period
		}
		return f
	}
}
// WithTweakListOptions sets a custom filter on all listers of the configured
// SharedInformerFactory. The function is invoked on a copy of the options
// before every List and Watch, so it can narrow what the cache holds (for
// example by label or field selector); a nil value disables filtering.
func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerOption {
	return func(f *sharedInformerFactory) *sharedInformerFactory {
		f.tweakListOptions = tweakListOptions
		return f
	}
}
// WithNamespace limits the SharedInformerFactory to the specified namespace:
// every namespaced informer and lister created from the factory will only
// list and watch objects in that namespace. Cluster-scoped types are unaffected.
func WithNamespace(namespace string) SharedInformerOption {
	return func(f *sharedInformerFactory) *sharedInformerFactory {
		f.namespace = namespace
		return f
	}
}
// WithTransform sets a transform on all informers. The transform is installed
// via SetTransform when each informer is created by InformerFor, so it only
// affects informers created after the option is applied.
func WithTransform(transform cache.TransformFunc) SharedInformerOption {
	return func(f *sharedInformerFactory) *sharedInformerFactory {
		f.transform = transform
		return f
	}
}
// NewSharedInformerFactory constructs a new instance of sharedInformerFactory
// for all namespaces, with no list-option filter, no transform and no
// per-type resync overrides.
func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory {
	var noOptions []SharedInformerOption
	return NewSharedInformerFactoryWithOptions(client, defaultResync, noOptions...)
}
// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
// Listers obtained via this SharedInformerFactory will be subject to the same filters
// as specified here.
//
// Deprecated: Please use NewSharedInformerFactoryWithOptions instead
func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
	opts := []SharedInformerOption{
		WithNamespace(namespace),
		WithTweakListOptions(tweakListOptions),
	}
	return NewSharedInformerFactoryWithOptions(client, defaultResync, opts...)
}
// NewSharedInformerFactoryWithOptions constructs a new instance of a
// SharedInformerFactory with additional options.
//
// The factory starts scoped to all namespaces with every map pre-allocated, so
// options such as WithCustomResyncConfig can write into it safely. Options are
// applied in order; each receives the factory and returns the one to use next.
func NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResync time.Duration, options ...SharedInformerOption) SharedInformerFactory {
	f := &sharedInformerFactory{
		client:           client,
		namespace:        v1.NamespaceAll,
		defaultResync:    defaultResync,
		informers:        map[reflect.Type]cache.SharedIndexInformer{},
		startedInformers: map[reflect.Type]bool{},
		customResync:     map[reflect.Type]time.Duration{},
	}
	for _, apply := range options {
		f = apply(f)
	}
	return f
}
// Start runs every registered informer that has not been started yet, each in
// its own goroutine that exits when stopCh is closed. It is safe to call
// repeatedly: already-started informers are skipped. After Shutdown has been
// called, Start is a no-op. Start does not block; the goroutines are tracked
// in f.wg so Shutdown can wait for them.
func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
	f.lock.Lock()
	defer f.lock.Unlock()
	if f.shuttingDown {
		return
	}
	for t, inf := range f.informers {
		if f.startedInformers[t] {
			continue
		}
		f.wg.Add(1)
		// Pass the informer as an argument so each goroutine owns its own
		// copy regardless of loop-variable semantics in older Go versions.
		go func(run cache.SharedIndexInformer) {
			defer f.wg.Done()
			run.Run(stopCh)
		}(inf)
		f.startedInformers[t] = true
	}
}
// Shutdown marks the factory as shutting down so that Start becomes a no-op,
// then blocks until every informer goroutine started by Start has returned.
// Those goroutines only exit once the stop channel they were started with is
// closed, so callers must close it before or while Shutdown waits.
func (f *sharedInformerFactory) Shutdown() {
	func() {
		f.lock.Lock()
		defer f.lock.Unlock()
		f.shuttingDown = true
	}()
	// Returns immediately if nothing was started.
	f.wg.Wait()
}
// WaitForCacheSync blocks until every started informer's cache has synced or
// stopCh is closed, and reports per informer type whether the sync succeeded.
// Informers that were registered but never started are not included; callers
// should check every value in the result, since a false entry means the
// lister for that type may serve an incomplete view.
func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
	// Snapshot the started informers under the lock so we never block on
	// cache sync while holding it.
	snapshot := func() map[reflect.Type]cache.SharedIndexInformer {
		f.lock.Lock()
		defer f.lock.Unlock()
		out := make(map[reflect.Type]cache.SharedIndexInformer)
		for t, inf := range f.informers {
			if !f.startedInformers[t] {
				continue
			}
			out[t] = inf
		}
		return out
	}
	synced := make(map[reflect.Type]bool)
	for t, inf := range snapshot() {
		synced[t] = cache.WaitForCacheSync(stopCh, inf.HasSynced)
	}
	return synced
}
// InformerFor returns the SharedIndexInformer for obj using an internal
// client.
//
// Informers are memoised by the dynamic type of obj, so repeated calls for the
// same type return the same shared instance. On first creation the per-type
// resync from WithCustomResyncConfig is used when present, otherwise the
// factory default, and the factory transform (possibly nil) is installed.
// A new informer is not started automatically; call Start afterwards.
func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {
	f.lock.Lock()
	defer f.lock.Unlock()
	t := reflect.TypeOf(obj)
	if existing, ok := f.informers[t]; ok {
		return existing
	}
	resync := f.defaultResync
	if custom, ok := f.customResync[t]; ok {
		resync = custom
	}
	created := newFunc(f.client, resync)
	created.SetTransform(f.transform)
	f.informers[t] = created
	return created
}
// SharedInformerFactory provides shared informers for resources in all known
// API group versions.
//
// It is typically used like this:
//
//	ctx, cancel := context.WithCancel(context.Background())
//	defer cancel()
//	factory := NewSharedInformerFactory(client, resyncPeriod)
//	defer factory.Shutdown() // Returns immediately if nothing was started.
//	genericInformer := factory.ForResource(resource)
//	typedInformer := factory.SomeAPIGroup().V1().SomeType()
//	factory.Start(ctx.Done()) // Start processing these informers.
//	synced := factory.WaitForCacheSync(ctx.Done())
//	for v, ok := range synced {
//		if !ok {
//			fmt.Fprintf(os.Stderr, "caches failed to sync: %v", v)
//			return
//		}
//	}
//
//	// Informers can also be created after Start, but then
//	// Start must be called again:
//	anotherGenericInformer := factory.ForResource(resource)
//	factory.Start(ctx.Done())
//
// Note that with `defer cancel()` declared before `defer factory.Shutdown()`,
// Shutdown runs first and would block until the stop channel is closed;
// close the channel (cancel) before calling Shutdown, or order the defers so
// cancel runs first.
type SharedInformerFactory interface {
	internalinterfaces.SharedInformerFactory
	// Start initializes all requested informers. They are handled in goroutines
	// which run until the stop channel gets closed.
	// Warning: Start does not block. When run in a go-routine, it will race with a later WaitForCacheSync.
	Start(stopCh <-chan struct{})
	// Shutdown marks a factory as shutting down. At that point no new
	// informers can be started anymore and Start will return without
	// doing anything.
	//
	// In addition, Shutdown blocks until all goroutines have terminated. For that
	// to happen, the close channel(s) that they were started with must be closed,
	// either before Shutdown gets called or while it is waiting.
	//
	// Shutdown may be called multiple times, even concurrently. All such calls will
	// block until all goroutines have terminated.
	Shutdown()
	// WaitForCacheSync blocks until all started informers' caches were synced
	// or the stop channel gets closed. A false value in the result means that
	// type's cache is not guaranteed complete and its listers may be stale.
	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
	// ForResource gives generic access to a shared informer of the matching type.
	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
	// InformerFor returns the SharedIndexInformer for obj using an internal
	// client.
	InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer
	// Acme returns the informers for the acme.cert-manager.io group.
	Acme() acme.Interface
	// Certmanager returns the informers for the cert-manager.io group.
	Certmanager() certmanager.Interface
}
// Acme returns the acme.cert-manager.io group informers, bound to this
// factory's namespace scope and list-option filter.
func (f *sharedInformerFactory) Acme() acme.Interface {
	ns, tweak := f.namespace, f.tweakListOptions
	return acme.New(f, ns, tweak)
}
// Certmanager returns the cert-manager.io group informers, bound to this
// factory's namespace scope and list-option filter.
func (f *sharedInformerFactory) Certmanager() certmanager.Interface {
	ns, tweak := f.namespace, f.tweakListOptions
	return certmanager.New(f, ns, tweak)
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package externalversions
import (
fmt "fmt"
v1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
schema "k8s.io/apimachinery/pkg/runtime/schema"
cache "k8s.io/client-go/tools/cache"
)
// GenericInformer is a type of SharedIndexInformer which will locate and delegate to other
// sharedInformers based on type. It is the untyped handle returned by
// SharedInformerFactory.ForResource; its Lister yields runtime.Object values
// rather than the concrete API types.
type GenericInformer interface {
	Informer() cache.SharedIndexInformer
	Lister() cache.GenericLister
}
// genericInformer pairs a shared informer with the GroupResource it serves so
// a GenericLister can be built over the informer's indexer.
type genericInformer struct {
	informer cache.SharedIndexInformer
	resource schema.GroupResource
}
// Informer returns the SharedIndexInformer this generic handle wraps.
func (f *genericInformer) Informer() cache.SharedIndexInformer {
	inf := f.informer
	return inf
}
// Lister returns a GenericLister over the wrapped informer's indexer, tagged
// with the informer's GroupResource so NotFound errors name the right resource.
func (f *genericInformer) Lister() cache.GenericLister {
	indexer := f.Informer().GetIndexer()
	return cache.NewGenericLister(indexer, f.resource)
}
// ForResource gives generic access to a shared informer of the matching type.
// Only the resources enumerated below are known; any other GroupVersionResource
// yields an error rather than a nil informer, so callers must check err before
// using the result.
//
// TODO extend this to unknown resources with a client pool
func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
	var informer cache.SharedIndexInformer
	switch resource {
	// Group=acme.cert-manager.io, Version=v1
	case v1.SchemeGroupVersion.WithResource("challenges"):
		informer = f.Acme().V1().Challenges().Informer()
	case v1.SchemeGroupVersion.WithResource("orders"):
		informer = f.Acme().V1().Orders().Informer()
	// Group=cert-manager.io, Version=v1
	case certmanagerv1.SchemeGroupVersion.WithResource("certificates"):
		informer = f.Certmanager().V1().Certificates().Informer()
	case certmanagerv1.SchemeGroupVersion.WithResource("certificaterequests"):
		informer = f.Certmanager().V1().CertificateRequests().Informer()
	case certmanagerv1.SchemeGroupVersion.WithResource("clusterissuers"):
		informer = f.Certmanager().V1().ClusterIssuers().Informer()
	case certmanagerv1.SchemeGroupVersion.WithResource("issuers"):
		informer = f.Certmanager().V1().Issuers().Informer()
	default:
		return nil, fmt.Errorf("no informer found for %v", resource)
	}
	return &genericInformer{resource: resource.GroupResource(), informer: informer}, nil
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// ChallengeLister helps list Challenges.
// All objects returned here must be treated as read-only: they are pointers
// into the shared informer cache, and mutating them corrupts the cache for
// every other consumer.
type ChallengeLister interface {
	// List lists all Challenges in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*acmev1.Challenge, err error)
	// Challenges returns an object that can list and get Challenges.
	Challenges(namespace string) ChallengeNamespaceLister
	ChallengeListerExpansion
}
// challengeLister implements the ChallengeLister interface by embedding the
// generic client-go ResourceIndexer, which supplies List.
type challengeLister struct {
	listers.ResourceIndexer[*acmev1.Challenge]
}
// NewChallengeLister returns a new ChallengeLister backed by indexer. The
// "challenge" GroupResource is used when reporting NotFound errors.
func NewChallengeLister(indexer cache.Indexer) ChallengeLister {
	ri := listers.New[*acmev1.Challenge](indexer, acmev1.Resource("challenge"))
	return &challengeLister{ResourceIndexer: ri}
}
// Challenges returns a lister restricted to the given namespace; List and Get
// on it only see Challenges in that namespace.
func (s *challengeLister) Challenges(namespace string) ChallengeNamespaceLister {
	scoped := listers.NewNamespaced[*acmev1.Challenge](s.ResourceIndexer, namespace)
	return challengeNamespaceLister{ResourceIndexer: scoped}
}
// ChallengeNamespaceLister helps list and get Challenges.
// All objects returned here must be treated as read-only.
type ChallengeNamespaceLister interface {
	// List lists all Challenges in the indexer for a given namespace.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*acmev1.Challenge, err error)
	// Get retrieves the Challenge from the indexer for a given namespace and name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*acmev1.Challenge, error)
	ChallengeNamespaceListerExpansion
}
// challengeNamespaceLister implements the ChallengeNamespaceLister
// interface; the embedded namespaced ResourceIndexer supplies List and Get.
type challengeNamespaceLister struct {
	listers.ResourceIndexer[*acmev1.Challenge]
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// OrderLister helps list Orders.
// All objects returned here must be treated as read-only: they are pointers
// into the shared informer cache, and mutating them corrupts the cache for
// every other consumer.
type OrderLister interface {
	// List lists all Orders in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*acmev1.Order, err error)
	// Orders returns an object that can list and get Orders.
	Orders(namespace string) OrderNamespaceLister
	OrderListerExpansion
}
// orderLister implements the OrderLister interface by embedding the generic
// client-go ResourceIndexer, which supplies List.
type orderLister struct {
	listers.ResourceIndexer[*acmev1.Order]
}
// NewOrderLister returns a new OrderLister backed by indexer. The "order"
// GroupResource is used when reporting NotFound errors.
func NewOrderLister(indexer cache.Indexer) OrderLister {
	ri := listers.New[*acmev1.Order](indexer, acmev1.Resource("order"))
	return &orderLister{ResourceIndexer: ri}
}
// Orders returns a lister restricted to the given namespace; List and Get on
// it only see Orders in that namespace.
func (s *orderLister) Orders(namespace string) OrderNamespaceLister {
	scoped := listers.NewNamespaced[*acmev1.Order](s.ResourceIndexer, namespace)
	return orderNamespaceLister{ResourceIndexer: scoped}
}
// OrderNamespaceLister helps list and get Orders.
// All objects returned here must be treated as read-only.
type OrderNamespaceLister interface {
	// List lists all Orders in the indexer for a given namespace.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*acmev1.Order, err error)
	// Get retrieves the Order from the indexer for a given namespace and name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*acmev1.Order, error)
	OrderNamespaceListerExpansion
}
// orderNamespaceLister implements the OrderNamespaceLister
// interface; the embedded namespaced ResourceIndexer supplies List and Get.
type orderNamespaceLister struct {
	listers.ResourceIndexer[*acmev1.Order]
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// CertificateLister helps list Certificates.
// All objects returned here must be treated as read-only: they are pointers
// into the shared informer cache, and mutating them corrupts the cache for
// every other consumer.
type CertificateLister interface {
	// List lists all Certificates in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.Certificate, err error)
	// Certificates returns an object that can list and get Certificates.
	Certificates(namespace string) CertificateNamespaceLister
	CertificateListerExpansion
}
// certificateLister implements the CertificateLister interface by embedding
// the generic client-go ResourceIndexer, which supplies List.
type certificateLister struct {
	listers.ResourceIndexer[*certmanagerv1.Certificate]
}
// NewCertificateLister returns a new CertificateLister backed by indexer. The
// "certificate" GroupResource is used when reporting NotFound errors.
func NewCertificateLister(indexer cache.Indexer) CertificateLister {
	ri := listers.New[*certmanagerv1.Certificate](indexer, certmanagerv1.Resource("certificate"))
	return &certificateLister{ResourceIndexer: ri}
}
// Certificates returns a lister restricted to the given namespace; List and
// Get on it only see Certificates in that namespace.
func (s *certificateLister) Certificates(namespace string) CertificateNamespaceLister {
	scoped := listers.NewNamespaced[*certmanagerv1.Certificate](s.ResourceIndexer, namespace)
	return certificateNamespaceLister{ResourceIndexer: scoped}
}
// CertificateNamespaceLister helps list and get Certificates.
// All objects returned here must be treated as read-only.
type CertificateNamespaceLister interface {
	// List lists all Certificates in the indexer for a given namespace.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.Certificate, err error)
	// Get retrieves the Certificate from the indexer for a given namespace and name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*certmanagerv1.Certificate, error)
	CertificateNamespaceListerExpansion
}
// certificateNamespaceLister implements the CertificateNamespaceLister
// interface. List and Get are provided by the embedded namespaced
// ResourceIndexer.
type certificateNamespaceLister struct {
	listers.ResourceIndexer[*certmanagerv1.Certificate]
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// CertificateRequestLister helps list CertificateRequests.
// All objects returned here must be treated as read-only.
type CertificateRequestLister interface {
	// List lists all CertificateRequests in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.CertificateRequest, err error)
	// CertificateRequests returns an object that can list and get CertificateRequests.
	CertificateRequests(namespace string) CertificateRequestNamespaceLister
	// Expansion interface for hand-written methods; it is not declared in
	// this generated file.
	CertificateRequestListerExpansion
}
// certificateRequestLister implements the CertificateRequestLister interface.
// List is provided by the embedded generic ResourceIndexer.
type certificateRequestLister struct {
	listers.ResourceIndexer[*certmanagerv1.CertificateRequest]
}
// NewCertificateRequestLister returns a new CertificateRequestLister backed by
// indexer.
func NewCertificateRequestLister(indexer cache.Indexer) CertificateRequestLister {
	resource := certmanagerv1.Resource("certificaterequest")
	base := listers.New[*certmanagerv1.CertificateRequest](indexer, resource)
	return &certificateRequestLister{ResourceIndexer: base}
}
// CertificateRequests returns an object that can list and get
// CertificateRequests restricted to the given namespace.
func (s *certificateRequestLister) CertificateRequests(namespace string) CertificateRequestNamespaceLister {
	scoped := listers.NewNamespaced[*certmanagerv1.CertificateRequest](s.ResourceIndexer, namespace)
	return certificateRequestNamespaceLister{ResourceIndexer: scoped}
}
// CertificateRequestNamespaceLister helps list and get CertificateRequests.
// All objects returned here must be treated as read-only.
type CertificateRequestNamespaceLister interface {
	// List lists all CertificateRequests in the indexer for a given namespace.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.CertificateRequest, err error)
	// Get retrieves the CertificateRequest from the indexer for a given namespace and name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*certmanagerv1.CertificateRequest, error)
	// Expansion interface for hand-written methods; it is not declared in
	// this generated file.
	CertificateRequestNamespaceListerExpansion
}
// certificateRequestNamespaceLister implements the CertificateRequestNamespaceLister
// interface. List and Get are provided by the embedded namespaced
// ResourceIndexer.
type certificateRequestNamespaceLister struct {
	listers.ResourceIndexer[*certmanagerv1.CertificateRequest]
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// ClusterIssuerLister helps list ClusterIssuers.
// All objects returned here must be treated as read-only.
// ClusterIssuers are cluster-scoped, so there is no namespaced sub-lister.
type ClusterIssuerLister interface {
	// List lists all ClusterIssuers in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.ClusterIssuer, err error)
	// Get retrieves the ClusterIssuer from the index for a given name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*certmanagerv1.ClusterIssuer, error)
	// Expansion interface for hand-written methods; it is not declared in
	// this generated file.
	ClusterIssuerListerExpansion
}
// clusterIssuerLister implements the ClusterIssuerLister interface.
// List and Get are provided by the embedded generic ResourceIndexer.
type clusterIssuerLister struct {
	listers.ResourceIndexer[*certmanagerv1.ClusterIssuer]
}
// NewClusterIssuerLister returns a new ClusterIssuerLister backed by indexer.
func NewClusterIssuerLister(indexer cache.Indexer) ClusterIssuerLister {
	resource := certmanagerv1.Resource("clusterissuer")
	base := listers.New[*certmanagerv1.ClusterIssuer](indexer, resource)
	return &clusterIssuerLister{ResourceIndexer: base}
}
/*
Copyright The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1
import (
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
labels "k8s.io/apimachinery/pkg/labels"
listers "k8s.io/client-go/listers"
cache "k8s.io/client-go/tools/cache"
)
// IssuerLister helps list Issuers.
// All objects returned here must be treated as read-only.
type IssuerLister interface {
	// List lists all Issuers in the indexer.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.Issuer, err error)
	// Issuers returns an object that can list and get Issuers.
	Issuers(namespace string) IssuerNamespaceLister
	// Expansion interface for hand-written methods; it is not declared in
	// this generated file.
	IssuerListerExpansion
}
// issuerLister implements the IssuerLister interface.
// List is provided by the embedded generic ResourceIndexer.
type issuerLister struct {
	listers.ResourceIndexer[*certmanagerv1.Issuer]
}
// NewIssuerLister returns a new IssuerLister backed by indexer.
func NewIssuerLister(indexer cache.Indexer) IssuerLister {
	resource := certmanagerv1.Resource("issuer")
	base := listers.New[*certmanagerv1.Issuer](indexer, resource)
	return &issuerLister{ResourceIndexer: base}
}
// Issuers returns an object that can list and get Issuers restricted to the
// given namespace.
func (s *issuerLister) Issuers(namespace string) IssuerNamespaceLister {
	scoped := listers.NewNamespaced[*certmanagerv1.Issuer](s.ResourceIndexer, namespace)
	return issuerNamespaceLister{ResourceIndexer: scoped}
}
// IssuerNamespaceLister helps list and get Issuers.
// All objects returned here must be treated as read-only.
type IssuerNamespaceLister interface {
	// List lists all Issuers in the indexer for a given namespace.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []*certmanagerv1.Issuer, err error)
	// Get retrieves the Issuer from the indexer for a given namespace and name.
	// Objects returned here must be treated as read-only.
	Get(name string) (*certmanagerv1.Issuer, error)
	// Expansion interface for hand-written methods; it is not declared in
	// this generated file.
	IssuerNamespaceListerExpansion
}
// issuerNamespaceLister implements the IssuerNamespaceLister
// interface. List and Get are provided by the embedded namespaced
// ResourceIndexer.
type issuerNamespaceLister struct {
	listers.ResourceIndexer[*certmanagerv1.Issuer]
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"fmt"
"time"
)
// Builder is used to build controllers that implement the queuingController
// interface. It is populated through the chained NewBuilder/For/With calls
// and turned into a runnable controller by Complete.
type Builder struct {
	// the root controller context factory. Used to build a component context
	// which is passed when calling Register() on the queueing Controller.
	contextFactory *ContextFactory
	// name is the name for this controller
	name string
	// the actual controller implementation; set by For and required by
	// Complete, which rejects a nil value.
	impl queueingController
	// runDurationFuncs are a list of functions that will be called every
	// 'duration'; appended to by With.
	runDurationFuncs []runDurationFunc
}
// NewBuilder creates a basic Builder bound to the given context factory and
// controller name. The controller implementation itself is supplied later
// via For.
func NewBuilder(controllerctx *ContextFactory, name string) *Builder {
	b := new(Builder)
	b.contextFactory = controllerctx
	b.name = name
	return b
}
// For records ctrl as the queueingController implementation that Complete
// will register, and returns b so calls can be chained.
func (b *Builder) For(ctrl queueingController) *Builder {
	b.impl = ctrl
	return b
}
// With will register an additional function that should be called every
// 'duration' alongside the controller.
// This is useful if a controller needs to periodically run a scheduled task.
// It returns b so calls can be chained.
func (b *Builder) With(function func(context.Context), duration time.Duration) *Builder {
	entry := runDurationFunc{fn: function, duration: duration}
	b.runDurationFuncs = append(b.runDurationFuncs, entry)
	return b
}
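// Complete builds the component context for this controller, calls Register
// on the implementation supplied via For and returns the runnable controller.
//
// It returns an error if the context cannot be built, if no implementation
// was supplied via For, or if Register fails. The Register error is wrapped
// with %w so callers can inspect the underlying cause with errors.Is/As.
func (b *Builder) Complete() (Interface, error) {
	controllerctx, err := b.contextFactory.Build(b.name)
	if err != nil {
		return nil, err
	}
	if b.impl == nil {
		return nil, fmt.Errorf("controller implementation must be non-nil")
	}
	queue, mustSync, err := b.impl.Register(controllerctx)
	if err != nil {
		// %w (not %v) keeps the error chain intact for callers.
		return nil, fmt.Errorf("error registering controller: %w", err)
	}
	return NewController(b.name, controllerctx.Metrics, b.impl.ProcessItem, mustSync, b.runDurationFuncs, queue), nil
}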
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificaterequests
import (
"fmt"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// handleGenericIssuer is the informer event handler for Issuer and
// ClusterIssuer objects. It enqueues every CertificateRequest that references
// the changed issuer so that it is re-synced. Objects that do not implement
// GenericIssuer are logged and ignored; lookup errors are logged and the
// event is dropped.
func (c *Controller) handleGenericIssuer(obj interface{}) {
	log := c.log.WithName("handleGenericIssuer")
	iss, isIssuer := obj.(cmapi.GenericIssuer)
	if !isIssuer {
		log.Error(nil, "object does not implement GenericIssuer")
		return
	}
	log = logf.WithResource(log, iss)
	affected, err := c.certificatesRequestsForGenericIssuer(iss)
	if err != nil {
		log.Error(err, "error looking up certificates observing issuer or clusterissuer")
		return
	}
	for i := range affected {
		key := types.NamespacedName{Namespace: affected[i].Namespace, Name: affected[i].Name}
		c.queue.Add(key)
	}
}
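// certificatesRequestsForGenericIssuer returns every CertificateRequest in the
// lister whose issuerRef points at iss.
//
// For a ClusterIssuer the issuerRef kind must be ClusterIssuer; for a
// namespaced Issuer the request must live in the issuer's namespace. In both
// cases the referenced name must match. The issuerRef kind is not checked for
// a namespaced Issuer, so a same-namespace request that references a
// ClusterIssuer of the same name is also returned; the only cost is an extra
// re-sync, since Sync resolves the issuerRef itself.
//
// A lister failure is returned wrapped with %w so callers can unwrap it.
func (c *Controller) certificatesRequestsForGenericIssuer(iss cmapi.GenericIssuer) ([]*cmapi.CertificateRequest, error) {
	crs, err := c.certificateRequestLister.List(labels.NewSelector())
	if err != nil {
		return nil, fmt.Errorf("error listing certificate requests: %w", err)
	}
	_, isClusterIssuer := iss.(*cmapi.ClusterIssuer)
	issuerMeta := iss.GetObjectMeta()
	var affected []*cmapi.CertificateRequest
	for _, cr := range crs {
		ref := cr.Spec.IssuerRef
		if isClusterIssuer {
			if ref.Kind != cmapi.ClusterIssuerKind {
				continue
			}
		} else if cr.Namespace != issuerMeta.Namespace {
			continue
		}
		if ref.Name != issuerMeta.Name {
			continue
		}
		affected = append(affected, cr)
	}
	return affected, nil
}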
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificaterequests
import (
"context"
"fmt"
"github.com/go-logr/logr"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/utils/clock"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificaterequests/util"
"github.com/cert-manager/cert-manager/pkg/issuer"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// Issuer implements the functionality to sign a certificate request for a
// particular issuer type. Sync calls Sign only after the request has been
// approved and the referenced issuer is Ready and of this controller's type.
type Issuer interface {
	// Sign signs the CertificateRequest using the given issuer. A nil
	// response with a nil error means the issuer has already reported a
	// pending or failed condition on the request and no status update is
	// needed.
	Sign(context.Context, *v1.CertificateRequest, v1.GenericIssuer) (*issuer.IssueResponse, error)
}
// IssuerConstructor builds an Issuer instance using the given controller
// context. It is invoked once, from Register, after the context has been
// fully built.
type IssuerConstructor func(*controllerpkg.Context) Issuer
// RegisterExtraInformerFn is a function used by CertificateRequest controller
// implementations to add custom workqueue functions based on informers not
// covered in the main shared controller implementation.
// The returned set of InformerSyncs will be waited on when the controller
// starts. It receives the controller's logger and workqueue so it can enqueue
// request keys; returning an error aborts Register.
type RegisterExtraInformerFn func(*controllerpkg.Context, logr.Logger, workqueue.TypedRateLimitingInterface[types.NamespacedName]) ([]cache.InformerSynced, error)
// Controller is an implementation of the queueingController for
// certificate requests. One Controller is constructed per issuer type (see
// New); each instance only signs requests whose referenced issuer is of its
// issuerType. Most fields are nil until Register wires them from the context.
type Controller struct {
	// helper resolves the Issuer or ClusterIssuer referenced by a request.
	helper issuer.Helper
	// clientset used to update cert-manager API resources
	cmClient cmclient.Interface
	// fieldManager is the manager name used for the Apply operations.
	fieldManager string
	// lister for the CertificateRequests this controller reconciles.
	certificateRequestLister cmlisters.CertificateRequestLister
	// we need to wait for Secrets to be synced to avoid a situation where CA issuer's Secret
	// is not yet cached at a time when issuance is attempted,
	// more details at https://github.com/cert-manager/cert-manager/issues/5216
	secretLister internalinformers.SecretLister
	// queue of request keys awaiting processing; fed by the informer event
	// handlers registered in Register.
	queue workqueue.TypedRateLimitingInterface[types.NamespacedName]
	// logger to be used by this controller
	log logr.Logger
	// used to record Events about resources to the API
	recorder record.EventRecorder
	// the issuer kind to react to when a certificate request is synced
	issuerType string
	issuerLister cmlisters.IssuerLister
	// clusterIssuerLister is only set by Register when the controller is not
	// scoped to a single namespace; otherwise it stays nil.
	clusterIssuerLister cmlisters.ClusterIssuerLister
	// registerExtraInformers is a list of functions that CertificateRequest
	// controllers can use to register custom informers.
	registerExtraInformers []RegisterExtraInformerFn
	// Issuer to call sign function
	issuerConstructor IssuerConstructor
	issuer Issuer
	// used for testing
	clock clock.Clock
	// reporter writes Ready/Pending/Failed conditions and emits Events.
	reporter *util.Reporter
}
// New will construct a new certificaterequest controller using the given
// Issuer implementation.
// Note: the registerExtraInformers passed here will be 'waited' for when
// starting to ensure their corresponding listers have synced.
// The caller is responsible for ensuring the informer work functions are setup
// correctly on any informer.
// It's also the callers responsibility to ensure the Run function on the
// informer is called in order to start the reflector. This is handled
// automatically when the informer factory's Start method is called, if the
// given informer was obtained using a SharedInformerFactory.
//
// Only the issuer type, constructor and extra-informer hooks are stored here;
// everything else is wired by Register.
func New(issuerType string, issuerConstructor IssuerConstructor, registerExtraInformers ...RegisterExtraInformerFn) *Controller {
	c := new(Controller)
	c.issuerType = issuerType
	c.issuerConstructor = issuerConstructor
	c.registerExtraInformers = registerExtraInformers
	return c
}
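// Register registers and constructs the controller using the provided context.
// It returns the workqueue to be used to enqueue items, a list of
// InformerSynced functions that must be synced, or an error.
//
// All wiring happens here rather than in New: the logger, queue, listers,
// informer event handlers, the Reporter and the Issuer implementation are all
// built from ctx. Every event-handler registration failure is returned wrapped
// with %w and names the informer it concerns, so the three handlers can be
// told apart in logs.
func (c *Controller) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	componentName := "certificaterequests-issuer-" + c.issuerType
	// construct a new named logger to be reused throughout the controller
	c.log = logf.FromContext(ctx.RootContext, componentName)
	// create a queue used to queue up items to be processed
	c.queue = workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultItemBasedRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{
			Name: componentName,
		},
	)
	secretsInformer := ctx.KubeSharedInformerFactory.Secrets()
	issuerInformer := ctx.SharedInformerFactory.Certmanager().V1().Issuers()
	c.issuerLister = issuerInformer.Lister()
	c.secretLister = secretsInformer.Lister()
	// obtain references to all the informers used by this controller
	certificateRequestInformer := ctx.SharedInformerFactory.Certmanager().V1().CertificateRequests()
	// build a list of InformerSynced functions that will be returned by the
	// Register method. The controller will only begin processing items once all
	// of these informers have synced.
	mustSync := []cache.InformerSynced{
		certificateRequestInformer.Informer().HasSynced,
		issuerInformer.Informer().HasSynced,
		secretsInformer.Informer().HasSynced,
	}
	for _, reg := range c.registerExtraInformers {
		ms, err := reg(ctx, c.log, c.queue)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to register extra informer: %w", err)
		}
		mustSync = append(mustSync, ms...)
	}
	// ClusterIssuers are cluster-scoped, so their informer, lister and event
	// handler are only wired up when we are running in non-namespaced mode
	// (i.e. --namespace=""). Otherwise c.clusterIssuerLister stays nil and is
	// passed as such to the issuer helper below.
	if ctx.Namespace == "" {
		clusterIssuerInformer := ctx.SharedInformerFactory.Certmanager().V1().ClusterIssuers()
		c.clusterIssuerLister = clusterIssuerInformer.Lister()
		// register handler function for clusterissuer resources
		if _, err := clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: c.handleGenericIssuer}); err != nil {
			return nil, nil, fmt.Errorf("error setting up clusterissuer event handler: %w", err)
		}
		mustSync = append(mustSync, clusterIssuerInformer.Informer().HasSynced)
	}
	// set all the references to the listers for used by the Sync function
	c.certificateRequestLister = certificateRequestInformer.Lister()
	// register handler functions: request changes are queued directly, issuer
	// changes fan out to the affected requests via handleGenericIssuer.
	if _, err := certificateRequestInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: c.queue}); err != nil {
		return nil, nil, fmt.Errorf("error setting up certificaterequest event handler: %w", err)
	}
	if _, err := issuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: c.handleGenericIssuer}); err != nil {
		return nil, nil, fmt.Errorf("error setting up issuer event handler: %w", err)
	}
	// create an issuer helper for reading generic issuers
	c.helper = issuer.NewHelper(c.issuerLister, c.clusterIssuerLister)
	// clock is used to set the FailureTime of failed CertificateRequests
	c.clock = ctx.Clock
	// recorder records events about resources to the Kubernetes api
	c.recorder = ctx.Recorder
	c.reporter = util.NewReporter(c.clock, c.recorder)
	c.cmClient = ctx.CMClient
	c.fieldManager = ctx.FieldManager
	// Construct the issuer implementation with the built component context.
	c.issuer = c.issuerConstructor(ctx)
	c.log.V(logf.DebugLevel).Info("new certificate request controller registered",
		"type", c.issuerType)
	return c.queue, mustSync, nil
}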
// ProcessItem is the worker function that will be called with a new key from
// the workqueue. A key corresponds to a certificate request object.
//
// A request that no longer exists in the lister, or that is being deleted, is
// skipped without error so the key is not retried; any other lister error is
// returned for the queue to retry. Otherwise the request is handed to Sync
// with a logger carrying the request's identity attached to ctx.
func (c *Controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx)
	cr, err := c.certificateRequestLister.CertificateRequests(key.Namespace).Get(key.Name)
	switch {
	case err == nil:
		// fall through to the deletion check below
	case k8sErrors.IsNotFound(err):
		// not-found is handled by the nil check below, not treated as an error
	default:
		return err
	}
	// If the CertificateRequest object was/is being deleted, we don't want to
	// start signing.
	if cr == nil || cr.DeletionTimestamp != nil {
		return nil
	}
	ctx = logf.NewContext(ctx, logf.WithResource(log, cr))
	return c.Sync(ctx, cr)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificaterequests
import (
"context"
"fmt"
"reflect"
"github.com/google/go-cmp/cmp"
corev1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
internalcertificaterequests "github.com/cert-manager/cert-manager/internal/controller/certificaterequests"
"github.com/cert-manager/cert-manager/internal/controller/feature"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
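// Sync reconciles a single CertificateRequest for the issuer type this
// controller owns. It walks the request through its gating conditions
// (issuerRef group, denied / invalid / not yet approved, already failed or
// issued), resolves the referenced Issuer or ClusterIssuer, checks that it is
// Ready and of this controller's type, and only then invokes the issuer's
// Sign function.
//
// cr itself is never mutated: a deep copy is updated and, on return, any
// status or annotation change is persisted by the deferred save. A save error
// is aggregated with whatever error is being returned, which is why the
// result is a named return value.
//
// A nil error is returned for every outcome that is reported on the request
// itself (pending, denied, failed, decode error); a non-nil error is returned
// only for transient failures that should be retried through the workqueue.
func (c *Controller) Sync(ctx context.Context, cr *cmapi.CertificateRequest) (err error) {
	log := logf.FromContext(ctx)
	dbg := log.V(logf.DebugLevel)
	if cr.Spec.IssuerRef.Group != certmanager.GroupName {
		dbg.Info("certificate request issuerRef group does not match certmanager group so skipping processing")
		return nil
	}
	crCopy := cr.DeepCopy()
	defer func() {
		if saveErr := c.updateCertificateRequestStatusAndAnnotations(ctx, cr, crCopy); saveErr != nil {
			err = utilerrors.NewAggregate([]error{saveErr, err})
		}
	}()
	// If CertificateRequest has been denied, mark the CertificateRequest as
	// Ready=RequestDenied if not already.
	if apiutil.CertificateRequestIsDenied(cr) {
		c.reporter.Denied(crCopy)
		return nil
	}
	// If CertificateRequest is invalid, do not process it
	if apiutil.CertificateRequestHasInvalidRequest(cr) {
		dbg.Info("certificate request is invalid and will not be further processed")
		return nil
	}
	// If CertificateRequest has not been approved, exit early. Approval is a
	// hard precondition for signing: nothing below runs without it.
	if !apiutil.CertificateRequestIsApproved(cr) {
		dbg.Info("certificate request has not been approved")
		c.recorder.Event(cr, corev1.EventTypeNormal, "WaitingForApproval", "Not signing CertificateRequest until it is Approved")
		return nil
	}
	// Failed and Issued are terminal: never re-sign.
	switch apiutil.CertificateRequestReadyReason(cr) {
	case cmapi.CertificateRequestReasonFailed:
		dbg.Info("certificate request Ready condition failed so skipping processing")
		return nil
	case cmapi.CertificateRequestReasonIssued:
		dbg.Info("certificate request Ready condition true so skipping processing")
		return nil
	}
	dbg.Info("fetching issuer object referenced by CertificateRequest")
	issuerObj, err := c.helper.GetGenericIssuer(crCopy.Spec.IssuerRef, crCopy.Namespace)
	if k8sErrors.IsNotFound(err) {
		c.reporter.Pending(crCopy, err, "IssuerNotFound",
			fmt.Sprintf("Referenced %q not found", crCopy.Spec.IssuerRef.Kind))
		return nil
	}
	if err != nil {
		log.Error(err, "failed to get issuer")
		return err
	}
	log = logf.WithRelatedResource(log, issuerObj)
	dbg.Info("ensuring issuer type matches this controller")
	issuerType, err := apiutil.NameForIssuer(issuerObj)
	if err != nil {
		c.reporter.Pending(crCopy, err, "IssuerTypeMissing",
			"Missing issuer type")
		return nil
	}
	// This CertificateRequest is not meant for us, ignore. Use the
	// request-scoped logger (not c.log) so the message carries the request
	// and issuer identity like every other log line in this function.
	if issuerType != c.issuerType {
		log.WithValues(
			logf.RelatedResourceKindKey, issuerType,
		).V(logf.DebugLevel).Info("issuer reference type does not match controller resource kind, ignoring")
		return nil
	}
	// check ready condition
	if !apiutil.IssuerHasCondition(issuerObj, cmapi.IssuerCondition{
		Type:   cmapi.IssuerConditionReady,
		Status: cmmeta.ConditionTrue,
	}) {
		c.reporter.Pending(crCopy, nil, "IssuerNotReady",
			"Referenced issuer does not have a Ready status condition")
		return nil
	}
	dbg.Info("validating CertificateRequest resource object")
	if len(crCopy.Status.Certificate) > 0 {
		dbg.Info("certificate field is already set in status so skipping processing")
		return nil
	}
	dbg.Info("invoking sign function as existing certificate does not exist")
	// Attempt to call the Sign function on our issuer
	resp, err := c.issuer.Sign(ctx, crCopy, issuerObj)
	if err != nil {
		log.Error(err, "error issuing certificate request")
		return err
	}
	// If the issuer has not returned any data we may be pending or failed. The
	// underlying issuer will have set the condition of pending or failed and we
	// should potentially wait for a re-sync.
	if resp == nil {
		return nil
	}
	// Update to status with the new given response.
	crCopy.Status.Certificate = resp.Certificate
	crCopy.Status.CA = resp.CA
	// Reject a response whose leaf certificate is not parseable; this is a
	// terminal failure. Only the leaf is decode-checked here, resp.CA is
	// stored as returned by the issuer.
	_, err = pki.DecodeX509CertificateBytes(crCopy.Status.Certificate)
	if err != nil {
		c.reporter.Failed(crCopy, err, "DecodeError", "Failed to decode returned certificate")
		return nil
	}
	// Set condition to Ready.
	c.reporter.Ready(crCopy)
	return nil
}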
// updateCertificateRequestStatusAndAnnotations persists the differences
// between oldCR (as read from the lister) and newCR (the mutated copy).
// A change in annotations requires a full object update, so it takes
// precedence; otherwise only a semantic change in Status triggers a status
// update. When neither differs nothing is written and nil is returned.
func (c *Controller) updateCertificateRequestStatusAndAnnotations(ctx context.Context, oldCR, newCR *cmapi.CertificateRequest) error {
	log := logf.FromContext(ctx, "updateStatus")
	// if annotations changed we have to call .Update() and not .UpdateStatus()
	annotationsChanged := !reflect.DeepEqual(oldCR.Annotations, newCR.Annotations)
	if annotationsChanged {
		log.V(logf.DebugLevel).Info("updating resource due to change in annotations", "diff", cmp.Diff(oldCR.Annotations, newCR.Annotations))
		return c.updateOrApply(ctx, newCR)
	}
	statusChanged := !apiequality.Semantic.DeepEqual(oldCR.Status, newCR.Status)
	if !statusChanged {
		return nil
	}
	log.V(logf.DebugLevel).Info("updating resource due to change in status", "diff", cmp.Diff(oldCR.Status, newCR.Status))
	return c.updateStatusOrApply(ctx, newCR)
}
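// updateOrApply writes the whole CertificateRequest object, using server-side
// apply under c.fieldManager when the ServerSideApply feature gate is enabled
// and a plain Update otherwise. The returned object is discarded; only the
// error is reported.
func (c *Controller) updateOrApply(ctx context.Context, cr *cmapi.CertificateRequest) error {
	if utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		_, err := internalcertificaterequests.Apply(ctx, c.cmClient, c.fieldManager, cr)
		return err
	}
	// no else after a terminating if: keep the happy path left-aligned
	_, err := c.cmClient.CertmanagerV1().CertificateRequests(cr.Namespace).Update(ctx, cr, metav1.UpdateOptions{})
	return err
}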
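// updateStatusOrApply writes only the status subresource of the
// CertificateRequest, using server-side apply under c.fieldManager when the
// ServerSideApply feature gate is enabled and UpdateStatus otherwise.
func (c *Controller) updateStatusOrApply(ctx context.Context, cr *cmapi.CertificateRequest) error {
	if utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		return internalcertificaterequests.ApplyStatus(ctx, c.cmClient, c.fieldManager, cr)
	}
	// no else after a terminating if: keep the happy path left-aligned
	_, err := c.cmClient.CertmanagerV1().CertificateRequests(cr.Namespace).UpdateStatus(ctx, cr, metav1.UpdateOptions{})
	return err
}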
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"fmt"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/record"
"k8s.io/utils/clock"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
const (
	// readyMessage is used both as the Event message and the Ready condition
	// message when a request is marked Issued (see Reporter.Ready).
	readyMessage = "Certificate fetched from issuer successfully"
)
// A Reporter updates the Status of a CertificateRequest and sends an event
// to the Kubernetes Events API. It mutates the CertificateRequest it is
// given in place; persisting the change is the caller's job.
type Reporter struct {
	// clock supplies the FailureTime stamped by Failed and Denied; injectable
	// for tests.
	clock clock.Clock
	// recorder receives the Events emitted by Failed, Pending and Ready.
	recorder record.EventRecorder
}
// NewReporter returns a Reporter that timestamps failures with clock and
// sends events to the given EventRecorder.
func NewReporter(clock clock.Clock, recorder record.EventRecorder) *Reporter {
	r := new(Reporter)
	r.clock = clock
	r.recorder = recorder
	return r
}
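// Failed marks a CertificateRequest as terminally failed and sends a
// corresponding Warning event.
//
// The FailureTime is stamped from the Reporter's clock only the first time
// the request fails and is never overwritten. When err is non-nil it is
// appended to message as ": <err>" in both the event and the Ready condition,
// mirroring Pending; a nil err leaves message unchanged instead of producing
// a trailing ": <nil>".
func (r *Reporter) Failed(cr *cmapi.CertificateRequest, err error, reason, message string) {
	// Set the FailureTime to r.clock.Now(), only if it has not been already set.
	if cr.Status.FailureTime == nil {
		nowTime := metav1.NewTime(r.clock.Now())
		cr.Status.FailureTime = &nowTime
	}
	if err != nil {
		message = fmt.Sprintf("%s: %v", message, err)
	}
	r.recorder.Event(cr, corev1.EventTypeWarning, reason, message)
	apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady,
		cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, message)
}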
// Denied marks a CertificateRequest as terminally denied. No event is sent as it is
// expected to be sent by the approval controller. The FailureTime is stamped
// from the Reporter's clock only if it has not already been set.
func (r *Reporter) Denied(cr *cmapi.CertificateRequest) {
	const deniedMessage = "The CertificateRequest was denied by an approval controller"
	if cr.Status.FailureTime == nil {
		failedAt := metav1.NewTime(r.clock.Now())
		cr.Status.FailureTime = &failedAt
	}
	apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady,
		cmmeta.ConditionFalse, cmapi.CertificateRequestReasonDenied, deniedMessage)
}
// InvalidRequest marks a CertificateRequest as terminally Invalid. No event is sent as it
// is expected to be reported by the order controller. Unlike Failed and
// Denied, no FailureTime is stamped.
func (r *Reporter) InvalidRequest(cr *cmapi.CertificateRequest, reason, message string) {
	condType := cmapi.CertificateRequestConditionInvalidRequest
	apiutil.SetCertificateRequestCondition(cr, condType, cmmeta.ConditionTrue, reason, message)
}
// Pending marks a CertificateRequest as pending and sends a corresponding event.
//
// The event is only sent if the CertificateRequest is not already pending.
// When err is non-nil it is appended to message as ": <err>".
func (r *Reporter) Pending(cr *cmapi.CertificateRequest, err error, reason, message string) {
	if err != nil {
		message = fmt.Sprintf("%s: %v", message, err)
	}
	// Only emit an Event on the transition into Pending. Re-reporting a
	// request that is already Pending would add API-server load and risk
	// rate limiting on Event creation.
	alreadyPending := apiutil.CertificateRequestReadyReason(cr) == cmapi.CertificateRequestReasonPending
	if !alreadyPending {
		r.recorder.Event(cr, corev1.EventTypeNormal, reason, message)
	}
	apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady,
		cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, message)
}
// Ready marks a CertificateRequest as Ready and sends a corresponding event.
// Both the event and the condition carry readyMessage.
func (r *Reporter) Ready(cr *cmapi.CertificateRequest) {
	const reason = "CertificateIssued"
	r.recorder.Event(cr, corev1.EventTypeNormal, reason, readyMessage)
	apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady,
		cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, readyMessage)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package vault
import (
"context"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
vaultinternal "github.com/cert-manager/cert-manager/internal/vault"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificaterequests"
crutil "github.com/cert-manager/cert-manager/pkg/controller/certificaterequests/util"
"github.com/cert-manager/cert-manager/pkg/issuer"
logf "github.com/cert-manager/cert-manager/pkg/logs"
cmerrors "github.com/cert-manager/cert-manager/pkg/util/errors"
)
// CRControllerName is the name under which the Vault CertificateRequest
// controller is registered with the controller manager.
const CRControllerName = "certificaterequests-issuer-vault"
// Vault is a Vault-specific implementation of
// pkg/controller/certificaterequests.Issuer interface.
type Vault struct {
	// issuerOptions resolves the namespace in which resources referenced by
	// an issuer are looked up (see Sign).
	issuerOptions controllerpkg.IssuerOptions
	// createTokenFn returns, for a namespace, the Kubernetes client function
	// that creates ServiceAccount tokens; presumably used for Vault's
	// Kubernetes auth method — confirm against internal/vault.
	createTokenFn func(ns string) vaultinternal.CreateToken
	// secretsLister reads Secrets from the shared informer cache.
	secretsLister internalinformers.SecretLister
	// reporter records Pending/Failed outcomes on the CertificateRequest.
	reporter *crutil.Reporter
	// vaultClientBuilder builds the Vault client for an issuer on every Sign
	// call; NewVault sets it to vaultinternal.New.
	vaultClientBuilder vaultinternal.ClientBuilder
}
// init registers the Vault CertificateRequest controller under
// CRControllerName so the controller manager can build it at start-up.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		issuerImpl := certificaterequests.New(apiutil.IssuerVault, NewVault)
		return controllerpkg.NewBuilder(ctx, CRControllerName).For(issuerImpl).Complete()
	}
	controllerpkg.Register(CRControllerName, build)
}
// NewVault builds the Vault issuer implementation from the controller
// context: issuer options, the Secrets lister, an event reporter and the
// real Vault client builder.
func NewVault(ctx *controllerpkg.Context) certificaterequests.Issuer {
	// Token creation is bound to the controller's Kubernetes client; the
	// namespace is supplied by the caller at request time.
	createToken := func(ns string) vaultinternal.CreateToken {
		return ctx.Client.CoreV1().ServiceAccounts(ns).CreateToken
	}
	v := &Vault{
		issuerOptions:      ctx.IssuerOptions,
		createTokenFn:      createToken,
		secretsLister:      ctx.KubeSharedInformerFactory.Secrets().Lister(),
		reporter:           crutil.NewReporter(ctx.Clock, ctx.Recorder),
		vaultClientBuilder: vaultinternal.New,
	}
	return v
}
// Sign builds a Vault client for issuerObj and asks Vault to sign the CSR
// carried in cr.Spec.Request, returning the signed certificate and CA PEM.
//
// Outcomes are reported on cr through v.reporter. A (nil, nil) return means
// the condition has been recorded and the caller should not requeue now (a
// Secret the issuer references is missing, the issuer data is invalid, or
// Vault refused to sign); a non-nil error asks the caller to requeue.
func (v *Vault) Sign(ctx context.Context, cr *v1.CertificateRequest, issuerObj v1.GenericIssuer) (*issuer.IssueResponse, error) {
	log := logf.WithRelatedResource(logf.FromContext(ctx, "sign"), issuerObj)

	ns := v.issuerOptions.ResourceNamespace(issuerObj)
	vc, err := v.vaultClientBuilder(ctx, ns, v.createTokenFn, v.secretsLister, issuerObj)
	switch {
	case k8sErrors.IsNotFound(err):
		// A referenced Secret is absent: report Pending and wait for it to
		// appear rather than requeueing.
		msg := "Required secret resource not found"
		v.reporter.Pending(cr, err, "SecretMissing", msg)
		log.Error(err, msg)
		return nil, nil
	case err != nil:
		msg := "Failed to initialise vault client for signing"
		v.reporter.Pending(cr, err, "VaultInitError", msg)
		log.Error(err, msg)
		if cmerrors.IsInvalidData(err) {
			// Issuer configuration is malformed; retrying cannot help until
			// the issuer itself is updated.
			return nil, nil
		}
		return nil, err // transient: requeue and retry
	}

	duration := apiutil.DefaultCertDuration(cr.Spec.Duration)
	certPEM, caPEM, err := vc.Sign(cr.Spec.Request, duration)
	if err != nil {
		msg := "Vault failed to sign certificate"
		v.reporter.Failed(cr, err, "SigningError", msg)
		log.Error(err, msg)
		return nil, nil
	}

	log.V(logf.DebugLevel).Info("certificate issued")
	return &issuer.IssueResponse{Certificate: certPEM, CA: caPEM}, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package venafi
import (
"context"
"encoding/json"
"fmt"
"github.com/Venafi/vcert/v5/pkg/endpoint"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
clientset "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificaterequests"
crutil "github.com/cert-manager/cert-manager/pkg/controller/certificaterequests/util"
issuerpkg "github.com/cert-manager/cert-manager/pkg/issuer"
venaficlient "github.com/cert-manager/cert-manager/pkg/issuer/venafi/client"
"github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/metrics"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
)
// CRControllerName is the name under which the Venafi CertificateRequest
// controller is registered with the controller manager.
const CRControllerName = "certificaterequests-issuer-venafi"
// Venafi is the Venafi-specific implementation of the
// pkg/controller/certificaterequests.Issuer interface.
type Venafi struct {
	// issuerOptions resolves the namespace in which resources referenced by
	// an issuer are looked up (see Sign).
	issuerOptions controllerpkg.IssuerOptions
	// secretsLister reads Secrets from the shared informer cache.
	secretsLister internalinformers.SecretLister
	// reporter records Pending/Failed outcomes on the CertificateRequest.
	reporter *crutil.Reporter
	cmClient clientset.Interface
	// clientBuilder constructs the Venafi client for an issuer; Sign calls
	// it on every invocation. NewVenafi sets it to venaficlient.New.
	clientBuilder venaficlient.VenafiClientBuilder
	// metrics is handed to the client builder.
	metrics *metrics.Metrics
	// userAgent is the string used as the UserAgent when making HTTP calls.
	userAgent string
}
// init registers the Venafi CertificateRequest controller under
// CRControllerName so the controller manager can build it at start-up.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		issuerImpl := certificaterequests.New(apiutil.IssuerVenafi, NewVenafi)
		return controllerpkg.NewBuilder(ctx, CRControllerName).For(issuerImpl).Complete()
	}
	controllerpkg.Register(CRControllerName, build)
}
// NewVenafi builds the Venafi issuer implementation from the controller
// context: issuer options, the Secrets lister, an event reporter, metrics,
// the cert-manager client, the REST config's UserAgent and the real Venafi
// client builder.
func NewVenafi(ctx *controllerpkg.Context) certificaterequests.Issuer {
	v := new(Venafi)
	v.issuerOptions = ctx.IssuerOptions
	v.secretsLister = ctx.KubeSharedInformerFactory.Secrets().Lister()
	v.reporter = crutil.NewReporter(ctx.Clock, ctx.Recorder)
	v.clientBuilder = venaficlient.New
	v.metrics = ctx.Metrics
	v.cmClient = ctx.CMClient
	// Identify cert-manager to the Venafi endpoint with the same UserAgent
	// the Kubernetes client uses.
	v.userAgent = ctx.RESTConfig.UserAgent
	return v
}
// Sign drives Venafi's asynchronous issuance for cr through the issuer
// described by issuerObj.
//
// On the first call it submits the CSR (with any custom fields decoded from
// the VenafiCustomFieldsAnnotationKey annotation) and stores the returned
// pickup ID in the VenafiPickupIDAnnotationKey annotation on cr, reporting
// the request as Pending. Later calls use that pickup ID to retrieve the
// issued certificate, which is split into chain and CA before being returned.
//
// A (nil, nil) result means the outcome has already been reported on cr and
// the caller should not requeue now; a non-nil error requests a requeue,
// including while Venafi still reports the certificate as pending.
func (v *Venafi) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerObj cmapi.GenericIssuer) (*issuerpkg.IssueResponse, error) {
	log := logf.WithRelatedResource(logf.FromContext(ctx, "sign"), issuerObj)

	ns := v.issuerOptions.ResourceNamespace(issuerObj)
	vc, err := v.clientBuilder(ns, v.secretsLister, issuerObj, v.metrics, log, v.userAgent)
	switch {
	case k8sErrors.IsNotFound(err):
		msg := "Required secret resource not found"
		v.reporter.Pending(cr, err, "SecretMissing", msg)
		log.Error(err, msg)
		return nil, nil
	case err != nil:
		msg := "Failed to initialise venafi client for signing"
		v.reporter.Pending(cr, err, "VenafiInitError", msg)
		log.Error(err, msg)
		return nil, err
	}

	// Custom fields are optional and arrive as a JSON list in an annotation
	// on the request; a malformed list is a user error and is not retried.
	var fields []api.CustomField
	if raw, ok := cr.GetAnnotations()[cmapi.VenafiCustomFieldsAnnotationKey]; ok && raw != "" {
		if err := json.Unmarshal([]byte(raw), &fields); err != nil {
			msg := fmt.Sprintf("Failed to parse %q annotation", cmapi.VenafiCustomFieldsAnnotationKey)
			v.reporter.Failed(cr, err, "CustomFieldsError", msg)
			log.Error(err, msg)
			return nil, nil
		}
	}

	duration := apiutil.DefaultCertDuration(cr.Spec.Duration)

	// No pickup ID means this is the first pass: submit the request, record
	// the ID on the object, and collect the certificate on a later reconcile.
	pickupID := cr.Annotations[cmapi.VenafiPickupIDAnnotationKey]
	if pickupID == "" {
		pickupID, err = vc.RequestCertificate(cr.Spec.Request, duration, fields)
		if err != nil {
			if _, isCustomFieldsErr := err.(venaficlient.ErrCustomFieldsType); isCustomFieldsErr {
				// Rejected custom fields are a user error; report and stop.
				v.reporter.Failed(cr, err, "CustomFieldsError", err.Error())
				log.Error(err, err.Error())
				return nil, nil
			}
			msg := "Failed to request venafi certificate"
			v.reporter.Failed(cr, err, "RequestError", msg)
			log.Error(err, msg)
			return nil, err
		}
		v.reporter.Pending(cr, nil, "IssuancePending", "Venafi certificate is requested")
		metav1.SetMetaDataAnnotation(&cr.ObjectMeta, cmapi.VenafiPickupIDAnnotationKey, pickupID)
		return nil, nil
	}

	certPEM, err := vc.RetrieveCertificate(pickupID, cr.Spec.Request, duration, fields)
	if err != nil {
		switch err.(type) {
		case endpoint.ErrCertificatePending, endpoint.ErrRetrieveCertificateTimeout:
			// Not ready yet: stay Pending and requeue.
			msg := "Venafi certificate still in a pending state, the request will be retried"
			v.reporter.Pending(cr, err, "IssuancePending", msg)
			log.Error(err, msg)
			return nil, err
		default:
			msg := "Failed to obtain venafi certificate"
			v.reporter.Failed(cr, err, "RetrieveError", msg)
			log.Error(err, msg)
			return nil, err
		}
	}
	log.V(logf.DebugLevel).Info("certificate issued")

	bundle, err := utilpki.ParseSingleCertificateChainPEM(certPEM)
	if err != nil {
		msg := "Failed to parse returned certificate bundle"
		v.reporter.Failed(cr, err, "ParseError", msg)
		log.Error(err, msg)
		return nil, err
	}
	return &issuerpkg.IssueResponse{Certificate: bundle.ChainPEM, CA: bundle.CAPEM}, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"github.com/go-logr/logr"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/util/workqueue"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
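// EnqueueCertificatesForResourceUsingPredicates returns a handler, suitable
// as the OnAdd function of a SharedIndexInformer, that enqueues every
// Certificate related to the object it is given. It should be used for
// resources that Certificates reference in some way.
//
// The object's namespace is used for the Certificate List call, so only
// Certificates in that namespace are ever enqueued. Each predicateBuilder is
// invoked with the object to produce a predicate, and only Certificates
// matching selector and every predicate are queued. With no
// predicateBuilders every Certificate in the namespace is enqueued on every
// invocation.
//
// Objects that do not implement both metav1.Object and runtime.Object are
// logged and ignored instead of panicking the handler.
func EnqueueCertificatesForResourceUsingPredicates(log logr.Logger, queue workqueue.TypedInterface[types.NamespacedName], lister cmlisters.CertificateLister, selector labels.Selector, predicateBuilders ...predicate.ExtractorFunc) func(obj any) {
	return func(obj any) {
		metaObj, ok := obj.(metav1.Object)
		if !ok {
			log.V(logf.ErrorLevel).Info("Non-Object type resource passed to EnqueueCertificatesForResourceUsingPredicates")
			return
		}
		// The predicate builders take a runtime.Object; check the assertion
		// rather than letting an unexpected informer payload panic.
		runtimeObj, ok := obj.(runtime.Object)
		if !ok {
			log.V(logf.ErrorLevel).Info("Non-runtime.Object type resource passed to EnqueueCertificatesForResourceUsingPredicates")
			return
		}

		// Build the predicate functions from the object that triggered the
		// handler.
		predicates := make(predicate.Funcs, len(predicateBuilders))
		for i, build := range predicateBuilders {
			predicates[i] = build(runtimeObj)
		}

		certs, err := ListCertificatesMatchingPredicates(lister.Certificates(metaObj.GetNamespace()), selector, predicates...)
		if err != nil {
			log.Error(err, "Failed listing Certificate resources")
			return
		}
		for _, cert := range certs {
			queue.Add(types.NamespacedName{Name: cert.Name, Namespace: cert.Namespace})
		}
	}
}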
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file defines methods used for PKCS#12 support.
// This is an experimental feature and the contents of this file are intended
// to be absorbed into a more fully fledged implementation ahead of the v0.15
// release.
// This should hopefully not exist by the next time you come to read this :)
package internal
import (
"bytes"
"crypto/x509"
"fmt"
"time"
jks "github.com/pavlo-v-chernykh/keystore-go/v4"
"software.sslmate.com/src/go-pkcs12"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
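// encodePKCS12Keystore encodes a PKCS#12 keystore protected by password,
// using the encoder selected by profile.
//
// rawKey must be a PKCS#1 or PKCS#8 PEM private key, certPem a PEM
// certificate chain and caPem an optional PEM certificate set (it may be
// empty). The first certificate in certPem becomes the keystore's
// certificate; any remaining chain certificates are placed ahead of the
// caPem certificates in the keystore's CA list, because the pkcs12 library
// accepts only a single leaf certificate.
//
// Any profile other than Modern2023 or LegacyDES (including an unset one)
// selects the LegacyRC2 encoder, the legacy RC2-based encoding kept for
// compatibility with older consumers; Modern2023 is the stronger choice
// wherever the consumer of the keystore supports it.
func encodePKCS12Keystore(profile cmapi.PKCS12Profile, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
	key, err := pki.DecodePrivateKeyBytes(rawKey)
	if err != nil {
		return nil, err
	}

	certs, err := pki.DecodeX509CertificateChainBytes(certPem)
	if err != nil {
		return nil, err
	}
	// Guard the certs[0] access below so an empty chain is an error rather
	// than a panic, whatever the decoder returns for degenerate input.
	if len(certs) == 0 {
		return nil, fmt.Errorf("certificate data contains no certificates")
	}

	var cas []*x509.Certificate
	if len(caPem) > 0 {
		cas, err = pki.DecodeX509CertificateSetBytes(caPem)
		if err != nil {
			return nil, err
		}
	}

	// Prepend the rest of the chain to the CA list, since the PKCS#12
	// library only allows setting a single certificate.
	if len(certs) > 1 {
		cas = append(certs[1:], cas...)
	}

	encoder := pkcs12.LegacyRC2
	switch profile {
	case cmapi.Modern2023PKCS12Profile:
		encoder = pkcs12.Modern2023
	case cmapi.LegacyDESPKCS12Profile:
		encoder = pkcs12.LegacyDES
	case cmapi.LegacyRC2PKCS12Profile:
		encoder = pkcs12.LegacyRC2
	}
	return encoder.Encode(key, certs[0], cas, password)
}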
// encodePKCS12Truststore encodes the PEM certificate set in caPem as a
// PKCS#12 trust store (certificates only, no private key) protected by
// password, using the encoder selected by profile. Any profile value other
// than Modern2023 or LegacyDES selects the LegacyRC2 encoder.
func encodePKCS12Truststore(profile cmapi.PKCS12Profile, password string, caPem []byte) ([]byte, error) {
	cas, err := pki.DecodeX509CertificateSetBytes(caPem)
	if err != nil {
		return nil, err
	}

	// LegacyRC2 is the fallback for every profile not explicitly listed,
	// including the LegacyRC2 profile itself.
	encoder := pkcs12.LegacyRC2
	switch profile {
	case cmapi.Modern2023PKCS12Profile:
		encoder = pkcs12.Modern2023
	case cmapi.LegacyDESPKCS12Profile:
		encoder = pkcs12.LegacyDES
	}
	return encoder.EncodeTrustStore(cas, password)
}
// encodeJKSKeystore builds a Java KeyStore (JKS) containing one private-key
// entry under keyAlias, protected by password, and returns its serialised
// bytes.
//
// rawKey is a PEM private key, certPem the PEM certificate chain stored with
// the key, and caPem an optional PEM certificate set that is added as
// trusted-certificate entries when non-empty. The key is re-encoded as
// PKCS#8 DER before being stored. Entry creation times come from the wall
// clock, so two encodings of identical input are not byte-identical.
func encodeJKSKeystore(password []byte, keyAlias string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
	privKey, err := pki.DecodePrivateKeyBytes(rawKey)
	if err != nil {
		return nil, err
	}
	// JKS private-key entries hold the key in PKCS#8 DER form.
	keyDER, err := x509.MarshalPKCS8PrivateKey(privKey)
	if err != nil {
		return nil, err
	}

	chain, err := pki.DecodeX509CertificateChainBytes(certPem)
	if err != nil {
		return nil, err
	}
	chainEntries := make([]jks.Certificate, 0, len(chain))
	for _, c := range chain {
		chainEntries = append(chainEntries, jks.Certificate{Type: "X509", Content: c.Raw})
	}

	store := jks.New()
	entry := jks.PrivateKeyEntry{
		CreationTime:     time.Now(),
		PrivateKey:       keyDER,
		CertificateChain: chainEntries,
	}
	if err := store.SetPrivateKeyEntry(keyAlias, entry, password); err != nil {
		return nil, err
	}

	// Trusted CA entries are only added when CA data was supplied.
	if len(caPem) > 0 {
		if err := addCAsToJKSStore(&store, caPem); err != nil {
			return nil, err
		}
	}

	var out bytes.Buffer
	if err := store.Store(&out, password); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}
// encodeJKSTruststore builds a Java KeyStore holding only trusted-certificate
// entries for the PEM certificate set in caPem, protected by password, and
// returns its serialised bytes.
func encodeJKSTruststore(password []byte, caPem []byte) ([]byte, error) {
	store := jks.New()
	if err := addCAsToJKSStore(&store, caPem); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if err := store.Store(&out, password); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}
// addCAsToJKSStore decodes the PEM certificate set in caPem and adds each
// certificate to ks as a trusted-certificate entry. The first certificate is
// stored under the alias "ca"; later ones under "ca-<index>" ("ca-1",
// "ca-2", ...). All entries share one wall-clock creation time.
func addCAsToJKSStore(ks *jks.KeyStore, caPem []byte) error {
	cas, err := pki.DecodeX509CertificateSetBytes(caPem)
	if err != nil {
		return err
	}
	now := time.Now()
	for i, cert := range cas {
		alias := "ca"
		if i > 0 {
			alias = fmt.Sprintf("ca-%d", i)
		}
		entry := jks.TrustedCertificateEntry{
			CreationTime: now,
			Certificate:  jks.Certificate{Type: "X509", Content: cert.Raw},
		}
		if err := ks.SetTrustedCertificateEntry(alias, entry); err != nil {
			return err
		}
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package internal
import (
"context"
"crypto/x509"
"fmt"
"maps"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
applycorev1 "k8s.io/client-go/applyconfigurations/core/v1"
applymetav1 "k8s.io/client-go/applyconfigurations/meta/v1"
coreclient "k8s.io/client-go/kubernetes/typed/core/v1"
"github.com/cert-manager/cert-manager/internal/controller/certificates"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
)
// DefaultKeystorePassword is "changeit", the conventional placeholder
// password for keystore files. It is widely known and provides no
// confidentiality for the keystore contents.
const DefaultKeystorePassword = "changeit"
// certificateGvk is the GroupVersionKind used when building the controller
// owner reference that points a Secret back at its Certificate.
var certificateGvk = cmapi.SchemeGroupVersion.WithKind("Certificate")
// SecretsManager creates and updates secrets with certificate and key data.
// Writes go through server-side Apply (see UpdateData) under fieldManager.
type SecretsManager struct {
	// secretClient performs the Apply calls against the API server.
	secretClient coreclient.SecretsGetter
	// secretLister reads existing Secrets (the target Secret and any
	// keystore password Secrets) from the informer cache.
	secretLister internalinformers.SecretLister
	// fieldManager is the manager name used for the Apply operations on Secrets.
	fieldManager string
	// if true, Secret resources created by the controller will have an
	// 'owner reference' set, meaning when the Certificate is deleted, the
	// Secret resource will be automatically deleted.
	// This option is disabled by default.
	enableSecretOwnerReferences bool
}
// SecretData is a structure wrapping private key, Certificate and CA data,
// plus the identifying details that are written as Secret annotations.
type SecretData struct {
	// PrivateKey, Certificate and CA are written verbatim to the tls.key,
	// tls.crt and ca.crt Secret keys; they are expected to be PEM, as the
	// keystore encoders and setValues decode them as such. CA may be empty,
	// in which case no ca.crt entry is written.
	PrivateKey, Certificate, CA []byte
	// CertificateName is recorded in the certificate-name annotation when
	// non-empty.
	CertificateName string
	// IssuerName, IssuerKind and IssuerGroup are recorded in the issuer
	// annotations when any of the three is non-empty.
	IssuerName, IssuerKind, IssuerGroup string
}
// NewSecretsManager wires a SecretsManager to the given Secret client and
// lister. fieldManager names the Apply field manager. When
// enableSecretOwnerReferences is true, Secrets written by the manager carry a
// controller owner reference to their Certificate, so deleting the
// Certificate also deletes the Secret.
func NewSecretsManager(
	secretClient coreclient.SecretsGetter,
	secretLister internalinformers.SecretLister,
	fieldManager string,
	enableSecretOwnerReferences bool,
) *SecretsManager {
	m := new(SecretsManager)
	m.secretClient = secretClient
	m.secretLister = secretLister
	m.fieldManager = fieldManager
	m.enableSecretOwnerReferences = enableSecretOwnerReferences
	return m
}
// UpdateData makes the target Secret of crt hold data and the cert-manager
// metadata derived from it, using a server-side Apply so the Secret is
// created when absent and updated in place otherwise. Only the fields set
// here are claimed under s.fieldManager; the Secret's existing type is
// preserved (see getCertificateSecret). Deprecated annotations are refreshed
// as part of setValues.
func (s *SecretsManager) UpdateData(ctx context.Context, crt *cmapi.Certificate, data SecretData) error {
	secret, err := s.getCertificateSecret(crt)
	if err != nil {
		return err
	}
	log := logf.WithResource(logf.FromContext(ctx).WithName("secrets_manager"), secret)

	if err := s.setValues(crt, secret, data); err != nil {
		return err
	}

	cfg := applycorev1.Secret(secret.Name, secret.Namespace).
		WithAnnotations(secret.Annotations).
		WithLabels(secret.Labels).
		WithData(secret.Data).
		WithType(secret.Type)

	// With owner references enabled the Certificate becomes the controlling
	// owner of the Secret, so the Secret is garbage-collected with it.
	// Applying the same reference on every reconcile is a no-op once present.
	if s.enableSecretOwnerReferences {
		owner := metav1.NewControllerRef(crt, certificateGvk)
		cfg = cfg.WithOwnerReferences(&applymetav1.OwnerReferenceApplyConfiguration{
			APIVersion:         &owner.APIVersion,
			Kind:               &owner.Kind,
			Name:               &owner.Name,
			UID:                &owner.UID,
			Controller:         owner.Controller,
			BlockOwnerDeletion: owner.BlockOwnerDeletion,
		})
	}

	// Force: true resolves field-manager conflicts in this manager's favour,
	// so values other managers set on the fields applied here are replaced.
	opts := metav1.ApplyOptions{FieldManager: s.fieldManager, Force: true}
	log.V(logf.DebugLevel).Info("applying secret")
	if _, err := s.secretClient.Secrets(secret.Namespace).Apply(ctx, cfg, opts); err != nil {
		return fmt.Errorf("failed to apply secret %s/%s: %w", secret.Namespace, secret.Name, err)
	}
	return nil
}
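// setValues fills secret's data, annotations and labels from crt and data
// without touching the API server; UpdateData applies the result.
//
// secret must be non-nil but may describe a Secret that does not exist yet;
// nil Data, Annotations and Labels maps are initialised here. In order:
//   - keystore and additional-output-format entries (setKeystores,
//     setAdditionalOutputFormats);
//   - tls.key, tls.crt and, when data.CA is non-empty, ca.crt;
//   - labels and annotations from crt.Spec.SecretTemplate;
//   - cert-manager's own annotations describing the certificate, its name
//     and its issuer (name, kind and group), plus the part-of-cert-manager
//     label.
//
// cert-manager's annotations and label are written after the SecretTemplate
// is merged, so template values cannot override metadata the controller
// relies on.
func (s *SecretsManager) setValues(crt *cmapi.Certificate, secret *corev1.Secret, data SecretData) error {
	// setKeystores and setAdditionalOutputFormats write into secret.Data, so
	// the map must exist before either runs.
	if secret.Data == nil {
		secret.Data = make(map[string][]byte)
	}
	if secret.Annotations == nil {
		secret.Annotations = make(map[string]string)
	}
	if secret.Labels == nil {
		secret.Labels = make(map[string]string)
	}

	if err := s.setKeystores(crt, secret, data); err != nil {
		return fmt.Errorf("failed to add keystores to Secret: %w", err)
	}
	// Add additional output formats if enabled.
	if err := setAdditionalOutputFormats(crt, secret, data); err != nil {
		return fmt.Errorf("failed to add additional output formats to Secret: %w", err)
	}

	secret.Data[corev1.TLSPrivateKeyKey] = data.PrivateKey
	secret.Data[corev1.TLSCertKey] = data.Certificate
	if len(data.CA) > 0 {
		secret.Data[cmmeta.TLSCAKey] = data.CA
	}

	// User-supplied template metadata is merged first so that the
	// controller's own keys below win on collision.
	if tmpl := crt.Spec.SecretTemplate; tmpl != nil {
		maps.Copy(secret.Labels, tmpl.Labels)
		maps.Copy(secret.Annotations, tmpl.Annotations)
	}

	// Annotations derived from the certificate itself are computed by
	// AnnotationsForCertificate; when there is no certificate data yet a nil
	// certificate is passed through to it.
	var certificate *x509.Certificate
	if len(data.Certificate) > 0 {
		var err error
		certificate, err = utilpki.DecodeX509CertificateBytes(data.Certificate)
		// TODO: handle InvalidData here? Maybe we should still patch the secret
		// when we detect that the certificate bytes are invalid.
		if err != nil {
			return err
		}
	}
	certificateDetailsAnnotations, err := certificates.AnnotationsForCertificate(certificate)
	if err != nil {
		return err
	}
	maps.Copy(secret.Annotations, certificateDetailsAnnotations)

	// Add the certificate name and issuer details to the secret annotations.
	// If the annotations are not set/ empty, we do not use them to determine
	// if the secret needs to be updated.
	if data.CertificateName != "" {
		secret.Annotations[cmapi.CertificateNameKey] = data.CertificateName
	}
	if data.IssuerName != "" || data.IssuerKind != "" || data.IssuerGroup != "" {
		secret.Annotations[cmapi.IssuerNameAnnotationKey] = data.IssuerName
		secret.Annotations[cmapi.IssuerKindAnnotationKey] = data.IssuerKind
		secret.Annotations[cmapi.IssuerGroupAnnotationKey] = data.IssuerGroup
	}
	secret.Labels[cmapi.PartOfCertManagerControllerLabelKey] = "true"
	return nil
}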
// getCertificateSecret returns a fresh Secret object for crt.Spec.SecretName
// in crt's namespace, ready to have data and metadata set on it before Apply.
// Nothing from an existing Secret is carried over except its Type: Type is
// immutable, and an existing Secret may not be of type kubernetes.io/tls if
// something else created it beforehand. When no Secret exists yet the Type is
// kubernetes.io/tls. Lister errors other than NotFound are returned as-is.
func (s *SecretsManager) getCertificateSecret(crt *cmapi.Certificate) (*corev1.Secret, error) {
	fresh := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      crt.Spec.SecretName,
			Namespace: crt.Namespace,
		},
		Data: make(map[string][]byte),
		Type: corev1.SecretTypeTLS,
	}

	existing, err := s.secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	switch {
	case apierrors.IsNotFound(err):
		// Nothing to preserve; Apply will create the Secret.
		return fresh, nil
	case err != nil:
		// Transient lister error.
		return nil, err
	}

	// Annotations and labels are deliberately left out so that Apply does
	// not take ownership of them; only the immutable Type is kept.
	fresh.Type = existing.Type
	return fresh, nil
}
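// setKeystores populates the PKCS#12 and/or JKS keystore entries of secret
// from data, for each keystore kind that crt.Spec.Keystores enables with
// Create: true. A truststore entry holding only the CA certificates is added
// alongside the keystore whenever data.CA is non-empty. Existing entries are
// always overwritten.
//
// The keystore password is resolved per kind: passwordSecretRef takes
// precedence when its name is set, otherwise the literal password is used,
// and configuring neither is an error. The referenced Secret is read through
// the lister from crt's own namespace only, so a Certificate cannot pull a
// password out of another namespace.
func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Secret, data SecretData) error {
	ks := crt.Spec.Keystores
	if ks == nil {
		return nil
	}

	// passwordFor resolves the password for one keystore kind. kind labels
	// the error messages ("PKCS12"/"JKS"); spec labels the "neither set"
	// error, whose wording differs for PKCS#12.
	passwordFor := func(kind, spec, refName, refKey string, literal *string) ([]byte, error) {
		switch {
		case refName != "":
			pwSecret, err := s.secretLister.Secrets(crt.Namespace).Get(refName)
			if err != nil {
				return nil, fmt.Errorf("fetching %s keystore password from Secret: %w", kind, err)
			}
			// Indexing a nil Data map is safe and yields an empty value.
			pw := pwSecret.Data[refKey]
			if len(pw) == 0 {
				return nil, fmt.Errorf("%s keystore password Secret contains no data for key %q", kind, refKey)
			}
			return pw, nil
		case literal != nil:
			if len(*literal) == 0 {
				return nil, fmt.Errorf("%s literal password cannot be empty", kind)
			}
			return []byte(*literal), nil
		default:
			return nil, fmt.Errorf("either passwordSecretRef or password must be set for %s keystore", spec)
		}
	}

	// Handle PKCS#12 keystores
	if p := ks.PKCS12; p != nil && p.Create {
		pw, err := passwordFor("PKCS12", "PKCS#12", p.PasswordSecretRef.Name, p.PasswordSecretRef.Key, p.Password)
		if err != nil {
			return err
		}
		keystoreData, err := encodePKCS12Keystore(p.Profile, string(pw), data.PrivateKey, data.Certificate, data.CA)
		if err != nil {
			return fmt.Errorf("error encoding PKCS12 bundle: %w", err)
		}
		// always overwrite the keystore entry for now
		secret.Data[cmapi.PKCS12SecretKey] = keystoreData

		if len(data.CA) > 0 {
			truststoreData, err := encodePKCS12Truststore(p.Profile, string(pw), data.CA)
			if err != nil {
				return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err)
			}
			// always overwrite the truststore entry
			secret.Data[cmapi.PKCS12TruststoreKey] = truststoreData
		}
	}

	// Handle JKS keystores
	if j := ks.JKS; j != nil && j.Create {
		pw, err := passwordFor("JKS", "JKS", j.PasswordSecretRef.Name, j.PasswordSecretRef.Key, j.Password)
		if err != nil {
			return err
		}
		// The private-key entry alias defaults to "certificate".
		alias := "certificate"
		if j.Alias != nil {
			alias = *j.Alias
		}
		keystoreData, err := encodeJKSKeystore(pw, alias, data.PrivateKey, data.Certificate, data.CA)
		if err != nil {
			return fmt.Errorf("error encoding JKS bundle: %w", err)
		}
		// always overwrite the keystore entry
		secret.Data[cmapi.JKSSecretKey] = keystoreData

		if len(data.CA) > 0 {
			truststoreData, err := encodeJKSTruststore(pw, data.CA)
			if err != nil {
				return fmt.Errorf("error encoding JKS trust store bundle: %w", err)
			}
			// always overwrite the truststore entry
			secret.Data[cmapi.JKSTruststoreKey] = truststoreData
		}
	}
	return nil
}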
// setAdditionalOutputFormats adds one Secret Data entry per entry in
// crt.Spec.AdditionalOutputFormats: the private key as DER, or the private
// key and certificate combined into a single PEM blob. An unrecognised
// format type is an error.
func setAdditionalOutputFormats(crt *cmapi.Certificate, secret *corev1.Secret, data SecretData) error {
	for _, f := range crt.Spec.AdditionalOutputFormats {
		var (
			key   string
			value []byte
		)
		switch f.Type {
		case cmapi.CertificateOutputFormatDER:
			// Binary (DER) form of the private key.
			key, value = cmapi.CertificateOutputFormatDERKey, certificates.OutputFormatDER(data.PrivateKey)
		case cmapi.CertificateOutputFormatCombinedPEM:
			// tls.key and tls.crt combined into one PEM blob.
			key, value = cmapi.CertificateOutputFormatCombinedPEMKey, certificates.OutputFormatCombinedPEM(data.PrivateKey, data.Certificate)
		default:
			return fmt.Errorf("unknown additional output format %s", f.Type)
		}
		secret.Data[key] = value
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package issuing
import (
"context"
"crypto"
"fmt"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/utils/clock"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
"github.com/cert-manager/cert-manager/internal/controller/certificates/policies"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
"github.com/cert-manager/cert-manager/pkg/controller/certificates/issuing/internal"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
utilkube "github.com/cert-manager/cert-manager/pkg/util/kube"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
// ControllerName is the name under which the certificates-issuing controller
// is registered and after which its work queue is named.
const ControllerName = "certificates-issuing"
// localTemporarySignerFn signs a temporary certificate for crt using the
// private key bytes pk and returns the resulting certificate bytes.
// NOTE(review): the encodings of pk and of the result are not visible here;
// the call site is outside this excerpt — confirm they are PEM.
type localTemporarySignerFn func(crt *cmapi.Certificate, pk []byte) ([]byte, error)
// This controller observes the state of the certificate's 'Issuing' condition,
// which will then copy the signed certificates and private key to the target
// Secret resource.
type controller struct {
	// Listers backed by the shared informers set up in NewController.
	certificateLister        cmlisters.CertificateLister
	certificateRequestLister cmlisters.CertificateRequestLister
	secretLister             internalinformers.SecretLister
	recorder                 record.EventRecorder
	clock                    clock.Clock
	client                   cmclient.Interface

	// secretsUpdateData is used by the SecretTemplate controller for
	// re-reconciling Secrets where the SecretTemplate is not up to date with a
	// Certificate's secret.
	secretsUpdateData func(context.Context, *cmapi.Certificate, internal.SecretData) error

	// postIssuancePolicyChain is the policies chain to ensure that all Secret
	// metadata and output formats are kept present and correct.
	postIssuancePolicyChain policies.Chain

	// fieldManager is the string which will be used as the Field Manager on
	// fields created or edited by the cert-manager Kubernetes client during
	// Apply API calls.
	fieldManager string

	// localTemporarySigner signs a certificate that is stored temporarily
	// (see localTemporarySignerFn); when and why it is invoked is decided
	// outside this excerpt.
	localTemporarySigner localTemporarySignerFn
}
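// NewController wires up the certificates-issuing controller: it builds the
// rate-limited work queue, registers event handlers on the Certificate,
// CertificateRequest and Secret informers so that the owning Certificate is
// re-queued whenever a related object changes, and returns the controller
// together with its queue and the informer-synced functions the caller must
// wait on before processing items.
//
// Parameters:
//   - log: logger handed to the enqueue predicates.
//   - ctx: the shared controller context providing informer factories,
//     clients, clock, recorder and field-manager configuration.
//
// Returns a non-nil error only when an event handler could not be registered;
// that error is wrapped with %w so callers can inspect the cause with
// errors.Is/errors.As.
func NewController(
	log logr.Logger,
	ctx *controllerpkg.Context,
) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// Work items are NamespacedNames of Certificates, rate limited with the
	// shared default for certificate controllers.
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{
			Name: ControllerName,
		},
	)

	// Informers shared with the other certificate controllers.
	certificateInformer := ctx.SharedInformerFactory.Certmanager().V1().Certificates()
	certificateRequestInformer := ctx.SharedInformerFactory.Certmanager().V1().CertificateRequests()
	secretsInformer := ctx.KubeSharedInformerFactory.Secrets()

	// Certificate events are queued directly by key.
	if _, err := certificateInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: queue}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// CertificateRequest events enqueue the Certificate that owns the request.
	if _, err := certificateRequestInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(), predicate.ResourceOwnerOf),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// Secret events, first handler: reconcile on changes to the owned Secret
	// named by the Certificate's nextPrivateKeySecretName (read from status in
	// ProcessItem).
	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ResourceOwnerOf,
			predicate.ExtractResourceName(predicate.CertificateNextPrivateKeySecretName)),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// Secret events, second handler: reconcile on changes to the Secret named
	// by `spec.secretName` (no ownership requirement).
	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ExtractResourceName(predicate.CertificateSecretName)),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// The controller only begins processing items once all of these informers
	// have synced; the list is handed back through Register.
	mustSync := []cache.InformerSynced{
		certificateRequestInformer.Informer().HasSynced,
		secretsInformer.Informer().HasSynced,
		certificateInformer.Informer().HasSynced,
	}

	secretsManager := internal.NewSecretsManager(
		ctx.Client.CoreV1(), secretsInformer.Lister(),
		ctx.FieldManager, ctx.CertificateOptions.EnableOwnerRef,
	)

	return &controller{
		certificateLister:        certificateInformer.Lister(),
		certificateRequestLister: certificateRequestInformer.Lister(),
		secretLister:             secretsInformer.Lister(),
		client:                   ctx.CMClient,
		recorder:                 ctx.Recorder,
		clock:                    ctx.Clock,
		secretsUpdateData:        secretsManager.UpdateData,
		postIssuancePolicyChain: policies.NewSecretPostIssuancePolicyChain(
			ctx.CertificateOptions.EnableOwnerRef,
			ctx.FieldManager,
		),
		fieldManager:         ctx.FieldManager,
		localTemporarySigner: utilpki.GenerateLocallySignedTemporaryCertificate,
	}, queue, mustSync, nil
}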
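// ProcessItem reconciles the Certificate identified by key and drives the
// issuance flow that runs while the Certificate's Issuing condition is True:
//
//  1. If Issuing is not True, only the non-issuance Secret data (metadata,
//     output formats) is reconciled via ensureSecretData.
//  2. The "next private key" Secret is read and parsed; if it is missing,
//     empty, unparsable or does not satisfy spec.privateKey, nil is returned
//     and the keymanager controller is left to repair it.
//  3. Exactly one owned CertificateRequest for the next revision must exist
//     and its CSR must match both the Certificate spec and the private key.
//  4. Terminal request states are acted on: Denied, InvalidRequest and
//     Ready=Failed mark the issuance as failed; Ready=Issued stores the
//     signed certificate; any other state may get a temporary certificate
//     while waiting.
//
// The whole reconcile is bounded by a 10s context timeout. Returning nil
// drops the item (another controller is expected to make progress);
// returning an error re-queues it with rate limiting.
//
// crt is the informer's cached object and must not be mutated in place;
// private key material is parsed here but never logged — only violation
// summaries and parse errors are.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	// TODO: Change to globals.DefaultControllerContextTimeout as part of a wider effort to ensure we have
	// failsafe timeouts in every controller
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	log := logf.FromContext(ctx).WithValues("key", key)
	namespace, name := key.Namespace, key.Name

	crt, err := c.certificateLister.Certificates(namespace).Get(name)
	if err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// A deleted or deleting Certificate gets no status updates and no
		// Secret writes.
		return nil
	}

	log = logf.WithResource(log, crt)
	ctx = logf.NewContext(ctx, log)

	if !apiutil.CertificateHasCondition(crt, cmapi.CertificateCondition{
		Type:   cmapi.CertificateConditionIssuing,
		Status: cmmeta.ConditionTrue,
	}) {
		// Not issuing: keep only the non-issuance Secret data in line with
		// the Certificate's spec.
		return c.ensureSecretData(ctx, log, crt)
	}

	if crt.Status.NextPrivateKeySecretName == nil ||
		len(*crt.Status.NextPrivateKeySecretName) == 0 {
		// The keymanager controller has not yet chosen a next private key.
		return nil
	}

	// Fetch and parse the 'next private key secret'. Every problem with it
	// is left to the keymanager controller, so those paths return nil.
	nextPrivateKeySecret, err := c.secretLister.Secrets(crt.Namespace).Get(*crt.Status.NextPrivateKeySecretName)
	if apierrors.IsNotFound(err) {
		log.V(logf.DebugLevel).Info("Next private key secret does not exist, waiting for keymanager controller")
		return nil
	}
	if err != nil {
		return err
	}
	if nextPrivateKeySecret.Data == nil || len(nextPrivateKeySecret.Data[corev1.TLSPrivateKeyKey]) == 0 {
		logf.WithResource(log, nextPrivateKeySecret).Info("Next private key secret does not contain any private key data, waiting for keymanager controller")
		return nil
	}
	pk, _, err := utilkube.ParseTLSKeyFromSecret(nextPrivateKeySecret, corev1.TLSPrivateKeyKey)
	if err != nil {
		// Only the parse error is logged, never the key bytes themselves.
		logf.WithResource(log, nextPrivateKeySecret).Error(err, "failed to parse next private key, waiting for keymanager controller")
		return nil
	}
	pkViolations := utilpki.PrivateKeyMatchesSpec(pk, crt.Spec)
	if len(pkViolations) > 0 {
		logf.WithResource(log, nextPrivateKeySecret).Info("stored next private key does not match requirements on Certificate resource, waiting for keymanager controller", "violations", pkViolations)
		return nil
	}

	// CertificateRequest revisions begin from 1. If no revision is set on the
	// status then assume no revision yet set.
	nextRevision := 1
	if crt.Status.Revision != nil {
		nextRevision = *crt.Status.Revision + 1
	}

	reqs, err := certificates.ListCertificateRequestsMatchingPredicates(c.certificateRequestLister.CertificateRequests(crt.Namespace),
		labels.Everything(),
		predicate.CertificateRequestRevision(nextRevision),
		predicate.ResourceOwnedBy(crt),
	)
	if err != nil || len(reqs) != 1 {
		// Error: return it. None: nothing to do yet. Several: the
		// requestmanager controller cleans up, so do nothing here either.
		return err
	}
	req := reqs[0]
	log = logf.WithResource(log, req)

	// Verify the CSR options match what is requested in certificate.spec.
	// If there are violations in the spec, then the requestmanager will handle this.
	requestViolations, err := utilpki.RequestMatchesSpec(req, crt.Spec)
	if err != nil {
		return err
	}
	if len(requestViolations) > 0 {
		log.V(logf.DebugLevel).Info("CertificateRequest does not match Certificate, waiting for keymanager controller")
		return nil
	}

	certIssuingCond := apiutil.GetCertificateCondition(crt, cmapi.CertificateConditionIssuing)
	crReadyCond := apiutil.GetCertificateRequestCondition(req, cmapi.CertificateRequestConditionReady)
	if certIssuingCond == nil {
		// Unreachable in principle: CertificateHasCondition succeeded above.
		log.V(logf.ErrorLevel).Info("Certificate does not have an issuing condition")
		return nil
	}

	// If the CertificateRequest for this revision failed before the
	// Issuing condition was last updated on the Certificate, then it must be a
	// failed CertificateRequest from the previous issuance for the same
	// revision. Leave it to the certificate-requests controller to delete the
	// CertificateRequest and create a new one.
	//
	// crReadyCond may still be nil at this point (its absence is only
	// handled further down), so it is guarded before Reason is read.
	if req.Status.FailureTime != nil && crReadyCond != nil &&
		req.Status.FailureTime.Before(certIssuingCond.LastTransitionTime) &&
		crReadyCond.Reason == cmapi.CertificateRequestReasonFailed {
		log.V(logf.InfoLevel).Info("Found a failed CertificateRequest from previous issuance, waiting for it to be deleted...")
		return nil
	}

	// Now check if CertificateRequest is in any of the final states so that
	// this issuance can be completed as either succeeded or failed. Failed
	// issuance will be retried with a delay (the logic for that lives in
	// certificates-trigger controller). Final states are: Denied condition
	// with status True => fail issuance; InvalidRequest condition with
	// status True => fail issuance; Ready condition with reason Failed =>
	// fail issuance; Ready condition with reason Issued => finalize issuance
	// as succeeded.
	// In case of a non-compliant issuer, a CertificateRequest can have both
	// Denied status True (set by an approver) and Ready condition with
	// reason Issued (set by the issuer). In this case, we prioritize the
	// Denied condition and fail the issuance. This is done for consistency
	// and also to avoid race conditions between the non-compliant issuer
	// and this control loop.

	// If the certificate request was denied, set the last failure time to
	// now, bump the issuance attempts and set the Issuing status condition
	// to False.
	if apiutil.CertificateRequestIsDenied(req) {
		return c.failIssueCertificate(ctx, log, crt, apiutil.GetCertificateRequestCondition(req, cmapi.CertificateRequestConditionDenied))
	}

	// If the certificate request is invalid, set the last failure time to
	// now, bump the issuance attempts and set the Issuing status condition
	// to False.
	if apiutil.CertificateRequestHasInvalidRequest(req) {
		return c.failIssueCertificate(ctx, log, crt, apiutil.GetCertificateRequestCondition(req, cmapi.CertificateRequestConditionInvalidRequest))
	}

	if crReadyCond == nil {
		log.V(logf.DebugLevel).Info("CertificateRequest does not have Ready condition, waiting...")
		return nil
	}

	// If the certificate request has failed, set the last failure time to
	// now, bump the issuance attempts and set the Issuing status condition
	// to False.
	if crReadyCond.Reason == cmapi.CertificateRequestReasonFailed {
		return c.failIssueCertificate(ctx, log, crt, apiutil.GetCertificateRequestCondition(req, cmapi.CertificateRequestConditionReady))
	}

	// If public key does not match, do nothing (requestmanager will handle this).
	csr, err := utilpki.DecodeX509CertificateRequestBytes(req.Spec.Request)
	if err != nil {
		return err
	}
	publicKeyMatchesCSR, err := utilpki.PublicKeyMatchesCSR(pk.Public(), csr)
	if err != nil {
		return err
	}
	if !publicKeyMatchesCSR {
		logf.WithResource(log, nextPrivateKeySecret).Info("next private key does not match CSR public key, waiting for requestmanager controller")
		return nil
	}

	// If the CertificateRequest is valid and ready, verify its status and issue
	// accordingly.
	if crReadyCond.Reason == cmapi.CertificateRequestReasonIssued {
		return c.issueCertificate(ctx, nextRevision, crt, req, pk)
	}

	// Issue temporary certificate if needed. If a certificate was issued, then
	// return early - we will sync again since the target Secret has been
	// updated.
	if issued, err := c.ensureTemporaryCertificate(ctx, crt, pk); err != nil || issued {
		return err
	}

	// CertificateRequest is not in a final state so do nothing.
	log.V(logf.DebugLevel).Info("CertificateRequest not in final state, waiting...", "reason", crReadyCond.Reason)
	return nil
}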
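// failIssueCertificate marks the current issuance of crt as failed: it stamps
// status.lastFailureTime from the controller clock, increments
// status.failedIssuanceAttempts, sets the Issuing condition to False with the
// reason and message of the given CertificateRequest condition, persists the
// status and emits a Warning event carrying the same reason and message.
//
// crt is treated as shared cache state: it is deep-copied before any field is
// touched, so the informer cache is never mutated. condition must be non-nil;
// a nil condition is reported as an error instead of being dereferenced.
func (c *controller) failIssueCertificate(ctx context.Context, log logr.Logger, crt *cmapi.Certificate, condition *cmapi.CertificateRequestCondition) error {
	if condition == nil {
		return fmt.Errorf("cannot fail issuance of certificate %s/%s: no CertificateRequest condition given", crt.Namespace, crt.Name)
	}

	// Copy first: the caller passes the lister's cached object and every
	// status write below would otherwise leak into the shared cache.
	crt = crt.DeepCopy()

	nowTime := metav1.NewTime(c.clock.Now())
	crt.Status.LastFailureTime = &nowTime

	// Count this attempt on top of any previous ones.
	failedIssuanceAttempts := 1
	if crt.Status.FailedIssuanceAttempts != nil {
		failedIssuanceAttempts = *crt.Status.FailedIssuanceAttempts + 1
	}
	crt.Status.FailedIssuanceAttempts = &failedIssuanceAttempts

	log.V(logf.DebugLevel).Info("CertificateRequest in failed state so retrying issuance later")

	// The request condition's reason/message become the Issuing condition's.
	reason := condition.Reason
	message := fmt.Sprintf("The certificate request has failed to complete and will be retried: %s",
		condition.Message)

	apiutil.SetCertificateCondition(crt, crt.Generation, cmapi.CertificateConditionIssuing, cmmeta.ConditionFalse, reason, message)

	if err := c.updateOrApplyStatus(ctx, crt, false); err != nil {
		return err
	}

	c.recorder.Event(crt, corev1.EventTypeWarning, reason, message)
	return nil
}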
// issueCertificate finalises a successful issuance for the given revision: it
// encodes pk in the encoding requested by spec.privateKey, writes the key
// together with the certificate and CA from the CertificateRequest status into
// the target Secret through secretsUpdateData, then records the new revision,
// removes the Issuing condition, clears the failure bookkeeping, persists the
// status and emits a Normal "Issuing" event.
//
// crt is deep-copied before modification so the informer cache stays intact.
func (c *controller) issueCertificate(ctx context.Context, nextRevision int, crt *cmapi.Certificate, req *cmapi.CertificateRequest, pk crypto.Signer) error {
	crt = crt.DeepCopy()
	if crt.Spec.PrivateKey == nil {
		crt.Spec.PrivateKey = &cmapi.CertificatePrivateKey{}
	}

	encodedKey, err := utilpki.EncodePrivateKey(pk, crt.Spec.PrivateKey.Encoding)
	if err != nil {
		return err
	}

	issuerRef := req.Spec.IssuerRef
	if err := c.secretsUpdateData(ctx, crt, internal.SecretData{
		PrivateKey:      encodedKey,
		Certificate:     req.Status.Certificate,
		CA:              req.Status.CA,
		CertificateName: crt.Name,
		IssuerName:      issuerRef.Name,
		IssuerKind:      issuerRef.Kind,
		IssuerGroup:     issuerRef.Group,
	}); err != nil {
		return err
	}

	// Status bookkeeping for a completed issuance: adopt the request's
	// revision, drop the Issuing condition and forget earlier failures.
	crt.Status.Revision = &nextRevision
	// TODO @joshvanl: Once we move to only server-side apply API calls, this
	// should be changed to setting the Issuing condition to False.
	apiutil.RemoveCertificateCondition(crt, cmapi.CertificateConditionIssuing)
	crt.Status.FailedIssuanceAttempts = nil
	crt.Status.LastFailureTime = nil

	if err := c.updateOrApplyStatus(ctx, crt, true); err != nil {
		return err
	}

	c.recorder.Event(crt, corev1.EventTypeNormal, "Issuing", "The certificate has been successfully issued")
	return nil
}
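// updateOrApplyStatus persists the status of crt.
//
// When the ServerSideApply feature gate is enabled, only the status fields this
// controller writes (revision, lastFailureTime, failedIssuanceAttempts and the
// Issuing condition) are sent as an Apply patch under c.fieldManager;
// otherwise the whole object status is written with UpdateStatus.
//
// conditionRemoved must be true when the caller has removed the Issuing
// condition (as issueCertificate does). On the server-side apply path the
// removal is replaced by setting Issuing=False with reason "Issued" before
// applying (see the TODO below).
func (c *controller) updateOrApplyStatus(ctx context.Context, crt *cmapi.Certificate, conditionRemoved bool) error {
	if !utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		_, err := c.client.CertmanagerV1().Certificates(crt.Namespace).UpdateStatus(ctx, crt, metav1.UpdateOptions{})
		return err
	}

	// TODO @joshvanl: Once we move to only server-side apply API calls,
	// `conditionRemoved` can be removed and setting the Issuing condition to
	// False can be moved to the `issueCertificate` func.
	if conditionRemoved {
		message := "The certificate has been successfully issued"
		apiutil.SetCertificateCondition(crt, crt.Generation, cmapi.CertificateConditionIssuing, cmmeta.ConditionFalse, "Issued", message)
	}

	var conditions []cmapi.CertificateCondition
	if cond := apiutil.GetCertificateCondition(crt, cmapi.CertificateConditionIssuing); cond != nil {
		conditions = []cmapi.CertificateCondition{*cond}
	}

	// Only the fields this controller owns are applied. failedIssuanceAttempts
	// is included so that the counter bumped in failIssueCertificate and
	// cleared in issueCertificate is persisted on this path just as it is by
	// UpdateStatus above.
	return internalcertificates.ApplyStatus(ctx, c.client, c.fieldManager, &cmapi.Certificate{
		ObjectMeta: metav1.ObjectMeta{Namespace: crt.Namespace, Name: crt.Name},
		Status: cmapi.CertificateStatus{
			Revision:               crt.Status.Revision,
			LastFailureTime:        crt.Status.LastFailureTime,
			FailedIssuanceAttempts: crt.Status.FailedIssuanceAttempts,
			Conditions:             conditions,
		},
	})
}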
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface. The embedded pointer is nil
// until Register has run; ProcessItem is promoted from the embedded type.
type controllerWrapper struct {
	*controller
}
// Register builds the underlying controller from ctx, stores it in the
// wrapper and hands the controller's queue and informer-synced functions back
// to the controller package. The wrapped controller is assigned even when
// NewController fails (it is then nil), and the error is passed through.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// One named logger is reused by everything the controller does.
	logger := logf.FromContext(ctx.RootContext, ControllerName)

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(logger, ctx)
	return queue, mustSync, err
}
// init registers the certificates-issuing controller with the controller
// package under ControllerName so it is started with the other controllers.
func init() {
	newIssuingController := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, newIssuingController)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package issuing
import (
"context"
"errors"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"github.com/cert-manager/cert-manager/internal/controller/certificates/policies"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/controller/certificates/issuing/internal"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// ensureSecretData reconciles the parts of the target Secret that are not tied
// to an issuance — SecretTemplate metadata and additional output formats —
// by running the post-issuance policy chain over the Secret and re-applying
// the stored data when it reports a violation. It is called while the
// Certificate does not carry Issuing=True.
//
// Returns nil when the Secret is absent or lacks certificate/key data (an
// issuance will be triggered elsewhere), when the policy chain reports a
// decode error that retrying cannot fix, and when nothing is out of date.
// Transient lister errors and the result of re-applying the Secret data are
// returned to the caller for re-queueing.
func (c *controller) ensureSecretData(ctx context.Context, log logr.Logger, crt *cmapi.Certificate) error {
	secret, err := c.secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	switch {
	case apierrors.IsNotFound(err):
		// Nothing to reconcile yet: the Certificate will be marked for a
		// re-issuance and the resulting Secret evaluated on a later sync.
		log.V(logf.DebugLevel).Info("secret not found", "error", err.Error())
		return nil
	case err != nil:
		// Treated as transient; the rate limiting queue retries it.
		return err
	}

	log = log.WithValues("secret", secret.Name)

	// Indexing a nil Data map yields nil, so a missing map is covered by the
	// length checks.
	certBytes := secret.Data[corev1.TLSCertKey]
	keyBytes := secret.Data[corev1.TLSPrivateKeyKey]
	if len(certBytes) == 0 || len(keyBytes) == 0 {
		// Without both halves there is nothing to post-process; their absence
		// is what drives a (re-)issuance.
		log.V(logf.DebugLevel).Info("secret doesn't contain both certificate and private key data",
			"cert_data_len", len(certBytes), "key_data_len", len(keyBytes))
		return nil
	}

	// Does the Secret carry the expected output formats and metadata?
	reason, message, violated := c.postIssuancePolicyChain.Evaluate(policies.Input{
		Certificate: crt,
		Secret:      secret,
	})
	if !violated {
		return nil
	}

	if reason == policies.InvalidCertificate || reason == policies.ManagedFieldsParseError {
		// Malformed managed fields or undecodable certificate data: the
		// controller cannot repair either, and retrying would loop forever,
		// so log and stop.
		log.Error(errors.New(message), "failed to determine whether the SecretTemplate matches Secret")
		return nil
	}

	// Rebuild the Secret data from what is currently stored and re-apply it
	// so the metadata and output formats are brought back in line.
	log.Info("applying Secret data", "message", message)
	return c.secretsUpdateData(ctx, crt, internal.SecretData{
		PrivateKey:      keyBytes,
		Certificate:     certBytes,
		CA:              secret.Data[cmmeta.TLSCAKey],
		CertificateName: secret.Annotations[cmapi.CertificateNameKey],
		IssuerName:      secret.Annotations[cmapi.IssuerNameAnnotationKey],
		IssuerKind:      secret.Annotations[cmapi.IssuerKindAnnotationKey],
		IssuerGroup:     secret.Annotations[cmapi.IssuerGroupAnnotationKey],
	})
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package issuing
import (
"context"
"crypto"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"github.com/cert-manager/cert-manager/internal/controller/certificates/policies"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/controller/certificates/issuing/internal"
utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
)
// ensureTemporaryCertificate writes a locally signed, temporary certificate
// for the next private key pk into the target Secret, but only when:
//   - crt carries the issue-temporary-certificate annotation set to "true",
//     and
//   - the target Secret is missing, or the temporary-certificate policy
//     chain reports a violation for its current contents.
//
// It reports (true, nil) when a temporary certificate was written,
// (false, nil) when nothing needed doing, and (false, err) on failure.
func (c *controller) ensureTemporaryCertificate(ctx context.Context, crt *cmapi.Certificate, pk crypto.Signer) (bool, error) {
	// Work on a copy; spec.privateKey is defaulted locally so the encoding
	// lookup below cannot nil-dereference.
	crt = crt.DeepCopy()
	if crt.Spec.PrivateKey == nil {
		crt.Spec.PrivateKey = &cmapi.CertificatePrivateKey{}
	}

	if !certificateHasTemporaryCertificateAnnotation(crt) {
		return false, nil
	}

	// NotFound is tolerated; on that path target is nil and is handed to the
	// policy chain as is.
	target, err := c.secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	if err != nil && !apierrors.IsNotFound(err) {
		return false, err
	}

	// No violation means the Secret already holds a usable certificate and
	// matching private key, so there is nothing to issue.
	_, _, needsIssue := policies.NewTemporaryCertificatePolicyChain().Evaluate(policies.Input{Secret: target})
	if !needsIssue {
		return false, nil
	}

	encodedKey, err := utilpki.EncodePrivateKey(pk, crt.Spec.PrivateKey.Encoding)
	if err != nil {
		return false, err
	}
	tmpCert, err := c.localTemporarySigner(crt, encodedKey)
	if err != nil {
		return false, err
	}

	if err := c.secretsUpdateData(ctx, crt, internal.SecretData{
		Certificate:     tmpCert,
		PrivateKey:      encodedKey,
		CertificateName: crt.Name,
	}); err != nil {
		return false, err
	}

	c.recorder.Event(crt, corev1.EventTypeNormal, "Issuing", "Issued temporary certificate")
	return true, nil
}
// certificateHasTemporaryCertificateAnnotation reports whether crt is
// annotated with cmapi.IssueTemporaryCertificateAnnotation set to exactly
// "true". Indexing a nil annotations map yields "", so no nil check is needed.
func certificateHasTemporaryCertificateAnnotation(crt *cmapi.Certificate) bool {
	return crt.Annotations[cmapi.IssueTemporaryCertificateAnnotation] == "true"
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package keymanager
import (
"context"
"crypto"
"fmt"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
cminternal "github.com/cert-manager/cert-manager/internal/apis/certmanager/v1"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
const (
	// ControllerName is the name under which this controller is registered and
	// the name given to its work queue.
	ControllerName = "certificates-key-manager"

	// Event reasons emitted on the Certificate by this controller.
	reasonDecodeFailed        = "DecodeFailed"        // stored private key could not be decoded
	reasonCannotRegenerateKey = "CannotRegenerateKey" // key mismatches spec but rotationPolicy forbids a new key
	reasonDeleted             = "Deleted"             // next-private-key Secret removed so the key is regenerated
)
var (
	// certificateGvk is the GroupVersionKind of Certificate. It is not used in
	// the portion of this package shown here — presumably for owner references
	// on the Secrets this controller creates; confirm against
	// createNewPrivateKeySecret.
	certificateGvk = cmapi.SchemeGroupVersion.WithKind("Certificate")
)
// controller is the certificates-key-manager controller. While a Certificate
// has Issuing=True it ensures exactly one owned, labelled "next private key"
// Secret exists whose key satisfies spec.privateKey, and records its name in
// status.nextPrivateKeySecretName; once issuance is over it cleans those
// Secrets up again.
type controller struct {
	// Listers read from the shared informer caches; returned objects must be
	// deep-copied before being mutated.
	certificateLister cmlisters.CertificateLister
	secretLister      internalinformers.SecretLister
	// client is the cert-manager clientset; coreClient the Kubernetes one used
	// for the Secrets this controller creates and deletes.
	client     cmclient.Interface
	coreClient kubernetes.Interface
	// recorder emits Kubernetes Events on the Certificate.
	recorder record.EventRecorder
	// fieldManager is the string which will be used as the Field Manager on
	// fields created or edited by the cert-manager Kubernetes client during
	// Apply API calls.
	fieldManager string
}
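// NewController wires up the certificates-key-manager controller: it creates
// the rate-limited queue of Certificate keys, registers event handlers so that
// Certificate changes, changes to Secrets a Certificate owns and changes to
// the Secret named by spec.secretName all re-queue that Certificate, and
// returns the controller with its queue and the informer-synced functions the
// caller must wait on before processing.
//
// Parameters:
//   - log: logger handed to the enqueue predicates.
//   - ctx: the shared controller context providing informer factories,
//     clients, recorder and field-manager configuration.
//
// Returns a non-nil error only when an event handler could not be registered;
// it is wrapped with %w so the cause stays inspectable with errors.Is/As.
func NewController(
	log logr.Logger, ctx *controllerpkg.Context,
) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// Work items are NamespacedNames of Certificates, rate limited with the
	// shared default for certificate controllers.
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{
			Name: ControllerName,
		},
	)

	// Informers shared with the other certificate controllers.
	certificateInformer := ctx.SharedInformerFactory.Certmanager().V1().Certificates()
	secretsInformer := ctx.KubeSharedInformerFactory.Secrets()

	// Certificate events are queued directly by key.
	if _, err := certificateInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: queue}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// Trigger reconciles on changes to any 'owned' secret resources.
	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ResourceOwnerOf,
		),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// Trigger reconciles on changes to the Secret a Certificate names as
	// spec.secretName (no ownership requirement).
	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ExtractResourceName(predicate.CertificateSecretName),
		),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// The controller only begins processing items once all of these informers
	// have synced; the list is handed back through Register.
	mustSync := []cache.InformerSynced{
		secretsInformer.Informer().HasSynced,
		certificateInformer.Informer().HasSynced,
	}

	return &controller{
		certificateLister: certificateInformer.Lister(),
		secretLister:      secretsInformer.Lister(),
		client:            ctx.CMClient,
		coreClient:        ctx.Client,
		recorder:          ctx.Recorder,
		fieldManager:      ctx.FieldManager,
	}, queue, mustSync, nil
}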
// isNextPrivateKeyLabelSelector is a label selector used to match Secret
// resources with the `cert-manager.io/next-private-key: "true"` label. It is
// built once in init below, which panics if the requirement cannot be
// constructed.
var isNextPrivateKeyLabelSelector labels.Selector
// init builds isNextPrivateKeyLabelSelector from the constant label key and
// the value "true".
func init() {
	requirement, err := labels.NewRequirement(cmapi.IsNextPrivateKeySecretLabelKey, selection.Equals, []string{"true"})
	if err != nil {
		// A constant key/value that fails validation is a programming error,
		// not a runtime condition.
		panic(err)
	}
	isNextPrivateKeyLabelSelector = labels.NewSelector().Add(*requirement)
}
// ProcessItem reconciles the "next private key" Secret for the Certificate
// identified by key:
//
//   - Certificates that are gone or being deleted are ignored.
//   - While the Certificate is not Issuing=True, all owned next-private-key
//     Secrets are deleted and status.nextPrivateKeySecretName is cleared.
//   - With no candidate Secret, a new key is created according to
//     spec.privateKey.rotationPolicy (Never reuses the key from the target
//     Secret when possible; Always generates a fresh one).
//   - With more than one candidate, all of them are deleted.
//   - With exactly one candidate, it is adopted into the status if not yet
//     recorded, or deleted again when its name, contents or key parameters
//     do not match the Certificate.
//
// crt is deep-copied before runtime defaults are applied so the informer
// cache is not mutated. Key bytes are decoded but never logged; only the
// list of spec violations is.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx).WithValues("key", key)
	ctx = logf.NewContext(ctx, log)

	crt, err := c.certificateLister.Certificates(key.Namespace).Get(key.Name)
	if err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// Deleted or deleting: never create Secrets for it.
		return nil
	}

	// Copy out of the informer cache before applying the feature-gated
	// runtime defaults (such as DefaultPrivateKeyRotationPolicyAlways).
	crt = crt.DeepCopy()
	cminternal.SetRuntimeDefaults_Certificate(crt)

	// Candidate next-private-key Secrets: labelled as such and owned by crt.
	candidates, err := certificates.ListSecretsMatchingPredicates(c.secretLister.Secrets(crt.Namespace), isNextPrivateKeyLabelSelector, predicate.ResourceOwnedBy(crt))
	if err != nil {
		return err
	}

	issuing := apiutil.CertificateHasCondition(crt, cmapi.CertificateCondition{
		Type:   cmapi.CertificateConditionIssuing,
		Status: cmmeta.ConditionTrue,
	})
	if !issuing {
		log.V(logf.DebugLevel).Info("Cleaning up Secret resources and unsetting nextPrivateKeySecretName as issuance is no longer in progress")
		if err := c.deleteSecretResources(ctx, candidates); err != nil {
			return err
		}
		return c.setNextPrivateKeySecretName(ctx, crt, nil)
	}

	switch n := len(candidates); {
	case n == 0:
		// spec.privateKey is never nil here because SetRuntimeDefaults_Certificate
		// ran above.
		policy := crt.Spec.PrivateKey.RotationPolicy
		switch policy {
		case cmapi.RotationPolicyNever:
			return c.createNextPrivateKeyRotationPolicyNever(ctx, crt)
		case cmapi.RotationPolicyAlways:
			log.V(logf.DebugLevel).Info("Creating new nextPrivateKeySecretName Secret because no existing Secret found")
			return c.createAndSetNextPrivateKey(ctx, crt)
		}
		log.V(logf.WarnLevel).Info("Certificate with unknown certificate.spec.privateKey.rotationPolicy value", "rotation_policy", policy)
		return nil
	case n > 1:
		// TODO: if nextPrivateKeySecretName is set, we should skip deleting that one Secret resource
		log.V(logf.DebugLevel).Info("Cleaning up Secret resources as multiple nextPrivateKeySecretName candidates found")
		return c.deleteSecretResources(ctx, candidates)
	}

	next := candidates[0]
	log = logf.WithRelatedResource(log, next)
	ctx = logf.NewContext(ctx, log)

	if crt.Status.NextPrivateKeySecretName == nil {
		log.V(logf.DebugLevel).Info("Adopting existing private key Secret")
		return c.setNextPrivateKeySecretName(ctx, crt, &next.Name)
	}
	if *crt.Status.NextPrivateKeySecretName != next.Name {
		log.V(logf.DebugLevel).Info("Deleting existing private key secret as name does not match status.nextPrivateKeySecretName")
		return c.deleteSecretResources(ctx, candidates)
	}

	// A nil Data map indexes to nil, so the length check covers both cases.
	keyBytes := next.Data[corev1.TLSPrivateKeyKey]
	if len(keyBytes) == 0 {
		log.V(logf.DebugLevel).Info("Deleting Secret resource as it contains no data")
		return c.deleteSecretResources(ctx, candidates)
	}

	privateKey, err := pki.DecodePrivateKeyBytes(keyBytes)
	if err != nil {
		log.Error(err, "Deleting existing private key secret due to error decoding data")
		return c.deleteSecretResources(ctx, candidates)
	}

	// A key that no longer satisfies spec.privateKey is discarded so that a
	// fresh one gets generated on the next sync.
	if violations := pki.PrivateKeyMatchesSpec(privateKey, crt.Spec); len(violations) > 0 {
		log.V(logf.DebugLevel).Info("Regenerating private key due to change in fields", "violations", violations)
		c.recorder.Eventf(crt, corev1.EventTypeNormal, reasonDeleted, "Regenerating private key due to change in fields: %v", violations)
		return c.deleteSecretResources(ctx, candidates)
	}

	return nil
}
// createNextPrivateKeyRotationPolicyNever prepares the 'next private key'
// Secret for a Certificate whose rotationPolicy is Never (or unset). The key
// already stored in the Secret named by crt.Spec.SecretName is reused
// wherever possible; a brand new key is generated only when no usable key
// exists yet (Secret missing, empty, or undecodable).
//
// When the existing key no longer satisfies crt.Spec the function records a
// warning event and returns nil without creating anything, because this
// rotation policy forbids replacing the key automatically.
func (c *controller) createNextPrivateKeyRotationPolicyNever(ctx context.Context, crt *cmapi.Certificate) error {
	log := logf.FromContext(ctx)

	existing, err := c.secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName)
	switch {
	case apierrors.IsNotFound(err):
		log.V(logf.DebugLevel).Info("Creating new nextPrivateKeySecretName Secret because no existing Secret found and rotation policy is Never")
		return c.createAndSetNextPrivateKey(ctx, crt)
	case err != nil:
		return err
	}

	// Indexing a nil Data map yields nil, so a single length check covers
	// both "no data" and "empty key entry".
	existingPKData := existing.Data[corev1.TLSPrivateKeyKey]
	if len(existingPKData) == 0 {
		log.V(logf.DebugLevel).Info("Creating new nextPrivateKeySecretName Secret because existing Secret contains empty data and rotation policy is Never")
		return c.createAndSetNextPrivateKey(ctx, crt)
	}

	pk, err := pki.DecodePrivateKeyBytes(existingPKData)
	if err != nil {
		c.recorder.Eventf(crt, corev1.EventTypeWarning, reasonDecodeFailed, "Failed to decode private key stored in Secret %q - generating new key", crt.Spec.SecretName)
		return c.createAndSetNextPrivateKey(ctx, crt)
	}

	// Under rotationPolicy Never a mismatching key is reported, not replaced;
	// the user has to change the policy or the key themselves.
	if violations := pki.PrivateKeyMatchesSpec(pk, crt.Spec); len(violations) > 0 {
		c.recorder.Eventf(crt, corev1.EventTypeWarning, reasonCannotRegenerateKey, "User intervention required: existing private key in Secret %q does not match requirements on Certificate resource, mismatching fields: %v, but cert-manager cannot create new private key as the Certificate's .spec.privateKey.rotationPolicy is unset or set to Never. To allow cert-manager to create a new private key you can set .spec.privateKey.rotationPolicy to 'Always' (this will result in the private key being regenerated every time a cert is renewed) ", crt.Spec.SecretName, violations)
		return nil
	}

	nextPkSecret, err := c.createNewPrivateKeySecret(ctx, crt, pk)
	if err != nil {
		return err
	}
	reusedMsg := fmt.Sprintf("Reusing private key stored in existing Secret resource %q", existing.Name)
	c.recorder.Event(crt, corev1.EventTypeNormal, "Reused", reusedMsg)
	return c.setNextPrivateKeySecretName(ctx, crt, &nextPkSecret.Name)
}
// createAndSetNextPrivateKey generates a fresh private key for crt, stores it
// in a new 'next private key' Secret and records that Secret's name in
// crt.Status.NextPrivateKeySecretName. A "Generated" event is emitted once
// the Secret exists.
//
// Returns the first error from key generation, Secret creation or the status
// update.
func (c *controller) createAndSetNextPrivateKey(ctx context.Context, crt *cmapi.Certificate) error {
	key, err := pki.GeneratePrivateKeyForCertificate(crt)
	if err != nil {
		return err
	}

	created, err := c.createNewPrivateKeySecret(ctx, crt, key)
	if err != nil {
		return err
	}

	msg := fmt.Sprintf("Stored new private key in temporary Secret resource %q", created.Name)
	c.recorder.Event(crt, corev1.EventTypeNormal, "Generated", msg)
	return c.setNextPrivateKeySecretName(ctx, crt, &created.Name)
}
// deleteSecretResources deletes every Secret in secrets through the core
// client, in order, and stops at the first API error. Secrets deleted before
// that error are not reported back to the caller.
func (c *controller) deleteSecretResources(ctx context.Context, secrets []*corev1.Secret) error {
	log := logf.FromContext(ctx)
	for i := range secrets {
		sec := secrets[i]
		err := c.coreClient.CoreV1().Secrets(sec.Namespace).Delete(ctx, sec.Name, metav1.DeleteOptions{})
		if err != nil {
			return err
		}
		secLog := logf.WithRelatedResource(log, sec)
		secLog.V(logf.DebugLevel).Info("Deleted 'next private key' Secret resource")
	}
	return nil
}
// setNextPrivateKeySecretName records name as status.nextPrivateKeySecretName
// on a copy of crt and persists it via updateOrApplyStatus. A nil name
// clears the field. The write is skipped entirely when the stored value is
// already equal to name (both nil, or both set to the same string).
func (c *controller) setNextPrivateKeySecretName(ctx context.Context, crt *cmapi.Certificate, name *string) error {
	current := crt.Status.NextPrivateKeySecretName
	bothUnset := name == nil && current == nil
	bothSame := name != nil && current != nil && *name == *current
	if bothUnset || bothSame {
		// nothing changed; avoid a no-op status write
		return nil
	}

	// Work on a copy so the lister's cached object is never mutated.
	updated := crt.DeepCopy()
	updated.Status.NextPrivateKeySecretName = name
	return c.updateOrApplyStatus(ctx, updated)
}
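// updateOrApplyStatus persists the nextPrivateKeySecretName status field of
// crt. When the ServerSideApply feature gate is enabled only that single
// field is sent in an apply patch under c.fieldManager; otherwise the whole
// status is written with UpdateStatus.
//
// Returns the error from the API call, if any.
func (c *controller) updateOrApplyStatus(ctx context.Context, crt *cmapi.Certificate) error {
	if utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		// Send a minimal object so the apply only covers the field this
		// controller is responsible for.
		return internalcertificates.ApplyStatus(ctx, c.client, c.fieldManager, &cmapi.Certificate{
			ObjectMeta: metav1.ObjectMeta{Namespace: crt.Namespace, Name: crt.Name},
			Status:     cmapi.CertificateStatus{NextPrivateKeySecretName: crt.Status.NextPrivateKeySecretName},
		})
	}

	// No else after a terminating return: keep the fallback path left-aligned.
	_, err := c.client.CertmanagerV1().Certificates(crt.Namespace).UpdateStatus(ctx, &cmapi.Certificate{
		ObjectMeta: crt.ObjectMeta,
		Status:     crt.Status,
	}, metav1.UpdateOptions{})
	return err
}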
// createNewPrivateKeySecret stores pk, encoded by pki.EncodePrivateKey in
// PKCS8 form, under the tls.key entry of a new Secret. The Secret carries a
// controller owner reference to crt and the 'next private key' and
// part-of-cert-manager labels. It is named after
// status.nextPrivateKeySecretName when that field is set and non-empty;
// otherwise the API server generates a name from crt.Name followed by "-".
//
// Returns the Secret as returned by the Create call, or the encoding/API
// error.
func (c *controller) createNewPrivateKeySecret(ctx context.Context, crt *cmapi.Certificate, pk crypto.Signer) (*corev1.Secret, error) {
	encoded, err := pki.EncodePrivateKey(pk, cmapi.PKCS8)
	if err != nil {
		return nil, err
	}

	meta := metav1.ObjectMeta{
		Namespace:       crt.Namespace,
		OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)},
		Labels: map[string]string{
			cmapi.IsNextPrivateKeySecretLabelKey:      "true",
			cmapi.PartOfCertManagerControllerLabelKey: "true",
		},
	}
	// Reuse the name already recorded on the Certificate, if any, so the
	// status keeps pointing at the Secret we are about to create.
	if crt.Status.NextPrivateKeySecretName != nil {
		meta.Name = *crt.Status.NextPrivateKeySecretName
	}
	if meta.Name == "" {
		// TODO: handle certificate resources that have especially long names
		meta.GenerateName = crt.Name + "-"
	}

	secret := &corev1.Secret{
		ObjectMeta: meta,
		Data:       map[string][]byte{corev1.TLSPrivateKeyKey: encoded},
	}
	created, err := c.coreClient.CoreV1().Secrets(secret.Namespace).Create(ctx, secret, metav1.CreateOptions{})
	if err != nil {
		return nil, err
	}
	return created, nil
}
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface. The embedded *controller is
// nil until Register has run; Register builds it via NewController.
type controllerWrapper struct {
	*controller
}
// Register builds the wrapped controller with a logger named after
// ControllerName and hands the resulting work queue and informer sync
// functions back to the controller framework. Any error from NewController
// is returned unchanged.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	logger := logf.FromContext(ctx.RootContext, ControllerName)

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(logger, ctx)
	return queue, mustSync, err
}
// init registers this controller under ControllerName so the controller
// manager can construct it from a ContextFactory at start-up.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, build)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/labels"
corelisters "k8s.io/client-go/listers/core/v1"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
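// ListCertificateRequestsMatchingPredicates lists the CertificateRequest
// resources matching selector through lister and keeps only those accepted
// by predicates, evaluated as a predicate.Funcs chain.
//
// On success the result is never nil: an empty, non-nil slice is returned
// when nothing matches (callers that serialise it get [] rather than null).
// The lister's error is returned unchanged on failure.
func ListCertificateRequestsMatchingPredicates(lister cmlisters.CertificateRequestNamespaceLister, selector labels.Selector, predicates ...predicate.Func) ([]*cmapi.CertificateRequest, error) {
	reqs, err := lister.List(selector)
	if err != nil {
		return nil, err
	}
	funcs := predicate.Funcs(predicates)
	// The filtered result can never exceed the unfiltered count, so size the
	// capacity up front and avoid regrowth inside the loop.
	out := make([]*cmapi.CertificateRequest, 0, len(reqs))
	for _, req := range reqs {
		if funcs.Evaluate(req) {
			out = append(out, req)
		}
	}
	return out, nil
}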
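// ListCertificatesMatchingPredicates lists the Certificate resources matching
// selector through lister and keeps only those accepted by predicates,
// evaluated as a predicate.Funcs chain.
//
// On success the result is never nil: an empty, non-nil slice is returned
// when nothing matches (callers that serialise it get [] rather than null).
// The lister's error is returned unchanged on failure.
func ListCertificatesMatchingPredicates(lister cmlisters.CertificateNamespaceLister, selector labels.Selector, predicates ...predicate.Func) ([]*cmapi.Certificate, error) {
	crts, err := lister.List(selector)
	if err != nil {
		return nil, err
	}
	funcs := predicate.Funcs(predicates)
	// The filtered result can never exceed the unfiltered count, so size the
	// capacity up front and avoid regrowth inside the loop.
	out := make([]*cmapi.Certificate, 0, len(crts))
	for _, crt := range crts {
		if funcs.Evaluate(crt) {
			out = append(out, crt)
		}
	}
	return out, nil
}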
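// ListSecretsMatchingPredicates lists the Secret resources matching selector
// through lister and keeps only those accepted by predicates, evaluated as a
// predicate.Funcs chain.
//
// On success the result is never nil: an empty, non-nil slice is returned
// when nothing matches (callers that serialise it get [] rather than null).
// The lister's error is returned unchanged on failure.
func ListSecretsMatchingPredicates(lister corelisters.SecretNamespaceLister, selector labels.Selector, predicates ...predicate.Func) ([]*corev1.Secret, error) {
	secrets, err := lister.List(selector)
	if err != nil {
		return nil, err
	}
	funcs := predicate.Funcs(predicates)
	// The filtered result can never exceed the unfiltered count, so size the
	// capacity up front and avoid regrowth inside the loop.
	out := make([]*corev1.Secret, 0, len(secrets))
	for _, s := range secrets {
		if funcs.Evaluate(s) {
			out = append(out, s)
		}
	}
	return out, nil
}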
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package readiness
import (
"context"
"fmt"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
"github.com/cert-manager/cert-manager/internal/controller/certificates/policies"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
const (
	// ControllerName is the name of the certificate readiness controller.
	// It is also used as the work queue name and the logger name.
	ControllerName = "certificates-readiness"

	// ReadyReason is the 'Ready' reason of a Certificate, set on the Ready
	// condition when policy evaluation finds no violations.
	ReadyReason = "Ready"
)
// controller holds the dependencies of the certificate readiness controller.
// Instances are built by NewController; the zero value is not usable.
type controller struct {
	// the policies to use to define readiness - named here to make testing simpler
	policyChain policies.Chain

	// certificateLister is used by ProcessItem to fetch the Certificate
	// being reconciled.
	certificateLister cmlisters.CertificateLister
	// certificateRequestLister and secretLister are populated from the
	// informers in NewController.
	certificateRequestLister cmlisters.CertificateRequestLister
	secretLister             internalinformers.SecretLister

	// client is the cert-manager clientset used to write Certificate status.
	client cmclient.Interface

	// gatherer collects the CertificateRequest and Secret related to a
	// Certificate as the policies.Input consumed by policyEvaluator.
	gatherer *policies.Gatherer

	// policyEvaluator builds Ready condition of a Certificate based on policy evaluation
	policyEvaluator policyEvaluatorFunc

	// renewalTimeCalculator calculates renewal time of a certificate
	renewalTimeCalculator pki.RenewalTimeFunc

	// fieldManager is the string which will be used as the Field Manager on
	// fields created or edited by the cert-manager Kubernetes client during
	// Apply API calls.
	fieldManager string
}
// policyEvaluatorFunc is a custom function type that builds a Certificate's
// Ready condition from the result of evaluating a policy chain against the
// gathered input. BuildReadyConditionFromChain is the production
// implementation; tests may supply their own.
type policyEvaluatorFunc func(policies.Chain, policies.Input) cmapi.CertificateCondition
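// NewController returns a new certificate readiness controller together with
// its work queue and the informer sync functions the framework must wait for
// before processing items.
//
// chain, renewalTimeCalculator and policyEvaluator are injected so tests can
// substitute them. Event handlers are registered on the Certificate,
// CertificateRequest and Secret informers obtained from ctx; if registering
// any of them fails the error is returned wrapped (with %w so callers can
// inspect it) and all other results are nil.
func NewController(
	log logr.Logger,
	ctx *controllerpkg.Context,
	chain policies.Chain,
	renewalTimeCalculator pki.RenewalTimeFunc,
	policyEvaluator policyEvaluatorFunc,
) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// create a queue used to queue up items to be processed
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{
			Name: ControllerName,
		},
	)

	// obtain references to all the informers used by this controller
	certificateInformer := ctx.SharedInformerFactory.Certmanager().V1().Certificates()
	certificateRequestInformer := ctx.SharedInformerFactory.Certmanager().V1().CertificateRequests()
	secretsInformer := ctx.KubeSharedInformerFactory.Secrets()

	// Changes to a Certificate itself are queued directly.
	if _, err := certificateInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: queue}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// When a CertificateRequest resource changes, enqueue the Certificate resource that owns it.
	if _, err := certificateRequestInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(), predicate.ResourceOwnerOf),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// When a Secret resource changes, enqueue any Certificate resources that name it as spec.secretName.
	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		// Trigger reconciles on changes to the Secret named `spec.secretName`
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ExtractResourceName(predicate.CertificateSecretName)),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// build a list of InformerSynced functions that will be returned by the Register method.
	// the controller will only begin processing items once all of these informers have synced.
	mustSync := []cache.InformerSynced{
		certificateRequestInformer.Informer().HasSynced,
		secretsInformer.Informer().HasSynced,
		certificateInformer.Informer().HasSynced,
	}

	return &controller{
		policyChain:              chain,
		certificateLister:        certificateInformer.Lister(),
		certificateRequestLister: certificateRequestInformer.Lister(),
		secretLister:             secretsInformer.Lister(),
		client:                   ctx.CMClient,
		gatherer: &policies.Gatherer{
			CertificateRequestLister: certificateRequestInformer.Lister(),
			SecretLister:             secretsInformer.Lister(),
		},
		policyEvaluator:       policyEvaluator,
		renewalTimeCalculator: renewalTimeCalculator,
		fieldManager:          ctx.FieldManager,
	}, queue, mustSync, nil
}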
// ProcessItem is a worker function that will be called when a new key
// corresponding to a Certificate to be re-synced is pulled from the workqueue.
//
// It evaluates the readiness policy chain against the Certificate's related
// resources and sets the resulting Ready condition. The notBefore, notAfter
// and renewalTime status fields are derived from the certificate stored in
// the Certificate's Secret, or cleared when that Secret has no decodable
// certificate. The status is only written back when it actually changed.
//
// A missing or terminating Certificate is skipped without error; lister,
// gatherer and API errors are returned so the item is retried.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx).WithValues("key", key)
	ctx = logf.NewContext(ctx, log)

	crt, err := c.certificateLister.Certificates(key.Namespace).Get(key.Name)
	if err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// Never touch the status of a Certificate that is gone or going away.
		return nil
	}

	input, err := c.gatherer.DataForCertificate(ctx, crt)
	if err != nil {
		return err
	}

	readyCond := c.policyEvaluator(c.policyChain, input)

	// Keep the cached object untouched and mutate a copy.
	original := crt
	crt = crt.DeepCopy()
	apiutil.SetCertificateCondition(crt, crt.Generation, readyCond.Type, readyCond.Status, readyCond.Reason, readyCond.Message)

	// Start from cleared timing fields; they are only populated when the
	// stored certificate can be decoded.
	crt.Status.NotBefore = nil
	crt.Status.NotAfter = nil
	crt.Status.RenewalTime = nil
	if input.Secret != nil && input.Secret.Data != nil {
		x509cert, decErr := pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
		if decErr == nil {
			nb := metav1.NewTime(x509cert.NotBefore)
			na := metav1.NewTime(x509cert.NotAfter)
			crt.Status.NotBefore = &nb
			crt.Status.NotAfter = &na
			crt.Status.RenewalTime = c.renewalTimeCalculator(x509cert.NotBefore, x509cert.NotAfter, crt.Spec.RenewBefore, crt.Spec.RenewBeforePercentage)
		}
	}

	if apiequality.Semantic.DeepEqual(original.Status, crt.Status) {
		return nil
	}
	log.V(logf.DebugLevel).Info("updating status fields", "notAfter",
		crt.Status.NotAfter, "notBefore", crt.Status.NotBefore, "renewalTime",
		crt.Status.RenewalTime)
	return c.updateOrApplyStatus(ctx, crt)
}
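// updateOrApplyStatus persists the readiness-related status of crt. When the
// ServerSideApply feature gate is enabled an apply patch under c.fieldManager
// carries only notAfter, notBefore, renewalTime and the Ready condition;
// otherwise the full object is written with UpdateStatus.
//
// Returns the error from the API call, if any.
func (c *controller) updateOrApplyStatus(ctx context.Context, crt *cmapi.Certificate) error {
	if utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		// Only the Ready condition is included in the apply; the other
		// conditions are presumably managed by other controllers and must
		// not be claimed by this field manager.
		var conditions []cmapi.CertificateCondition
		if cond := apiutil.GetCertificateCondition(crt, cmapi.CertificateConditionReady); cond != nil {
			conditions = []cmapi.CertificateCondition{*cond}
		}
		return internalcertificates.ApplyStatus(ctx, c.client, c.fieldManager, &cmapi.Certificate{
			ObjectMeta: metav1.ObjectMeta{Namespace: crt.Namespace, Name: crt.Name},
			Status: cmapi.CertificateStatus{
				NotAfter:    crt.Status.NotAfter,
				NotBefore:   crt.Status.NotBefore,
				RenewalTime: crt.Status.RenewalTime,
				Conditions:  conditions,
			},
		})
	}

	// No else after a terminating return: keep the fallback path left-aligned.
	_, err := c.client.CertmanagerV1().Certificates(crt.Namespace).UpdateStatus(ctx, crt, metav1.UpdateOptions{})
	return err
}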
// BuildReadyConditionFromChain builds a Certificate's Ready condition from the
// result of evaluating chain against input. With no violations the condition
// is True with reason ReadyReason; otherwise it is False and carries the
// reason and message reported by the chain. LastTransitionTime is left unset.
func BuildReadyConditionFromChain(chain policies.Chain, input policies.Input) cmapi.CertificateCondition {
	cond := cmapi.CertificateCondition{Type: cmapi.CertificateConditionReady}

	reason, message, violationsFound := chain.Evaluate(input)
	if violationsFound {
		cond.Status = cmmeta.ConditionFalse
		cond.Reason = reason
		cond.Message = message
		return cond
	}

	cond.Status = cmmeta.ConditionTrue
	cond.Reason = ReadyReason
	cond.Message = "Certificate is up to date and has not expired"
	return cond
}
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface. The embedded *controller is
// nil until Register has run; Register builds it via NewController.
type controllerWrapper struct {
	*controller
}
// Register builds the wrapped readiness controller with its production
// dependencies (the readiness policy chain driven by ctx.Clock,
// pki.RenewalTime and BuildReadyConditionFromChain) and hands the work queue
// and informer sync functions back to the controller framework. Any error
// from NewController is returned unchanged.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	logger := logf.FromContext(ctx.RootContext, ControllerName)
	chain := policies.NewReadinessPolicyChain(ctx.Clock)

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(logger, ctx, chain, pki.RenewalTime, BuildReadyConditionFromChain)
	return queue, mustSync, err
}
// init registers this controller under ControllerName so the controller
// manager can construct it from a ContextFactory at start-up.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, build)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package requestmanager
import (
"bytes"
"context"
"crypto"
"encoding/pem"
"fmt"
"strconv"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/utils/clock"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
const (
	// ControllerName is the name of the certificate request manager
	// controller; it is also used as the work queue and logger name.
	ControllerName = "certificates-request-manager"

	// reasonRequestFailed and reasonRequested are presumably event reasons
	// recorded via the controller's recorder; their use is not in this view.
	reasonRequestFailed = "RequestFailed"
	reasonRequested     = "Requested"
)
var (
	// certificateGvk is the GroupVersionKind of Certificate, used when
	// building controller owner references to a Certificate.
	certificateGvk = cmapi.SchemeGroupVersion.WithKind("Certificate")
)
// controller holds the dependencies of the certificate request manager
// controller. Instances are built by NewController; the zero value is not
// usable.
type controller struct {
	// certificateLister fetches the Certificate being reconciled.
	certificateLister cmlisters.CertificateLister
	// certificateRequestLister lists the CertificateRequests owned by a
	// Certificate.
	certificateRequestLister cmlisters.CertificateRequestLister
	// secretLister fetches the 'next private key' Secret named in
	// status.nextPrivateKeySecretName.
	secretLister internalinformers.SecretLister

	// client is the cert-manager clientset used to delete stale
	// CertificateRequests (and, outside this view, to create new ones).
	client cmclient.Interface
	// recorder emits Kubernetes events for the Certificate.
	recorder record.EventRecorder
	// clock is injected from the controller context so tests can control time.
	clock clock.Clock

	// copiedAnnotationPrefixes comes from ctx.CertificateOptions; its use is
	// not in this view (presumably consulted when creating a request).
	copiedAnnotationPrefixes []string

	// fieldManager is the string which will be used as the Field Manager on
	// fields created or edited by the cert-manager Kubernetes client during
	// Create or Apply API calls.
	fieldManager string
}
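// NewController returns a new certificate request manager controller together
// with its work queue and the informer sync functions the framework must
// wait for before processing items.
//
// Event handlers are registered on the Certificate, CertificateRequest and
// Secret informers obtained from ctx; owned CertificateRequests and Secrets
// re-enqueue their owning Certificate. If registering any handler fails the
// error is returned wrapped (with %w so callers can inspect it) and all
// other results are nil.
func NewController(
	log logr.Logger, ctx *controllerpkg.Context) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// create a queue used to queue up items to be processed
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{
			Name: ControllerName,
		},
	)

	// obtain references to all the informers used by this controller
	certificateInformer := ctx.SharedInformerFactory.Certmanager().V1().Certificates()
	certificateRequestInformer := ctx.SharedInformerFactory.Certmanager().V1().CertificateRequests()
	secretsInformer := ctx.KubeSharedInformerFactory.Secrets()

	// Changes to a Certificate itself are queued directly.
	if _, err := certificateInformer.Informer().AddEventHandler(&controllerpkg.QueuingEventHandler{Queue: queue}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	if _, err := certificateRequestInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		// Trigger reconciles on changes to any 'owned' CertificateRequest resources
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ResourceOwnerOf,
		),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	if _, err := secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{
		// Trigger reconciles on changes to any 'owned' secret resources
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, certificateInformer.Lister(), labels.Everything(),
			predicate.ResourceOwnerOf,
		),
	}); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %w", err)
	}

	// build a list of InformerSynced functions that will be returned by the Register method.
	// the controller will only begin processing items once all of these informers have synced.
	mustSync := []cache.InformerSynced{
		secretsInformer.Informer().HasSynced,
		certificateRequestInformer.Informer().HasSynced,
		certificateInformer.Informer().HasSynced,
	}

	return &controller{
		certificateLister:        certificateInformer.Lister(),
		certificateRequestLister: certificateRequestInformer.Lister(),
		secretLister:             secretsInformer.Lister(),
		client:                   ctx.CMClient,
		recorder:                 ctx.Recorder,
		clock:                    ctx.Clock,
		copiedAnnotationPrefixes: ctx.CertificateOptions.CopiedAnnotationPrefixes,
		fieldManager:             ctx.FieldManager,
	}, queue, mustSync, nil
}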
// ProcessItem reconciles the Certificate identified by key by ensuring that
// exactly one up-to-date CertificateRequest exists for the next revision
// while the Certificate carries an Issuing=True condition.
//
// The item is skipped with a nil error (no requeue) when the Certificate is
// missing or being deleted, is not issuing, or the 'next private key' Secret
// written by the keymanager is not yet present, holds no key data, or cannot
// be decoded. Otherwise the owned CertificateRequests are pruned in stages —
// no or invalid revision annotation, a revision other than the next one,
// mismatch with the spec or with the stored key, and stale failures — and a
// new request is created only when none survives. Lister and API errors are
// returned so the item is retried.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx).WithValues("key", key)
	ctx = logf.NewContext(ctx, log)

	namespace, name := key.Namespace, key.Name
	crt, err := c.certificateLister.Certificates(namespace).Get(name)
	if err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// If the Certificate object was/ is being deleted, we don't want to create any
		// new CertificateRequests objects
		return nil
	}

	// Only Certificates in the middle of an issuance get a request.
	if !apiutil.CertificateHasCondition(crt, cmapi.CertificateCondition{
		Type:   cmapi.CertificateConditionIssuing,
		Status: cmmeta.ConditionTrue,
	}) {
		return nil
	}

	// Check for and fetch the 'status.nextPrivateKeySecretName' secret
	if crt.Status.NextPrivateKeySecretName == nil {
		log.V(logf.DebugLevel).Info("status.nextPrivateKeySecretName not yet set, waiting for keymanager before processing certificate")
		return nil
	}
	nextPrivateKeySecret, err := c.secretLister.Secrets(crt.Namespace).Get(*crt.Status.NextPrivateKeySecretName)
	if apierrors.IsNotFound(err) {
		log.V(logf.DebugLevel).Info("nextPrivateKeySecretName Secret resource does not exist, waiting for keymanager to create it before continuing")
		return nil
	}
	if err != nil {
		return err
	}
	if nextPrivateKeySecret.Data == nil || len(nextPrivateKeySecret.Data[corev1.TLSPrivateKeyKey]) == 0 {
		log.V(logf.DebugLevel).Info("Next private key secret does not contain any valid data, waiting for keymanager before processing certificate")
		return nil
	}
	pk, err := pki.DecodePrivateKeyBytes(nextPrivateKeySecret.Data[corev1.TLSPrivateKeyKey])
	if err != nil {
		// Deliberately not returned as an error: the keymanager replaces an
		// undecodable Secret, and the resulting Secret change re-enqueues
		// this Certificate through the owned-Secret event handler.
		log.Error(err, "Failed to decode next private key secret data, waiting for keymanager before processing certificate")
		return nil
	}

	// Discover all 'owned' CertificateRequests
	requests, err := certificates.ListCertificateRequestsMatchingPredicates(c.certificateRequestLister.CertificateRequests(crt.Namespace), labels.Everything(), predicate.ResourceOwnedBy(crt))
	if err != nil {
		return err
	}

	// delete any existing CertificateRequest resources that do not have a
	// revision annotation
	if requests, err = c.deleteRequestsWithoutRevision(ctx, requests...); err != nil {
		return err
	}

	// Only requests for the revision about to be issued are considered from
	// here on; requests for other revisions are left alone.
	currentCertificateRevision := 0
	if crt.Status.Revision != nil {
		currentCertificateRevision = *crt.Status.Revision
	}
	nextRevision := currentCertificateRevision + 1

	requests, err = requestsWithRevision(requests, nextRevision)
	if err != nil {
		return err
	}

	// Drop requests whose CSR no longer matches crt.Spec or was not produced
	// with the stored next private key (see deleteRequestsNotMatchingSpec).
	requests, err = c.deleteRequestsNotMatchingSpec(ctx, crt, pk.Public(), requests...)
	if err != nil {
		return err
	}

	// Drop requests that failed during the previous issuance attempt of this
	// same revision so the issuance is retried with a new request.
	requests, err = c.deleteCurrentFailedRequests(ctx, crt, requests...)
	if err != nil {
		return err
	}

	if len(requests) > 1 {
		// TODO: we should handle this case better, but for now do nothing to
		// avoid getting into loops where we keep creating multiple requests
		// and deleting them again.
		log.V(logf.ErrorLevel).Info("Multiple matching CertificateRequest resources exist, delete one of them. This is likely an error and should be reported on the issue tracker!")
		return nil
	}

	if len(requests) == 1 {
		// Nothing to do as we've already verified that the CertificateRequest
		// is up to date above.
		return nil
	}

	return c.createNewCertificateRequest(ctx, crt, pk, nextRevision, nextPrivateKeySecret.Name)
}
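// deleteCurrentFailedRequests removes CertificateRequests that failed during
// the previous issuance attempt of the same revision, so that a fresh request
// can be created for this attempt. A request is treated as such a stale
// failure when its Ready condition is False with reason Failed and its
// status.failureTime predates the Certificate's Issuing condition transition
// time. Every other request is returned unchanged, in input order.
//
// If crt carries no Issuing condition at all — not expected, since the
// caller only processes Certificates with Issuing=True — the function logs at
// error level and returns (nil, nil), which the caller treats as "no
// requests". The first API deletion error encountered is returned.
func (c *controller) deleteCurrentFailedRequests(ctx context.Context, crt *cmapi.Certificate, reqs ...*cmapi.CertificateRequest) ([]*cmapi.CertificateRequest, error) {
	baseLog := logf.FromContext(ctx).WithValues("Certificate", crt.Name)
	var remaining []*cmapi.CertificateRequest
	for _, req := range reqs {
		// Scope the related-resource values to this iteration (as the
		// sibling delete helpers do); reassigning the outer logger would
		// accumulate the values of every previously visited request.
		log := logf.WithRelatedResource(baseLog, req)

		// Check if there are any 'current' CertificateRequests that
		// failed during the previous issuance cycle. Those should be
		// deleted so that a new one gets created and the issuance is
		// re-tried. In practice no more than one CertificateRequest is
		// expected at this point.
		crReadyCond := apiutil.GetCertificateRequestCondition(req, cmapi.CertificateRequestConditionReady)
		if crReadyCond == nil || crReadyCond.Status != cmmeta.ConditionFalse || crReadyCond.Reason != cmapi.CertificateRequestReasonFailed {
			remaining = append(remaining, req)
			continue
		}

		certIssuingCond := apiutil.GetCertificateCondition(crt, cmapi.CertificateConditionIssuing)
		if certIssuingCond == nil {
			// This should never happen
			log.V(logf.ErrorLevel).Info("Certificate does not have Issuing condition")
			return nil, nil
		}

		// If the Issuing condition on the Certificate is newer than the
		// failure time on CertificateRequest, it means that the
		// CertificateRequest failed during the previous issuance (for the
		// same revision). If it is a CertificateRequest that failed
		// during the previous issuance, then it should be deleted so
		// that we create a new one for this issuance.
		if req.Status.FailureTime.Before(certIssuingCond.LastTransitionTime) {
			log.V(logf.DebugLevel).Info("Found a failed CertificateRequest for previous issuance of this revision, deleting...")
			if err := c.client.CertmanagerV1().CertificateRequests(req.Namespace).Delete(ctx, req.Name, metav1.DeleteOptions{}); err != nil {
				return nil, err
			}
			continue
		}

		remaining = append(remaining, req)
	}
	return remaining, nil
}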
// deleteRequestsWithoutRevision deletes every CertificateRequest in reqs
// whose revision annotation is absent, empty or not a base-10 integer, and
// returns the others in input order. Deletion stops at the first API error,
// which is returned with a nil slice.
func (c *controller) deleteRequestsWithoutRevision(ctx context.Context, reqs ...*cmapi.CertificateRequest) ([]*cmapi.CertificateRequest, error) {
	baseLog := logf.FromContext(ctx)
	var kept []*cmapi.CertificateRequest
	for _, req := range reqs {
		reqLog := logf.WithRelatedResource(baseLog, req)

		// A nil Annotations map indexes to "" as well, so one lookup covers
		// both the missing-map and missing-key cases.
		revision := req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey]

		var reason string
		if revision == "" {
			reason = "Deleting CertificateRequest as it does not contain a revision annotation"
		} else if _, parseErr := strconv.ParseInt(revision, 10, 0); parseErr != nil {
			reason = "Deleting CertificateRequest as it contains an invalid revision annotation"
		}
		if reason == "" {
			kept = append(kept, req)
			continue
		}

		reqLog.V(logf.DebugLevel).Info(reason)
		if err := c.client.CertmanagerV1().CertificateRequests(req.Namespace).Delete(ctx, req.Name, metav1.DeleteOptions{}); err != nil {
			return nil, err
		}
	}
	return kept, nil
}
// requestsWithRevision returns the subset of reqs whose revision annotation
// parses to exactly revision, preserving input order. A request with no
// revision annotation yields an error naming the request; an annotation
// that is not a base-10 integer yields the strconv error. Callers are
// expected to have already pruned such requests with
// deleteRequestsWithoutRevision.
func requestsWithRevision(reqs []*cmapi.CertificateRequest, revision int) ([]*cmapi.CertificateRequest, error) {
	want := int64(revision)
	var matched []*cmapi.CertificateRequest
	for _, req := range reqs {
		annotated := req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey]
		if annotated == "" {
			return nil, fmt.Errorf("certificaterequest %q does not contain revision annotation", req.Name)
		}
		parsed, err := strconv.ParseInt(annotated, 10, 0)
		if err != nil {
			return nil, err
		}
		if parsed == want {
			matched = append(matched, req)
		}
	}
	return matched, nil
}
// deleteRequestsNotMatchingSpec deletes every CertificateRequest in reqs
// whose CSR cannot be checked against crt.Spec, violates it, or does not
// carry publicKey (the public half of the stored next private key). Requests
// that pass all three checks are returned in input order.
//
// A CSR that fails to decode after RequestMatchesSpec accepted it, or an
// error from PublicKeyMatchesCSR, aborts the function with that error; so
// does the first API deletion error.
func (c *controller) deleteRequestsNotMatchingSpec(ctx context.Context, crt *cmapi.Certificate, publicKey crypto.PublicKey, reqs ...*cmapi.CertificateRequest) ([]*cmapi.CertificateRequest, error) {
	baseLog := logf.FromContext(ctx)
	deleteReq := func(req *cmapi.CertificateRequest) error {
		return c.client.CertmanagerV1().CertificateRequests(req.Namespace).Delete(ctx, req.Name, metav1.DeleteOptions{})
	}

	var kept []*cmapi.CertificateRequest
	for _, req := range reqs {
		reqLog := logf.WithRelatedResource(baseLog, req)

		violations, err := pki.RequestMatchesSpec(req, crt.Spec)
		if err != nil {
			reqLog.Error(err, "Failed to check if CertificateRequest matches spec, deleting CertificateRequest")
			if err := deleteReq(req); err != nil {
				return nil, err
			}
			continue
		}
		if len(violations) > 0 {
			reqLog.V(logf.InfoLevel).WithValues("violations", violations).Info("CertificateRequest does not match requirements on certificate.spec, deleting CertificateRequest", "violations", violations)
			if err := deleteReq(req); err != nil {
				return nil, err
			}
			continue
		}

		x509Req, err := pki.DecodeX509CertificateRequestBytes(req.Spec.Request)
		if err != nil {
			// this case cannot happen as RequestMatchesSpec would have returned an error too
			return nil, err
		}
		matches, err := pki.PublicKeyMatchesCSR(publicKey, x509Req)
		if err != nil {
			return nil, err
		}
		if matches {
			kept = append(kept, req)
			continue
		}

		// The CSR was built with a different key than the one cert-manager
		// holds as the next private key; it can never pair with that key.
		reqLog.V(logf.DebugLevel).Info("CertificateRequest contains a CSR that does not have the same public key as the stored next private key secret, deleting CertificateRequest")
		if err := deleteReq(req); err != nil {
			return nil, err
		}
	}
	return kept, nil
}
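// createNewCertificateRequest builds a CSR for crt signed with pk, wraps it in
// a CertificateRequest and creates it through the API.
//
// The request carries the copied Certificate annotations plus the revision,
// the next-private-key Secret name and the owning Certificate name, and is
// owned by crt through a controller reference. When the
// StableCertificateRequestName feature gate is enabled the request gets a
// deterministic name derived from crt.Name and nextRevision instead of a
// generated one, and the function does not wait for the lister to observe the
// new object. Otherwise it polls the lister until the object is visible.
//
// A CSR generation failure is logged and swallowed (returns nil) because a
// retry would not help; every other failure is returned to the caller.
func (c *controller) createNewCertificateRequest(ctx context.Context, crt *cmapi.Certificate, pk crypto.Signer, nextRevision int, nextPrivateKeySecretName string) error {
	log := logf.FromContext(ctx)

	x509CSR, err := pki.GenerateCSR(
		crt,
		pki.WithUseLiteralSubject(utilfeature.DefaultMutableFeatureGate.Enabled(feature.LiteralCertificateSubject)),
		pki.WithEncodeBasicConstraintsInRequest(utilfeature.DefaultMutableFeatureGate.Enabled(feature.UseCertificateRequestBasicConstraints)),
		pki.WithNameConstraints(utilfeature.DefaultMutableFeatureGate.Enabled(feature.NameConstraints)),
		pki.WithOtherNames(utilfeature.DefaultMutableFeatureGate.Enabled(feature.OtherNames)),
	)
	if err != nil {
		// A CSR that cannot be generated from the spec will not succeed on a
		// retry either, so the error is logged and deliberately not returned.
		log.Error(err, "Failed to generate CSR - will not retry")
		return nil
	}

	csrDER, err := pki.EncodeCSR(x509CSR, pk)
	if err != nil {
		return err
	}

	// The zero bytes.Buffer is ready to use.
	var csrPEM bytes.Buffer
	if err := pem.Encode(&csrPEM, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}); err != nil {
		return err
	}

	annotations := controllerpkg.BuildAnnotationsToCopy(crt.Annotations, c.copiedAnnotationPrefixes)
	annotations[cmapi.CertificateRequestRevisionAnnotationKey] = strconv.Itoa(nextRevision)
	annotations[cmapi.CertificateRequestPrivateKeyAnnotationKey] = nextPrivateKeySecretName
	annotations[cmapi.CertificateNameKey] = crt.Name

	cr := &cmapi.CertificateRequest{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: crt.Namespace,
			// We limit the GenerateName to 52 + 1 characters to stay within the 63 - 5 character limit that
			// is used in Kubernetes when generating names.
			// see https://github.com/kubernetes/apiserver/blob/696768606f546f71a1e90546613be37d1aa37f64/pkg/storage/names/generate.go
			GenerateName:    apiutil.DNSSafeShortenTo52Characters(crt.Name) + "-",
			Annotations:     annotations,
			Labels:          crt.Labels,
			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)},
		},
		Spec: cmapi.CertificateRequestSpec{
			Duration:  crt.Spec.Duration,
			IssuerRef: crt.Spec.IssuerRef,
			Request:   csrPEM.Bytes(),
			IsCA:      crt.Spec.IsCA,
			Usages:    crt.Spec.Usages,
		},
	}

	if utilfeature.DefaultFeatureGate.Enabled(feature.StableCertificateRequestName) {
		cr.ObjectMeta.GenerateName = ""
		// The CertificateRequest name is limited to 253 characters, assuming the nextRevision and hyphen
		// can be represented using 20 characters, we can directly accept certificate names up to 233
		// characters. Certificate names that are longer than this will be hashed to a shorter name. We want
		// to make crafting two Certificates with the same truncated name as difficult as possible, so we
		// use a cryptographic hash function to hash the full certificate name to 64 characters.
		// Finally, for Certificates with a name longer than 233 characters, we build the CertificateRequest
		// name as follows: <first-168-chars-of-certificate-name>-<64-char-hash>-<19-char-nextRevision>
		crName, err := apiutil.ComputeSecureUniqueDeterministicNameFromData(crt.Name, 233)
		if err != nil {
			return err
		}
		cr.ObjectMeta.Name = fmt.Sprintf("%s-%d", crName, nextRevision)
	}

	cr, err = c.client.CertmanagerV1().CertificateRequests(cr.Namespace).Create(ctx, cr, metav1.CreateOptions{FieldManager: c.fieldManager})
	if err != nil {
		// Pass the error as an argument instead of concatenating it into the
		// format string: apiserver error text can echo object names and field
		// values, and any '%' in it would otherwise be treated as a verb and
		// garble the event message (go vet's printf check flags this too).
		c.recorder.Eventf(crt, corev1.EventTypeWarning, reasonRequestFailed, "Failed to create CertificateRequest: %v", err)
		return err
	}
	c.recorder.Eventf(crt, corev1.EventTypeNormal, reasonRequested, "Created new CertificateRequest resource %q", cr.Name)

	// If the StableCertificateRequestName feature gate is enabled, skip waiting for our informer cache/lister to
	// observe the creation event and instead rely on an AlreadyExists error being returned if we do attempt a
	// CREATE for the same CertificateRequest name again early.
	if utilfeature.DefaultFeatureGate.Enabled(feature.StableCertificateRequestName) {
		return nil
	}

	if err := c.waitForCertificateRequestToExist(ctx, cr.Namespace, cr.Name); err != nil {
		return fmt.Errorf("failed whilst waiting for CertificateRequest to exist - this may indicate an apiserver running slowly. Request will be retried. %w", err)
	}
	return nil
}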
// waitForCertificateRequestToExist polls the CertificateRequest lister every
// 100ms, for at most 5s, until the named request is visible in the cache.
// A NotFound result keeps polling; any other lister error stops the poll and
// is returned, as is the timeout error from wait.PollUntilContextTimeout.
func (c *controller) waitForCertificateRequestToExist(ctx context.Context, namespace, name string) error {
	const (
		pollInterval = 100 * time.Millisecond
		pollTimeout  = 5 * time.Second
	)

	// visible reports whether the lister has observed the request yet.
	visible := func(_ context.Context) (bool, error) {
		_, err := c.certificateRequestLister.CertificateRequests(namespace).Get(name)
		switch {
		case err == nil:
			return true, nil
		case apierrors.IsNotFound(err):
			return false, nil
		default:
			return false, err
		}
	}

	return wait.PollUntilContextTimeout(ctx, pollInterval, pollTimeout, false, visible)
}
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface.
//
// The embedded pointer starts nil and is populated by Register, so the
// wrapper must be registered before any of the promoted methods are used.
type controllerWrapper struct {
	*controller
}
// Register builds the underlying controller from ctx, stores it in the
// wrapper and hands back its work queue and the informer-synced functions
// the framework must wait on. Any error from NewController is passed through.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// One named logger is created here and reused throughout the controller.
	log := logf.FromContext(ctx.RootContext, ControllerName)

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(log, ctx)
	return queue, mustSync, err
}
// init registers this controller under ControllerName so the controller
// manager can construct it from a ContextFactory on demand.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, build)
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package revisionmanager
import (
"context"
"errors"
"fmt"
"sort"
"strconv"
"github.com/go-logr/logr"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
const (
	// ControllerName identifies this controller: it is the registration key
	// passed to controllerpkg.Register and the name given to its work queue.
	ControllerName = "certificates-revision-manager"
)
// controller garbage-collects old CertificateRequest revisions owned by a
// Certificate, keeping at most `spec.revisionHistoryLimit` of them.
type controller struct {
	// certificateLister is used to look up the Certificate being processed.
	certificateLister cmlisters.CertificateLister
	// certificateRequestLister is used to enumerate the requests owned by it.
	certificateRequestLister cmlisters.CertificateRequestLister
	// client performs the CertificateRequest deletions.
	client cmclient.Interface
}
// revision pairs a CertificateRequest's parsed revision number with the
// name that identifies it, so it can be sorted and later deleted.
type revision struct {
	// rev is the integer value of the request's revision annotation.
	rev int
	types.NamespacedName
}
// NewController wires up the revision-manager controller: a rate-limited work
// queue keyed by Certificate, event handlers on the Certificate and
// CertificateRequest informers, and the listers the controller reads from.
// It returns the controller, its queue, the informer-synced functions that
// must report true before processing starts, and any error raised while
// adding an event handler.
func NewController(log logr.Logger, ctx *controllerpkg.Context) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{Name: ControllerName},
	)

	certmanagerV1 := ctx.SharedInformerFactory.Certmanager().V1()
	crtInformer := certmanagerV1.Certificates()
	crInformer := certmanagerV1.CertificateRequests()

	// Any change to a Certificate queues it directly.
	crtHandler := &controllerpkg.QueuingEventHandler{Queue: queue}
	if _, err := crtInformer.Informer().AddEventHandler(crtHandler); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %v", err)
	}

	// A change to a CertificateRequest queues the Certificate that owns it.
	crHandler := &controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(
			log, queue, crtInformer.Lister(), labels.Everything(),
			predicate.ResourceOwnerOf,
		),
	}
	if _, err := crInformer.Informer().AddEventHandler(crHandler); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %v", err)
	}

	// Processing only starts once both informers have synced.
	mustSync := []cache.InformerSynced{
		crInformer.Informer().HasSynced,
		crtInformer.Informer().HasSynced,
	}

	ctrl := &controller{
		certificateLister:        crtInformer.Lister(),
		certificateRequestLister: crInformer.Lister(),
		client:                   ctx.CMClient,
	}
	return ctrl, queue, mustSync, nil
}
// ProcessItem garbage-collects old CertificateRequests owned by the
// Certificate identified by key, keeping `spec.revisionHistoryLimit` of them
// (default 1 when unset). It only acts on Certificates that exist, are not
// being deleted and carry the Ready=True condition; in every other case it
// returns nil without touching anything. A request that has already
// disappeared by the time it is deleted is not treated as an error.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx).WithValues("key", key)
	ctx = logf.NewContext(ctx, log)

	crt, err := c.certificateLister.Certificates(key.Namespace).Get(key.Name)
	if err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// A Certificate that is gone or going should not trigger last-minute
		// deletions of its CertificateRequests.
		return nil
	}
	log = logf.WithResource(log, crt)

	ready := cmapi.CertificateCondition{
		Type:   cmapi.CertificateConditionReady,
		Status: cmmeta.ConditionTrue,
	}
	if !apiutil.CertificateHasCondition(crt, ready) {
		return nil
	}

	owned, err := certificates.ListCertificateRequestsMatchingPredicates(
		c.certificateRequestLister.CertificateRequests(crt.Namespace),
		labels.Everything(),
		predicate.ResourceOwnedBy(crt),
	)
	if err != nil {
		return err
	}

	// A nil RevisionHistoryLimit means "keep one".
	limit := 1
	if crt.Spec.RevisionHistoryLimit != nil {
		limit = int(*crt.Spec.RevisionHistoryLimit)
	}

	for _, stale := range certificateRequestsToDelete(log, limit, owned) {
		logf.WithRelatedResourceName(log, stale.Name, stale.Namespace, cmapi.CertificateRequestKind).
			WithValues("revision", stale.rev).
			Info("garbage collecting old certificate request revision")

		switch err := c.client.CertmanagerV1().CertificateRequests(stale.Namespace).Delete(ctx, stale.Name, metav1.DeleteOptions{}); {
		case apierrors.IsNotFound(err):
			// Already gone; nothing to do.
		case err != nil:
			return err
		}
	}
	return nil
}
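// certificateRequestsToDelete prunes the given CertificateRequests to those
// carrying a valid integer revision annotation and returns, as revisions, the
// oldest ones that exceed limit. Requests with a missing or unparsable
// revision are logged and skipped rather than counted. It returns nil when
// len(requests) is at or below limit, or when fewer parsable requests than
// limit remain after pruning.
func certificateRequestsToDelete(log logr.Logger, limit int, requests []*cmapi.CertificateRequest) []revision {
	// Nothing can be over the limit if there are at most `limit` requests.
	if limit >= len(requests) {
		return nil
	}

	var revisions []revision
	for _, req := range requests {
		// Shadow rather than reassign the logger: reassigning the outer `log`
		// stacked the related-resource values of every earlier request onto
		// each later log line.
		log := logf.WithRelatedResource(log, req)
		if req.Annotations == nil || req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey] == "" {
			log.Error(errors.New("skipping processing request with missing revision"), "")
			continue
		}
		rn, err := strconv.Atoi(req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey])
		if err != nil {
			log.Error(err, "failed to parse request revision")
			continue
		}
		revisions = append(revisions, revision{rn, types.NamespacedName{Namespace: req.Namespace, Name: req.Name}})
	}

	// Oldest first; stable so equal revisions keep their lister order.
	sort.SliceStable(revisions, func(i, j int) bool {
		return revisions[i].rev < revisions[j].rev
	})

	// Everything older than the newest `limit` entries is eligible for deletion.
	excess := len(revisions) - limit
	if excess < 0 {
		return nil
	}
	return revisions[:excess]
}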
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface.
//
// The embedded pointer starts nil and is populated by Register, so the
// wrapper must be registered before any of the promoted methods are used.
type controllerWrapper struct {
	*controller
}
// Register builds the underlying controller from ctx, stores it in the
// wrapper and hands back its work queue and the informer-synced functions
// the framework must wait on. Any error from NewController is passed through.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// One named logger is created here and reused throughout the controller.
	log := logf.FromContext(ctx.RootContext, ControllerName)

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(log, ctx)
	return queue, mustSync, err
}
// init registers this controller under ControllerName so the controller
// manager can construct it from a ContextFactory on demand.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, build)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package trigger
import (
"context"
"fmt"
"math"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/workqueue"
"k8s.io/utils/clock"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
"github.com/cert-manager/cert-manager/internal/controller/certificates/policies"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
controllerpkg "github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/controller/certificates"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/scheduler"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/pkg/util/predicate"
)
const (
	// ControllerName identifies this controller: it is the registration key
	// passed to controllerpkg.Register and the name given to its work queue.
	ControllerName = "certificates-trigger"

	// stopIncreaseBackoff is the number of issuance attempts after which the backoff period should stop to increase
	stopIncreaseBackoff = 6 // 2 ^ (6 - 1) = 32 = maxDelay

	// maxDelay is the maximum backoff period
	maxDelay = 32 * time.Hour
)
// This controller observes the state of the certificate's currently
// issued `spec.secretName` and the rest of the `certificate.spec` fields to
// determine whether a re-issuance is required.
// It triggers re-issuance by adding the `Issuing` status condition when a new
// certificate is required.
type controller struct {
	// certificateLister looks up the Certificate being processed and is also
	// consulted when checking whether it owns its Secret.
	certificateLister cmlisters.CertificateLister
	// certificateRequestLister feeds the policies.Gatherer that builds the
	// policy input.
	certificateRequestLister cmlisters.CertificateRequestLister
	// secretLister resolves `spec.secretName` for ownership and policy checks.
	secretLister internalinformers.SecretLister
	// client writes the Certificate status (update or server-side apply).
	client cmclient.Interface
	// recorder emits the "Issuing" event once re-issuance is triggered.
	recorder record.EventRecorder
	// scheduledWorkQueue re-queues a Certificate after a delay (renewal time,
	// back-off, or waiting to become the owner of its Secret).
	scheduledWorkQueue scheduler.ScheduledWorkQueue[types.NamespacedName]

	// fieldManager is the string which will be used as the Field Manager on
	// fields created or edited by the cert-manager Kubernetes client during
	// Apply API calls.
	fieldManager string

	// The following are used for testing purposes.
	// clock is the time source used instead of time.Now.
	clock clock.Clock
	// shouldReissue is the policy chain that decides whether to re-issue.
	shouldReissue policies.Func
	// dataForCertificate gathers the policy input for a Certificate.
	dataForCertificate func(context.Context, *cmapi.Certificate) (policies.Input, error)
}
// NewController wires up the trigger controller: a rate-limited work queue
// keyed by Certificate, event handlers on the Certificate, CertificateRequest
// and Secret informers, and the listers, recorder, clock and policy chain the
// controller uses. It returns the controller, its queue, the informer-synced
// functions that must report true before processing starts, and any error
// raised while adding an event handler.
func NewController(
	log logr.Logger,
	ctx *controllerpkg.Context,
	shouldReissue policies.Func,
) (*controller, workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	queue := workqueue.NewTypedRateLimitingQueueWithConfig(
		controllerpkg.DefaultCertificateRateLimiter(),
		workqueue.TypedRateLimitingQueueConfig[types.NamespacedName]{Name: ControllerName},
	)

	certmanagerV1 := ctx.SharedInformerFactory.Certmanager().V1()
	crtInformer := certmanagerV1.Certificates()
	crInformer := certmanagerV1.CertificateRequests()
	secretInformer := ctx.KubeSharedInformerFactory.Secrets()

	// Any change to a Certificate queues it directly.
	crtHandler := &controllerpkg.QueuingEventHandler{Queue: queue}
	if _, err := crtInformer.Informer().AddEventHandler(crtHandler); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %v", err)
	}

	// A change to a CertificateRequest queues the Certificate that owns it.
	crHandler := &controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, crtInformer.Lister(), labels.Everything(), predicate.ResourceOwnerOf),
	}
	if _, err := crInformer.Informer().AddEventHandler(crHandler); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %v", err)
	}

	// A change to a Secret queues every Certificate naming it as spec.secretName.
	secretHandler := &controllerpkg.BlockingEventHandler{
		WorkFunc: certificates.EnqueueCertificatesForResourceUsingPredicates(log, queue, crtInformer.Lister(), labels.Everything(),
			predicate.ExtractResourceName(predicate.CertificateSecretName)),
	}
	if _, err := secretInformer.Informer().AddEventHandler(secretHandler); err != nil {
		return nil, nil, nil, fmt.Errorf("error setting up event handler: %v", err)
	}

	// Processing only starts once all three informers have synced.
	mustSync := []cache.InformerSynced{
		crInformer.Informer().HasSynced,
		secretInformer.Informer().HasSynced,
		crtInformer.Informer().HasSynced,
	}

	gatherer := &policies.Gatherer{
		CertificateRequestLister: crInformer.Lister(),
		SecretLister:             secretInformer.Lister(),
	}
	ctrl := &controller{
		certificateLister:        crtInformer.Lister(),
		certificateRequestLister: crInformer.Lister(),
		secretLister:             secretInformer.Lister(),
		client:                   ctx.CMClient,
		recorder:                 ctx.Recorder,
		scheduledWorkQueue:       scheduler.NewScheduledWorkQueue(ctx.Clock, queue.Add),
		fieldManager:             ctx.FieldManager,
		// The following are used for testing purposes.
		clock:              ctx.Clock,
		shouldReissue:      shouldReissue,
		dataForCertificate: gatherer.DataForCertificate,
	}
	return ctrl, queue, mustSync, nil
}
// ProcessItem decides whether the Certificate identified by key needs to be
// re-issued and, if so, sets the Issuing=True condition on its status and
// records an "Issuing" event.
//
// It returns nil without acting when the Certificate is missing or being
// deleted, when an issuance is already in progress, when another Certificate
// in the namespace claims the same Secret (re-queued after 3 minutes), when a
// back-off period from earlier failures is still running (re-queued for the
// remaining delay), or when the policy chain reports no re-issuance needed.
// While a renewal time is set, a re-check is scheduled for that time.
func (c *controller) ProcessItem(ctx context.Context, key types.NamespacedName) error {
	log := logf.FromContext(ctx).WithValues("key", key)
	ctx = logf.NewContext(ctx, log)

	crt, err := c.certificateLister.Certificates(key.Namespace).Get(key.Name)
	if err != nil && !k8sErrors.IsNotFound(err) {
		return err
	}
	if crt == nil || crt.DeletionTimestamp != nil {
		// A Certificate that is gone or going should not have renewals scheduled.
		return nil
	}

	issuing := cmapi.CertificateCondition{
		Type:   cmapi.CertificateConditionIssuing,
		Status: cmmeta.ConditionTrue,
	}
	if apiutil.CertificateHasCondition(crt, issuing) {
		// An issuance is already in flight.
		return nil
	}

	// Several Certificates may name the same Secret. Without this check each
	// of them would be issued and overwrite the others' X.509 certificate in
	// the Secret, which in turn makes the others' spec no longer match the
	// Secret and starts a flood of re-issuances against the Kubernetes API
	// and the issuing CA.
	isOwner, duplicates, err := internalcertificates.CertificateOwnsSecret(ctx, c.certificateLister, c.secretLister, crt)
	if err != nil {
		return err
	}
	if !isOwner {
		log.V(logf.DebugLevel).Info("Certificate.Spec.SecretName refers to the same Secret as other Certificates in the same namespace, skipping trigger.", "duplicates", duplicates)
		// Re-queue and wait for this Certificate to become the Secret's owner,
		// e.g. after it is pointed at another Secret or the conflicting
		// Certificate is deleted or changed.
		c.scheduledWorkQueue.Add(key, 3*time.Minute)
		return nil
	}

	input, err := c.dataForCertificate(ctx, crt)
	if err != nil {
		return err
	}

	// Honour the exponential back-off from earlier failed issuances as long as
	// the spec has not changed.
	if backoff, delay := shouldBackoffReissuingOnFailure(log, c.clock, input.Certificate, input.NextRevisionRequest); backoff {
		retryAt := c.clock.Now().Add(delay)
		log.V(logf.InfoLevel).Info(fmt.Sprintf("Backing off from issuance due to previously failed issuance(s). Issuance will next be attempted at %v", retryAt))
		c.scheduleRecheckOfCertificateIfRequired(log, key, delay)
		return nil
	}

	if renewal := crt.Status.RenewalTime; renewal != nil {
		// Make sure the Certificate is looked at again near its renewal time.
		c.scheduleRecheckOfCertificateIfRequired(log, key, renewal.Time.Sub(c.clock.Now()))
	}

	reason, message, reissue := c.shouldReissue(input)
	if !reissue {
		return nil
	}

	// The recorder event below also logs, but as one very long line; this
	// dedicated log line keeps the reason readable for users and operators.
	log.V(logf.InfoLevel).Info("Certificate must be re-issued", "reason", reason, "message", message)

	updated := crt.DeepCopy()
	apiutil.SetCertificateCondition(updated, updated.Generation, cmapi.CertificateConditionIssuing, cmmeta.ConditionTrue, reason, message)
	if err := c.updateOrApplyStatus(ctx, updated); err != nil {
		return err
	}
	c.recorder.Event(updated, corev1.EventTypeNormal, "Issuing", message)
	return nil
}
// updateOrApplyStatus persists crt's status. With the ServerSideApply feature
// gate enabled it applies a minimal Certificate carrying only the Issuing
// condition (the one field this controller owns) under c.fieldManager;
// otherwise it performs a full UpdateStatus call with crt as given.
func (c *controller) updateOrApplyStatus(ctx context.Context, crt *cmapi.Certificate) error {
	if !utilfeature.DefaultFeatureGate.Enabled(feature.ServerSideApply) {
		_, err := c.client.CertmanagerV1().Certificates(crt.Namespace).UpdateStatus(ctx, crt, metav1.UpdateOptions{})
		return err
	}

	// Only the Issuing condition is managed here, so only that condition is
	// part of the applied object.
	var conditions []cmapi.CertificateCondition
	if issuing := apiutil.GetCertificateCondition(crt, cmapi.CertificateConditionIssuing); issuing != nil {
		conditions = append(conditions, *issuing)
	}
	patch := &cmapi.Certificate{
		ObjectMeta: metav1.ObjectMeta{Namespace: crt.Namespace, Name: crt.Name},
		Status:     cmapi.CertificateStatus{Conditions: conditions},
	}
	return internalcertificates.ApplyStatus(ctx, c.client, c.fieldManager, patch)
}
// shouldBackoffReissuingOnFailure returns true if an issuance needs to be
// delayed and the required delay after calculating the exponential backoff.
// The backoff periods are 1h, 2h, 4h, 8h, 16h and 32h counting from when the
// last failure occurred, so the returned delay will be
// backoff_period - (current_time - last_failure_time).
//
// Notably, it returns no back-off when the certificate doesn't match the
// "next" certificate request (since a mismatch means that this certificate
// gets re-issued immediately), or when that request cannot be decoded.
//
// Note that the request can be left nil: in that case the mismatch check is
// skipped and the back-off is computed from the failure history alone.
// With no recorded LastFailureTime there is never a back-off.
func shouldBackoffReissuingOnFailure(log logr.Logger, c clock.Clock, crt *cmapi.Certificate, nextCR *cmapi.CertificateRequest) (bool, time.Duration) {
	lastFailure := crt.Status.LastFailureTime
	if lastFailure == nil {
		return false, 0
	}

	// A spec change must trigger re-issuance immediately, so compare the
	// "next" CR against the certificate spec and skip the back-off on any
	// mismatch (see the scenario C diagram at the top of gatherer.go).
	// Only the "next" CR matters here: the "current" CR reflects the
	// previous spec of the certificate.
	if nextCR == nil {
		log.V(logf.InfoLevel).Info("next CertificateRequest not available, skipping checking if Certificate matches the CertificateRequest")
	} else {
		mismatches, err := pki.RequestMatchesSpec(nextCR, crt.Spec)
		switch {
		case err != nil:
			log.V(logf.InfoLevel).Info("next CertificateRequest cannot be decoded, skipping checking if Certificate matches the CertificateRequest")
			return false, 0
		case len(mismatches) > 0:
			log.V(logf.ExtendedInfoLevel).WithValues("mismatches", mismatches).Info("Certificate is failing but the Certificate differs from CertificateRequest, backoff is not required")
			return false, 0
		}
	}

	const initialDelay = time.Hour
	sinceFailure := c.Now().Sub(lastFailure.Time)

	// FailedIssuanceAttempts may be nil for a Certificate that failed under a
	// cert-manager release predating the counter; that case uses initialDelay.
	attempts := 0
	delay := initialDelay
	if crt.Status.FailedIssuanceAttempts != nil {
		attempts = *crt.Status.FailedIssuanceAttempts
		delay = time.Hour * time.Duration(math.Pow(2, float64(attempts-1)))
	}

	// Cap at maxDelay by attempt count rather than by comparing delay, since
	// time.Duration(math.Pow(2, N)) is meaningless for large N.
	if attempts > stopIncreaseBackoff {
		delay = maxDelay
	}
	// Floor at initialDelay to guard against the arithmetic above producing
	// something shorter (e.g. attempts == 0 gives half an hour).
	if delay < initialDelay {
		delay = initialDelay
	}

	if sinceFailure >= delay {
		log.V(logf.ExtendedInfoLevel).WithValues("since_failure", sinceFailure).Info("Certificate has been in failure state long enough, no need to back off")
		return false, 0
	}
	return true, delay - sinceFailure
}
// scheduleRecheckOfCertificateIfRequired re-queues the resource identified by
// key after durationUntilRenewalTime has elapsed. A negative duration is
// ignored: the resource is already due and is handled by the current
// ProcessItem call, and queueing it with a non-positive delay would spin in a
// tight loop while the listers catch up with the new status condition.
func (c *controller) scheduleRecheckOfCertificateIfRequired(log logr.Logger, key types.NamespacedName, durationUntilRenewalTime time.Duration) {
	inThePast := durationUntilRenewalTime < 0
	if inThePast {
		return
	}
	log.V(logf.DebugLevel).Info("scheduling renewal", "duration_until_renewal", durationUntilRenewalTime.String())
	c.scheduledWorkQueue.Add(key, durationUntilRenewalTime)
}
// controllerWrapper wraps the `controller` structure to make it implement
// the controllerpkg.queueingController interface.
//
// The embedded pointer starts nil and is populated by Register, so the
// wrapper must be registered before any of the promoted methods are used.
type controllerWrapper struct {
	*controller
}
// Register builds the underlying controller from ctx, using the default
// trigger policy chain driven by ctx.Clock, stores it in the wrapper and
// hands back its work queue and the informer-synced functions the framework
// must wait on. Any error from NewController is passed through.
func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error) {
	// One named logger is created here and reused throughout the controller.
	log := logf.FromContext(ctx.RootContext, ControllerName)
	policy := policies.NewTriggerPolicyChain(ctx.Clock).Evaluate

	var (
		queue    workqueue.TypedRateLimitingInterface[types.NamespacedName]
		mustSync []cache.InformerSynced
		err      error
	)
	c.controller, queue, mustSync, err = NewController(log, ctx, policy)
	return queue, mustSync, err
}
// init registers this controller under ControllerName so the controller
// manager can construct it from a ContextFactory on demand.
func init() {
	build := func(ctx *controllerpkg.ContextFactory) (controllerpkg.Interface, error) {
		builder := controllerpkg.NewBuilder(ctx, ControllerName)
		return builder.For(&controllerWrapper{}).Complete()
	}
	controllerpkg.Register(ControllerName, build)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"errors"
"fmt"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/selection"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/discovery"
"k8s.io/client-go/kubernetes"
kscheme "k8s.io/client-go/kubernetes/scheme"
clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/metadata"
"k8s.io/client-go/metadata/metadatainformer"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/record"
"k8s.io/client-go/util/flowcontrol"
"k8s.io/utils/clock"
gwapi "sigs.k8s.io/gateway-api/apis/v1"
gwclient "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned"
gwscheme "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/scheme"
gwinformers "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions"
"github.com/cert-manager/cert-manager/internal/controller/feature"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
"github.com/cert-manager/cert-manager/internal/kube"
"github.com/cert-manager/cert-manager/pkg/acme/accounts"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
clientset "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
cmscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
informers "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/metrics"
"github.com/cert-manager/cert-manager/pkg/util"
utilfeature "github.com/cert-manager/cert-manager/pkg/util/feature"
)
// resyncPeriod is the resync interval handed to every informer factory built
// in this package. It is 10 hours, following the controller-runtime defaults
// and the discussion at
// https://github.com/kubernetes-sigs/controller-runtime/pull/88#issuecomment-408500629
const resyncPeriod time.Duration = 10 * time.Hour
// Context contains various types that are used by controller implementations.
// We purposely don't have specific informers/listers here, and instead keep a
// reference to a SharedInformerFactory so that controllers can choose
// themselves which listers are required.
//
// Each component should be given distinct Contexts, built from the
// ContextFactory that has configured the underlying client to use separate
// User Agents. The informer factories, Clock, Metrics and ACMEAccountRegistry
// are created once in NewContextFactory and shared by every Context the
// factory builds; the clients, Scheme, Recorder, RESTConfig and FieldManager
// are set per component in ContextFactory.Build.
type Context struct {
	// RootContext is the root context for the controller
	RootContext context.Context
	// FieldManager is the string that should be used as the field manager when
	// applying API object. This value is derived from the user agent.
	FieldManager string
	// RESTConfig is the loaded Kubernetes apiserver rest client configuration
	RESTConfig *rest.Config
	// Scheme is the Kubernetes scheme that should be used when serialising and
	// deserialising API objects
	Scheme *runtime.Scheme
	// Client is a Kubernetes clientset
	Client kubernetes.Interface
	// CMClient is a cert-manager clientset
	CMClient clientset.Interface
	// GWClient is a GatewayAPI clientset.
	GWClient gwclient.Interface
	// MetadataClient is a PartialObjectMetadata client
	MetadataClient metadata.Interface
	// DiscoveryClient is a discovery interface. Usually set to Client.Discovery unless a fake client is in use.
	DiscoveryClient discovery.DiscoveryInterface
	// Clock should be used to access the current time instead of relying on
	// time.Now, to make it easier to test controllers that utilise time
	Clock clock.Clock
	// ACMEAccountRegistry is used as a cache of ACME accounts between various
	// components of cert-manager
	ACMEAccountRegistry accounts.Registry
	// Metrics is used for exposing Prometheus metrics across the controllers
	Metrics *metrics.Metrics
	// Recorder to record events to
	Recorder record.EventRecorder
	// KubeSharedInformerFactory can be used to obtain shared
	// SharedIndexInformer instances for Kubernetes types
	KubeSharedInformerFactory internalinformers.KubeInformerFactory
	// SharedInformerFactory can be used to obtain shared SharedIndexInformer
	// instances for cert-manager.io types
	SharedInformerFactory informers.SharedInformerFactory
	// HTTP01ResourceMetadataInformersFactory is a metadata only informers
	// factory with a http-01 resource label filter selector
	HTTP01ResourceMetadataInformersFactory metadatainformer.SharedInformerFactory
	// GWShared can be used to obtain SharedIndexInformer instances for
	// gateway.networking.k8s.io types
	GWShared gwinformers.SharedInformerFactory
	// GatewaySolverEnabled is true only when the ExperimentalGatewayAPISupport
	// feature gate is on, EnableGatewayAPI is set and the Gateway API group
	// version was found via discovery (see buildClients).
	GatewaySolverEnabled bool
	// ContextOptions are the static options the factory was built with.
	ContextOptions
}
// ContextOptions are static Controller Context options. They are copied into
// every Context built by a ContextFactory and are also what buildClients reads
// to decide whether the Gateway API is enabled.
type ContextOptions struct {
	// APIServerHost is the host address of the target Kubernetes API server.
	APIServerHost string
	// Kubeconfig is the optional file path location to a kubeconfig to connect
	// and authenticate to the API server.
	Kubeconfig string
	// KubernetesAPIQPS is the value of the maximum QPS to the API server from
	// clients. When greater than 0 and no RateLimiter is configured, a shared
	// token-bucket limiter is built from it (see NewContextFactory).
	KubernetesAPIQPS float32
	// KubernetesAPIBurst is the value of the Maximum burst for throttle. It
	// must be greater than 0 whenever KubernetesAPIQPS is set.
	KubernetesAPIBurst int
	// Namespace is the namespace to operate within.
	// If unset, operates on all namespaces
	Namespace string
	IssuerOptions
	ACMEOptions
	IngressShimOptions
	CertificateOptions
	SchedulerOptions
	ConfigOptions
}
// ConfigOptions holds feature toggles that come from configuration rather
// than from feature gates.
type ConfigOptions struct {
	// EnableGatewayAPI indicates if the user has enabled GatewayAPI support.
	// It is only honoured when the ExperimentalGatewayAPISupport feature gate
	// is also enabled (see buildClients).
	EnableGatewayAPI bool
}
// IssuerOptions configures where Issuer and ClusterIssuer resources keep their
// supporting objects and whether they may use ambient credentials. The helper
// methods ResourceNamespace, ResourceNamespaceRef, CanUseAmbientCredentials
// and CanUseAmbientCredentialsFromRef resolve these per issuer.
type IssuerOptions struct {
	// ClusterResourceNamespace is the namespace to store resources created by
	// non-namespaced resources (e.g., ClusterIssuer) in.
	ClusterResourceNamespace string
	// ClusterIssuerAmbientCredentials controls whether a cluster issuer should
	// pick up ambient credentials, such as those from metadata services, to
	// construct clients. Ambient credentials are whatever identity the
	// controller's own environment exposes, so enabling this lets any
	// ClusterIssuer act with that identity.
	ClusterIssuerAmbientCredentials bool
	// IssuerAmbientCredentials controls whether an issuer should pick up ambient
	// credentials, such as those from metadata services, to construct clients.
	// Because Issuers are namespaced, this extends the same environment
	// identity to issuers created by namespace tenants.
	IssuerAmbientCredentials bool
}
// ACMEOptions configures the ACME HTTP-01 solver pods and the self-check
// behaviour used by the HTTP-01 and DNS-01 solvers.
type ACMEOptions struct {
	// HTTP01SolverImage is the image to use for solving ACME HTTP01
	// challenges
	HTTP01SolverImage string
	// HTTP01SolverResourceRequestCPU defines the ACME pod's resource request CPU size
	HTTP01SolverResourceRequestCPU resource.Quantity
	// HTTP01SolverResourceRequestMemory defines the ACME pod's resource request Memory size
	HTTP01SolverResourceRequestMemory resource.Quantity
	// HTTP01SolverResourceLimitsCPU defines the ACME pod's resource limits CPU size
	HTTP01SolverResourceLimitsCPU resource.Quantity
	// HTTP01SolverResourceLimitsMemory defines the ACME pod's resource limits Memory size
	HTTP01SolverResourceLimitsMemory resource.Quantity
	// ACMEHTTP01SolverRunAsNonRoot controls whether the ACME HTTP-01 solver
	// pod is run as a non-root user. The test Builder defaults it to true,
	// mirroring cmd/controller/app/options/options.go; presumably it maps onto
	// the solver pod's securityContext — confirm in the HTTP-01 solver.
	ACMEHTTP01SolverRunAsNonRoot bool
	// HTTP01SolverNameservers is a list of nameservers to use when performing self-checks
	// for ACME HTTP01 validations.
	HTTP01SolverNameservers []string
	// DNS01CheckAuthoritative is a flag for controlling if auth nss are used
	// for checking propagation of an RR. This is the ideal scenario
	DNS01CheckAuthoritative bool
	// DNS01Nameservers is a list of nameservers to use when performing self-checks
	// for ACME DNS01 validations.
	DNS01Nameservers []string
	// DNS01CheckRetryPeriod is the time the controller should wait between checking if a ACME dns entry exists.
	DNS01CheckRetryPeriod time.Duration
}
// IngressShimOptions contain default Issuer GVK config for the certificate-shim controllers.
// These are set from the cmd cli flags, allowing the controllers to support legacy annotations
// such as `kubernetes.io/tls-acme`.
type IngressShimOptions struct {
	// DefaultIssuerName, DefaultIssuerKind and DefaultIssuerGroup identify the
	// issuer the shim controllers fall back to when the annotated object does
	// not name one itself.
	DefaultIssuerName  string
	DefaultIssuerKind  string
	DefaultIssuerGroup string
	// DefaultAutoCertificateAnnotations lists the annotations that trigger
	// automatic Certificate creation.
	DefaultAutoCertificateAnnotations []string
	// ExtraCertificateAnnotations lists additional annotations the shim
	// controllers recognise; their exact handling lives in the shim code.
	ExtraCertificateAnnotations []string
}
// CertificateOptions configures how Certificate resources relate to the
// Secrets, CertificateRequests and Orders they produce.
type CertificateOptions struct {
	// EnableOwnerRef controls whether the certificate is configured as an owner of
	// secret where the effective TLS certificate is stored.
	EnableOwnerRef bool
	// CopiedAnnotationPrefixes defines which annotations should be copied
	// Certificate -> CertificateRequest, CertificateRequest -> Order.
	CopiedAnnotationPrefixes []string
}
// SchedulerOptions bounds the work the challenge scheduler may have in flight.
type SchedulerOptions struct {
	// MaxConcurrentChallenges determines the maximum number of challenges that can be
	// scheduled as 'processing' at once.
	MaxConcurrentChallenges int
}
// ContextFactory is used for constructing new Contexts whose clients have been
// configured with a User Agent built from the component name.
// It is created by NewContextFactory; Build copies ctx and attaches
// per-component clients, scheme and event recorder.
type ContextFactory struct {
	// baseRestConfig is the base Kubernetes REST config that can authenticate to
	// the Kubernetes API server. It already carries the shared RateLimiter,
	// QPS and Burst that every derived config inherits.
	baseRestConfig *rest.Config
	// log is the factory logger which is used to construct event broadcasters.
	log logr.Logger
	// ctx is the base controller Context that all Contexts will be built from.
	// Build copies it by value, so the shared factories and registries it
	// holds are reused across components.
	ctx *Context
}
// NewContextFactory loads the Kubernetes REST config described by opts, gives
// it a User Agent, QPS and Burst, and installs a single shared token-bucket
// RateLimiter so that every Context (and client) the factory builds draws from
// the same QPS/Burst buckets. It then builds the shared clients and informer
// factories and returns a ContextFactory whose Build method derives
// per-component Contexts from that base.
//
// It returns an error when the REST config cannot be loaded, when QPS is set
// without a positive Burst (and no RateLimiter was supplied), or when the
// clients cannot be built. It panics only if the HTTP-01 label selector cannot
// be constructed, which would be a programming error rather than a runtime
// condition.
func NewContextFactory(ctx context.Context, opts ContextOptions) (*ContextFactory, error) {
	// Load the user's Kubernetes config.
	cfg, err := kube.BuildClientConfig(opts.APIServerHost, opts.Kubeconfig)
	if err != nil {
		return nil, fmt.Errorf("error creating rest config: %w", err)
	}
	cfg = util.RestConfigWithUserAgent(cfg)
	cfg.QPS = opts.KubernetesAPIQPS
	cfg.Burst = opts.KubernetesAPIBurst

	// One RateLimiter is created here and inherited by every client the
	// factory builds, so all components share the same QPS/Burst budget.
	// Adapted from
	// https://github.com/kubernetes/client-go/blob/v0.23.3/kubernetes/clientset.go#L431-L435
	if cfg.RateLimiter == nil && cfg.QPS > 0 {
		if cfg.Burst <= 0 {
			return nil, errors.New("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
		}
		cfg.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(cfg.QPS, cfg.Burst)
	}

	cl, err := buildClients(cfg, opts)
	if err != nil {
		return nil, err
	}

	cmInformers := informers.NewSharedInformerFactoryWithOptions(cl.cmClient, resyncPeriod, informers.WithNamespace(opts.Namespace))

	// The Secrets-filtered Kubernetes informer factory is only used behind its
	// feature gate; otherwise the plain base factory is used.
	var kubeInformers internalinformers.KubeInformerFactory
	switch {
	case utilfeature.DefaultFeatureGate.Enabled(feature.SecretsFilteredCaching):
		kubeInformers = internalinformers.NewFilteredSecretsKubeInformerFactory(ctx, cl.kubeClient, cl.metadataOnlyClient, resyncPeriod, opts.Namespace)
	default:
		kubeInformers = internalinformers.NewBaseKubeInformerFactory(cl.kubeClient, resyncPeriod, opts.Namespace)
	}

	// metadataInformersFactory is at the moment only used for pods
	// and services for http-01 challenge which can be identified by
	// the same label keys, so it is okay to set the label selector
	// here. If we start using it for other resources then we'll
	// have to set the selectors on individual informers instead.
	http01Informers := metadatainformer.NewFilteredSharedInformerFactory(cl.metadataOnlyClient, resyncPeriod, opts.Namespace, http01ChallengeListOptionsTweak())

	gwInformers := gwinformers.NewSharedInformerFactoryWithOptions(cl.gwClient, resyncPeriod, gwinformers.WithNamespace(opts.Namespace))

	realClock := clock.RealClock{}
	factoryLog := logf.FromContext(ctx)
	m := metrics.New(factoryLog, realClock)

	base := &Context{
		RootContext:                            ctx,
		KubeSharedInformerFactory:              kubeInformers,
		SharedInformerFactory:                  cmInformers,
		GWShared:                               gwInformers,
		GatewaySolverEnabled:                   cl.gatewayAvailable,
		HTTP01ResourceMetadataInformersFactory: http01Informers,
		ContextOptions:                         opts,
		Clock:                                  realClock,
		Metrics:                                m,
		ACMEAccountRegistry: accounts.NewDefaultRegistry(
			accounts.NewClient(m, cfg.UserAgent),
		),
	}

	return &ContextFactory{
		baseRestConfig: cfg,
		log:            factoryLog,
		ctx:            base,
	}, nil
}

// http01ChallengeListOptionsTweak returns the list-options tweak used by the
// metadata-only informer factory: it restricts list/watch calls to objects
// that carry the ACME domain label, which is how HTTP-01 challenge pods and
// services are identified.
//
// It panics if the label requirement cannot be built; the key and operator
// are constants, so that is an internal error.
func http01ChallengeListOptionsTweak() func(*metav1.ListOptions) {
	req, err := labels.NewRequirement(cmacme.DomainLabelKey, selection.Exists, nil)
	if err != nil {
		panic(fmt.Errorf("internal error: failed to build label selector to filter HTTP-01 challenge resources: %w", err))
	}
	selector := labels.NewSelector().Add(*req)
	return func(listOptions *metav1.ListOptions) {
		listOptions.LabelSelector = selector.String()
	}
}
// Build derives a new controller Context from the factory's base Context. The
// REST config is re-tagged with a User Agent built from the optional component
// name, fresh clients are built from it, and a scheme (Kubernetes, cert-manager
// and Gateway API types) plus an event recorder are attached. FieldManager is
// the prefix of that User Agent. The informer factories, Clock, Metrics and
// ACMEAccountRegistry are shared with every other Context from this factory.
//
// Returns an error when the clients cannot be built.
func (c *ContextFactory) Build(component ...string) (*Context, error) {
	cfg := util.RestConfigWithUserAgent(c.baseRestConfig, component...)
	sch := newControllerScheme()

	cl, err := buildClients(cfg, c.ctx.ContextOptions)
	if err != nil {
		return nil, err
	}

	// The broadcaster logs events at debug level and writes them to the Events
	// API across all namespaces ("" selector). NOTE(review): nothing retains
	// the broadcaster, so its Shutdown is never called — presumably fine
	// because a Context lives for the whole process; confirm if Build is ever
	// called repeatedly for short-lived components.
	c.log.V(logf.DebugLevel).Info("creating event broadcaster")
	bc := record.NewBroadcaster()
	bc.StartLogging(logf.WithInfof(c.log.V(logf.DebugLevel)).Infof)
	bc.StartRecordingToSink(&clientv1.EventSinkImpl{Interface: cl.kubeClient.CoreV1().Events("")})
	source := corev1.EventSource{Component: util.PrefixFromUserAgent(cfg.UserAgent)}

	// Shallow copy of the base Context: the shared factories and registries
	// are intentionally reused; only the per-component fields are replaced.
	built := *c.ctx
	built.FieldManager = source.Component
	built.RESTConfig = cfg
	built.Scheme = sch
	built.Client = cl.kubeClient
	built.CMClient = cl.cmClient
	built.GWClient = cl.gwClient
	built.MetadataClient = cl.metadataOnlyClient
	built.DiscoveryClient = cl.kubeClient.Discovery()
	built.Recorder = bc.NewRecorder(sch, source)
	return &built, nil
}

// newControllerScheme returns a runtime.Scheme containing the Kubernetes,
// cert-manager and Gateway API types, so that Events referencing any of them
// can be serialised properly. It panics if an AddToScheme call fails, which
// would be a programming error.
func newControllerScheme() *runtime.Scheme {
	s := runtime.NewScheme()
	utilruntime.Must(kscheme.AddToScheme(s))
	utilruntime.Must(cmscheme.AddToScheme(s))
	utilruntime.Must(gwscheme.AddToScheme(s))
	return s
}
// contextClients is a helper struct containing API clients.
// All four clients are built from one REST config and one shared HTTP client
// by buildClients. Field order matters: buildClients constructs it with an
// unkeyed composite literal.
type contextClients struct {
	kubeClient         kubernetes.Interface
	cmClient           clientset.Interface
	gwClient           gwclient.Interface
	metadataOnlyClient metadata.Interface
	// gatewayAvailable is set only when the Gateway API feature gate and
	// EnableGatewayAPI are both on and discovery found the Gateway API
	// group version.
	gatewayAvailable bool
}
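// buildClients builds all required clients for the context using the given
// REST config. A single HTTP client is created from restConfig and shared by
// the cert-manager, Kubernetes, metadata-only and Gateway API clientsets.
//
// When the ExperimentalGatewayAPISupport feature gate and opts.EnableGatewayAPI
// are both on, it additionally verifies via discovery that the Gateway API
// group version is served; a missing or empty group version is returned as an
// error so that cert-manager crash-loops rather than silently running without
// Gateway support. gatewayAvailable is true only after that check passes.
//
// Returns an error wrapping the failing client constructor or discovery call.
func buildClients(restConfig *rest.Config, opts ContextOptions) (contextClients, error) {
	httpClient, err := rest.HTTPClientFor(restConfig)
	if err != nil {
		return contextClients{}, fmt.Errorf("error creating HTTP client: %w", err)
	}

	// Create a cert-manager api client
	cmClient, err := clientset.NewForConfigAndClient(restConfig, httpClient)
	if err != nil {
		return contextClients{}, fmt.Errorf("error creating cert-manager client: %w", err)
	}

	// Create a Kubernetes api client
	kubeClient, err := kubernetes.NewForConfigAndClient(restConfig, httpClient)
	if err != nil {
		return contextClients{}, fmt.Errorf("error creating kubernetes client: %w", err)
	}

	// create a metadata-only client
	metadataOnlyClient, err := metadata.NewForConfigAndClient(restConfig, httpClient)
	if err != nil {
		return contextClients{}, fmt.Errorf("error creating metadata-only client: %w", err)
	}

	// Check if the Gateway API feature gate was enabled; only then is the
	// presence of the Gateway API CRDs verified.
	gatewayAvailable := false
	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalGatewayAPISupport) && opts.EnableGatewayAPI {
		if err := checkGatewayAPIAvailable(kubeClient.Discovery()); err != nil {
			return contextClients{}, err
		}
		gatewayAvailable = true
	}

	// Create a GatewayAPI client. It is built regardless of the gate so that
	// Context.GWClient is always non-nil.
	gwClient, err := gwclient.NewForConfigAndClient(restConfig, httpClient)
	if err != nil {
		// Fixed: this previously reported "kubernetes client", which pointed
		// operators at the wrong constructor.
		return contextClients{}, fmt.Errorf("error creating gateway-api client: %w", err)
	}

	return contextClients{
		kubeClient:         kubeClient,
		cmClient:           cmClient,
		gwClient:           gwClient,
		metadataOnlyClient: metadataOnlyClient,
		gatewayAvailable:   gatewayAvailable,
	}, nil
}

// checkGatewayAPIAvailable asks discovery for the Gateway API group version
// and returns an error if it is not found, if discovery fails, or if the
// group version is served but lists no resources. A nil return means the
// Gateway API CRDs are installed.
func checkGatewayAPIAvailable(d discovery.DiscoveryInterface) error {
	resources, err := d.ServerResourcesForGroupVersion(gwapi.GroupVersion.String())
	notAvailable := "the Gateway API CRDs do not seem to be present, but " + feature.ExperimentalGatewayAPISupport +
		" is set to true. Please install the gateway-api CRDs."
	switch {
	case apierrors.IsNotFound(err):
		return fmt.Errorf("%s (%w)", notAvailable, err)
	case err != nil:
		return fmt.Errorf("while checking if the Gateway API CRD is installed: %w", err)
	case len(resources.APIResources) == 0:
		return fmt.Errorf("%s (found %d APIResources in %s)", notAvailable, len(resources.APIResources), gwapi.GroupVersion.String())
	}
	return nil
}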
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"context"
"fmt"
"strings"
"sync"
"time"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/metrics"
)
// runFunc is a hook invoked by controller.Run with the controller's context.
type runFunc func(context.Context)
// runDurationFunc pairs a hook with the period at which controller.Run
// re-invokes it (via wait.Until) until the context is done.
type runDurationFunc struct {
	fn       runFunc
	duration time.Duration
}
// queueingController is implemented by controllers that register a workqueue
// of NamespacedName keys and process one key at a time.
type queueingController interface {
	// Register wires the controller into ctx and returns its queue and the
	// informers that must sync before it may run.
	Register(*Context) (workqueue.TypedRateLimitingInterface[types.NamespacedName], []cache.InformerSynced, error)
	// ProcessItem handles a single queued key.
	ProcessItem(ctx context.Context, key types.NamespacedName) error
}
// NewController assembles a generic queue-driven controller. syncFunc is
// invoked for every key popped from queue; mustSync lists the informers that
// must have synced before workers start; runDurationFuncs are re-run
// periodically for as long as the controller runs. runFirstFuncs is left
// empty by this constructor.
func NewController(
	name string,
	metrics *metrics.Metrics,
	syncFunc func(ctx context.Context, key types.NamespacedName) error,
	mustSync []cache.InformerSynced,
	runDurationFuncs []runDurationFunc,
	queue workqueue.TypedRateLimitingInterface[types.NamespacedName],
) Interface {
	ctrl := controller{
		name:             name,
		metrics:          metrics,
		syncHandler:      syncFunc,
		mustSync:         mustSync,
		runDurationFuncs: runDurationFuncs,
		queue:            queue,
	}
	return &ctrl
}
// controller is the generic queue-driven control loop returned by
// NewController. Run starts the workers; worker drains the queue.
type controller struct {
	// name is the name for this controller
	name string
	// the function that should be called when an item is popped
	// off the workqueue
	syncHandler func(ctx context.Context, key types.NamespacedName) error
	// mustSync is a slice of informers that must have synced before
	// this controller can start
	mustSync []cache.InformerSynced
	// a set of functions that will be called just after controller initialisation, once.
	// NewController does not populate this field.
	runFirstFuncs []runFunc
	// a set of functions that should be called every duration.
	runDurationFuncs []runDurationFunc
	// queue is a reference to the queue used to enqueue resources
	// to be processed
	queue workqueue.TypedRateLimitingInterface[types.NamespacedName]
	// metrics is used to expose Prometheus, shared by all controllers
	metrics *metrics.Metrics
}
// Run starts the controller loop. It waits for every informer in mustSync,
// starts `workers` goroutines draining the queue, runs each runFirstFuncs
// hook once and each runDurationFuncs hook periodically, then blocks until
// ctx is done. On shutdown the queue is closed and Run waits for the worker
// goroutines (but not the periodic hooks) to exit.
//
// Returns an error if the informer caches do not sync before ctx is done.
func (c *controller) Run(workers int, ctx context.Context) error {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	log := logf.FromContext(ctx, c.name)
	log.V(logf.DebugLevel).Info("starting control loop")

	// Nothing may be processed until every dependency cache is populated.
	if synced := cache.WaitForCacheSync(ctx.Done(), c.mustSync...); !synced {
		return fmt.Errorf("error waiting for informer caches to sync")
	}

	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			c.worker(ctx)
		}()
	}

	for _, hook := range c.runFirstFuncs {
		hook(ctx)
	}
	// Periodic hooks stop when ctx is done; they are not tracked by wg.
	for _, periodic := range c.runDurationFuncs {
		go wait.Until(func() { periodic.fn(ctx) }, periodic.duration, ctx.Done())
	}

	<-ctx.Done()
	log.V(logf.InfoLevel).Info("shutting down queue as workqueue signaled shutdown")
	c.queue.ShutDown()
	log.V(logf.DebugLevel).Info("waiting for workers to exit...")
	wg.Wait()
	log.V(logf.DebugLevel).Info("workers exited")
	return nil
}
// worker pops keys from the queue until it is shut down, handing each one to
// syncOne. It returns once queue.Get reports shutdown.
func (c *controller) worker(ctx context.Context) {
	log := logf.FromContext(ctx)
	log.V(logf.DebugLevel).Info("starting worker")
	for {
		key, shutdown := c.queue.Get()
		if shutdown {
			break
		}
		c.syncOne(ctx, key)
	}
	log.V(logf.DebugLevel).Info("exiting worker loop")
}

// syncOne runs the sync handler for a single key and updates the queue and
// metrics accordingly: a successful sync forgets the key, a failed sync
// re-queues it with rate limiting. queue.Done is always called for the key.
//
// An optimistic-lock conflict is logged but deliberately not counted in the
// sync-error metric. NOTE(review): the conflict is detected by substring
// matching on the error text, which is fragile; a typed check would be more
// robust if the returned errors are known to be apimachinery status errors.
func (c *controller) syncOne(ctx context.Context, key types.NamespacedName) {
	log := logf.FromContext(ctx)
	defer c.queue.Done(key)

	log.V(logf.DebugLevel).Info("syncing item")
	// Increase sync count for this controller
	c.metrics.IncrementSyncCallCount(c.name)

	err := c.syncHandler(ctx, key)
	if err == nil {
		log.V(logf.DebugLevel).Info("finished processing work item")
		c.queue.Forget(key)
		return
	}

	switch {
	case strings.Contains(err.Error(), genericregistry.OptimisticLockErrorMsg):
		log.Info("re-queuing item due to optimistic locking on resource", "error", err.Error())
		// These errors are not counted towards the controllerSyncErrorCount metric on purpose
		// as they will go way with
		// https://github.com/cert-manager/cert-manager/blob/master/design/20220118.server-side-apply.md
	default:
		log.Error(err, "re-queuing item due to error processing")
		c.metrics.IncrementSyncErrorCount(c.name)
	}
	c.queue.AddRateLimited(key)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// ResourceNamespace returns the Kubernetes namespace where resources
// created or read by `iss` are located: the issuer's own namespace when it
// has one, otherwise ClusterResourceNamespace (the cluster-scoped case).
func (o IssuerOptions) ResourceNamespace(iss cmapi.GenericIssuer) string {
	if ns := iss.GetObjectMeta().Namespace; ns != "" {
		return ns
	}
	return o.ClusterResourceNamespace
}
// ResourceNamespaceRef returns the Kubernetes namespace where resources
// created or read by the referenced issuer are located.
// This function is identical to ResourceNamespace, but takes a reference to
// the issuer instead of the issuer itself (which means we don't need to fetch the
// issuer from the API server). ClusterIssuer references resolve to
// ClusterResourceNamespace; Issuer references — and, defensively, any
// unrecognised Kind — resolve to challengeNamespace.
func (o IssuerOptions) ResourceNamespaceRef(ref cmmeta.IssuerReference, challengeNamespace string) string {
	if ref.Kind == cmapi.ClusterIssuerKind {
		return o.ClusterResourceNamespace
	}
	// cmapi.IssuerKind, and the should-not-be-reached fallthrough, both map
	// to the challenge's own namespace.
	return challengeNamespace
}
// CanUseAmbientCredentials returns whether `iss` will attempt to configure itself
// from ambient credentials (e.g., from a cloud metadata service). The answer
// is taken from ClusterIssuerAmbientCredentials for a *ClusterIssuer and from
// IssuerAmbientCredentials for an *Issuer; any other implementation of
// GenericIssuer is denied.
func (o IssuerOptions) CanUseAmbientCredentials(iss cmapi.GenericIssuer) bool {
	if _, isCluster := iss.(*cmapi.ClusterIssuer); isCluster {
		return o.ClusterIssuerAmbientCredentials
	}
	if _, isNamespaced := iss.(*cmapi.Issuer); isNamespaced {
		return o.IssuerAmbientCredentials
	}
	return false
}
// CanUseAmbientCredentialsFromRef returns whether the referenced issuer will attempt
// to configure itself from ambient credentials (e.g., from a cloud metadata service).
// This function is identical to CanUseAmbientCredentials, but takes a reference to
// the issuer instead of the issuer itself (which means we don't need to fetch the
// issuer from the API server). Unknown Kinds are denied.
func (o IssuerOptions) CanUseAmbientCredentialsFromRef(ref cmmeta.IssuerReference) bool {
	if ref.Kind == cmapi.ClusterIssuerKind {
		return o.ClusterIssuerAmbientCredentials
	}
	if ref.Kind == cmapi.IssuerKind {
		return o.IssuerAmbientCredentials
	}
	return false
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import "context"
// This file defines types for controllers to register themselves with the
// controller package.
// Interface represents a controller that can be run.
type Interface interface {
	// Run will start a controller. 'workers' should be the number of
	// independent goroutines for this controller in question that are to be
	// run, and the workers should shut down when ctx is done.
	// This method should block until all workers have exited cleanly, thus
	// allowing for graceful shutdown of control loops.
	Run(workers int, ctx context.Context) error
}
// Constructor is a function that creates a new control loop given a
// controller ContextFactory, from which it builds its own component Context.
type Constructor func(ctx *ContextFactory) (Interface, error)
// known is the package-level registry of controller constructors keyed by
// name. It is populated by Register and exposed by Known; it is not guarded
// by a lock, so Register is expected to run during package initialisation.
var known = map[string]Constructor{}
// Known returns a map of the registered controller Constructors.
// The returned map is the registry itself, not a copy, so callers must treat
// it as read-only.
func Known() map[string]Constructor {
	registry := known
	return registry
}
// Register registers a controller constructor with the controller package.
// Registering the same name twice silently replaces the earlier constructor.
func Register(name string, fn Constructor) {
	registry := known
	registry[name] = fn
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
"fmt"
"github.com/google/go-cmp/cmp"
coretesting "k8s.io/client-go/testing"
)
// ActionMatchFn is a type of custom matcher for two Actions. It receives the
// expected action first and the observed action second, and returns a non-nil
// error to signal a mismatch.
type ActionMatchFn func(coretesting.Action, coretesting.Action) error
// Action implements a getter and a matcher for coretesting.Action type.
type Action interface {
	// Action returns the wrapped expected action.
	Action() coretesting.Action
	// Matches reports, as an error, whether the given observed action differs
	// from the expected one.
	Matches(coretesting.Action) error
}
// customMatchAction is an Action whose comparison is delegated to a
// caller-supplied ActionMatchFn instead of a structural diff.
type customMatchAction struct {
	action  coretesting.Action
	matchFn ActionMatchFn
}
// Compile-time check that *customMatchAction satisfies Action.
var _ Action = (*customMatchAction)(nil)
// NewCustomMatch takes an Action and a matcher function and returns a wrapper
// that can be used to compare this Action with another one using matchFn.
func NewCustomMatch(a coretesting.Action, matchFn ActionMatchFn) Action {
	wrapper := customMatchAction{action: a, matchFn: matchFn}
	return &wrapper
}
// Action is a getter for customMatchAction.action.
func (a *customMatchAction) Action() coretesting.Action {
	expected := a.action
	return expected
}
// Matches compares the action of customMatchAction with another Action by
// invoking the wrapper's matchFn with the expected action first.
func (a *customMatchAction) Matches(act coretesting.Action) error {
	match := a.matchFn
	return match(a.action, act)
}
// action is an Action compared by structural diff (see Matches).
type action struct {
	action coretesting.Action
}
// Compile-time check that *action satisfies Action.
var _ Action = (*action)(nil)
// NewAction takes coretesting.Action and wraps it with action, whose Matches
// performs a structural diff against the observed action.
func NewAction(a coretesting.Action) Action {
	wrapper := action{action: a}
	return &wrapper
}
// Action is a getter for action.action.
func (a *action) Action() coretesting.Action {
	expected := a.action
	return expected
}
// Matches compares action.action with another Action using cmp.Diff and
// returns an error containing the diff (-want +got) when they differ.
// Differences under any path ending in .ManagedFields are ignored.
func (a *action) Matches(act coretesting.Action) error {
	// We ignore differences in .ManagedFields since the expected object does not have them.
	// FIXME: don't ignore this field
	// FIXME: Must ignore managed fields as newer fake clients are tracking them
	ignoreManagedFields := cmp.FilterPath(func(p cmp.Path) bool {
		return p.Last().String() == ".ManagedFields"
	}, cmp.Ignore())

	diff := cmp.Diff(a.action, act, ignoreManagedFields)
	if diff == "" {
		return nil
	}
	return fmt.Errorf("unexpected difference between actions (-want +got):\n%s", diff)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
"context"
"flag"
"fmt"
"slices"
"testing"
"time"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/rand"
kubefake "k8s.io/client-go/kubernetes/fake"
metadatafake "k8s.io/client-go/metadata/fake"
"k8s.io/client-go/metadata/metadatainformer"
"k8s.io/client-go/rest"
coretesting "k8s.io/client-go/testing"
"k8s.io/utils/clock"
fakeclock "k8s.io/utils/clock/testing"
ctrl "sigs.k8s.io/controller-runtime"
gwfake "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned/fake"
gwinformers "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmfake "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/fake"
informers "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions"
"github.com/cert-manager/cert-manager/pkg/controller"
"github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/metrics"
"github.com/cert-manager/cert-manager/pkg/util"
discoveryfake "github.com/cert-manager/cert-manager/test/unit/discovery"
)
// init configures logging for the test package: it initialises the
// cert-manager logger, turns on stderr logging at verbosity 4, and points
// controller-runtime at the same logger.
func init() {
	logs.InitLogs()
	// Errors are ignored on purpose: these flags are only absent when the
	// underlying logging library does not register them.
	for _, kv := range [][2]string{{"alsologtostderr", "true"}, {"v", "4"}} {
		_ = flag.Set(kv[0], kv[1])
	}
	ctrl.SetLogger(logs.Log)
}
// StringGenerator produces a string of length n; the Builder uses it to
// complete generateName values (see generateNameReactor) and defaults to
// rand.String.
type StringGenerator func(n int) string
// Builder is a structure used to construct new Contexts for use during tests.
// Currently, only KubeObjects, CertManagerObjects and GWObjects can be
// specified. These will be auto loaded into the constructed fake Clientsets.
// Call ToContext() to construct a new context using the given values.
type Builder struct {
	// T is used to report setup failures; Init calls T.Fatalf, so it must be
	// set before Init.
	T *testing.T

	// Objects preloaded into the corresponding fake clientsets by Init.
	KubeObjects            []runtime.Object
	CertManagerObjects     []runtime.Object
	GWObjects              []runtime.Object
	PartialMetadataObjects []runtime.Object
	// ExpectedActions and ExpectedEvents are verified by CheckAndFinish.
	ExpectedActions []Action
	ExpectedEvents  []string
	// StringGenerator completes generateName values; defaults to rand.String.
	StringGenerator StringGenerator

	// Clock will be the Clock set on the controller context.
	// If not specified, the RealClock will be used.
	Clock *fakeclock.FakeClock

	// CheckFn is a custom check function that will be executed when the
	// CheckAndFinish method is called on the builder, after all other checks.
	// It will be passed a reference to the Builder in order to access state,
	// as well as a list of all the arguments passed to the CheckAndFinish
	// function (typically the list of return arguments from the function under
	// test).
	CheckFn func(*Builder, ...interface{})

	// stopCh is created by Init; presumably closed by Stop — confirm.
	stopCh chan struct{}

	// The embedded Context is what the code under test receives; its fields
	// are promoted onto the Builder (b.Client, b.Recorder, ...).
	*controller.Context
}
// generateNameReactor is prepended to every fake clientset's "create" chain by
// Init. When the created object carries a generateName, it assigns a name made
// of that prefix plus five generated characters. It never handles the action
// itself (handled is always false), so the default reactor still performs the
// create with the now-named object.
func (b *Builder) generateNameReactor(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
	obj := action.(coretesting.CreateAction).GetObject().(metav1.Object)
	if prefix := obj.GetGenerateName(); prefix != "" {
		obj.SetName(prefix + b.StringGenerator(5))
	}
	return false, obj.(runtime.Object), nil
}
// informerResyncPeriod is the resync period used by the test informers. We
// want this period to be as short as possible to make the tests faster.
// However, client-go imposes a minimum resync period of 1 second, so that
// is the lowest we can go.
// https://github.com/kubernetes/client-go/blob/5a019202120ab4dd7dfb3788e5cb87269f343ebe/tools/cache/shared_informer.go#L575
const informerResyncPeriod time.Duration = 1 * time.Second
// Init will construct a new context for this builder and set default values
// for any unset fields.
//
// It populates the embedded controller.Context with fake Kubernetes,
// cert-manager, Gateway API, metadata and discovery clients preloaded with the
// Builder's object slices, prepends generateNameReactor to each fake client's
// create chain, builds the informer factories with informerResyncPeriod, and
// installs the Clock. It also assigns the package-level apiutil.Clock, so
// tests that call Init must not run in parallel with each other.
//
// Requires b.T to be set: scheme setup failures are reported via T.Fatalf.
func (b *Builder) Init() {
	if b.Context == nil {
		b.Context = &controller.Context{}
	}
	if b.Context.RootContext == nil {
		b.Context.RootContext = context.Background()
	}
	if b.StringGenerator == nil {
		b.StringGenerator = rand.String
	}
	scheme := metadatafake.NewTestScheme()
	if err := metav1.AddMetaToScheme(scheme); err != nil {
		b.T.Fatalf("error adding meta to scheme: %v", err)
	}
	b.ACMEOptions.ACMEHTTP01SolverRunAsNonRoot = true // default from cmd/controller/app/options/options.go
	b.Client = kubefake.NewClientset(b.KubeObjects...)
	b.CMClient = cmfake.NewClientset(b.CertManagerObjects...)
	// FIXME: It seems like the gateway-api fake.NewClientset is misbehaving and is not usable per July 2025
	b.GWClient = gwfake.NewSimpleClientset(b.GWObjects...)
	b.MetadataClient = metadatafake.NewSimpleMetadataClient(scheme, b.PartialMetadataObjects...)
	// The fake discovery client only advertises networking.k8s.io/v1 Ingress;
	// every other group version reports no resources.
	b.DiscoveryClient = discoveryfake.NewDiscovery().WithServerResourcesForGroupVersion(func(groupVersion string) (*metav1.APIResourceList, error) {
		if groupVersion == networkingv1.SchemeGroupVersion.String() {
			return &metav1.APIResourceList{
				TypeMeta:     metav1.TypeMeta{},
				GroupVersion: networkingv1.SchemeGroupVersion.String(),
				APIResources: []metav1.APIResource{
					{
						Name:               "ingresses",
						SingularName:       "Ingress",
						Namespaced:         true,
						Group:              networkingv1.GroupName,
						Version:            networkingv1.SchemeGroupVersion.Version,
						Kind:               networkingv1.SchemeGroupVersion.WithKind("Ingress").Kind,
						Verbs:              metav1.Verbs{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"},
						ShortNames:         []string{"ing"},
						Categories:         []string{"all"},
						StorageVersionHash: "testing",
					},
				},
			}, nil
		}
		return &metav1.APIResourceList{}, nil
	})
	b.Recorder = new(FakeRecorder)
	// Reactors are prepended so generateName is resolved before the default
	// object tracker stores the object.
	b.FakeKubeClient().PrependReactor("create", "*", b.generateNameReactor)
	b.FakeCMClient().PrependReactor("create", "*", b.generateNameReactor)
	b.FakeGWClient().PrependReactor("create", "*", b.generateNameReactor)
	b.FakeMetadataClient().PrependReactor("create", "*", b.generateNameReactor)
	// All factories watch every namespace ("") and the metadata factory applies
	// no label filter, unlike the production factory.
	b.KubeSharedInformerFactory = internalinformers.NewBaseKubeInformerFactory(b.Client, informerResyncPeriod, "")
	b.SharedInformerFactory = informers.NewSharedInformerFactory(b.CMClient, informerResyncPeriod)
	b.GWShared = gwinformers.NewSharedInformerFactory(b.GWClient, informerResyncPeriod)
	b.HTTP01ResourceMetadataInformersFactory = metadatainformer.NewFilteredSharedInformerFactory(b.MetadataClient, informerResyncPeriod, "", func(listOptions *metav1.ListOptions) {})
	b.stopCh = make(chan struct{})
	b.Metrics = metrics.New(logs.Log, clock.RealClock{})
	// set the Clock on the context
	if b.Clock == nil {
		b.Context.Clock = clock.RealClock{}
	} else {
		b.Context.Clock = b.Clock
	}
	// Fix the clock used in apiutil so that calls to set status conditions
	// can be predictably tested. This is process-global state.
	apiutil.Clock = b.Context.Clock
}
// InitWithRESTConfig runs Init and then installs a fresh rest.Config on the
// builder whose User-Agent is derived from the string "unit-testing" by
// util.RestConfigWithUserAgent.
func (b *Builder) InitWithRESTConfig() {
	b.Init()
	cfg := new(rest.Config)
	b.RESTConfig = util.RestConfigWithUserAgent(cfg, "unit-testing")
}
// FakeKubeClient returns the Kubernetes client held on the builder's context
// as the fake Clientset. The unchecked type assertion panics if the context
// holds a client of a different type.
func (b *Builder) FakeKubeClient() *kubefake.Clientset {
	cs := b.Context.Client.(*kubefake.Clientset)
	return cs
}
// FakeKubeInformerFactory exposes the Kubernetes informer factory that Init
// created on the builder's context.
func (b *Builder) FakeKubeInformerFactory() internalinformers.KubeInformerFactory {
	factory := b.Context.KubeSharedInformerFactory
	return factory
}
// FakeCMClient returns the cert-manager client held on the builder's context
// as the fake Clientset installed by Init. It panics if the client is of any
// other type.
func (b *Builder) FakeCMClient() *cmfake.Clientset {
	cs := b.Context.CMClient.(*cmfake.Clientset)
	return cs
}
// FakeGWClient returns the Gateway API client held on the builder's context as
// the fake Clientset installed by Init. It panics if the client is of any
// other type.
func (b *Builder) FakeGWClient() *gwfake.Clientset {
	cs := b.Context.GWClient.(*gwfake.Clientset)
	return cs
}
// FakeCMInformerFactory exposes the cert-manager informer factory that Init
// created on the builder's context.
func (b *Builder) FakeCMInformerFactory() informers.SharedInformerFactory {
	factory := b.Context.SharedInformerFactory
	return factory
}
// FakeMetadataClient returns the metadata client held on the builder's context
// as the fake installed by Init. It panics if the client is of any other type.
func (b *Builder) FakeMetadataClient() *metadatafake.FakeMetadataClient {
	mc := b.Context.MetadataClient.(*metadatafake.FakeMetadataClient)
	return mc
}
// FakeDiscoveryClient returns the discovery client held on the builder's
// context as the fake installed by Init. It panics if the client is of any
// other type.
func (b *Builder) FakeDiscoveryClient() *discoveryfake.Discovery {
	dc := b.Context.DiscoveryClient.(*discoveryfake.Discovery)
	return dc
}
// CheckAndFinish performs the end-of-test verification: it reports (via
// b.T.Error) any expected actions that did not fire, any unexpected actions,
// and any mismatch between expected and recorded events; it then resyncs the
// informer caches and, when b.CheckFn is set, runs it with args. Stop is
// always called on return, even if a check panics.
func (b *Builder) CheckAndFinish(args ...interface{}) {
	defer b.Stop()

	for _, check := range []func() error{b.AllActionsExecuted, b.AllEventsCalled} {
		if err := check(); err != nil {
			b.T.Error(err)
		}
	}

	// Make sure lister views are current before any custom assertions run.
	b.Sync()

	if fn := b.CheckFn; fn != nil {
		fn(b, args...)
	}
}
// AllEventsCalled compares the events recorded by the FakeRecorder with
// b.ExpectedEvents using util.EqualUnsorted and returns an error describing
// both lists when they differ, or nil when they agree.
func (b *Builder) AllEventsCalled() error {
	got := b.Events()
	if util.EqualUnsorted(b.ExpectedEvents, got) {
		return nil
	}
	mismatch := fmt.Errorf("got unexpected events, exp='%s' got='%s'",
		b.ExpectedEvents, got)
	return utilerrors.NewAggregate([]error{mismatch})
}
// AllActionsExecuted compares the actions recorded by the fake cert-manager,
// Kubernetes and Gateway API clients against b.ExpectedActions and returns an
// aggregate error describing every mismatch, or nil when they agree.
//
// "list" and "watch" actions are skipped, as they are issued by the informers
// rather than by the code under test. Each fired action consumes at most one
// expected action: candidates are pre-filtered on namespace, resource,
// subresource and verb, and the first whose Matches succeeds is removed from
// the remaining expectations. A fired action with no remaining match is
// reported as unexpected, together with the last Matches error it produced
// (if any); expectations left over at the end are reported as missing.
//
// Actions recorded by the fake metadata client are not part of the comparison.
func (b *Builder) AllActionsExecuted() error {
	firedActions := b.FakeCMClient().Actions()
	firedActions = append(firedActions, b.FakeKubeClient().Actions()...)
	firedActions = append(firedActions, b.FakeGWClient().Actions()...)

	var unexpectedActions []coretesting.Action
	var errs []error
	// Work on a copy so that b.ExpectedActions is left intact for the caller.
	missingActions := slices.Clone(b.ExpectedActions)
	for _, a := range firedActions {
		// skip list and watch actions
		if a.GetVerb() == "list" || a.GetVerb() == "watch" {
			continue
		}

		found := false
		var err error
		for i, expA := range missingActions {
			if expA.Action().GetNamespace() != a.GetNamespace() ||
				expA.Action().GetResource() != a.GetResource() ||
				expA.Action().GetSubresource() != a.GetSubresource() ||
				expA.Action().GetVerb() != a.GetVerb() {
				continue
			}

			err = expA.Matches(a)
			// if this action doesn't match, we record the error and continue
			// as there may be multiple action matchers for the same resource
			if err != nil {
				continue
			}

			// Consume the matched expectation. Mutating the slice being
			// ranged over is safe only because of the break that follows.
			missingActions = append(missingActions[:i], missingActions[i+1:]...)
			found = true
			break
		}
		if !found {
			unexpectedActions = append(unexpectedActions, a)
			// Only the error from the last candidate matcher survives; earlier
			// mismatch reasons for the same action are overwritten above.
			if err != nil {
				errs = append(errs, err)
			}
		}
	}
	for _, a := range missingActions {
		errs = append(errs, fmt.Errorf("missing action: %v", actionToString(a.Action())))
	}
	for _, a := range unexpectedActions {
		errs = append(errs, fmt.Errorf("unexpected action: %v", actionToString(a)))
	}
	return utilerrors.NewAggregate(errs)
}
// actionToString renders a fake-client action as
// `<verb> <subresource> "<resource>" in namespace <namespace>` for use in
// assertion messages.
func actionToString(a coretesting.Action) string {
	verb, sub := a.GetVerb(), a.GetSubresource()
	res, ns := a.GetResource(), a.GetNamespace()
	return fmt.Sprintf("%s %s %q in namespace %s", verb, sub, res, ns)
}
// Stop closes the builder's stop channel, which signals every informer started
// by Start to stop watching, and restores apiutil.Clock to the real clock that
// Init replaced. A second call is a no-op because the channel is cleared after
// it is closed.
//
// This method is *not* safe to be called concurrently: it mutates b.stopCh and
// the package-level apiutil.Clock without synchronisation.
func (b *Builder) Stop() {
	ch := b.stopCh
	if ch == nil {
		return
	}
	b.stopCh = nil
	close(ch)

	// Undo the clock override so later tests see real time again.
	apiutil.Clock = clock.RealClock{}
}
// Start launches every informer factory owned by the builder against the
// builder's stop channel and then blocks in Sync until their caches are
// populated. Init must have run first so that b.stopCh exists.
func (b *Builder) Start() {
	stop := b.stopCh
	b.KubeSharedInformerFactory.Start(stop)
	b.SharedInformerFactory.Start(stop)
	b.GWShared.Start(stop)
	b.HTTP01ResourceMetadataInformersFactory.Start(stop)

	b.Sync()
}
// Sync blocks until every informer factory reports its caches synced, then
// sleeps for informerResyncPeriod. Start calls it once after launching the
// informers; tests call it directly after mutating objects through the fake
// clients so that the informer caches (and therefore the listers) reflect the
// change before assertions run.
//
// WaitForCacheSync only covers the initial population of a cache, which is why
// the additional sleep for one resync period is needed to pick up later
// updates. Any factory that fails to sync causes a panic naming the factory.
func (b *Builder) Sync() {
	panicOnErr := func(prefix string, err error) {
		if err != nil {
			panic(prefix + err.Error())
		}
	}
	stop := b.stopCh

	panicOnErr("Error waiting for kubeSharedInformerFactory to sync: ",
		mustAllSync(b.KubeSharedInformerFactory.WaitForCacheSync(stop)))
	panicOnErr("Error waiting for SharedInformerFactory to sync: ",
		mustAllSync(b.SharedInformerFactory.WaitForCacheSync(stop)))
	panicOnErr("Error waiting for GWShared to sync: ",
		mustAllSync(b.GWShared.WaitForCacheSync(stop)))
	panicOnErr("Error waiting for MetadataInformerFactory to sync:",
		mustAllSync(b.HTTP01ResourceMetadataInformersFactory.WaitForCacheSync(stop)))

	// Give the informers one resync period to absorb writes made through the
	// fake clients.
	time.Sleep(informerResyncPeriod)
}
// Events returns the lines recorded by the builder's FakeRecorder, or nil when
// b.Recorder is of some other type.
func (b *Builder) Events() []string {
	rec, isFake := b.Recorder.(*FakeRecorder)
	if !isFake {
		return nil
	}
	return rec.Events
}
// mustAllSync converts a WaitForCacheSync result map into an error: one entry
// per informer whose value is false, aggregated with utilerrors.NewAggregate
// (nil when everything synced). Map iteration order determines the order of
// the aggregated errors.
func mustAllSync[E comparable](in map[E]bool) error {
	var notSynced []error
	for informer, synced := range in {
		if synced {
			continue
		}
		notSynced = append(notSynced, fmt.Errorf("informer for %v not synced", informer))
	}
	return utilerrors.NewAggregate(notSynced)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
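// FakeRecorder is an in-memory stand-in for an event recorder used by tests.
// Its zero value is usable: every Event/Eventf call appends one
// "<eventtype> <reason> <message>" line to Events. Appends are not guarded by
// a lock, so a recorder shared between goroutines needs external
// synchronisation. PastEventf is deliberately a no-op.
type FakeRecorder struct {
	// Events holds the recorded lines in the order they were emitted.
	Events []string
}

// Event records eventtype, reason and message separated by single spaces.
// The object argument is ignored.
func (f *FakeRecorder) Event(object runtime.Object, eventtype, reason, message string) {
	f.Events = append(f.Events, fmt.Sprintf("%s %s %s", eventtype, reason, message))
}

// Eventf records eventtype and reason followed by messageFmt expanded with
// args. Only messageFmt is treated as a format string; eventtype and reason
// are emitted verbatim, so a '%' in either of them cannot alter the output
// (previously they were concatenated into the format string).
func (f *FakeRecorder) Eventf(object runtime.Object, eventtype, reason, messageFmt string, args ...interface{}) {
	f.Event(object, eventtype, reason, fmt.Sprintf(messageFmt, args...))
}

// PastEventf is a no-op: back-dated events are not recorded.
func (f *FakeRecorder) PastEventf(object runtime.Object, timestamp metav1.Time, eventtype, reason, messageFmt string, args ...interface{}) {
}

// AnnotatedEventf records the event exactly like Eventf; annotations are
// ignored.
func (f *FakeRecorder) AnnotatedEventf(object runtime.Object, annotations map[string]string, eventtype, reason, messageFmt string, args ...interface{}) {
	f.Eventf(object, eventtype, reason, messageFmt, args...)
}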
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"reflect"
"strings"
"time"
"github.com/go-logr/logr"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
logf "github.com/cert-manager/cert-manager/pkg/logs"
)
// DefaultItemBasedRateLimiter returns a per-item exponential back-off rate
// limiter keyed by NamespacedName, starting at 5 seconds and capped at
// 5 minutes.
func DefaultItemBasedRateLimiter() workqueue.TypedRateLimiter[types.NamespacedName] {
	const (
		baseDelay = 5 * time.Second
		maxDelay  = 5 * time.Minute
	)
	return workqueue.NewTypedItemExponentialFailureRateLimiter[types.NamespacedName](baseDelay, maxDelay)
}
// DefaultCertificateRateLimiter returns a per-item exponential back-off rate
// limiter keyed by NamespacedName, starting at 1 second and capped at
// 30 seconds.
func DefaultCertificateRateLimiter() workqueue.TypedRateLimiter[types.NamespacedName] {
	const (
		baseDelay = 1 * time.Second
		maxDelay  = 30 * time.Second
	)
	return workqueue.NewTypedItemExponentialFailureRateLimiter[types.NamespacedName](baseDelay, maxDelay)
}
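// DefaultACMERateLimiter returns a per-item exponential back-off rate limiter
// keyed by NamespacedName, starting at 5 seconds and capped at 30 minutes.
// (The doc comment previously named DefaultCertificateRateLimiter, which is a
// different limiter.)
func DefaultACMERateLimiter() workqueue.TypedRateLimiter[types.NamespacedName] {
	const (
		baseDelay = 5 * time.Second
		maxDelay  = 30 * time.Minute
	)
	return workqueue.NewTypedItemExponentialFailureRateLimiter[types.NamespacedName](baseDelay, maxDelay)
}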
// HandleOwnedResourceNamespacedFunc returns an informer event-handler function
// that, given a dependent Kubernetes object, enqueues those of its owners that
// match ownerGVK.
// https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents
//
// For each OwnerReference on the object only the Group of the reference's
// apiVersion and its Kind are compared with ownerGVK; the version is ignored.
// A matching owner is fetched with get using the dependent object's own
// namespace and the reference's name (OwnerReferences carry no namespace, so
// an owner is always resolved locally). An owner that is not found is skipped
// with an informational log, any other lookup error is logged and skipped,
// and an obj that does not implement metav1.Object is logged and ignored.
//
// Parameters:
//   - log: base logger; the returned function derives per-object loggers from it.
//   - queue: receives the NamespacedName of every resolved owner.
//   - ownerGVK: group and kind of the owner type to look for.
//   - get: cache lookup of an owner by namespace and name; expected to return
//     a NotFound API error when the owner is absent.
func HandleOwnedResourceNamespacedFunc[T metav1.Object](
	log logr.Logger,
	queue workqueue.TypedRateLimitingInterface[types.NamespacedName],
	ownerGVK schema.GroupVersionKind,
	get func(namespace, name string) (T, error),
) func(obj interface{}) {
	return func(obj interface{}) {
		log := log.WithName("handleOwnedResource")

		metaobj, ok := obj.(metav1.Object)
		if !ok {
			log.Error(nil, "item passed to handleOwnedResource does not implement metav1.Object")
			return
		}
		log = logf.WithResource(log, metaobj)

		ownerRefs := metaobj.GetOwnerReferences()
		for _, ref := range ownerRefs {
			log := log.WithValues(
				logf.RelatedResourceNamespaceKey, metaobj.GetNamespace(),
				logf.RelatedResourceNameKey, ref.Name,
				logf.RelatedResourceKindKey, ref.Kind,
			)

			// Parse the Group out of the OwnerReference to compare it to what was parsed out of the requested OwnerType
			refGV, err := schema.ParseGroupVersion(ref.APIVersion)
			if err != nil {
				log.Error(err, "could not parse OwnerReference GroupVersion")
				continue
			}

			if refGV.Group == ownerGVK.Group && ref.Kind == ownerGVK.Kind {
				// Shadows the outer obj on purpose: from here on obj is the owner.
				obj, err := get(metaobj.GetNamespace(), ref.Name)
				// This function is always called with a getter
				// that gets from informers cache. Because this
				// is also called on cache sync it may be that
				// the owner is not yet in the cache.
				if err != nil && errors.IsNotFound(err) {
					log.Info("owning resource not found in cache")
					continue
				}
				if err != nil {
					log.Error(err, "error getting referenced owning resource from cache")
					continue
				}
				queue.Add(types.NamespacedName{
					Name:      obj.GetName(),
					Namespace: obj.GetNamespace(),
				})
			}
		}
	}
}
// QueuingEventHandler is a cache.ResourceEventHandler that translates every
// add, update and delete notification into the object's NamespacedName on
// Queue. Updates whose old and new objects are reflect.DeepEqual are dropped,
// and delete tombstones are unwrapped before keying.
type QueuingEventHandler struct {
	Queue workqueue.TypedRateLimitingInterface[types.NamespacedName]
}

// Enqueue derives the namespace/name key for obj (tolerating deletion
// tombstones) and adds it to Queue. A key that cannot be derived is reported
// through runtime.HandleError and dropped.
func (q *QueuingEventHandler) Enqueue(obj interface{}) {
	name, err := cache.DeletionHandlingObjectToName(obj)
	if err != nil {
		runtime.HandleError(err)
		return
	}
	key := types.NamespacedName{Namespace: name.Namespace, Name: name.Name}
	q.Queue.Add(key)
}

// OnAdd enqueues a newly observed object; isInInitialList is ignored.
func (q *QueuingEventHandler) OnAdd(obj interface{}, isInInitialList bool) {
	q.Enqueue(obj)
}

// OnUpdate enqueues newObj unless it is deeply equal to oldObj, which is the
// case for periodic resyncs that carry no change.
func (q *QueuingEventHandler) OnUpdate(oldObj, newObj interface{}) {
	if !reflect.DeepEqual(oldObj, newObj) {
		q.Enqueue(newObj)
	}
}

// OnDelete enqueues the deleted object, unwrapping a
// cache.DeletedFinalStateUnknown tombstone first.
func (q *QueuingEventHandler) OnDelete(obj interface{}) {
	if tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown); isTombstone {
		obj = tombstone.Obj
	}
	q.Enqueue(obj)
}
// BlockingEventHandler is a cache.ResourceEventHandler that runs WorkFunc
// synchronously, on the informer's goroutine, for every add, update and
// delete. Updates whose old and new objects are reflect.DeepEqual are dropped,
// and delete tombstones are unwrapped before WorkFunc sees them.
type BlockingEventHandler struct {
	WorkFunc func(obj interface{})
}

// Enqueue invokes WorkFunc with obj and returns when it has finished.
func (b *BlockingEventHandler) Enqueue(obj interface{}) {
	work := b.WorkFunc
	work(obj)
}

// OnAdd runs WorkFunc for a newly observed object; isInInitialList is ignored.
func (b *BlockingEventHandler) OnAdd(obj interface{}, isInInitialList bool) {
	work := b.WorkFunc
	work(obj)
}

// OnUpdate runs WorkFunc with newObj unless it is deeply equal to oldObj.
func (b *BlockingEventHandler) OnUpdate(oldObj, newObj interface{}) {
	if !reflect.DeepEqual(oldObj, newObj) {
		b.WorkFunc(newObj)
	}
}

// OnDelete runs WorkFunc with the deleted object, unwrapping a
// cache.DeletedFinalStateUnknown tombstone first.
func (b *BlockingEventHandler) OnDelete(obj interface{}) {
	if tombstone, isTombstone := obj.(cache.DeletedFinalStateUnknown); isTombstone {
		obj = tombstone.Obj
	}
	b.WorkFunc(obj)
}
// BuildAnnotationsToCopy selects the subset of allAnnotations that should be
// propagated from one resource to another (Certificate to CertificateRequest,
// CertificateSigningRequest to Order) according to prefixes.
//
// prefixes is processed in order. A plain entry selects every annotation key
// that starts with it; the entry "*" selects every key, and its presence
// anywhere in the list makes every plain entry select every key. An entry
// beginning with "-" removes already-selected keys that start with the
// remainder. Because an exclusion only strips keys selected by an earlier
// entry, it must appear after the include it narrows (for example after "*")
// to have any effect; the same exclusion placed before "*" is a no-op.
//
// The result is always a non-nil map; nil or empty inputs yield an empty map.
func BuildAnnotationsToCopy(allAnnotations map[string]string, prefixes []string) map[string]string {
	selected := make(map[string]string)

	copyEverything := false
	for _, entry := range prefixes {
		if entry == "*" {
			copyEverything = true
			break
		}
	}

	for _, entry := range prefixes {
		if excluded, isExclusion := strings.CutPrefix(entry, "-"); isExclusion {
			// Drop keys previously selected under this prefix; later entries
			// may select them again.
			for key := range allAnnotations {
				if strings.HasPrefix(key, excluded) {
					delete(selected, key)
				}
			}
			continue
		}
		for key, value := range allAnnotations {
			if copyEverything || strings.HasPrefix(key, entry) {
				selected[key] = value
			}
		}
	}
	return selected
}
// ToSecret returns obj as a *corev1.Secret when it is one, or, when obj is a
// *metav1.PartialObjectMetadata, a skeleton Secret carrying only that
// metadata's name and namespace. Any other type yields (nil, false).
//
// The PartialObjectMetadata branch does not verify the object's kind — the
// GVK was not obtainable from partial metadata when this was written — so it
// relies on the caller only ever passing metadata that belongs to Secrets.
// At present no reconcile loop receives PartialObjectMetadata for any other
// type.
func ToSecret(obj interface{}) (*corev1.Secret, bool) {
	switch o := obj.(type) {
	case *corev1.Secret:
		return o, true
	case *metav1.PartialObjectMetadata:
		skeleton := &corev1.Secret{}
		skeleton.SetName(o.Name)
		skeleton.SetNamespace(o.Namespace)
		return skeleton, true
	default:
		return nil, false
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package issuer
import (
"fmt"
"sync"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/controller"
)
// IssuerConstructor builds an issuer Interface for the given controller
// Context. Constructors are registered by name through RegisterIssuer and
// invoked by Factory.IssuerFor once the issuer type of a resource has been
// resolved; IssuerFor returns an error when no constructor is registered for
// that type.
type IssuerConstructor func(*controller.Context) (Interface, error)

var (
	// constructors maps an issuer type name (as produced by
	// apiutil.NameForIssuer) to its registered constructor.
	constructors = make(map[string]IssuerConstructor)
	// constructorsLock guards constructors: RegisterIssuer writes under Lock,
	// IssuerFor reads under RLock.
	constructorsLock sync.RWMutex
)
// RegisterIssuer makes constructor c available to IssuerFor under name, which
// must match the issuer type name apiutil.NameForIssuer derives for the
// resource. Registering the same name twice silently replaces the earlier
// constructor. The registry write is serialised by constructorsLock.
//
// TODO: move this method to be on Factory, and invent a way to obtain a
// SharedFactory. This will make testing easier.
func RegisterIssuer(name string, c IssuerConstructor) {
	constructorsLock.Lock()
	constructors[name] = c
	constructorsLock.Unlock()
}
// Factory is an interface that can be used to obtain Issuer implementations.
// It determines which issuer implementation to use by introspecting the
// given Issuer resource.
type Factory interface {
	// IssuerFor returns a new issuer implementation for the given Issuer or
	// ClusterIssuer, or an error when its type is unknown or unregistered.
	IssuerFor(v1.GenericIssuer) (Interface, error)
}

// factory is the default Factory implementation; it resolves issuer types
// against the package-level constructors registry.
type factory struct {
	// ctx is handed to every constructor invoked by IssuerFor.
	ctx *controller.Context
}
// NewFactory returns a Factory bound to ctx. The same ctx is passed to every
// issuer constructor the factory invokes.
func NewFactory(ctx *controller.Context) Factory {
	f := factory{ctx: ctx}
	return &f
}
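// IssuerFor returns a freshly constructed Issuer implementation for the given
// Issuer or ClusterIssuer resource. The implementation is chosen by the issuer
// type name that apiutil.NameForIssuer derives from the resource and looked up
// among the constructors registered through RegisterIssuer.
//
// Every call constructs a new instance; construction is inexpensive, so
// callers need not cache the result. An error is returned when the issuer
// type cannot be determined (the cause is wrapped, so errors.Is/As see it) or
// when no constructor is registered for that type.
func (f *factory) IssuerFor(issuer v1.GenericIssuer) (Interface, error) {
	issuerType, err := apiutil.NameForIssuer(issuer)
	if err != nil {
		// %w (rather than formatting err.Error() with %s) keeps the cause
		// inspectable by callers while producing the same message text.
		return nil, fmt.Errorf("could not get issuer type: %w", err)
	}

	constructorsLock.RLock()
	defer constructorsLock.RUnlock()
	if constructor, ok := constructors[issuerType]; ok {
		return constructor(f.ctx)
	}

	return nil, fmt.Errorf("issuer '%s' not registered", issuerType)
}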
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package issuer
import (
"fmt"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
)
// Helper is an interface that defines a method that returns an issuer for the given
// IssuerRef and namespace.
type Helper interface {
	// GetGenericIssuer resolves ref to an Issuer (read from namespace ns) or a
	// ClusterIssuer (cluster-scoped), depending on ref.Kind.
	GetGenericIssuer(ref cmmeta.IssuerReference, ns string) (cmapi.GenericIssuer, error)
}

// helperImpl is the default Helper implementation, backed by informer listers
// rather than direct API calls. An instance of Helper is made available as
// part of a controller's context.
type helperImpl struct {
	issuerLister cmlisters.IssuerLister
	// clusterIssuerLister may be nil; GetGenericIssuer then refuses
	// ClusterIssuer references.
	clusterIssuerLister cmlisters.ClusterIssuerLister
}

// Compile-time check that helperImpl satisfies Helper.
var _ Helper = &helperImpl{}
// NewHelper returns a Helper that resolves Issuers through issuerLister and
// ClusterIssuers through clusterIssuerLister. clusterIssuerLister may be nil,
// in which case ClusterIssuer references are rejected by GetGenericIssuer.
func NewHelper(issuerLister cmlisters.IssuerLister, clusterIssuerLister cmlisters.ClusterIssuerLister) Helper {
	h := helperImpl{}
	h.issuerLister = issuerLister
	h.clusterIssuerLister = clusterIssuerLister
	return &h
}
// GetGenericIssuer resolves ref to the issuer resource it names.
//
// For ref.Kind == IssuerKind the Issuer is read from namespace ns, which
// should normally be the namespace of the resource holding the IssuerRef (for
// example the Certificate); a namespaced Issuer can therefore never be
// reached from another namespace through this helper. For ClusterIssuerKind
// the lookup is cluster-wide and ns is ignored; when no ClusterIssuer lister
// is configured (single-namespace deployments) an error is returned instead.
// Any other kind is rejected with an error naming the two accepted values.
//
// Callers must check err before using the result: the listers return typed
// pointers, so a lookup failure may be accompanied by a non-nil interface
// value wrapping a nil pointer.
func (h *helperImpl) GetGenericIssuer(ref cmmeta.IssuerReference, ns string) (cmapi.GenericIssuer, error) {
	if ref.Kind == cmapi.IssuerKind {
		return h.issuerLister.Issuers(ns).Get(ref.Name)
	}
	if ref.Kind != cmapi.ClusterIssuerKind {
		return nil, fmt.Errorf(`invalid value %q for issuerRef.kind. Must be %q or %q`, ref.Kind, cmapi.IssuerKind, cmapi.ClusterIssuerKind)
	}
	// A nil ClusterIssuer lister is not a supported operating mode today and
	// is not exposed to users; the guard remains in case that mode returns.
	if h.clusterIssuerLister == nil {
		return nil, fmt.Errorf("cannot get ClusterIssuer named %q as cert-manager is scoped to a single namespace", ref.Name)
	}
	return h.clusterIssuerLister.Get(ref.Name)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
"github.com/Venafi/vcert/v5/pkg/certificate"
"github.com/Venafi/vcert/v5/pkg/endpoint"
"github.com/Venafi/vcert/v5/pkg/venafi/fake"
)
// Connector is a test double for a vcert connector. Each XxxFunc hook, when
// set, replaces the corresponding method; unset hooks fall through to the
// embedded *fake.Connector, which Default installs when it is nil.
type Connector struct {
	*fake.Connector

	PingFunc                  func() error
	ReadZoneConfigurationFunc func() (*endpoint.ZoneConfiguration, error)
	RetrieveCertificateFunc   func(*certificate.Request) (*certificate.PEMCollection, error)
	RequestCertificateFunc    func(*certificate.Request) (string, error)
	RenewCertificateFunc      func(*certificate.RenewalRequest) (string, error)
}

// Default returns a pointer to a copy of f in which a nil embedded connector
// has been replaced by fake.NewConnector(true, nil). The receiver itself is
// not modified.
func (f Connector) Default() *Connector {
	c := f
	if c.Connector == nil {
		c.Connector = fake.NewConnector(true, nil)
	}
	return &c
}

// Ping uses PingFunc when set, otherwise the embedded connector.
func (f *Connector) Ping() (err error) {
	if hook := f.PingFunc; hook != nil {
		return hook()
	}
	return f.Connector.Ping()
}

// ReadZoneConfiguration uses ReadZoneConfigurationFunc when set, otherwise the
// embedded connector.
func (f *Connector) ReadZoneConfiguration() (config *endpoint.ZoneConfiguration, err error) {
	if hook := f.ReadZoneConfigurationFunc; hook != nil {
		return hook()
	}
	return f.Connector.ReadZoneConfiguration()
}

// RetrieveCertificate uses RetrieveCertificateFunc when set, otherwise the
// embedded connector.
func (f *Connector) RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error) {
	if hook := f.RetrieveCertificateFunc; hook != nil {
		return hook(req)
	}
	return f.Connector.RetrieveCertificate(req)
}

// RequestCertificate uses RequestCertificateFunc when set, otherwise the
// embedded connector.
func (f *Connector) RequestCertificate(req *certificate.Request) (requestID string, err error) {
	if hook := f.RequestCertificateFunc; hook != nil {
		return hook(req)
	}
	return f.Connector.RequestCertificate(req)
}

// RenewCertificate uses RenewCertificateFunc when set, otherwise the embedded
// connector.
func (f *Connector) RenewCertificate(req *certificate.RenewalRequest) (requestID string, err error) {
	if hook := f.RenewCertificateFunc; hook != nil {
		return hook(req)
	}
	return f.Connector.RenewCertificate(req)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package fake
import (
"time"
"github.com/Venafi/vcert/v5/pkg/endpoint"
"github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api"
)
// Venafi is a test double for the Venafi client used by the issuer. Ping,
// RequestCertificate, RetrieveCertificate and ReadZoneConfiguration forward
// unconditionally to their Fn hook and therefore panic when that hook is nil;
// only VerifyCredentials tolerates an unset hook. SetClient is a no-op.
type Venafi struct {
	PingFn                  func() error
	RequestCertificateFn    func(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error)
	RetrieveCertificateFn   func(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error)
	ReadZoneConfigurationFn func() (*endpoint.ZoneConfiguration, error)
	VerifyCredentialsFn     func() error
}

// Ping forwards to PingFn.
func (v *Venafi) Ping() error {
	hook := v.PingFn
	return hook()
}

// RequestCertificate forwards all arguments to RequestCertificateFn.
func (v *Venafi) RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) {
	hook := v.RequestCertificateFn
	return hook(csrPEM, duration, customFields)
}

// RetrieveCertificate forwards all arguments to RetrieveCertificateFn.
func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) {
	hook := v.RetrieveCertificateFn
	return hook(pickupID, csrPEM, duration, customFields)
}

// ReadZoneConfiguration forwards to ReadZoneConfigurationFn.
func (v *Venafi) ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error) {
	hook := v.ReadZoneConfigurationFn
	return hook()
}

// SetClient discards the connector; the fake has no real client to replace.
func (v *Venafi) SetClient(endpoint.Connector) {}

// VerifyCredentials forwards to VerifyCredentialsFn when set and otherwise
// reports success.
func (v *Venafi) VerifyCredentials() error {
	hook := v.VerifyCredentialsFn
	if hook == nil {
		return nil
	}
	return hook()
}
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"time"
"github.com/Venafi/vcert/v5/pkg/certificate"
"github.com/Venafi/vcert/v5/pkg/endpoint"
"github.com/go-logr/logr"
logf "github.com/cert-manager/cert-manager/pkg/logs"
"github.com/cert-manager/cert-manager/pkg/metrics"
)
// instrumentedConnector decorates a connector so that every call is
// trace-logged and its wall-clock duration is recorded via
// metrics.ObserveVenafiRequestDuration under a per-operation label. Results
// and errors from the wrapped connector are passed through unchanged.
type instrumentedConnector struct {
	conn    connector
	metrics *metrics.Metrics
	logger  *logr.Logger
}

var _ connector = instrumentedConnector{}

// newInstrumentedConnector wraps conn. log is copied and kept by pointer;
// metrics must be non-nil because every call records a duration.
func newInstrumentedConnector(conn connector, metrics *metrics.Metrics, log logr.Logger) connector {
	ic := instrumentedConnector{conn: conn, metrics: metrics}
	ic.logger = &log
	return ic
}

// trace emits the "calling <op>" line at trace level.
func (ic instrumentedConnector) trace(op string) {
	ic.logger.V(logf.TraceLevel).Info("calling " + op)
}

// observe records the time elapsed since start under label.
func (ic instrumentedConnector) observe(label string, start time.Time) {
	ic.metrics.ObserveVenafiRequestDuration(time.Since(start), label)
}

// ReadZoneConfiguration times and forwards the call; label
// "read_zone_configuration".
func (ic instrumentedConnector) ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error) {
	start := time.Now()
	ic.trace("ReadZoneConfiguration")
	cfg, err := ic.conn.ReadZoneConfiguration()
	ic.observe("read_zone_configuration", start)
	return cfg, err
}

// RequestCertificate times and forwards the call; label "request_certificate".
func (ic instrumentedConnector) RequestCertificate(req *certificate.Request) (string, error) {
	start := time.Now()
	ic.trace("RequestCertificate")
	id, err := ic.conn.RequestCertificate(req)
	ic.observe("request_certificate", start)
	return id, err
}

// RetrieveCertificate times and forwards the call; label
// "retrieve_certificate".
func (ic instrumentedConnector) RetrieveCertificate(req *certificate.Request) (*certificate.PEMCollection, error) {
	start := time.Now()
	ic.trace("RetrieveCertificate")
	pems, err := ic.conn.RetrieveCertificate(req)
	ic.observe("retrieve_certificate", start)
	return pems, err
}

// Ping times and forwards the call; label "ping".
func (ic instrumentedConnector) Ping() error {
	start := time.Now()
	ic.trace("Ping")
	err := ic.conn.Ping()
	ic.observe("ping", start)
	return err
}

// RenewCertificate times and forwards the call; label "renew_certificate".
func (ic instrumentedConnector) RenewCertificate(req *certificate.RenewalRequest) (string, error) {
	start := time.Now()
	ic.trace("RenewCertificate")
	id, err := ic.conn.RenewCertificate(req)
	ic.observe("renew_certificate", start)
	return id, err
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"crypto/x509"
"errors"
"fmt"
"strings"
"time"
"github.com/Venafi/vcert/v5/pkg/certificate"
"github.com/Venafi/vcert/v5/pkg/util"
"github.com/Venafi/vcert/v5/pkg/venafi/tpp"
"github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
// ErrCustomFieldsType reports a Venafi custom field whose Type is not
// accepted by convertCustomFieldsToVcert; Type carries the rejected value.
type ErrCustomFieldsType struct { //nolint:errname
	Type api.CustomFieldType
}

// Error renders the message with the rejected type quoted.
func (err ErrCustomFieldsType) Error() string {
	msg := fmt.Sprintf("certificate request contains an invalid Venafi custom fields type: %q", err.Type)
	return msg
}
var ErrorMissingSubject = errors.New("Certificate requests submitted to Venafi issuers must have the 'commonName' field or at least one other subject field set.") //nolint:errname
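// RequestCertificate submits csrPEM to Venafi for signing and returns the
// pickup ID that RetrieveCertificate later uses to collect the certificate.
//
// The CSR is decoded into a template (by buildVReq) so that zone defaults can
// be applied and the request validated against the zone policy locally; the
// CSR bytes themselves are sent unmodified. A CSR with an empty subject is
// rejected with ErrorMissingSubject and a custom field of an unsupported type
// with ErrCustomFieldsType, both raised by buildVReq. duration becomes the
// requested validity period and customFields are appended to the request.
//
// The address-of in the ErrCertNotFound check (`&notFoundErr`) had been
// mangled in this listing and is restored here.
func (v *Venafi) RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) {
	vreq, err := v.buildVReq(csrPEM, duration, customFields)
	if err != nil {
		return "", err
	}

	// If the connector is TPP, we unconditionally reset any prior failed enrollment
	// so that we don't get stuck with "Fix any errors, and then click Retry."
	// (60% of the time) or "WebSDK CertRequest" (40% of the time).
	//
	// It would be preferable to only reset when necessary to avoid the extra
	// call. We tried that in https://github.com/Venafi/vcert/pull/269. It turns
	// out that calling "request" followed by "reset(restart=true)" causes a
	// race in TPP.
	//
	// Unconditionally resetting isn't optimal, but "reset(restart=false)" is
	// lightweight. We haven't verified that it doesn't slow things down on
	// large TPP instances.
	//
	// Note that resetting won't affect the existing certificate if one was
	// already issued.
	if v.tppClient != nil {
		// We can't use the instrumented v.vcertClient because its concrete
		// value is `instrumentedConnector`, which doesn't give access to the
		// *tpp.Connector it wraps. Also, `instrumentedConnector` doesn't
		// support `ResetCertificate`.
		err := v.tppClient.ResetCertificate(vreq, false)
		notFoundErr := &tpp.ErrCertNotFound{}
		// Resetting a request TPP has never seen is the normal first-time
		// case, so "not found" is tolerated; any other reset failure aborts.
		if err != nil && !errors.As(err, &notFoundErr) {
			return "", err
		}
	}

	return v.vcertClient.RequestCertificate(vreq)
}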
// RetrieveCertificate collects the certificate previously requested under
// pickupID. The same CSR, duration and custom fields used for the request are
// needed again because the vcert request is rebuilt (and re-validated against
// the zone) by buildVReq before the pickup. The connector call is given a
// 60 second timeout.
//
// The result is a PEM bundle: the leaf certificate followed by each chain
// element returned by Venafi, separated by a single newline.
func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) {
	vreq, err := v.buildVReq(csrPEM, duration, customFields)
	if err != nil {
		return nil, err
	}

	vreq.PickupID = pickupID
	vreq.Timeout = 60 * time.Second

	collection, err := v.vcertClient.RetrieveCertificate(vreq)
	if err != nil {
		return nil, err
	}

	// Leaf first, then the chain in the order Venafi returned it.
	var bundle strings.Builder
	bundle.WriteString(collection.Certificate)
	for _, link := range collection.Chain {
		bundle.WriteString("\n")
		bundle.WriteString(link)
	}
	return []byte(bundle.String()), nil
}
// buildVReq turns a PEM-encoded CSR into a vcert certificate.Request that has
// been defaulted and validated against the Venafi zone configuration.
//
// Steps, in order: read the zone configuration through the connector; parse
// the CSR into an x509 template; reject an empty Subject with
// ErrorMissingSubject; build the base request (newVRequest) carrying duration
// and the cert-manager origin tag; append the caller's customFields after
// convertCustomFieldsToVcert has checked their types; apply the zone's
// defaults to the request and validate it against the zone policy; set the
// friendly name; and finally attach the caller's CSR bytes as a user-provided
// CSR. Only the local request is defaulted — the CSR sent to Venafi is the
// unchanged input, and the server applies its own defaulting again.
//
// Returns the first error encountered in any of those steps.
func (v *Venafi) buildVReq(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (*certificate.Request, error) {
	// Retrieve a copy of the Venafi zone.
	// This contains default values and policy control info that we can apply
	// and check against locally.
	zoneCfg, err := v.vcertClient.ReadZoneConfiguration()
	if err != nil {
		return nil, err
	}

	tmpl, err := pki.CertificateTemplateFromCSRPEM(csrPEM)
	if err != nil {
		return nil, err
	}

	if tmpl.Subject.String() == "" {
		return nil, ErrorMissingSubject
	}

	// Create a vcert Request structure
	vreq := newVRequest(tmpl, duration)

	// Convert over custom fields from our struct type to venafi's
	vfields, err := convertCustomFieldsToVcert(customFields)
	if err != nil {
		return nil, err
	}
	vreq.CustomFields = append(vreq.CustomFields, vfields...)

	// Apply default values from the Venafi zone
	zoneCfg.UpdateCertificateRequest(vreq)

	// Here we are validating the request using the current policy with
	// defaulting applied to the CSR. The CSR we send will not be defaulted
	// however, as this will be done again server side.
	err = zoneCfg.ValidateCertificateRequest(vreq)
	if err != nil {
		return nil, err
	}

	friendlyName, err := getVcertFriendlyName(tmpl)
	if err != nil {
		return nil, err
	}
	vreq.FriendlyName = friendlyName

	// Set options on the request
	vreq.CsrOrigin = certificate.UserProvidedCSR

	// Set the request CSR with the passed value
	if err := vreq.SetCSR(csrPEM); err != nil {
		return nil, err
	}

	return vreq, nil
}
// convertCustomFieldsToVcert translates cert-manager custom fields into the
// vcert representation. Only the plain type is supported; an unset type is
// treated as plain, and any other type yields ErrCustomFieldsType.
// A nil slice is returned when customFields is empty.
func convertCustomFieldsToVcert(customFields []api.CustomField) ([]certificate.CustomField, error) {
	var converted []certificate.CustomField
	for _, f := range customFields {
		if f.Type != api.CustomFieldTypePlain && f.Type != "" {
			return nil, ErrCustomFieldsType{Type: f.Type}
		}
		converted = append(converted, certificate.CustomField{
			Type:  certificate.CustomFieldPlain,
			Name:  f.Name,
			Value: f.Value,
		})
	}
	return converted, nil
}
// newVRequest builds the base vcert request for the parsed CSR template.
// It pins the validity duration, lets any issuer fulfil the request, asks for
// the chain ordered root-last, copies the whole Subject from the template and
// tags the request with a cert-manager origin custom field.
func newVRequest(cert *x509.Certificate, duration time.Duration) *certificate.Request {
	validity := duration
	req := certificate.NewRequest(cert)
	req.ValidityDuration = &validity
	req.IssuerHint = util.IssuerHintAllIssuers
	req.ChainOption = certificate.ChainOptionRootLast
	// Replace the Subject wholesale rather than merging individual fields.
	req.Subject = cert.Subject
	origin := certificate.CustomField{
		Type:  certificate.CustomFieldOrigin,
		Value: "cert-manager",
	}
	req.CustomFields = []certificate.CustomField{origin}
	return req
}
// getVcertFriendlyName picks the value used as the Venafi certificate object
// name, in order of precedence: Subject CN, first DNS SAN, first URI SAN,
// first email SAN, first IP SAN. An error is returned when none is present.
func getVcertFriendlyName(crt *x509.Certificate) (string, error) {
	if cn := crt.Subject.CommonName; cn != "" {
		return cn, nil
	}
	if len(crt.DNSNames) != 0 {
		return crt.DNSNames[0], nil
	}
	if len(crt.URIs) != 0 {
		return crt.URIs[0].String(), nil
	}
	if len(crt.EmailAddresses) != 0 {
		return crt.EmailAddresses[0], nil
	}
	if len(crt.IPAddresses) != 0 {
		return crt.IPAddresses[0].String(), nil
	}
	return "", errors.New("certificate request contains no Common Name, DNS Name, nor URI SAN, at least one must be supplied to be used as the Venafi certificate objects name")
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"
"net/http"
"time"
vcert "github.com/Venafi/vcert/v5"
"github.com/Venafi/vcert/v5/pkg/certificate"
"github.com/Venafi/vcert/v5/pkg/endpoint"
"github.com/Venafi/vcert/v5/pkg/venafi/cloud"
"github.com/Venafi/vcert/v5/pkg/venafi/tpp"
"github.com/go-logr/logr"
"k8s.io/utils/ptr"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api"
"github.com/cert-manager/cert-manager/pkg/metrics"
"github.com/cert-manager/cert-manager/pkg/util"
)
const (
	// Keys looked up in the TPP credentials Secret by configForIssuer. A key
	// that is absent yields an empty credential rather than an error.
	tppUsernameKey    = "username"
	tppPasswordKey    = "password"
	tppAccessTokenKey = "access-token"
	tppClientIdKey    = "client-id"
	// Client ID sent with the TPP token request when the Secret has no client-id.
	defaultTppClientId = "cert-manager.io"
	// Setting Scope statically for simplicity
	tppScopes = "certificate:manage"
	// Key of the Venafi Cloud API token Secret when APITokenSecretRef.Key is unset.
	defaultAPIKeyKey = "api-key"
)
// VenafiClientBuilder is the constructor signature for producing an Interface
// for a given issuer; New satisfies it.
type VenafiClientBuilder func(namespace string, secretsLister internalinformers.SecretLister,
	issuer cmapi.GenericIssuer, metrics *metrics.Metrics, logger logr.Logger, userAgent string) (Interface, error)
// Interface implements a Venafi client
type Interface interface {
	// RequestCertificate submits the CSR and returns the request identifier
	// that RetrieveCertificate accepts as pickupID.
	RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error)
	// RetrieveCertificate fetches the issued certificate for pickupID as a
	// PEM bundle (leaf followed by chain).
	RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error)
	// Ping checks that the backend is reachable.
	Ping() error
	// ReadZoneConfiguration fetches the zone defaults and policy.
	ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error)
	// SetClient replaces the underlying vcert connector.
	SetClient(endpoint.Connector)
	// VerifyCredentials authenticates to the backend with the configured
	// credentials.
	VerifyCredentials() error
}
// Venafi is an implementation of vcert library to manager certificates from TPP or Venafi Cloud
type Venafi struct {
	// Namespace in which to read resources related to this Issuer from.
	// For Issuers, this will be the namespace of the Issuer.
	// For ClusterIssuers, this will be the cluster resource namespace.
	namespace     string
	secretsLister internalinformers.SecretLister
	// vcertClient is the connector used for all certificate operations. New
	// sets it to an instrumented wrapper; SetClient replaces it as-is.
	vcertClient connector
	// tppClient is the concrete TPP connector, nil for Cloud. It is kept
	// because the instrumented wrapper does not expose the TPP-only calls
	// (ResetCertificate, token verification and refresh).
	tppClient *tpp.Connector
	// cloudClient is the concrete Cloud connector, nil for TPP.
	cloudClient *cloud.Connector
	// config is the vcert configuration built by configForIssuer, including
	// the credentials that VerifyCredentials presents to the backend.
	config *vcert.Config
}
// connector exposes a subset of the vcert Connector interface to make stubbing
// out its functionality during tests easier.
type connector interface {
	// Ping checks backend reachability.
	Ping() (err error)
	// ReadZoneConfiguration returns the zone defaults and policy.
	ReadZoneConfiguration() (config *endpoint.ZoneConfiguration, err error)
	// RequestCertificate submits a request and returns its identifier.
	RequestCertificate(req *certificate.Request) (requestID string, err error)
	// RetrieveCertificate fetches the issued certificate and chain.
	RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
	// TODO: (irbekrm) this method is never used - can it be removed?
	RenewCertificate(req *certificate.RenewalRequest) (requestID string, err error)
}
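// New constructs a Venafi client Interface. Errors may be network errors and
// should be considered for retrying.
//
// Credentials are read from the Secret referenced by the issuer (see
// configForIssuer) and verified before returning, so a client handed back by
// New has already authenticated once. The raw vcert connector is wrapped in an
// instrumented connector for metrics and logging; the concrete
// *tpp.Connector or *cloud.Connector is kept alongside it because the wrapper
// does not expose the backend specific calls.
//
// Returns an error if the issuer configuration or its Secret cannot be read,
// if the vcert client cannot be created, if the connector type is neither TPP
// nor Cloud, or if credential verification fails.
func New(namespace string, secretsLister internalinformers.SecretLister, issuer cmapi.GenericIssuer, metrics *metrics.Metrics, logger logr.Logger, userAgent string) (Interface, error) {
	cfg, err := configForIssuer(issuer, secretsLister, namespace, userAgent)
	if err != nil {
		return nil, err
	}

	// Using `false` here ensures we do not immediately authenticate to the
	// Venafi backend. Doing so invokes a call which forces the use of APIKey
	// on the TPP side. This auth method has been removed since 22.4 of TPP.
	// This results in an APIKey usage error.
	// Reference code from vcert library which still refers to the APIKey.
	// ref: https://github.com/Venafi/vcert/blob/master/pkg/venafi/tpp/connector.go#L137-L146
	//
	// cert-manager uses the VerifyCredentials function below after the client
	// has been created.
	vcertClient, err := vcert.NewClient(cfg, false)
	if err != nil {
		// %w keeps the vcert error inspectable with errors.Is/As; the
		// rendered message is the same as before.
		return nil, fmt.Errorf("error creating Venafi client: %w", err)
	}

	var tppc *tpp.Connector
	var cc *cloud.Connector
	switch connectorType := vcertClient.GetType(); connectorType {
	case endpoint.ConnectorTypeTPP:
		// A failed assertion leaves tppc nil; VerifyCredentials then reports
		// that no backend client is set instead of panicking here.
		tppc, _ = vcertClient.(*tpp.Connector)
	case endpoint.ConnectorTypeCloud:
		cc, _ = vcertClient.(*cloud.Connector)
	default:
		return nil, fmt.Errorf("unsupported Venafi connector type: %v", connectorType)
	}

	instrumentedVCertClient := newInstrumentedConnector(vcertClient, metrics, logger)

	v := &Venafi{
		namespace:     namespace,
		secretsLister: secretsLister,
		vcertClient:   instrumentedVCertClient,
		cloudClient:   cc,
		tppClient:     tppc,
		config:        cfg,
	}

	// Since we did not authenticate when creating the client, authenticate
	// now to verify the credentials passed. Ensure that upon leaving this
	// function that credentials have been verified.
	if err := v.VerifyCredentials(); err != nil {
		return nil, err
	}
	return v, nil
}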
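// configForIssuer will convert a cert-manager Venafi issuer into a vcert.Config
// that can be used to instantiate an API client.
//
// Secret material is read through secretsLister from the given namespace.
// For TPP the username, password, access-token and client-id keys of
// CredentialsRef are read (the client-id falls back to defaultTppClientId) and
// the optional CA bundle is resolved by caBundleForVcertTPP. For Cloud the API
// key is read from APITokenSecretRef under its Key, or defaultAPIKeyKey when
// unset. A missing key is not an error here: the credential is simply empty
// and VerifyCredentials decides whether the remaining credentials suffice.
//
// Returns an error when the referenced Secret cannot be read or when neither a
// TPP nor a Cloud configuration is present.
func configForIssuer(iss cmapi.GenericIssuer, secretsLister internalinformers.SecretLister, namespace string, userAgent string) (*vcert.Config, error) {
	venaCfg := iss.GetSpec().Venafi
	switch {
	case venaCfg.TPP != nil:
		// Named tppCfg so the imported vcert tpp package is not shadowed.
		tppCfg := venaCfg.TPP
		tppSecret, err := secretsLister.Secrets(namespace).Get(tppCfg.CredentialsRef.Name)
		if err != nil {
			return nil, err
		}

		caBundle, err := caBundleForVcertTPP(tppCfg, secretsLister, namespace)
		if err != nil {
			return nil, err
		}

		username := string(tppSecret.Data[tppUsernameKey])
		password := string(tppSecret.Data[tppPasswordKey])
		clientId := string(tppSecret.Data[tppClientIdKey])
		// fallback to default client-id if not provided
		if clientId == "" {
			clientId = defaultTppClientId
		}
		accessToken := string(tppSecret.Data[tppAccessTokenKey])

		return &vcert.Config{
			ConnectorType: endpoint.ConnectorTypeTPP,
			BaseUrl:       tppCfg.URL,
			Zone:          venaCfg.Zone,
			// always enable verbose logging for now
			// NOTE(review): confirm vcert's verbose logging does not emit
			// credential material at this level.
			LogVerbose: true,
			// We supply the CA bundle here, to trigger the vcert's builtin
			// validation of the supplied PEM content.
			// This is somewhat redundant because the value (if valid) will be
			// ignored by vcert since we also supply a custom HTTP client,
			// below. But we want to retain the CA bundle validation errors that
			// were returned in previous versions of this code.
			// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/client.go#L55-L61
			ConnectionTrust: string(caBundle),
			Credentials: &endpoint.Authentication{
				User:        username,
				Password:    password,
				AccessToken: accessToken,
				ClientId:    clientId,
			},
			Client: httpClientForVcert(&httpClientForVcertOptions{
				UserAgent:               ptr.To(userAgent),
				CABundle:                caBundle,
				TLSRenegotiationSupport: ptr.To(tls.RenegotiateOnceAsClient),
			}),
		}, nil

	case venaCfg.Cloud != nil:
		// Named cloudCfg so the imported vcert cloud package is not shadowed.
		cloudCfg := venaCfg.Cloud
		cloudSecret, err := secretsLister.Secrets(namespace).Get(cloudCfg.APITokenSecretRef.Name)
		if err != nil {
			return nil, err
		}

		k := defaultAPIKeyKey
		if cloudCfg.APITokenSecretRef.Key != "" {
			k = cloudCfg.APITokenSecretRef.Key
		}
		apiKey := string(cloudSecret.Data[k])

		return &vcert.Config{
			ConnectorType: endpoint.ConnectorTypeCloud,
			BaseUrl:       cloudCfg.URL,
			Zone:          venaCfg.Zone,
			// always enable verbose logging for now
			// NOTE(review): confirm vcert's verbose logging does not emit
			// credential material at this level.
			LogVerbose: true,
			Credentials: &endpoint.Authentication{
				APIKey: apiKey,
			},
			// No CA bundle option exists for Cloud, so the client verifies
			// against the system roots.
			Client: httpClientForVcert(&httpClientForVcertOptions{
				UserAgent: ptr.To(userAgent),
			}),
		}, nil
	}

	// API validation in webhook and in the ClusterIssuer and Issuer controller
	// Sync functions should make this unreachable in production.
	return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
}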
// httpClientForVcertOptions contains options for `httpClientForVcert`, to allow
// you to customize the HTTP client.
type httpClientForVcertOptions struct {
	// UserAgent will add a User-Agent header to all HTTP requests.
	// nil leaves the transport's default behaviour.
	UserAgent *string
	// CABundle will override the CA certificates used to verify server
	// certificates. Empty means the system roots are used.
	CABundle []byte
	// TLSRenegotiationSupport will override the TLSRenegotiationSupport setting
	// of the client. nil keeps the Go default (renegotiation refused).
	TLSRenegotiationSupport *tls.RenegotiationSupport
}
// httpClientForVcert creates an HTTP client which matches the default HTTP client of vcert,
// but allows you to customize client TLS renegotiation, and User-Agent.
//
// Why is it necessary to create our own HTTP client for vcert?
//
// 1. We need to customize the client TLS renegotiation setting when connecting
// to certain TPP servers.
// 2. We need to customize the User-Agent header for all HTTP requests to Venafi
// REST API endpoints.
// 3. The vcert package does not currently provide an easier way to change those
// settings. See:
// * https://github.com/Venafi/vcert/issues/437
// * https://github.com/Venafi/vcert/issues/438
//
// Why is it necessary to customize the client TLS renegotiation?
//
// 1. The TPP API server is served by Microsoft Windows Server and IIS.
// 2. IIS uses TLS-1.2 by default[1] and it uses a
// TLS-1.2 feature called "renegotiation" to allow client certificate
// settings to be configured at the folder level. e.g.
// https://tpp.example.com/vedauth may Require or Accept client
// certificates while https://tpp.example.com/vedsdk may Ignore
// client certificates.
// 3. When IIS is configured this way it behaves as follows[2]:
// "Server receives a connection request on port 443; it begins a
// handshake. The server does not ask for a client certificate. Once
// the handshake is completed, the client sends the actual target URL
// as a HTTP request in the SSL tunnel. Up to that point, the server
// did not know which page was targeted; it only knew, at best, the
// intended server name (through the Server Name Indication). Now
// that the server knows which page is targeted, he knows which
// "site" (i.e. part of the server, in IIS terminology) is to be
// used."
// 4. In this scenario, the Go HTTP client MUST be configured to
// renegotiate (by default it will refuse to renegotiate).
// We use RenegotiateOnceAsClient rather than RenegotiateFreelyAsClient
// because cert-manager establishes a new HTTPS connection for each API
// request and therefore should only ever need to renegotiate once in this
// scenario.
//
// Why do we supply CA bundle in the HTTP client **and** in the vcert.Config?
//
// 1. Overriding the HTTP client causes vcert to ignore the
// `vcert.Config.ConnectionTrust` field, so we also have to set up the root
// CA trust pool ourselves.
// 2. And the value of RootCAs MUST be nil unless the user has supplied a
// custom CA, because a nil value causes the Go HTTP client to load the
// system default root CAs.
//
// [1] TLS protocol version support in Microsoft Windows: https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support
// [2] Should I use SSL/TLS renegotiation?: https://security.stackexchange.com/a/24569
func httpClientForVcert(options *httpClientForVcertOptions) *http.Client {
	// Copy vcert's default HTTP transport, which is mostly identical to the
	// http.DefaultTransport settings in Go's stdlib.
	// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
	dialer := &net.Dialer{
		Timeout:   30 * time.Second,
		KeepAlive: 30 * time.Second,
		// Note: This DualStack setting is copied from vcert but
		// deviates from the http.DefaultTransport in Go's stdlib.
		DualStack: true,
	}
	transport := &http.Transport{
		Proxy:                 http.ProxyFromEnvironment,
		DialContext:           dialer.DialContext,
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
	}

	// Start from the process-wide default TLS client config (as vcert does);
	// when none is set, require TLS 1.2 or newer.
	tlsCfg := http.DefaultTransport.(*http.Transport).TLSClientConfig.Clone()
	if tlsCfg == nil {
		tlsCfg = &tls.Config{MinVersion: tls.VersionTLS12}
	}

	if len(options.CABundle) > 0 {
		pool := x509.NewCertPool()
		// The boolean result is intentionally not checked: a bundle with no
		// parsable certificate leaves the pool empty, so every server
		// certificate is rejected (fail closed) rather than silently trusting
		// the system roots. The PEM content is validated separately by vcert
		// through vcert.Config.ConnectionTrust.
		pool.AppendCertsFromPEM(options.CABundle)
		tlsCfg.RootCAs = pool
	}
	if options.TLSRenegotiationSupport != nil {
		tlsCfg.Renegotiation = *options.TLSRenegotiationSupport
	}
	transport.TLSClientConfig = tlsCfg

	var rt http.RoundTripper = transport
	if options.UserAgent != nil {
		rt = util.UserAgentRoundTripper(transport, *options.UserAgent)
	}

	// Copy vcert's initialization of the HTTP client, which overrides the default timeout.
	// https://github.com/Venafi/vcert/blob/89645a7710a7b529765274cb60dc5e28066217a1/pkg/venafi/tpp/tpp.go#L481-L513
	return &http.Client{
		Transport: rt,
		Timeout:   time.Second * 30,
	}
}
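// caBundleForVcertTPP is used to by ConnectionTrust and Client fields of vcert.Config.
// This function sets appropriate CA based on provided bundle or kubernetes secret
// If no custom CA bundle is configured, an empty byte slice is returned.
// Assumes exactly one of the in-line/Secret CA bundles are defined.
// If the `key` of the Secret CA bundle is not defined, its value defaults to
// `ca.crt`.
//
// Precedence: a non-empty in-line CABundle wins; otherwise CABundleSecretRef
// is consulted; otherwise nil is returned and the caller falls back to the
// system roots. Returns an error when the referenced Secret cannot be read or
// does not contain the key.
//
// NOTE(review): a key that is present with empty data is returned as an empty
// bundle without error, and httpClientForVcert then uses the system roots —
// confirm that is the intended behaviour for a misconfigured CA Secret.
func caBundleForVcertTPP(tpp *cmapi.VenafiTPP, secretsLister internalinformers.SecretLister, namespace string) (caBundle []byte, err error) {
	if len(tpp.CABundle) > 0 {
		return tpp.CABundle, nil
	}

	secretRef := tpp.CABundleSecretRef
	if secretRef == nil {
		return nil, nil
	}

	secret, err := secretsLister.Secrets(namespace).Get(secretRef.Name)
	if err != nil {
		return nil, fmt.Errorf("could not access secret '%s/%s': %s", namespace, secretRef.Name, err)
	}

	key := secretRef.Key
	if key == "" {
		key = cmmeta.TLSCAKey
	}

	certBytes, ok := secret.Data[key]
	if !ok {
		return nil, fmt.Errorf("no data for %q in secret '%s/%s'", key, namespace, secretRef.Name)
	}
	return certBytes, nil
}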
// Ping delegates a reachability check to the underlying connector.
func (v *Venafi) Ping() error {
	client := v.vcertClient
	return client.Ping()
}
// ReadZoneConfiguration fetches the zone defaults and policy from the
// underlying connector.
func (v *Venafi) ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error) {
	client := v.vcertClient
	return client.ReadZoneConfiguration()
}
// SetClient replaces the connector used for certificate operations. The
// client is stored as given — it is not wrapped in the instrumented connector
// that New installs, and tppClient/cloudClient are left untouched.
func (v *Venafi) SetClient(client endpoint.Connector) {
	replacement := client
	v.vcertClient = replacement
}
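// VerifyCredentials will remotely verify the credentials for the client, both for TPP and Cloud
//
// Cloud: authenticates with the API key from the stored config. TPP: when an
// access token is configured it is verified as-is; otherwise the username and
// password are exchanged for a token pair (scope tppScopes) and the resulting
// access token is stored on the TPP connector via Authenticate. Errors are
// wrapped with the name of the failing vcert call.
//
// Returns an error when no connector is set, when credentials are missing, or
// when a TPP configuration has neither an access token nor a username and
// password pair (previously this last case fell through to the misleading
// "neither tppClient or cloudClient have been set" error).
func (v *Venafi) VerifyCredentials() error {
	switch {
	case v.cloudClient != nil:
		// Guard the dereference for a Venafi value not built by New;
		// configForIssuer always sets Credentials.
		if v.config == nil || v.config.Credentials == nil {
			return fmt.Errorf("credentials not configured")
		}
		err := v.cloudClient.Authenticate(&endpoint.Authentication{
			APIKey: v.config.Credentials.APIKey,
		})
		if err != nil {
			return fmt.Errorf("cloudClient.Authenticate: %w", err)
		}
		return nil

	case v.tppClient != nil:
		if v.config == nil || v.config.Credentials == nil {
			return fmt.Errorf("credentials not configured")
		}
		creds := v.config.Credentials

		if creds.AccessToken != "" {
			_, err := v.tppClient.VerifyAccessToken(&endpoint.Authentication{
				AccessToken: creds.AccessToken,
			})
			if err != nil {
				return fmt.Errorf("tppClient.VerifyAccessToken: %w", err)
			}
			return nil
		}

		if creds.User != "" && creds.Password != "" {
			// Use vcert library GetRefreshToken which brings back a token pair.
			// This includes the access_token which we set against the tppClient.
			// Replaces usage of v.tppClient.Authenticate function which would
			// have called the APIKey endpoint resulting in error.
			resp, err := v.tppClient.GetRefreshToken(&endpoint.Authentication{
				User:     creds.User,
				Password: creds.Password,
				ClientId: creds.ClientId,
				Scope:    tppScopes,
			})
			if err != nil {
				return fmt.Errorf("tppClient.GetRefreshToken: %w", err)
			}

			// Ensure that the access_token is stored on the tppClient object.
			err = v.tppClient.Authenticate(&endpoint.Authentication{
				AccessToken: resp.Access_token,
			})
			if err != nil {
				return fmt.Errorf("tppClient.Authenticate: %w", err)
			}
			return nil
		}

		// A TPP client with nothing usable to authenticate with; report that
		// precisely instead of claiming no client is configured.
		return fmt.Errorf("tppClient: neither an access-token nor a username and password have been configured")
	}

	return fmt.Errorf("neither tppClient or cloudClient have been set")
}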
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package logs
import (
"context"
"flag"
"fmt"
"github.com/go-logr/logr"
"github.com/spf13/pflag"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/component-base/logs"
logsapi "k8s.io/component-base/logs/api/v1"
"k8s.io/klog/v2"
"github.com/cert-manager/cert-manager/pkg/api"
_ "k8s.io/component-base/logs/json/register"
)
// Log is the package-wide fallback logger, used by FromContext when the
// context carries no logger.
var Log = klog.TODO().WithName("cert-manager")

const (
	// Following analog to https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
	// Verbosity levels, lowest (always shown) to highest.
	ErrorLevel        = 0
	WarnLevel         = 1
	InfoLevel         = 2
	ExtendedInfoLevel = 3
	DebugLevel        = 4
	TraceLevel        = 5
)
// InitLogs initializes logs the way we want for kubernetes.
// Contextual logging is switched on so that loggers can travel in a
// context.Context (see FromContext and NewContext).
func InitLogs() {
	logs.InitLogs()
	klog.EnableContextualLogging(true)
}
// AddFlagsNonDeprecated registers the supported component-base logging flags
// (logging-format, log-flush-frequency, v, vmodule) onto fs, dropping the
// other flags that logsapi.AddFlags would define.
func AddFlagsNonDeprecated(opts *logsapi.LoggingConfiguration, fs *pflag.FlagSet) {
	// Collect everything into a scratch set, then copy over only the
	// flags cert-manager exposes.
	var scratch pflag.FlagSet
	logsapi.AddFlags(opts, &scratch)
	scratch.VisitAll(func(f *pflag.Flag) {
		if isSupportedLogFlag(f.Name) {
			fs.AddFlag(f)
		}
	})
}

// isSupportedLogFlag reports whether name is one of the logsapi flags that
// cert-manager exposes without deprecation.
func isSupportedLogFlag(name string) bool {
	switch name {
	case "logging-format", "log-flush-frequency", "v", "vmodule":
		return true
	}
	return false
}
// AddFlags registers the cert-manager logging flags onto fs: a fixed list of
// legacy klog flags, re-exported as hidden and deprecated, followed by the
// supported flags from AddFlagsNonDeprecated.
func AddFlags(opts *logsapi.LoggingConfiguration, fs *pflag.FlagSet) {
	var klogFlags flag.FlagSet
	klog.InitFlags(&klogFlags)
	klogFlags.VisitAll(func(f *flag.Flag) {
		switch f.Name {
		case "add_dir_header", "alsologtostderr", "log_backtrace_at", "log_dir", "log_file", "log_file_max_size",
			"logtostderr", "one_output", "skip_headers", "skip_log_headers", "stderrthreshold":
			// kept for compatibility, see below
		default:
			return
		}
		legacy := pflag.PFlagFromGoFlag(f)
		legacy.Deprecated = "this flag may be removed in the future"
		legacy.Hidden = true
		fs.AddFlag(legacy)
	})

	AddFlagsNonDeprecated(opts, fs)
}
// ValidateAndApply validates the logging configuration and applies it to the
// process-wide loggers; no feature gates are passed through.
func ValidateAndApply(opts *logsapi.LoggingConfiguration) error {
	err := logsapi.ValidateAndApply(opts, nil)
	return err
}
// FlushLogs flushes logs immediately.
// Thin wrapper so callers only depend on this package.
func FlushLogs() {
	logs.FlushLogs()
}
const (
	// Structured log keys attached by WithResource for the object being
	// reconciled.
	ResourceNameKey      = "resource_name"
	ResourceNamespaceKey = "resource_namespace"
	ResourceKindKey      = "resource_kind"
	ResourceVersionKey   = "resource_version"

	// Structured log keys attached by WithRelatedResource and
	// WithRelatedResourceName for a secondary object.
	RelatedResourceNameKey      = "related_resource_name"
	RelatedResourceNamespaceKey = "related_resource_namespace"
	RelatedResourceKindKey      = "related_resource_kind"
	RelatedResourceVersionKey   = "related_resource_version"
)
// WithResource returns l with the name, namespace, kind and version of obj
// attached under the Resource*Key keys. Kind and version are resolved through
// api.Scheme and are left empty when obj is not a runtime.Object or the scheme
// does not know it.
func WithResource(l logr.Logger, obj metav1.Object) logr.Logger {
	var gvk schema.GroupVersionKind
	runtimeObj, isRuntimeObj := obj.(runtime.Object)
	if isRuntimeObj {
		if kinds, _, _ := api.Scheme.ObjectKinds(runtimeObj); len(kinds) != 0 {
			gvk = kinds[0]
		}
	}
	return l.WithValues(
		ResourceNameKey, obj.GetName(),
		ResourceNamespaceKey, obj.GetNamespace(),
		ResourceKindKey, gvk.Kind,
		ResourceVersionKey, gvk.Version,
	)
}
// WithRelatedResource returns l with the name, namespace, kind and version of
// obj attached under the RelatedResource*Key keys. Kind and version are
// resolved through api.Scheme and are left empty when obj is not a
// runtime.Object or the scheme does not know it.
func WithRelatedResource(l logr.Logger, obj metav1.Object) logr.Logger {
	var gvk schema.GroupVersionKind
	runtimeObj, isRuntimeObj := obj.(runtime.Object)
	if isRuntimeObj {
		if kinds, _, _ := api.Scheme.ObjectKinds(runtimeObj); len(kinds) != 0 {
			gvk = kinds[0]
		}
	}
	return l.WithValues(
		RelatedResourceNameKey, obj.GetName(),
		RelatedResourceNamespaceKey, obj.GetNamespace(),
		RelatedResourceKindKey, gvk.Kind,
		RelatedResourceVersionKey, gvk.Version,
	)
}
// WithRelatedResourceName attaches a related object's name, namespace and kind
// to l without needing the object itself; no version key is set.
func WithRelatedResourceName(l logr.Logger, name, namespace, kind string) logr.Logger {
	keysAndValues := []interface{}{
		RelatedResourceNameKey, name,
		RelatedResourceNamespaceKey, namespace,
		RelatedResourceKindKey, kind,
	}
	return l.WithValues(keysAndValues...)
}
// FromContext returns the logger stored in ctx, or the package Log when ctx
// carries none, with each of names appended as a logger name segment.
func FromContext(ctx context.Context, names ...string) logr.Logger {
	logger, err := logr.FromContext(ctx)
	if err != nil {
		// No logger in the context: fall back to the package default.
		logger = Log
	}
	for i := range names {
		logger = logger.WithName(names[i])
	}
	return logger
}
// NewContext returns a child of ctx carrying l, after appending each of names
// as a logger name segment.
func NewContext(ctx context.Context, l logr.Logger, names ...string) context.Context {
	named := l
	for i := range names {
		named = named.WithName(names[i])
	}
	return logr.NewContext(ctx, named)
}
// LogWithFormat is a wrapper for logger that adds Infof method to log messages
// with the given format and arguments.
//
// Used as a patch to the controller eventBroadcaster for sending non-string objects.
type LogWithFormat struct {
	// Embedded so every logr.Logger method remains available directly.
	logr.Logger
}
// WithInfof wraps l so that it also offers an Infof method.
func WithInfof(l logr.Logger) *LogWithFormat {
	wrapped := LogWithFormat{Logger: l}
	return &wrapped
}
// Infof logs message with the given format and arguments.
// The message is rendered with fmt.Sprintf before being handed to Info, so no
// structured key/value pairs are attached.
func (l *LogWithFormat) Infof(format string, a ...interface{}) {
	msg := fmt.Sprintf(format, a...)
	l.Info(msg)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package metrics
import (
"time"
)
// ObserveACMERequestDuration increases bucket counters for that ACME client duration.
// labels must match the acme_client_request_duration_seconds label set
// (scheme, host, path, method, status) in order.
func (m *Metrics) ObserveACMERequestDuration(duration time.Duration, labels ...string) {
	seconds := duration.Seconds()
	m.acmeClientRequestDurationSeconds.WithLabelValues(labels...).Observe(seconds)
}
// IncrementACMERequestCount increases the acme client request counter.
// labels must match the acme_client_request_count label set
// (scheme, host, path, method, status) in order.
func (m *Metrics) IncrementACMERequestCount(labels ...string) {
	counter := m.acmeClientRequestCount.WithLabelValues(labels...)
	counter.Inc()
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package metrics contains global structures related to metrics collection
// cert-manager exposes the following metrics:
// certificate_expiration_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group}
// certificate_renewal_timestamp_seconds{name, namespace, issuer_name, issuer_kind, issuer_group}
// certificate_ready_status{name, namespace, condition, issuer_name, issuer_kind, issuer_group}
// certificate_challenge_status{status, domain, reason, processing, id, type}
// acme_client_request_count{"scheme", "host", "path", "method", "status"}
// acme_client_request_duration_seconds{"scheme", "host", "path", "method", "status"}
// venafi_client_request_duration_seconds{"scheme", "host", "path", "method", "status"}
// controller_sync_call_count{"controller"}
package metrics
import (
"net"
"net/http"
"time"
"github.com/go-logr/logr"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/collectors"
"github.com/prometheus/client_golang/prometheus/promhttp"
"k8s.io/utils/clock"
cmcollectors "github.com/cert-manager/cert-manager/internal/collectors"
cmacmelisters "github.com/cert-manager/cert-manager/pkg/client/listers/acme/v1"
cmlisters "github.com/cert-manager/cert-manager/pkg/client/listers/certmanager/v1"
)
const (
	// Namespace is the namespace for cert-manager metric names
	namespace = "certmanager"

	// Timeouts and header limit applied to the metrics http.Server built by
	// NewServer, so a slow or oversized scrape request cannot hold a
	// connection open indefinitely.
	prometheusMetricsServerReadTimeout    = 8 * time.Second
	prometheusMetricsServerWriteTimeout   = 8 * time.Second
	prometheusMetricsServerMaxHeaderBytes = 1 << 20 // 1 MiB
)
// Metrics is designed to be a shared object for updating the metrics exposed
// by cert-manager
type Metrics struct {
	log logr.Logger
	// registry is private to cert-manager; the process and Go collectors are
	// registered in New, everything else in NewServer.
	registry *prometheus.Registry

	// Deprecated counter kept for compatibility; see New.
	clockTimeSeconds prometheus.CounterFunc
	// Gauge replacement for clockTimeSeconds.
	clockTimeSecondsGauge prometheus.GaugeFunc

	acmeClientRequestDurationSeconds   *prometheus.SummaryVec
	acmeClientRequestCount             *prometheus.CounterVec
	venafiClientRequestDurationSeconds *prometheus.SummaryVec
	controllerSyncCallCount            *prometheus.CounterVec
	controllerSyncErrorCount           *prometheus.CounterVec

	// Optional collectors, set by SetupACMECollector and
	// SetupCertificateCollector; nil until then and only registered if set.
	challengeCollector   prometheus.Collector
	certificateCollector prometheus.Collector
}
// New creates a Metrics struct and populates it with prometheus metric types.
//
// Only the process and Go runtime collectors are registered here; the
// cert-manager specific metrics constructed below are registered later by
// NewServer. The clock c is sampled on every scrape of the two clock metrics.
func New(log logr.Logger, c clock.Clock) *Metrics {
	// Both clock metrics report the same value.
	unixNow := func() float64 {
		return float64(c.Now().Unix())
	}

	// Deprecated in favour of clock_time_seconds_gauge.
	clockTimeSeconds := prometheus.NewCounterFunc(
		//nolint:promlinter // This metric is deprecated and should be removed
		prometheus.CounterOpts{
			Namespace: namespace,
			Name:      "clock_time_seconds",
			Help:      "DEPRECATED: use clock_time_seconds_gauge instead. The clock time given in seconds (from 1970/01/01 UTC).",
		},
		unixNow,
	)

	// The clockTimeSeconds metric was first added, however this was
	// erroneously made a "counter" metric type. Time can in fact go backwards,
	// see:
	// - https://github.com/cert-manager/cert-manager/issues/4560
	// - https://www.robustperception.io/are-increasing-timestamps-counters-or-gauges
	// In order to not break users relying on the `clock_time_seconds` metric,
	// a new `clock_time_seconds_gauge` metric of type gauge is added which
	// implements the same thing.
	clockTimeSecondsGauge := prometheus.NewGaugeFunc(
		//nolint:promlinter
		prometheus.GaugeOpts{
			Namespace: namespace,
			Name:      "clock_time_seconds_gauge",
			Help:      "The clock time given in seconds (from 1970/01/01 UTC).",
		},
		unixNow,
	)

	// Number of requests made to each endpoint by the ACME client.
	acmeClientRequestCount := prometheus.NewCounterVec(
		//nolint:promlinter
		prometheus.CounterOpts{
			Namespace: namespace,
			Name:      "acme_client_request_count",
			Help:      "The number of requests made by the ACME client.",
			Subsystem: "http",
		},
		[]string{"scheme", "host", "path", "method", "status"},
	)

	// Request latencies for the ACME client.
	acmeClientRequestDurationSeconds := prometheus.NewSummaryVec(
		prometheus.SummaryOpts{
			Namespace:  namespace,
			Name:       "acme_client_request_duration_seconds",
			Help:       "The HTTP request latencies in seconds for the ACME client.",
			Subsystem:  "http",
			Objectives: map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001},
		},
		[]string{"scheme", "host", "path", "method", "status"},
	)

	// API call latencies for the Venafi client. This metric is in alpha
	// since cert-manager 1.9. Move it to GA once we have seen that it helps
	// to measure Venafi call latency.
	venafiClientRequestDurationSeconds := prometheus.NewSummaryVec(
		prometheus.SummaryOpts{
			Namespace:  namespace,
			Name:       "venafi_client_request_duration_seconds",
			Help:       "ALPHA: The HTTP request latencies in seconds for the Venafi client. This metric is currently alpha as we would like to understand whether it helps to measure Venafi call latency. Please leave feedback if you have any.",
			Subsystem:  "http",
			Objectives: map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001},
		},
		[]string{"api_call"},
	)

	// Per-controller sync() call and error counters.
	controllerSyncCallCount := prometheus.NewCounterVec(
		//nolint:promlinter
		prometheus.CounterOpts{
			Namespace: namespace,
			Name:      "controller_sync_call_count",
			Help:      "The number of sync() calls made by a controller.",
		},
		[]string{"controller"},
	)
	controllerSyncErrorCount := prometheus.NewCounterVec(
		//nolint:promlinter
		prometheus.CounterOpts{
			Namespace: namespace,
			Name:      "controller_sync_error_count",
			Help:      "The number of errors encountered during controller sync().",
		},
		[]string{"controller"},
	)

	// Private registry with the recommended runtime collectors.
	registry := prometheus.NewRegistry()
	registry.MustRegister(
		collectors.NewProcessCollector(collectors.ProcessCollectorOpts{}),
		collectors.NewGoCollector(),
	)

	return &Metrics{
		log:                                log.WithName("metrics"),
		registry:                           registry,
		clockTimeSeconds:                   clockTimeSeconds,
		clockTimeSecondsGauge:              clockTimeSecondsGauge,
		acmeClientRequestCount:             acmeClientRequestCount,
		acmeClientRequestDurationSeconds:   acmeClientRequestDurationSeconds,
		venafiClientRequestDurationSeconds: venafiClientRequestDurationSeconds,
		controllerSyncCallCount:            controllerSyncCallCount,
		controllerSyncErrorCount:           controllerSyncErrorCount,
	}
}
// SetupACMECollector installs the challenge collector backed by acmeInformers.
// It is only registered once NewServer runs.
func (m *Metrics) SetupACMECollector(acmeInformers cmacmelisters.ChallengeLister) {
	collector := cmcollectors.NewACMECollector(acmeInformers)
	m.challengeCollector = collector
}
// SetupCertificateCollector installs the certificate collector backed by
// certLister. It is only registered once NewServer runs.
func (m *Metrics) SetupCertificateCollector(certLister cmlisters.CertificateLister) {
	collector := cmcollectors.NewCertificateCollector(certLister)
	m.certificateCollector = collector
}
// NewServer registers Prometheus metrics and returns a new Prometheus metrics HTTP server.
//
// The returned server exposes only /metrics, is bound to ln's address, and
// carries the read/write timeouts and header limit from the package
// constants. The caller is responsible for serving and shutting it down.
// NOTE(review): the metrics are registered with MustRegister on every call,
// which panics on a duplicate registration, so this is presumably meant to be
// called once per Metrics — confirm.
func (m *Metrics) NewServer(ln net.Listener) *http.Server {
	always := []prometheus.Collector{
		m.clockTimeSeconds,
		m.clockTimeSecondsGauge,
		m.acmeClientRequestDurationSeconds,
		m.venafiClientRequestDurationSeconds,
		m.acmeClientRequestCount,
		m.controllerSyncCallCount,
		m.controllerSyncErrorCount,
	}
	for _, collector := range always {
		m.registry.MustRegister(collector)
	}
	// The object collectors are optional (see SetupACMECollector and
	// SetupCertificateCollector).
	for _, optional := range []prometheus.Collector{m.challengeCollector, m.certificateCollector} {
		if optional != nil {
			m.registry.MustRegister(optional)
		}
	}

	mux := http.NewServeMux()
	mux.Handle("/metrics", promhttp.HandlerFor(m.registry, promhttp.HandlerOpts{}))

	return &http.Server{
		Addr:           ln.Addr().String(),
		ReadTimeout:    prometheusMetricsServerReadTimeout,
		WriteTimeout:   prometheusMetricsServerWriteTimeout,
		MaxHeaderBytes: prometheusMetricsServerMaxHeaderBytes,
		Handler:        mux,
	}
}
// IncrementSyncCallCount will increase the sync counter for that controller.
// controllerName becomes the "controller" label value of the counter.
func (m *Metrics) IncrementSyncCallCount(controllerName string) {
	counter := m.controllerSyncCallCount.WithLabelValues(controllerName)
	counter.Inc()
}
// IncrementSyncErrorCount will increase count of errors during sync of that controller.
// controllerName becomes the "controller" label value of the counter.
func (m *Metrics) IncrementSyncErrorCount(controllerName string) {
	counter := m.controllerSyncErrorCount.WithLabelValues(controllerName)
	counter.Inc()
}
/*
Copyright 2022 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package metrics
import (
"time"
)
// ObserveVenafiRequestDuration increases bucket counters for that Venafi client duration.
// duration is recorded in seconds; labels are the label values, in the order
// the summary vector declares them.
func (m *Metrics) ObserveVenafiRequestDuration(duration time.Duration, labels ...string) {
	seconds := duration.Seconds()
	m.venafiClientRequestDurationSeconds.WithLabelValues(labels...).Observe(seconds)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package scheduler
import (
"sync"
"time"
"k8s.io/utils/clock"
)
// afterFunc is a clock-aware stand-in for time.AfterFunc: it runs f once the
// timer obtained from c fires after d, unless the returned cancel is called
// first. cancel may be called concurrently and more than once. The waiting
// goroutine always terminates, because it calls cancel itself on the way out
// (after f has run, or after an external cancellation).
func afterFunc(c clock.Clock, d time.Duration, f func()) (cancel func()) {
	var (
		timer    = c.NewTimer(d)
		done     = make(chan struct{})
		stopOnce sync.Once
	)

	cancel = func() {
		timer.Stop()
		stopOnce.Do(func() { close(done) })
	}

	go func() {
		defer cancel()
		select {
		case <-done:
		case <-timer.C():
			// The timer channel is never closed (see timer.Stop), so a
			// receive here always means the timer actually fired.
			f()
		}
	}()

	return cancel
}
// ProcessFunc is a function to process an item in the work queue. It is
// invoked from the timer goroutine that afterFunc starts, not from the
// goroutine that called Add.
type ProcessFunc[T comparable] func(T)
// ScheduledWorkQueue is an interface to describe a queue that will execute the
// given ProcessFunc with the object given to Add once the time.Duration is up,
// since the time of calling Add. Items are keyed by value (T is comparable),
// so each distinct object has at most one pending execution.
type ScheduledWorkQueue[T comparable] interface {
	// Add will add an item to this queue, executing the ProcessFunc after the
	// Duration has come (since the time Add was called). If an existing Timer
	// for obj already exists, the previous timer will be cancelled.
	Add(T, time.Duration)
	// Forget will cancel the timer for the given object, if the timer exists.
	// It is a no-op for objects that are not pending.
	Forget(T)
}
// scheduledWorkQueue is the ScheduledWorkQueue implementation: one
// cancellable timer per pending item, tracked in work.
type scheduledWorkQueue[T comparable] struct {
	// processFunc runs when an item's delay elapses (from the timer goroutine).
	processFunc ProcessFunc[T]
	// clock supplies the timers, so tests can substitute a fake clock.
	clock clock.Clock
	// work maps each pending item to the cancel function of its timer.
	// Guarded by workLock.
	work     map[T]func()
	workLock sync.Mutex
	// Testing purposes.
	afterFunc func(clock.Clock, time.Duration, func()) func()
}
// NewScheduledWorkQueue will create a new workqueue with the given processFunc.
// Timers are created through clock, and the package-level afterFunc is used
// to wait on them.
func NewScheduledWorkQueue[T comparable](clock clock.Clock, processFunc ProcessFunc[T]) ScheduledWorkQueue[T] {
	q := new(scheduledWorkQueue[T])
	q.processFunc = processFunc
	q.clock = clock
	q.work = map[T]func(){}
	q.afterFunc = afterFunc
	return q
}
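// Add will add an item to this queue, executing the ProcessFunc after the
// Duration has come (since the time Add was called). If an existing Timer for
// obj already exists, the previous timer will be cancelled.
//
// The timer is created through the queue's afterFunc hook (the field exists
// so tests can inject a fake), falling back to the package-level afterFunc
// when the hook is unset, e.g. for a queue built as a bare struct literal.
func (s *scheduledWorkQueue[T]) Add(obj T, duration time.Duration) {
	s.workLock.Lock()
	defer s.workLock.Unlock()

	// Re-adding an item replaces its pending timer.
	if cancel, ok := s.work[obj]; ok {
		cancel()
		delete(s.work, obj)
	}

	schedule := s.afterFunc
	if schedule == nil {
		schedule = afterFunc
	}

	s.work[obj] = schedule(s.clock, duration, func() {
		// Forget runs after processFunc returns. Note that if processFunc
		// re-Adds obj, that fresh timer is what this deferred Forget removes.
		defer s.Forget(obj)
		s.processFunc(obj)
	})
}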
// Forget will cancel the timer for the given object, if the timer exists.
// Objects with no pending timer are ignored.
func (s *scheduledWorkQueue[T]) Forget(obj T) {
	s.workLock.Lock()
	defer s.workLock.Unlock()

	cancel, pending := s.work[obj]
	if !pending {
		return
	}
	cancel()
	delete(s.work, obj)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package errors
import (
	"errors"
	"fmt"
)
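// invalidDataError marks errors caused by malformed or missing input data
// (for example a Secret without the expected key), so callers can tell them
// apart from transient failures with IsInvalidData.
type invalidDataError struct{ error }

// Unwrap exposes the formatted error so errors.Is/errors.As can reach a
// cause wrapped with %w in NewInvalidData.
func (e *invalidDataError) Unwrap() error { return e.error }

// NewInvalidData returns an error whose message is fmt.Errorf(str, obj...)
// and which IsInvalidData reports as invalid data.
func NewInvalidData(str string, obj ...interface{}) error {
	return &invalidDataError{error: fmt.Errorf(str, obj...)}
}

// IsInvalidData reports whether err is, or wraps, an error created by
// NewInvalidData. Wrapping (fmt.Errorf with %w, errors.Join) is followed via
// errors.As, so adding context to such an error does not hide its class.
// A nil err yields false.
func IsInvalidData(err error) bool {
	var target *invalidDataError
	return errors.As(err, &target)
}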
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kube
import (
"context"
"crypto"
"crypto/x509"
corev1 "k8s.io/api/core/v1"
internalinformers "github.com/cert-manager/cert-manager/internal/informers"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/util/errors"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
// SecretTLSKeyRef will decode a PKCS1/SEC1 (in effect, a RSA or ECDSA) private key stored in a
// secret with 'name' in 'namespace'. It will read the private key data from the secret
// entry with name 'keyName'.
//
// Lister errors (including not-found) are returned unchanged; a missing entry
// or undecodable key is reported via ParseTLSKeyFromSecret as invalid data.
// ctx is accepted for interface symmetry and is not used by the lister lookup.
func SecretTLSKeyRef(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name, keyName string) (crypto.Signer, error) {
	secret, err := secretLister.Secrets(namespace).Get(name)
	if err != nil {
		return nil, err
	}
	// Only the parsed signer is surfaced; the raw PEM bytes are dropped here.
	// ParseTLSKeyFromSecret returns a nil signer on error, so the pair can be
	// passed straight through.
	signer, _, err := ParseTLSKeyFromSecret(secret, keyName)
	return signer, err
}
// SecretTLSKey will decode a PKCS1/SEC1 (in effect, a RSA or ECDSA) private key stored in a
// secret with 'name' in 'namespace'. The key is read from the standard
// tls.key entry (corev1.TLSPrivateKeyKey); use SecretTLSKeyRef to read a
// differently named entry.
func SecretTLSKey(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name string) (crypto.Signer, error) {
	const keyName = corev1.TLSPrivateKeyKey
	return SecretTLSKeyRef(ctx, secretLister, namespace, name, keyName)
}
// ParseTLSKeyFromSecret will parse and decode a private key from the given
// Secret at the given key index.
//
// Returns the signer, the raw bytes read from secret.Data[keyName], and an
// error. A missing entry yields (nil, nil, invalid-data error); a decode
// failure yields (nil, rawBytes, invalid-data error) — the raw bytes are
// still handed back in that case.
func ParseTLSKeyFromSecret(secret *corev1.Secret, keyName string) (crypto.Signer, []byte, error) {
	pemBytes, present := secret.Data[keyName]
	if !present {
		return nil, nil, errors.NewInvalidData("no data for %q in secret '%s/%s'", keyName, secret.Namespace, secret.Name)
	}

	signer, err := pki.DecodePrivateKeyBytes(pemBytes)
	if err != nil {
		return nil, pemBytes, errors.NewInvalidData("%s", err)
	}
	return signer, pemBytes, nil
}
// SecretTLSCertChain looks up the Secret 'name' in 'namespace' through the
// lister and decodes the PEM certificate chain stored under tls.crt
// (corev1.TLSCertKey).
//
// Lister errors are returned unchanged. A missing tls.crt entry or a chain
// that fails to decode is reported as invalid data; in the decode-failure
// case whatever the decoder returned is passed back alongside the error.
func SecretTLSCertChain(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name string) ([]*x509.Certificate, error) {
	secret, err := secretLister.Secrets(namespace).Get(name)
	if err != nil {
		return nil, err
	}

	certPEM, present := secret.Data[corev1.TLSCertKey]
	if !present {
		return nil, errors.NewInvalidData("no data for %q in secret '%s/%s'", corev1.TLSCertKey, namespace, name)
	}

	chain, err := pki.DecodeX509CertificateChainBytes(certPEM)
	if err != nil {
		return chain, errors.NewInvalidData("%s", err)
	}
	return chain, nil
}
// SecretTLSKeyPairAndCA returns the X.509 certificate chain and private key of
// the leaf certificate contained in the target Secret. If the ca.crt field exists
// on the Secret, it is parsed and added to the end of the certificate chain.
//
// An absent or empty ca.crt is not an error: the chain is returned as
// stored. A ca.crt that fails to decode is reported as invalid data, with
// the already-decoded key still returned. Note that the Secret is fetched
// from the lister twice (once inside SecretTLSKeyPair and once here), so
// under a concurrent update ca.crt may be read from a newer cached object
// than tls.crt/tls.key.
func SecretTLSKeyPairAndCA(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
	chain, signer, err := SecretTLSKeyPair(ctx, secretLister, namespace, name)
	if err != nil {
		return nil, nil, err
	}

	secret, err := secretLister.Secrets(namespace).Get(name)
	if err != nil {
		return nil, nil, err
	}

	// Missing key and empty value are treated alike.
	caPEM := secret.Data[cmmeta.TLSCAKey]
	if len(caPEM) == 0 {
		return chain, signer, nil
	}

	ca, err := pki.DecodeX509CertificateBytes(caPEM)
	if err != nil {
		return nil, signer, errors.NewInvalidData("%s", err)
	}
	return append(chain, ca), signer, nil
}
// SecretTLSKeyPair reads the private key (tls.key) and certificate chain
// (tls.crt) from the Secret 'name' in 'namespace'.
//
// Lister errors are returned unchanged. Missing or undecodable entries are
// reported as invalid data; the key is checked first, and if the key parses
// but the certificate entry is missing or invalid, the parsed key is still
// returned together with the error.
func SecretTLSKeyPair(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
	secret, err := secretLister.Secrets(namespace).Get(name)
	if err != nil {
		return nil, nil, err
	}
	data := secret.Data

	keyPEM, hasKey := data[corev1.TLSPrivateKeyKey]
	if !hasKey {
		return nil, nil, errors.NewInvalidData("no private key data for %q in secret '%s/%s'", corev1.TLSPrivateKeyKey, namespace, name)
	}
	signer, err := pki.DecodePrivateKeyBytes(keyPEM)
	if err != nil {
		return nil, nil, errors.NewInvalidData("%s", err)
	}

	certPEM, hasCert := data[corev1.TLSCertKey]
	if !hasCert {
		return nil, signer, errors.NewInvalidData("no certificate data for %q in secret '%s/%s'", corev1.TLSCertKey, namespace, name)
	}
	chain, err := pki.DecodeX509CertificateChainBytes(certPEM)
	if err != nil {
		return nil, signer, errors.NewInvalidData("%s", err)
	}
	return chain, signer, nil
}
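// SecretTLSCert returns the leaf (first) certificate of the tls.crt chain in
// the Secret 'name' in 'namespace'.
//
// Errors from SecretTLSCertChain are returned unchanged. A chain that decoded
// without error but holds no certificates is reported as invalid data rather
// than indexing past the end of the slice.
func SecretTLSCert(ctx context.Context, secretLister internalinformers.SecretLister, namespace, name string) (*x509.Certificate, error) {
	certs, err := SecretTLSCertChain(ctx, secretLister, namespace, name)
	if err != nil {
		return nil, err
	}
	if len(certs) == 0 {
		return nil, errors.NewInvalidData("no certificates found in %q of secret '%s/%s'", corev1.TLSCertKey, namespace, name)
	}
	return certs[0], nil
}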
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file contains some code copied from the Go standard library under the following license: https://github.com/golang/go/blob/c95fe91d0715dc0a8d55ac80a80f383c3635548b/LICENSE
package pki
import (
"encoding/asn1"
"errors"
"fmt"
"strconv"
"strings"
"unicode"
"unicode/utf8"
)
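// ParseObjectIdentifier parses an object identifier from its dotted-decimal
// string representation, e.g. "1.2.840.113549".
//
// Every component must be a non-negative decimal integer. The empty string,
// an empty component ("1..2"), a non-numeric component and a negative
// component are all rejected. Structural rules on the first two arcs are
// not checked here; encoding/asn1 applies them when the OID is marshalled.
func ParseObjectIdentifier(oidString string) (oid asn1.ObjectIdentifier, err error) {
	if oidString == "" {
		return nil, errors.New("zero length OBJECT IDENTIFIER")
	}

	parts := strings.Split(oidString, ".")
	oid = make(asn1.ObjectIdentifier, 0, len(parts))
	for _, part := range parts {
		value, err := strconv.Atoi(part)
		if err != nil {
			return nil, err
		}
		// Atoi accepts a leading '-'; OID arcs are unsigned.
		if value < 0 {
			return nil, fmt.Errorf("invalid OBJECT IDENTIFIER %q: negative component %d", oidString, value)
		}
		oid = append(oid, value)
	}
	return oid, nil
}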
// UniversalValueType identifies which single field of a UniversalValue is set.
type UniversalValueType int

const (
	// UniversalValueTypeBytes: the value is already-encoded DER held in Bytes.
	UniversalValueTypeBytes UniversalValueType = iota
	UniversalValueTypeIA5String
	UniversalValueTypeUTF8String
	UniversalValueTypePrintableString
)

// UniversalValue is a one-of: exactly one field is expected to be set.
// Bytes counts as set when it is non-nil (an empty non-nil slice included);
// the string fields count as set when non-empty.
type UniversalValue struct {
	Bytes           []byte
	IA5String       string
	UTF8String      string
	PrintableString string
}

// Type reports which field of uv is set, or -1 when none or more than one is.
func (uv UniversalValue) Type() UniversalValueType {
	var (
		populated int
		kind      UniversalValueType = -1
	)
	mark := func(t UniversalValueType) {
		populated++
		kind = t
	}

	if uv.Bytes != nil {
		mark(UniversalValueTypeBytes)
	}
	if uv.IA5String != "" {
		mark(UniversalValueTypeIA5String)
	}
	if uv.UTF8String != "" {
		mark(UniversalValueTypeUTF8String)
	}
	if uv.PrintableString != "" {
		mark(UniversalValueTypePrintableString)
	}

	if populated != 1 {
		return -1 // Either no field is set or two fields are set.
	}
	return kind
}
// MarshalUniversalValue DER-encodes uv as a universal-class string of the
// matching tag, after validating that the string is legal for that type.
// A Bytes value is returned untouched (it is assumed to be DER already).
// Returns an error when uv has zero or several fields set, or when the
// string violates its type's character set.
func MarshalUniversalValue(uv UniversalValue) ([]byte, error) {
	uvType := uv.Type()
	switch uvType {
	case -1:
		return nil, errors.New("UniversalValue should have exactly one field set")
	case UniversalValueTypeBytes:
		return uv.Bytes, nil
	}

	var (
		tag int
		s   string
	)
	switch uvType {
	case UniversalValueTypeIA5String:
		if isIA5String(uv.IA5String) != nil {
			return nil, errors.New("asn1: invalid IA5 string")
		}
		tag, s = asn1.TagIA5String, uv.IA5String
	case UniversalValueTypeUTF8String:
		if !utf8.ValidString(uv.UTF8String) {
			return nil, errors.New("asn1: invalid UTF-8 string")
		}
		tag, s = asn1.TagUTF8String, uv.UTF8String
	case UniversalValueTypePrintableString:
		if !isPrintable(uv.PrintableString) {
			return nil, errors.New("asn1: invalid PrintableString string")
		}
		tag, s = asn1.TagPrintableString, uv.PrintableString
	default:
		return nil, fmt.Errorf("unsupported UniversalValue type: %d", uvType)
	}
	return marshalRawString(tag, []byte(s))
}
// marshalRawString DER-encodes value as a primitive, universal-class element
// with the given tag number; it performs no validation of value.
func marshalRawString(tag int, value []byte) ([]byte, error) {
	return asn1.Marshal(asn1.RawValue{
		Class: asn1.ClassUniversal,
		Tag:   tag,
		Bytes: value,
	})
}
// UnmarshalUniversalValue decodes rawValue into a UniversalValue. IA5String,
// UTF8String and PrintableString tags are decoded into the corresponding
// string field; any other tag is kept as its full DER encoding in Bytes.
// If rawValue.FullBytes is nil it is reconstructed with asn1.Marshal first.
// Returns an error if the element fails to decode or is followed by
// trailing data.
func UnmarshalUniversalValue(rawValue asn1.RawValue) (UniversalValue, error) {
	var uv UniversalValue

	if rawValue.FullBytes == nil {
		encoded, err := asn1.Marshal(rawValue)
		if err != nil {
			return uv, err
		}
		rawValue.FullBytes = encoded
	}

	var (
		target *string
		params string
	)
	switch rawValue.Tag {
	case asn1.TagIA5String:
		target, params = &uv.IA5String, "ia5"
	case asn1.TagUTF8String:
		target, params = &uv.UTF8String, "utf8"
	case asn1.TagPrintableString:
		target, params = &uv.PrintableString, "printable"
	default:
		// Unknown tag: hand back the opaque DER unchanged.
		uv.Bytes = rawValue.FullBytes
		return uv, nil
	}

	rest, err := asn1.UnmarshalWithParams(rawValue.FullBytes, target, params)
	if err != nil {
		return uv, err
	}
	if len(rest) != 0 {
		return uv, fmt.Errorf("trailing data")
	}
	return uv, nil
}
// Copied from: https://github.com/golang/go/blob/c95fe91d0715dc0a8d55ac80a80f383c3635548b/src/crypto/x509/x509.go#L1093
//
// isIA5String returns an error if s contains any rune outside ASCII
// (RFC 5280: "IA5String is limited to the set of ASCII characters").
// Invalid UTF-8 decodes to U+FFFD and is therefore rejected too.
func isIA5String(s string) error {
	nonASCII := func(r rune) bool { return r > unicode.MaxASCII }
	if strings.IndexFunc(s, nonASCII) >= 0 {
		return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
	}
	return nil
}
// isPrintable reports whether the given b is in the ASN.1 PrintableString set.
// '*' and '&' are also allowed, reflecting existing practice.
// Copied from: https://github.com/golang/go/blob/c95fe91d0715dc0a8d55ac80a80f383c3635548b/src/crypto/x509/parser.go#L34
//
// The empty string is printable. Any rune outside the set — including
// anything non-ASCII — makes the whole string non-printable.
func isPrintable(s string) bool {
	for _, r := range s {
		switch {
		case 'a' <= r && r <= 'z',
			'A' <= r && r <= 'Z',
			'0' <= r && r <= '9':
		case '\'' <= r && r <= ')', // ' ( )
			'+' <= r && r <= '/': // + , - . /
		case r == ' ', r == ':', r == '=', r == '?':
		case r == '*':
			// This is technically not allowed in a PrintableString.
			// However, x509 certificates with wildcard strings don't
			// always use the correct string type so we permit it.
		case r == '&':
			// This is not technically allowed either. However, not
			// only is it relatively common, but there are also a
			// handful of CA certificates that contain it. At least
			// one of which will not expire until 2027.
		default:
			return false
		}
	}
	return true
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509/pkix"
"encoding/asn1"
"errors"
)
// Copied from x509.go
var (
	// OIDExtensionBasicConstraints is id-ce-basicConstraints (RFC 5280, 4.2.1.9).
	OIDExtensionBasicConstraints = []int{2, 5, 29, 19}
)

// Copied from x509.go
//
// basicConstraints mirrors the BasicConstraints SEQUENCE. A MaxPathLen of -1
// is the asn1 default and means "absent".
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// Adapted from x509.go
//
// MarshalBasicConstraints encodes a critical BasicConstraints extension.
// A nil maxPathLen omits pathLenConstraint from the encoding. On a marshal
// error the returned extension carries the Id and Critical flag but no Value.
func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error) {
	// A value of -1 causes encoding/asn1 to omit the value as desired.
	bc := basicConstraints{IsCA: isCA, MaxPathLen: -1}
	if maxPathLen != nil {
		bc.MaxPathLen = *maxPathLen
	}
	value, err := asn1.Marshal(bc)
	return pkix.Extension{Id: OIDExtensionBasicConstraints, Critical: true, Value: value}, err
}

// Adapted from x509.go
//
// UnmarshalBasicConstraints decodes the Value of a BasicConstraints
// extension. maxPathLen is nil when pathLenConstraint is absent (decoded as
// the -1 default). Trailing bytes after the SEQUENCE are an error; on any
// error the other results are their zero values.
func UnmarshalBasicConstraints(value []byte) (isCA bool, maxPathLen *int, err error) {
	var bc basicConstraints
	rest, err := asn1.Unmarshal(value, &bc)
	if err != nil {
		return false, nil, err
	}
	if len(rest) != 0 {
		return false, nil, errors.New("x509: trailing data after X.509 BasicConstraints")
	}
	if bc.MaxPathLen >= 0 {
		n := bc.MaxPathLen
		maxPathLen = &n
	}
	return bc.IsCA, maxPathLen, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"fmt"
"slices"
"strings"
"time"
certificatesv1 "k8s.io/api/certificates/v1"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
experimentalapi "github.com/cert-manager/cert-manager/pkg/apis/experimental/v1alpha1"
)
// CertificateTemplateValidatorMutator is applied by CertificateTemplateFromCSR
// to the template built from a CSR. It may reject the template by returning an
// error and/or mutate it in place; the CSR argument is available for
// cross-checking what the request itself asked for.
type CertificateTemplateValidatorMutator func(*x509.CertificateRequest, *x509.Certificate) error
// hasExtension reports whether the CSR carries an extension with the given
// OID in either its parsed Extensions or its ExtraExtensions.
func hasExtension(checkReq *x509.CertificateRequest, extensionID asn1.ObjectIdentifier) bool {
	matches := func(ext pkix.Extension) bool { return ext.Id.Equal(extensionID) }
	return slices.ContainsFunc(checkReq.Extensions, matches) ||
		slices.ContainsFunc(checkReq.ExtraExtensions, matches)
}
// CertificateTemplateOverrideDuration returns a CertificateTemplateValidatorMutator that overrides the
// certificate duration: NotBefore is set to the current wall-clock time and
// NotAfter to NotBefore plus duration. It never returns an error and ignores
// the CSR.
func CertificateTemplateOverrideDuration(duration time.Duration) CertificateTemplateValidatorMutator {
	return func(_ *x509.CertificateRequest, cert *x509.Certificate) error {
		start := time.Now()
		cert.NotBefore, cert.NotAfter = start, start.Add(duration)
		return nil
	}
}
// CertificateTemplateValidateAndOverrideBasicConstraints returns a CertificateTemplateValidatorMutator that overrides
// the certificate basic constraints.
//
// When the CSR itself carries a BasicConstraints extension, the template's
// decoded values are first checked against the expected isCA (and
// BasicConstraintsValid must already be set); a mismatch is an error. In all
// cases the template is then forced to the provided isCA and maxPathLen
// (nil means no pathLenConstraint).
func CertificateTemplateValidateAndOverrideBasicConstraints(isCA bool, maxPathLen *int) CertificateTemplateValidatorMutator {
	return func(req *x509.CertificateRequest, cert *x509.Certificate) error {
		if hasExtension(req, OIDExtensionBasicConstraints) {
			switch {
			case !cert.BasicConstraintsValid:
				return fmt.Errorf("encoded CSR error: BasicConstraintsValid is not true")
			case cert.IsCA != isCA:
				return fmt.Errorf("encoded CSR error: IsCA %v does not match expected value %v", cert.IsCA, isCA)
			}
			// We explicitly do not check the MaxPathLen and MaxPathLenZero fields here, as there is no way to
			// configure these fields in a CertificateRequest or CSR object yet. If we ever add a way to configure
			// these fields, we should add a check here to ensure that the values match the expected values.
			// The provided maxPathLen is only used to override the value, not to validate it.
			// TODO: if we add support for maxPathLen, we should add a check here to ensure that the value in the
			// CertificateRequest or CSR matches the value encoded in the CSR blob.
		}

		cert.BasicConstraintsValid = true
		cert.IsCA = isCA
		cert.MaxPathLen, cert.MaxPathLenZero = 0, false
		if maxPathLen != nil {
			cert.MaxPathLen = *maxPathLen
			cert.MaxPathLenZero = *maxPathLen == 0
		}
		return nil
	}
}
// CertificateTemplateValidateAndOverrideKeyUsages returns a CertificateTemplateValidatorMutator that overrides the
// certificate key usages.
//
// If the CSR carries a KeyUsage or ExtendedKeyUsage extension, the decoded
// usages on the template must equal the expected keyUsage and extKeyUsage
// (order-sensitive for the extended usages), otherwise an error naming both
// sides is returned. The template is then set to the expected values
// regardless of what the CSR declared.
func CertificateTemplateValidateAndOverrideKeyUsages(keyUsage x509.KeyUsage, extKeyUsage []x509.ExtKeyUsage) CertificateTemplateValidatorMutator {
	return func(req *x509.CertificateRequest, cert *x509.Certificate) error {
		csrDeclaresUsages := hasExtension(req, OIDExtensionKeyUsage) || hasExtension(req, OIDExtensionExtendedKeyUsage)
		if csrDeclaresUsages {
			if cert.KeyUsage != keyUsage {
				return fmt.Errorf("encoded CSR error: the KeyUsages %s do not match the expected KeyUsages %s",
					printKeyUsage(apiutil.KeyUsageStrings(cert.KeyUsage)),
					printKeyUsage(apiutil.KeyUsageStrings(keyUsage)),
				)
			}
			if !slices.Equal(cert.ExtKeyUsage, extKeyUsage) {
				return fmt.Errorf("encoded CSR error: the ExtKeyUsages %s do not match the expected ExtKeyUsages %s",
					printKeyUsage(apiutil.ExtKeyUsageStrings(cert.ExtKeyUsage)),
					printKeyUsage(apiutil.ExtKeyUsageStrings(extKeyUsage)),
				)
			}
		}

		cert.KeyUsage, cert.ExtKeyUsage = keyUsage, extKeyUsage
		return nil
	}
}
// printKeyUsage renders a list of key usages for error messages, as
// "[ 'a', 'b' ]" (or "[]" when empty); see String.
type printKeyUsage []v1.KeyUsage
// String formats k as "[ 'u1', 'u2' ]"; an empty list renders as "[]".
func (k printKeyUsage) String() string {
	if len(k) == 0 {
		return "[]"
	}
	quoted := make([]string, len(k))
	for i, u := range k {
		quoted[i] = "'" + string(u) + "'"
	}
	return "[ " + strings.Join(quoted, ", ") + " ]"
}
// CertificateTemplateFromCSR will create a x509.Certificate for the
// given *x509.CertificateRequest.
//
// The public key, Subject/RawSubject and typed SANs are copied from the CSR.
// Extensions from both csr.Extensions and csr.ExtraExtensions are then
// interpreted: BasicConstraints, NameConstraints, KeyUsage and
// ExtendedKeyUsage are decoded into the template's typed fields, and a
// SubjectAltName extension is copied verbatim into ExtraExtensions so SAN
// kinds the typed fields cannot express are preserved. The validatorMutators
// run afterwards, in order, and may reject the template with an error or
// overwrite it; the callers in this file use them to impose the issuing
// resource's duration, CA flag and key usages over what the CSR asked for.
// Finally the SAN extension is marked critical when the subject is empty.
//
// Returns an error if an extension fails to decode, a mutator rejects the
// template, or the subject cannot be re-encoded to DER.
func CertificateTemplateFromCSR(csr *x509.CertificateRequest, validatorMutators ...CertificateTemplateValidatorMutator) (*x509.Certificate, error) {
	cert := &x509.Certificate{
		PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
		PublicKey:          csr.PublicKey,
		Subject:            csr.Subject,
		RawSubject:         csr.RawSubject,
		DNSNames:           csr.DNSNames,
		IPAddresses:        csr.IPAddresses,
		EmailAddresses:     csr.EmailAddresses,
		URIs:               csr.URIs,
	}

	// Start by copying all extensions from the CSR
	extractExtensions := func(template *x509.Certificate, val pkix.Extension) error {
		// Check the CSR for the X.509 BasicConstraints (RFC 5280, 4.2.1.9)
		// extension and append to template if necessary
		if val.Id.Equal(OIDExtensionBasicConstraints) {
			unmarshalIsCA, unmarshalMaxPathLen, err := UnmarshalBasicConstraints(val.Value)
			if err != nil {
				return err
			}
			template.BasicConstraintsValid = true
			template.IsCA = unmarshalIsCA
			// A nil path length means pathLenConstraint was absent.
			if unmarshalMaxPathLen != nil {
				template.MaxPathLen = *unmarshalMaxPathLen
				template.MaxPathLenZero = *unmarshalMaxPathLen == 0
			} else {
				template.MaxPathLen = 0
				template.MaxPathLenZero = false
			}
		}
		// Name constraints (RFC 5280, 4.2.1.10): the extension's own
		// criticality is carried over via PermittedDNSDomainsCritical.
		if val.Id.Equal(OIDExtensionNameConstraints) {
			nameConstraints, err := UnmarshalNameConstraints(val.Value)
			if err != nil {
				return err
			}
			template.PermittedDNSDomainsCritical = val.Critical
			template.PermittedDNSDomains = nameConstraints.PermittedDNSDomains
			template.PermittedIPRanges = nameConstraints.PermittedIPRanges
			template.PermittedEmailAddresses = nameConstraints.PermittedEmailAddresses
			template.PermittedURIDomains = nameConstraints.PermittedURIDomains
			template.ExcludedDNSDomains = nameConstraints.ExcludedDNSDomains
			template.ExcludedIPRanges = nameConstraints.ExcludedIPRanges
			template.ExcludedEmailAddresses = nameConstraints.ExcludedEmailAddresses
			template.ExcludedURIDomains = nameConstraints.ExcludedURIDomains
		}
		// RFC 5280, 4.2.1.3
		if val.Id.Equal(OIDExtensionKeyUsage) {
			usage, err := UnmarshalKeyUsage(val.Value)
			if err != nil {
				return err
			}
			template.KeyUsage = usage
		}
		// RFC 5280, 4.2.1.12; unrecognised OIDs are kept in UnknownExtKeyUsage.
		if val.Id.Equal(OIDExtensionExtendedKeyUsage) {
			extUsages, unknownUsages, err := UnmarshalExtKeyUsage(val.Value)
			if err != nil {
				return err
			}
			template.ExtKeyUsage = extUsages
			template.UnknownExtKeyUsage = unknownUsages
		}
		// The SANs fields in the Certificate resource are not enough to
		// represent the full set of SANs that can be encoded in a CSR.
		// Therefore, we need to copy the SANs from the CSR into the
		// ExtraExtensions field of the certificate template.
		if val.Id.Equal(oidExtensionSubjectAltName) {
			template.ExtraExtensions = append(template.ExtraExtensions, val)
		}
		return nil
	}
	for _, val := range csr.Extensions {
		if err := extractExtensions(cert, val); err != nil {
			return nil, err
		}
	}
	for _, val := range csr.ExtraExtensions {
		if err := extractExtensions(cert, val); err != nil {
			return nil, err
		}
	}
	// Keep the raw CSR extensions on the template for inspection. Per the
	// crypto/x509 documentation, x509.CreateCertificate serialises
	// ExtraExtensions and ignores Extensions, so this alone does not place
	// them in the issued certificate.
	cert.Extensions = csr.Extensions

	// Validators run after the CSR has been fully decoded so they can
	// compare the template against what the CSR declared.
	for _, validatorMutator := range validatorMutators {
		if err := validatorMutator(csr, cert); err != nil {
			return nil, err
		}
	}

	// Finally, we fix up the certificate template to ensure that it is valid
	{
		// If the certificate has an empty Subject, we set any SAN extensions to be critical
		// (RFC 5280, 4.2.1.6 requires SAN to be critical when the subject is empty).
		var asn1Subject []byte
		var err error
		if cert.RawSubject != nil {
			asn1Subject = cert.RawSubject
		} else {
			asn1Subject, err = asn1.Marshal(cert.Subject.ToRDNSequence())
			if err != nil {
				return nil, fmt.Errorf("failed to marshal subject to ASN.1 DER: %s", err.Error())
			}
		}
		for i := range cert.ExtraExtensions {
			if cert.ExtraExtensions[i].Id.Equal(oidExtensionSubjectAltName) {
				cert.ExtraExtensions[i].Critical = IsASN1SubjectEmpty(asn1Subject)
			}
		}
	}

	return cert, nil
}
// CertificateTemplateFromCSRPEM will create a x509.Certificate for the
// given csrPEM.
//
// The CSR's self-signature is verified before any template is built, so a
// request whose signature does not match its embedded public key (no proof
// of possession of the private key) is rejected here. Decode and signature
// errors are returned as-is; the validatorMutators are handed on to
// CertificateTemplateFromCSR.
func CertificateTemplateFromCSRPEM(csrPEM []byte, validatorMutators ...CertificateTemplateValidatorMutator) (*x509.Certificate, error) {
	csr, err := DecodeX509CertificateRequestBytes(csrPEM)
	if err != nil {
		return nil, err
	}
	if sigErr := csr.CheckSignature(); sigErr != nil {
		return nil, sigErr
	}
	return CertificateTemplateFromCSR(csr, validatorMutators...)
}
// CertificateTemplateFromCertificate will create a x509.Certificate for the given
// Certificate resource.
//
// A CSR template is generated from the resource first; the certificate's
// duration, CA flag and key usages are then derived from crt.Spec and
// imposed on the template through the standard validator/mutators.
func CertificateTemplateFromCertificate(crt *v1.Certificate) (*x509.Certificate, error) {
	csr, err := GenerateCSR(crt)
	if err != nil {
		return nil, err
	}

	keyUsage, extKeyUsage, err := KeyUsagesForCertificateOrCertificateRequest(crt.Spec.Usages, crt.Spec.IsCA)
	if err != nil {
		return nil, err
	}
	certDuration := apiutil.DefaultCertDuration(crt.Spec.Duration)

	mutators := []CertificateTemplateValidatorMutator{
		CertificateTemplateOverrideDuration(certDuration),
		CertificateTemplateValidateAndOverrideBasicConstraints(crt.Spec.IsCA, nil),
		CertificateTemplateValidateAndOverrideKeyUsages(keyUsage, extKeyUsage),
	}
	return CertificateTemplateFromCSR(csr, mutators...)
}
// CertificateTemplateFromCertificateRequest will create a x509.Certificate for the given
// CertificateRequest resource.
//
// Duration, the CA flag and key usages come from cr.Spec, not from the CSR
// blob: the mutators override those template fields and, where the CSR
// declared its own basic constraints or key usages, check that they agree.
// The CSR signature is verified by CertificateTemplateFromCSRPEM.
func CertificateTemplateFromCertificateRequest(cr *v1.CertificateRequest) (*x509.Certificate, error) {
	keyUsage, extKeyUsage, err := KeyUsagesForCertificateOrCertificateRequest(cr.Spec.Usages, cr.Spec.IsCA)
	if err != nil {
		return nil, err
	}
	certDuration := apiutil.DefaultCertDuration(cr.Spec.Duration)

	mutators := []CertificateTemplateValidatorMutator{
		CertificateTemplateOverrideDuration(certDuration),
		// Override the basic constraints, but make sure they match the constraints in the CSR if present
		CertificateTemplateValidateAndOverrideBasicConstraints(cr.Spec.IsCA, nil),
		// Override the key usages, but make sure they match the usages in the CSR if present
		CertificateTemplateValidateAndOverrideKeyUsages(keyUsage, extKeyUsage),
	}
	return CertificateTemplateFromCSRPEM(cr.Spec.Request, mutators...)
}
// CertificateTemplateFromCertificateSigningRequest will create a x509.Certificate for the given
// CertificateSigningRequest resource.
//
// Duration comes from DurationFromCertificateSigningRequest and key usages
// from csr.Spec.Usages. Whether the template is a CA is decided solely by
// the experimental IsCA annotation: only the literal value "true" enables
// it, anything else (including absence) yields a non-CA template.
func CertificateTemplateFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error) {
	duration, err := DurationFromCertificateSigningRequest(csr)
	if err != nil {
		return nil, err
	}
	keyUsage, extKeyUsage, err := BuildKeyUsagesKube(csr.Spec.Usages)
	if err != nil {
		return nil, err
	}
	isCA := csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true"

	mutators := []CertificateTemplateValidatorMutator{
		CertificateTemplateOverrideDuration(duration),
		// Override the basic constraints, but make sure they match the constraints in the CSR if present
		CertificateTemplateValidateAndOverrideBasicConstraints(isCA, nil),
		// Override the key usages, but make sure they match the usages in the CSR if present
		CertificateTemplateValidateAndOverrideKeyUsages(keyUsage, extKeyUsage),
	}
	return CertificateTemplateFromCSRPEM(csr.Spec.Request, mutators...)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/pem"
"errors"
"fmt"
"net"
"net/netip"
"net/url"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// IPAddressesToString converts a slice of IP addresses to strings, which can be useful for
// printing a list of addresses but MUST NOT be used for comparing two slices of IP addresses.
// An empty or nil input yields a nil slice.
func IPAddressesToString(ipAddresses []net.IP) []string {
	if len(ipAddresses) == 0 {
		return nil
	}
	names := make([]string, len(ipAddresses))
	for i, ip := range ipAddresses {
		names[i] = ip.String()
	}
	return names
}
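// IPAddressesFromStrings parses each string as an IPv4 or IPv6 address and
// returns the corresponding net.IP values (4 bytes for IPv4, 16 for IPv6),
// in input order. An empty input yields (nil, nil).
//
// Any unparsable entry aborts the whole conversion with the parse error.
// Zoned addresses such as "fe80::1%eth0" are rejected with an explicit
// error: a zone has no representation in an X.509 iPAddress SAN, and
// silently returning no addresses for them would drop the caller's input.
func IPAddressesFromStrings(ipStrings []string) ([]net.IP, error) {
	var ipAddresses []net.IP
	for _, ipString := range ipStrings {
		ip, err := netip.ParseAddr(ipString)
		if err != nil {
			return nil, err
		}
		if ip.Zone() != "" {
			return nil, fmt.Errorf("invalid IP address %q: zone identifiers are not supported", ipString)
		}
		addr := ip.AsSlice()
		if len(addr) == 0 {
			return nil, fmt.Errorf("failed to parse IP address %q", ipString)
		}
		ipAddresses = append(ipAddresses, net.IP(addr))
	}
	return ipAddresses, nil
}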
// URLsToString renders each URL with (*url.URL).String, in input order.
// A nil or empty input yields a nil slice. A nil element is a programming
// error and panics.
func URLsToString(uris []*url.URL) []string {
	var rendered []string
	for i := range uris {
		u := uris[i]
		if u == nil {
			panic("provided uri to string is nil")
		}
		rendered = append(rendered, u.String())
	}
	return rendered
}
// SubjectForCertificate will return the Subject from the Certificate resource or an empty one if it is not set.
// The returned value is a copy; mutating it does not affect crt.
func SubjectForCertificate(crt *v1.Certificate) v1.X509Subject {
	var subject v1.X509Subject
	if s := crt.Spec.Subject; s != nil {
		subject = *s
	}
	return subject
}
// KeyUsagesForCertificateOrCertificateRequest maps the API-level usages onto
// x509 KeyUsage bits and ExtKeyUsage values.
//
// When isCA is set, KeyUsageCertSign is always included. An empty usages
// list falls back to v1.DefaultKeyUsages(). Usages that are neither a known
// key usage nor a known extended key usage are collected and reported in a
// single error; the partially built ku/eku are still returned in that case.
func KeyUsagesForCertificateOrCertificateRequest(usages []v1.KeyUsage, isCA bool) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error) {
	if isCA {
		ku |= x509.KeyUsageCertSign
	}

	// If no usages are specified, default to the ones specified in the
	// Kubernetes API.
	if len(usages) == 0 {
		usages = v1.DefaultKeyUsages()
	}

	var unknown []v1.KeyUsage
	for _, usage := range usages {
		if bit, ok := apiutil.KeyUsageType(usage); ok {
			ku |= bit
			continue
		}
		if ext, ok := apiutil.ExtKeyUsageType(usage); ok {
			eku = append(eku, ext)
			continue
		}
		unknown = append(unknown, usage)
	}

	if len(unknown) > 0 {
		err = fmt.Errorf("unknown key usages: %v", unknown)
	}
	return ku, eku, err
}
// generateCSROptions collects the optional behaviours of GenerateCSR. All
// fields default to false; they are set through the GenerateCSROption
// functions below.
type generateCSROptions struct {
	// EncodeBasicConstraintsInRequest adds a BasicConstraints extension
	// reflecting spec.isCA to the CSR (temporary, see WithEncodeBasicConstraintsInRequest).
	EncodeBasicConstraintsInRequest bool
	// EncodeNameConstraints adds a NameConstraints extension built from
	// spec.nameConstraints when that field is set.
	EncodeNameConstraints bool
	// EncodeOtherNames encodes spec.otherNames as otherName SANs.
	EncodeOtherNames bool
	// UseLiteralSubject builds the Subject from spec.literalSubject (when
	// non-empty) instead of the structured spec.subject fields.
	UseLiteralSubject bool
}
// GenerateCSROption is a functional option for GenerateCSR; it mutates the
// private generateCSROptions before the request is built.
type GenerateCSROption func(*generateCSROptions)
// WithEncodeBasicConstraintsInRequest controls whether GenerateCSR adds a
// BasicConstraints extension (reflecting spec.isCA) to the request.
// NOTE: this is a temporary option that will be removed in a future release.
func WithEncodeBasicConstraintsInRequest(encode bool) GenerateCSROption {
	set := func(o *generateCSROptions) {
		o.EncodeBasicConstraintsInRequest = encode
	}
	return set
}
// WithNameConstraints controls whether GenerateCSR encodes
// spec.nameConstraints as a NameConstraints extension in the request.
func WithNameConstraints(enabled bool) GenerateCSROption {
	set := func(o *generateCSROptions) {
		o.EncodeNameConstraints = enabled
	}
	return set
}
// WithOtherNames controls whether GenerateCSR encodes spec.otherNames as
// otherName entries in the SAN extension of the request.
func WithOtherNames(enabled bool) GenerateCSROption {
	set := func(o *generateCSROptions) {
		o.EncodeOtherNames = enabled
	}
	return set
}
// WithUseLiteralSubject controls whether GenerateCSR builds the Subject from
// spec.literalSubject (when it is non-empty) rather than from the structured
// spec.subject and spec.commonName fields.
func WithUseLiteralSubject(useLiteralSubject bool) GenerateCSROption {
	set := func(o *generateCSROptions) {
		o.UseLiteralSubject = useLiteralSubject
	}
	return set
}
// GenerateCSR builds an unsigned *x509.CertificateRequest template from a
// cert-manager Certificate, for issuers that obtain certificates via CSRs.
//
// The template carries the Subject, the SAN extension and — depending on the
// Certificate spec and the options — key usage, basic constraints and name
// constraints extensions. It is not signed: pass it to EncodeCSR or to
// x509.CreateCertificateRequest together with the subject's private key.
//
// Options (all off by default):
//   - WithUseLiteralSubject: build the Subject from spec.literalSubject (when
//     non-empty) instead of the structured spec.subject/spec.commonName.
//   - WithOtherNames: encode spec.otherNames as otherName SANs.
//   - WithEncodeBasicConstraintsInRequest: add a BasicConstraints extension
//     reflecting spec.isCA (temporary, see note below).
//   - WithNameConstraints: add a NameConstraints extension from spec.nameConstraints.
//
// Returns an error when the literal subject, an IP SAN, an otherName OID or a
// name-constraint CIDR fails to parse, when an unknown key usage is requested,
// or when the request would carry neither a common name nor any SAN.
//
// Everything encoded here is a *request*: the issuing CA decides which of the
// attributes, usages and constraints end up in the certificate.
func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.CertificateRequest, error) {
	opts := &generateCSROptions{
		EncodeBasicConstraintsInRequest: false,
		EncodeNameConstraints:           false,
		EncodeOtherNames:                false,
		UseLiteralSubject:               false,
	}
	// Options are applied in order, so a later option overrides an earlier one.
	for _, opt := range optFuncs {
		opt(opts)
	}

	// Generate the Subject field for the CSR.
	var commonName string
	var rdnSubject pkix.RDNSequence
	if opts.UseLiteralSubject && len(crt.Spec.LiteralSubject) > 0 {
		// Literal subject: the RDN sequence is taken verbatim from the string
		// and the CN is extracted from it; spec.commonName is not consulted.
		subjectRDNSequence, err := UnmarshalSubjectStringToRDNSequence(crt.Spec.LiteralSubject)
		if err != nil {
			return nil, err
		}
		commonName = ExtractCommonNameFromRDNSequence(subjectRDNSequence)
		rdnSubject = subjectRDNSequence
	} else {
		// Structured subject: assembled from spec.subject plus spec.commonName.
		subject := SubjectForCertificate(crt)
		commonName = crt.Spec.CommonName
		rdnSubject = pkix.Name{
			Country:            subject.Countries,
			Organization:       subject.Organizations,
			OrganizationalUnit: subject.OrganizationalUnits,
			Locality:           subject.Localities,
			Province:           subject.Provinces,
			StreetAddress:      subject.StreetAddresses,
			PostalCode:         subject.PostalCodes,
			SerialNumber:       subject.SerialNumber,
			CommonName:         commonName,
		}.ToRDNSequence()
	}

	// Generate the SANs for the CSR. A single unparsable IP aborts the whole
	// request rather than producing one with a silently shorter SAN list.
	ipAddresses, err := IPAddressesFromStrings(crt.Spec.IPAddresses)
	if err != nil {
		return nil, err
	}
	sans := GeneralNames{
		RFC822Names:                crt.Spec.EmailAddresses,
		DNSNames:                   crt.Spec.DNSNames,
		UniformResourceIdentifiers: crt.Spec.URIs,
		IPAddresses:                ipAddresses,
	}

	if opts.EncodeOtherNames {
		for _, otherName := range crt.Spec.OtherNames {
			oid, err := ParseObjectIdentifier(otherName.OID)
			if err != nil {
				return nil, err
			}

			// Only UTF8String values are supported for otherName at present.
			value, err := MarshalUniversalValue(UniversalValue{
				UTF8String: otherName.UTF8Value,
			})
			if err != nil {
				return nil, err
			}

			// OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }:
			// the marshalled value is wrapped in a constructed (IsCompound)
			// context-specific [0] tag, i.e. EXPLICIT tagging.
			sans.OtherNames = append(sans.OtherNames, OtherName{
				TypeID: oid,
				Value: asn1.RawValue{
					Tag:        0,
					Class:      asn1.ClassContextSpecific,
					IsCompound: true,
					Bytes:      value,
				},
			})
		}
	}

	// A request with no identity at all is meaningless; refuse it up front
	// rather than letting the issuer reject (or worse, accept) it.
	if len(commonName) == 0 && sans.Empty() {
		return nil, fmt.Errorf("no common name (from the commonName field or from a literalSubject), DNS name, URI SAN, Email SAN, IP or OtherName SAN specified on certificate")
	}

	pubKeyAlgo, sigAlgo, err := SignatureAlgorithm(crt)
	if err != nil {
		return nil, err
	}

	asn1Subject, err := MarshalRDNSequenceToRawDERBytes(rdnSubject)
	if err != nil {
		return nil, err
	}

	// Extensions are appended in a fixed order (SAN, KU, EKU, BasicConstraints,
	// NameConstraints); changing it changes the DER bytes of the request.
	var extraExtensions []pkix.Extension

	if !sans.Empty() {
		// The second argument tells MarshalSANs whether a Subject is present.
		// NOTE(review): presumably MarshalSANs uses it to mark the SAN
		// extension critical when the Subject is empty (RFC 5280 §4.2.1.6
		// requires that) — confirm against MarshalSANs.
		sanExtension, err := MarshalSANs(sans, !IsASN1SubjectEmpty(asn1Subject))
		if err != nil {
			return nil, err
		}
		extraExtensions = append(extraExtensions, sanExtension)
	}

	// Key usages are encoded unless spec.encodeUsagesInRequest is explicitly
	// false. KeyUsagesForCertificateOrCertificateRequest applies the API
	// defaults when spec.usages is empty and forces certSign when isCA is set.
	if crt.Spec.EncodeUsagesInRequest == nil || *crt.Spec.EncodeUsagesInRequest {
		ku, ekus, err := KeyUsagesForCertificateOrCertificateRequest(crt.Spec.Usages, crt.Spec.IsCA)
		if err != nil {
			return nil, fmt.Errorf("failed to build key usages: %w", err)
		}

		// An all-zero KeyUsage bitmask is not encoded at all.
		if ku != 0 {
			usage, err := MarshalKeyUsage(ku)
			if err != nil {
				return nil, fmt.Errorf("failed to asn1 encode usages: %w", err)
			}

			extraExtensions = append(extraExtensions, usage)
		}

		// Only add extended usages if they are specified.
		if len(ekus) > 0 {
			extendedUsages, err := MarshalExtKeyUsage(ekus, nil)
			if err != nil {
				return nil, fmt.Errorf("failed to asn1 encode extended usages: %w", err)
			}
			extraExtensions = append(extraExtensions, extendedUsages)
		}
	}

	// NOTE(@inteon): opts.EncodeBasicConstraintsInRequest is a temporary solution and will
	// be removed/ replaced in a future release.
	if opts.EncodeBasicConstraintsInRequest {
		// Requesting isCA in a CSR is advisory; the issuer must still decide
		// whether to grant CA status.
		basicExtension, err := MarshalBasicConstraints(crt.Spec.IsCA, nil)
		if err != nil {
			return nil, err
		}

		extraExtensions = append(extraExtensions, basicExtension)
	}

	if opts.EncodeNameConstraints && crt.Spec.NameConstraints != nil {
		nameConstraints := &NameConstraints{}

		if crt.Spec.NameConstraints.Permitted != nil {
			nameConstraints.PermittedDNSDomains = crt.Spec.NameConstraints.Permitted.DNSDomains
			nameConstraints.PermittedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Permitted.IPRanges)
			if err != nil {
				return nil, err
			}
			nameConstraints.PermittedEmailAddresses = crt.Spec.NameConstraints.Permitted.EmailAddresses
			nameConstraints.PermittedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains
		}
		if crt.Spec.NameConstraints.Excluded != nil {
			nameConstraints.ExcludedDNSDomains = crt.Spec.NameConstraints.Excluded.DNSDomains
			nameConstraints.ExcludedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Excluded.IPRanges)
			if err != nil {
				return nil, err
			}
			nameConstraints.ExcludedEmailAddresses = crt.Spec.NameConstraints.Excluded.EmailAddresses
			nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Excluded.URIDomains
		}

		// A NameConstraints block with no entries at all is not encoded;
		// spec.nameConstraints.critical decides the extension's critical flag.
		if !nameConstraints.IsEmpty() {
			extension, err := MarshalNameConstraints(nameConstraints, crt.Spec.NameConstraints.Critical)
			if err != nil {
				return nil, err
			}

			extraExtensions = append(extraExtensions, extension)
		}
	}

	cr := &x509.CertificateRequest{
		// Version 0 is the only one defined in the PKCS#10 standard, RFC2986.
		// This value isn't used by Go at the time of writing.
		// https://datatracker.ietf.org/doc/html/rfc2986#section-4
		Version:            0,
		SignatureAlgorithm: sigAlgo,
		PublicKeyAlgorithm: pubKeyAlgo,
		// RawSubject takes precedence over Subject when Go serialises the
		// request, so the exact RDN encoding built above is preserved.
		RawSubject:      asn1Subject,
		ExtraExtensions: extraExtensions,
	}

	return cr, nil
}
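// SignCertificate signs template with signerKey, producing a certificate
// chained to issuerCert.
//
// publicKey is the subject's public key (the key embedded in the new
// certificate); signerKey is the issuer's private key and must implement
// crypto.Signer. template.SignatureAlgorithm is overwritten with the
// algorithm derived from the signer's key type and size by
// signatureAlgorithmFromPublicKey, so any value the caller set is ignored.
//
// It returns the certificate PEM-encoded, the parsed *x509.Certificate, and
// an error if the signer key type is unsupported or signing, parsing or PEM
// encoding fails.
//
// NOTE(review): there is no check here that signerKey's public half matches
// issuerCert.PublicKey; recent Go versions' x509.CreateCertificate reject the
// mismatch when issuerCert.PublicKey is populated, but callers that pass an
// issuerCert without it get no such protection — confirm if that matters.
func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, publicKey crypto.PublicKey, signerKey any) ([]byte, *x509.Certificate, error) {
	typedSigner, ok := signerKey.(crypto.Signer)
	if !ok {
		return nil, nil, fmt.Errorf("didn't get an expected Signer in call to SignCertificate")
	}

	// NB: issuerCert.PublicKey / PublicKeyAlgorithm are not reliably populated
	// by every caller, so the key type is taken from the signer itself.
	signerPub := typedSigner.Public()

	var pubKeyAlgo x509.PublicKeyAlgorithm
	var sigAlgoArg any
	switch pubKey := signerPub.(type) {
	case *rsa.PublicKey:
		pubKeyAlgo = x509.RSA
		// Size() is in bytes; signatureAlgorithmFromPublicKey expects bits.
		// (Assumes 8-bit bytes, which holds everywhere cert-manager runs.)
		sigAlgoArg = pubKey.Size() * 8
	case *ecdsa.PublicKey:
		pubKeyAlgo = x509.ECDSA
		sigAlgoArg = pubKey.Curve
	case ed25519.PublicKey:
		pubKeyAlgo = x509.Ed25519
		sigAlgoArg = nil // ignored by signatureAlgorithmFromPublicKey
	default:
		// Report the type that was actually inspected (the signer's key). The
		// previous message printed issuerCert.PublicKey, which may be nil and
		// then rendered as "<nil>", hiding the real offending type.
		return nil, nil, fmt.Errorf("unknown public key type on signing certificate: %T", signerPub)
	}

	var err error
	template.SignatureAlgorithm, err = signatureAlgorithmFromPublicKey(pubKeyAlgo, sigAlgoArg)
	if err != nil {
		return nil, nil, err
	}

	derBytes, err := x509.CreateCertificate(rand.Reader, template, issuerCert, publicKey, signerKey)
	if err != nil {
		return nil, nil, fmt.Errorf("error creating x509 certificate: %w", err)
	}

	// Re-parse so the caller gets the certificate exactly as encoded, not the
	// template with fields Go filled in.
	cert, err := x509.ParseCertificate(derBytes)
	if err != nil {
		return nil, nil, fmt.Errorf("error decoding DER certificate bytes: %w", err)
	}

	var pemBytes bytes.Buffer
	if err := pem.Encode(&pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
		return nil, nil, fmt.Errorf("error encoding certificate PEM: %w", err)
	}

	return pemBytes.Bytes(), cert, nil
}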
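// SignCSRTemplate signs a certificate template, usually built from a CSR,
// with the first certificate in caCerts and caPrivateKey.
//
// The template must be fully populated, including its PublicKey (the
// subject's key); caCerts[0] is the issuing CA and any further entries are
// treated as its ancestors so the returned bundle carries the whole chain.
//
// Returns a PEMBundle containing the new certificate and the CA data, both
// PEM-encoded, as assembled by ParseSingleCertificateChain; or an error if
// caCerts is empty, signing fails, or the chain cannot be parsed.
func SignCSRTemplate(caCerts []*x509.Certificate, caPrivateKey crypto.Signer, template *x509.Certificate) (PEMBundle, error) {
	if len(caCerts) == 0 {
		return PEMBundle{}, errors.New("no CA certificates given to sign CSR template")
	}

	issuingCACert := caCerts[0]

	_, cert, err := SignCertificate(template, issuingCACert, template.PublicKey, caPrivateKey)
	if err != nil {
		return PEMBundle{}, err
	}

	// Build the chain in a fresh slice: append(caCerts, cert) would write into
	// the caller's backing array whenever caCerts has spare capacity.
	chain := make([]*x509.Certificate, 0, len(caCerts)+1)
	chain = append(chain, caCerts...)
	chain = append(chain, cert)

	bundle, err := ParseSingleCertificateChain(chain)
	if err != nil {
		return PEMBundle{}, err
	}

	return bundle, nil
}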
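// EncodeCSR signs template with key via x509.CreateCertificateRequest and
// returns the DER-encoded, signed PKCS#10 request.
//
// key is the subject's private key: CreateCertificateRequest embeds the
// matching public key in the request and rejects a template whose
// SignatureAlgorithm does not suit the key type.
//
// Returns an error if signing fails.
func EncodeCSR(template *x509.CertificateRequest, key crypto.Signer) ([]byte, error) {
	derBytes, err := x509.CreateCertificateRequest(rand.Reader, template, key)
	if err != nil {
		// This produces a certificate *request*; the previous message said
		// "certificate" and pointed people at the wrong code path.
		return nil, fmt.Errorf("error creating x509 certificate request: %w", err)
	}

	return derBytes, nil
}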
// EncodeX509 PEM-encodes a single certificate from its raw DER bytes
// (cert.Raw) as a "CERTIFICATE" block.
func EncodeX509(cert *x509.Certificate) ([]byte, error) {
	out := bytes.NewBuffer([]byte{})
	block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
	if err := pem.Encode(out, &block); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}
// EncodeX509Chain PEM-encodes certs, in the order given, as a chain of
// "CERTIFICATE" blocks.
//
// nil entries are skipped. Self-signed certificates (those whose signature
// verifies under their own key, per CheckSignatureFrom) are omitted, as
// recommended by https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2.
// No reordering is done: if the input is not ordered as RFC 5246 §7.4.2
// requires, the output may not be a valid TLS chain.
func EncodeX509Chain(certs []*x509.Certificate) ([]byte, error) {
	out := bytes.NewBuffer([]byte{})
	for _, c := range certs {
		switch {
		case c == nil:
			continue
		case c.CheckSignatureFrom(c) == nil:
			// Self-signed root: relying parties must already trust it, so it
			// is not sent.
			continue
		}
		if err := pem.Encode(out, &pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}); err != nil {
			return nil, err
		}
	}
	return out.Bytes(), nil
}
// keyAlgorithms maps the cert-manager API's private key algorithm names onto
// Go's x509 public key algorithms. Anything not listed here is rejected by
// SignatureAlgorithm.
var keyAlgorithms = map[v1.PrivateKeyAlgorithm]x509.PublicKeyAlgorithm{
	v1.RSAKeyAlgorithm:     x509.RSA,
	v1.ECDSAKeyAlgorithm:   x509.ECDSA,
	v1.Ed25519KeyAlgorithm: x509.Ed25519,
}

// sigAlgorithms maps the cert-manager API's explicit signature algorithm
// names onto Go's x509 signature algorithms. Only SHA-2 based RSA/ECDSA
// variants and pure Ed25519 are offered; no SHA-1 or RSA-PSS entries exist.
var sigAlgorithms = map[v1.SignatureAlgorithm]x509.SignatureAlgorithm{
	v1.SHA256WithRSA:   x509.SHA256WithRSA,
	v1.SHA384WithRSA:   x509.SHA384WithRSA,
	v1.SHA512WithRSA:   x509.SHA512WithRSA,
	v1.ECDSAWithSHA256: x509.ECDSAWithSHA256,
	v1.ECDSAWithSHA384: x509.ECDSAWithSHA384,
	v1.ECDSAWithSHA512: x509.ECDSAWithSHA512,
	v1.PureEd25519:     x509.PureEd25519,
}
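// SignatureAlgorithm determines the public key algorithm and the signature
// algorithm to use for the given Certificate.
//
// The key algorithm comes from spec.privateKey.algorithm (RSA when unset).
// If spec.signatureAlgorithm is set it is used as-is; otherwise a signature
// algorithm is derived from the key algorithm and spec.privateKey.size by
// signatureAlgorithmFromPublicKey (RSA defaults to MinRSAKeySize, ECDSA to
// P-256).
//
// Returns an error for an unknown key algorithm, an unknown explicit
// signature algorithm, an unsupported ECDSA size, or an RSA size below the
// minimum accepted by signatureAlgorithmFromPublicKey.
//
// NOTE(review): an explicit spec.signatureAlgorithm is not checked against
// the key algorithm here (e.g. SHA256WithRSA with an ECDSA key); such a
// mismatch only surfaces later, when Go refuses to sign — confirm the API
// validation covers it.
//
// Adapted from https://github.com/cloudflare/cfssl/blob/master/csr/csr.go#L102
func SignatureAlgorithm(crt *v1.Certificate) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error) {
	var specAlgorithm v1.PrivateKeyAlgorithm
	var specKeySize int
	if crt.Spec.PrivateKey != nil {
		specAlgorithm = crt.Spec.PrivateKey.Algorithm
		specKeySize = crt.Spec.PrivateKey.Size
	}

	// An unset algorithm means RSA, the API default.
	pubKeyAlgo := x509.RSA
	if specAlgorithm != "" {
		var ok bool
		pubKeyAlgo, ok = keyAlgorithms[specAlgorithm]
		if !ok {
			// The previous message was missing the closing quote after 'rsa'.
			return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported algorithm specified: %s. should be either 'ecdsa', 'ed25519' or 'rsa'", specAlgorithm)
		}
	}

	// An explicit signature algorithm wins over the size-derived default.
	if crt.Spec.SignatureAlgorithm != "" {
		sigAlgo, ok := sigAlgorithms[crt.Spec.SignatureAlgorithm]
		if !ok {
			return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported signature algorithm: %s", crt.Spec.SignatureAlgorithm)
		}
		return pubKeyAlgo, sigAlgo, nil
	}

	var sigAlgoArg any
	switch pubKeyAlgo {
	case x509.RSA:
		if specKeySize == 0 {
			sigAlgoArg = MinRSAKeySize
		} else {
			sigAlgoArg = specKeySize
		}
	case x509.ECDSA:
		switch specKeySize {
		case 521:
			sigAlgoArg = elliptic.P521()
		case 384:
			sigAlgoArg = elliptic.P384()
		case 256, 0:
			sigAlgoArg = elliptic.P256()
		default:
			return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported ecdsa keysize specified: %d", specKeySize)
		}
	default:
		// Ed25519 takes no argument.
	}

	sigAlgo, err := signatureAlgorithmFromPublicKey(pubKeyAlgo, sigAlgoArg)
	if err != nil {
		return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, err
	}

	return pubKeyAlgo, sigAlgo, nil
}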
// signatureAlgorithmFromPublicKey picks a signature algorithm for a key of
// type alg, using a type-specific argument:
//   - x509.RSA: arg is the key size in bits (int); must be at least 2048.
//     2048–3071 → SHA256WithRSA, 3072–4095 → SHA384WithRSA, ≥4096 → SHA512WithRSA.
//   - x509.ECDSA: arg is an elliptic.Curve; P-256/P-384/P-521 map to
//     ECDSAWithSHA256/384/512 respectively.
//   - x509.Ed25519: arg is ignored; always PureEd25519.
//
// Any other algorithm, a wrongly typed arg, a too-small RSA key or an
// unsupported curve yields x509.UnknownSignatureAlgorithm and an error.
//
// The pairings are partly a matter of preference; they follow what is common
// and what bodies such as the US DoD require (hash strength tracks key size).
func signatureAlgorithmFromPublicKey(alg x509.PublicKeyAlgorithm, arg any) (x509.SignatureAlgorithm, error) {
	switch alg {
	case x509.RSA:
		bits, ok := arg.(int)
		if !ok {
			return x509.UnknownSignatureAlgorithm, fmt.Errorf("expected to get an integer key size for RSA key but got %T", arg)
		}
		if bits < 2048 {
			return x509.UnknownSignatureAlgorithm, fmt.Errorf("invalid size %d for RSA key on signing certificate", bits)
		}
		if bits >= 4096 {
			return x509.SHA512WithRSA, nil
		}
		if bits >= 3072 {
			return x509.SHA384WithRSA, nil
		}
		return x509.SHA256WithRSA, nil

	case x509.ECDSA:
		curve, ok := arg.(elliptic.Curve)
		if !ok {
			return x509.UnknownSignatureAlgorithm, fmt.Errorf("expected to get an ECDSA curve for ECDSA key but got %T", arg)
		}
		// The elliptic.P* constructors return process-wide singletons, so
		// interface equality identifies the curve.
		switch curve {
		case elliptic.P521():
			return x509.ECDSAWithSHA512, nil
		case elliptic.P384():
			return x509.ECDSAWithSHA384, nil
		case elliptic.P256():
			return x509.ECDSAWithSHA256, nil
		}
		return x509.UnknownSignatureAlgorithm, fmt.Errorf("unknown / unsupported curve attached to ECDSA signing certificate")

	case x509.Ed25519:
		return x509.PureEd25519, nil
	}

	return x509.UnknownSignatureAlgorithm, fmt.Errorf("got unsupported public key type when trying to calculate signature algorithm")
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
const (
	// MinRSAKeySize is the minimum RSA keysize allowed to be generated by the
	// generator functions in this package. It is also the size assumed by
	// SignatureAlgorithm when spec.privateKey.size is unset.
	MinRSAKeySize = 2048

	// MaxRSAKeySize is the maximum RSA keysize allowed to be generated by the
	// generator functions in this package (larger keys make generation and
	// every signing operation disproportionately slow).
	MaxRSAKeySize = 8192

	// ECCurve256 represents a secp256r1 / prime256v1 / NIST P-256 ECDSA key.
	ECCurve256 = 256
	// ECCurve384 represents a secp384r1 / NIST P-384 ECDSA key.
	ECCurve384 = 384
	// ECCurve521 represents a secp521r1 / NIST P-521 ECDSA key.
	ECCurve521 = 521
)
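// GeneratePrivateKeyForCertificate generates a private key matching the
// spec.privateKey parameters of the given cert-manager Certificate.
//
// An unset algorithm means RSA. An unset (zero) size means MinRSAKeySize for
// RSA and ECCurve256 (P-256) for ECDSA; Ed25519 has no size. The returned
// key is an *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey.
//
// crt is not modified (it is deep-copied before defaults are applied).
// Returns an error for an unknown algorithm or if key generation fails; on
// error the returned Signer is a true nil interface, never a typed nil
// pointer wrapped in the interface.
func GeneratePrivateKeyForCertificate(crt *v1.Certificate) (crypto.Signer, error) {
	privateKeySpec := crt.DeepCopy().Spec.PrivateKey
	if privateKeySpec == nil {
		privateKeySpec = &v1.CertificatePrivateKey{}
	}

	sizeOrDefault := func(fallback int) int {
		if privateKeySpec.Size > 0 {
			return privateKeySpec.Size
		}
		return fallback
	}

	// Each branch checks err explicitly: `return GenerateRSAPrivateKey(...)`
	// would convert a nil *rsa.PrivateKey into a non-nil crypto.Signer on
	// failure, tripping any caller that tests the key against nil.
	switch privateKeySpec.Algorithm {
	case v1.PrivateKeyAlgorithm(""), v1.RSAKeyAlgorithm:
		key, err := GenerateRSAPrivateKey(sizeOrDefault(MinRSAKeySize))
		if err != nil {
			return nil, err
		}
		return key, nil
	case v1.ECDSAKeyAlgorithm:
		key, err := GenerateECPrivateKey(sizeOrDefault(ECCurve256))
		if err != nil {
			return nil, err
		}
		return key, nil
	case v1.Ed25519KeyAlgorithm:
		key, err := GenerateEd25519PrivateKey()
		if err != nil {
			return nil, err
		}
		return key, nil
	default:
		return nil, fmt.Errorf("unsupported private key algorithm specified: %s", privateKeySpec.Algorithm)
	}
}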
// GenerateRSAPrivateKey generates an RSA private key of keySize bits using
// crypto/rand.
//
// keySize is bounded to [MinRSAKeySize, MaxRSAKeySize]: anything below 2048
// bits is considered weak (https://en.wikipedia.org/wiki/Key_size#cite_note-twirl-14)
// and anything above the maximum is refused to bound generation and signing
// cost. Out-of-range sizes return an error without generating a key.
func GenerateRSAPrivateKey(keySize int) (*rsa.PrivateKey, error) {
	switch {
	case keySize < MinRSAKeySize:
		return nil, fmt.Errorf("weak rsa key size specified: %d. minimum key size: %d", keySize, MinRSAKeySize)
	case keySize > MaxRSAKeySize:
		return nil, fmt.Errorf("rsa key size specified too big: %d. maximum key size: %d", keySize, MaxRSAKeySize)
	}
	return rsa.GenerateKey(rand.Reader, keySize)
}
// GenerateECPrivateKey generates an ECDSA private key on the NIST curve
// selected by keySize: ECCurve256 (P-256), ECCurve384 (P-384) or ECCurve521
// (P-521). Any other size returns an error.
func GenerateECPrivateKey(keySize int) (*ecdsa.PrivateKey, error) {
	curves := map[int]func() elliptic.Curve{
		ECCurve256: elliptic.P256,
		ECCurve384: elliptic.P384,
		ECCurve521: elliptic.P521,
	}
	pick, ok := curves[keySize]
	if !ok {
		return nil, fmt.Errorf("unsupported ecdsa key size specified: %d", keySize)
	}
	return ecdsa.GenerateKey(pick(), rand.Reader)
}
// GenerateEd25519PrivateKey generates a fresh Ed25519 private key from
// crypto/rand. Ed25519 has a single fixed parameter set, so there is no size
// to choose.
func GenerateEd25519PrivateKey() (ed25519.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return key, nil
}
// EncodePrivateKey PEM-encodes pk according to keyEncoding.
//
// For PKCS1 (or an unset encoding) the format follows the key type: RSA keys
// become "RSA PRIVATE KEY" (PKCS#1), ECDSA keys "EC PRIVATE KEY" (SEC 1), and
// Ed25519 keys — which have no legacy format — fall back to PKCS#8. For PKCS8
// every supported key type becomes a "PRIVATE KEY" block.
//
// Returns an error for an unknown key type or an unknown encoding.
func EncodePrivateKey(pk crypto.PrivateKey, keyEncoding v1.PrivateKeyEncoding) ([]byte, error) {
	if keyEncoding == v1.PKCS8 {
		return EncodePKCS8PrivateKey(pk)
	}
	if keyEncoding != v1.PrivateKeyEncoding("") && keyEncoding != v1.PKCS1 {
		return nil, fmt.Errorf("error encoding private key: unknown key encoding: %s", keyEncoding)
	}

	switch key := pk.(type) {
	case *rsa.PrivateKey:
		return EncodePKCS1PrivateKey(key), nil
	case *ecdsa.PrivateKey:
		return EncodeECPrivateKey(key)
	case ed25519.PrivateKey:
		return EncodePKCS8PrivateKey(key)
	}
	return nil, fmt.Errorf("error encoding private key: unknown key type: %T", pk)
}
// EncodePKCS1PrivateKey marshals an RSA private key in PKCS#1 form and wraps
// it in an "RSA PRIVATE KEY" PEM block.
func EncodePKCS1PrivateKey(pk *rsa.PrivateKey) []byte {
	der := x509.MarshalPKCS1PrivateKey(pk)
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: der,
	})
}
// EncodePKCS8PrivateKey marshals a private key in PKCS#8 form and wraps it in
// a "PRIVATE KEY" PEM block. Any key type x509.MarshalPKCS8PrivateKey accepts
// is supported; others return its error.
func EncodePKCS8PrivateKey(pk interface{}) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(pk)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{
		Type:  "PRIVATE KEY",
		Bytes: der,
	}), nil
}
// EncodeECPrivateKey marshals an ECDSA private key in SEC 1 form and wraps it
// in an "EC PRIVATE KEY" PEM block. Returns an error if marshalling fails
// (e.g. a key on an unsupported curve).
func EncodeECPrivateKey(pk *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(pk)
	if err != nil {
		return nil, fmt.Errorf("error encoding private key: %s", err.Error())
	}
	return pem.EncodeToMemory(&pem.Block{
		Type:  "EC PRIVATE KEY",
		Bytes: der,
	}), nil
}
// PublicKeyForPrivateKey returns the public half of pk. RSA, ECDSA and
// Ed25519 private keys are supported; any other type returns an error.
func PublicKeyForPrivateKey(pk crypto.PrivateKey) (crypto.PublicKey, error) {
	switch pk.(type) {
	case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
		// All three implement crypto.Signer; Public() is the canonical accessor.
		return pk.(crypto.Signer).Public(), nil
	}
	return nil, fmt.Errorf("unknown private key type: %T", pk)
}
// PublicKeyMatchesCertificate reports whether check is the same public key
// as the one embedded in crt.
//
// Returns (false, nil) when the keys differ, (true, nil) when they are
// equal, and an error when the certificate's key type is not one of RSA,
// ECDSA or Ed25519 (see PublicKeysEqual).
func PublicKeyMatchesCertificate(check crypto.PublicKey, crt *x509.Certificate) (bool, error) {
	certKey := crt.PublicKey
	return PublicKeysEqual(certKey, check)
}
// PublicKeyMatchesCSR reports whether check is the same public key as the
// one embedded in csr.
//
// Returns (false, nil) when the keys differ, (true, nil) when they are
// equal, and an error when the CSR's key type is not one of RSA, ECDSA or
// Ed25519 (see PublicKeysEqual).
func PublicKeyMatchesCSR(check crypto.PublicKey, csr *x509.CertificateRequest) (bool, error) {
	csrKey := csr.PublicKey
	return PublicKeysEqual(csrKey, check)
}
// PublicKeysEqual reports whether public keys a and b are equal, using the
// key type's own Equal method (so the meaning of "equal" is type-specific,
// and a key of a different type than a is never equal).
//
// Returns an error when a is not an RSA, ECDSA or Ed25519 public key; b's
// type is never validated, a mismatch simply compares unequal.
func PublicKeysEqual(a, b crypto.PublicKey) (bool, error) {
	type comparable interface {
		Equal(crypto.PublicKey) bool
	}
	switch a.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
		return a.(comparable).Equal(b), nil
	}
	return false, fmt.Errorf("unrecognised public key type: %T", a)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
)
// Copied from x509.go
var (
	// OIDExtensionKeyUsage is id-ce-keyUsage (RFC 5280 §4.2.1.3).
	OIDExtensionKeyUsage = []int{2, 5, 29, 15}
	// OIDExtensionExtendedKeyUsage is id-ce-extKeyUsage (RFC 5280 §4.2.1.12).
	OIDExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
)
// RFC 5280, 4.2.1.12 Extended Key Usage
//
// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
//
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
//
// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
// Extended key usage OIDs understood by this package. The id-kp-* values are
// from RFC 5280; the Microsoft and Netscape ones are vendor arcs that Go's
// x509 package also recognises. These must stay in step with extKeyUsageOIDs.
var (
	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
)
// extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
// It is searched linearly in both directions by OIDFromExtKeyUsage and
// ExtKeyUsageFromOID; an ExtKeyUsage absent from this table cannot be
// marshalled, and an OID absent from it is reported as "unknown" when
// unmarshalling rather than being dropped.
var extKeyUsageOIDs = []struct {
	extKeyUsage x509.ExtKeyUsage
	oid         asn1.ObjectIdentifier
}{
	{x509.ExtKeyUsageAny, oidExtKeyUsageAny},
	{x509.ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
	{x509.ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
	{x509.ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
	{x509.ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
	{x509.ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
	{x509.ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
	{x509.ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
	{x509.ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
	{x509.ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
	{x509.ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
	{x509.ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
	{x509.ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
	{x509.ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
}
// OIDFromExtKeyUsage returns the ASN.1 object identifier for eku and true,
// or (nil, false) when eku is not in the extKeyUsageOIDs table.
func OIDFromExtKeyUsage(eku x509.ExtKeyUsage) (asn1.ObjectIdentifier, bool) {
	for _, entry := range extKeyUsageOIDs {
		if entry.extKeyUsage == eku {
			return entry.oid, true
		}
	}
	return nil, false
}
// ExtKeyUsageFromOID returns the x509.ExtKeyUsage for oid and true, or
// (0, false) when oid is not in the extKeyUsageOIDs table.
func ExtKeyUsageFromOID(oid asn1.ObjectIdentifier) (x509.ExtKeyUsage, bool) {
	for _, entry := range extKeyUsageOIDs {
		if entry.oid.Equal(oid) {
			return entry.extKeyUsage, true
		}
	}
	return 0, false
}
// asn1BitLength returns the number of significant bits in bitString using
// the ASN.1 BIT STRING convention: bit 0 is the most-significant bit of the
// first byte, and trailing zero bits do not count. An all-zero or empty
// input has length 0.
func asn1BitLength(bitString []byte) int {
	// Scan from the last byte backwards; within a byte, the least-significant
	// bit is the "last" ASN.1 bit, so it is checked first.
	for idx := len(bitString) - 1; idx >= 0; idx-- {
		b := bitString[idx]
		for bit := uint(0); bit < 8; bit++ {
			if (b>>bit)&1 == 1 {
				return idx*8 + int(8-bit)
			}
		}
	}
	return 0
}
// reverseBitsInAByte mirrors the bit order of a byte (bit 0 becomes bit 7
// and so on). It is used to convert between Go's little-endian-style
// KeyUsage bitmask and the ASN.1 BIT STRING order, where the first bit is
// the most-significant bit of the first byte.
func reverseBitsInAByte(in byte) byte {
	var out byte
	for i := 0; i < 8; i++ {
		out = out<<1 | (in>>i)&1
	}
	return out
}
// MarshalKeyUsage encodes usage as an X.509 KeyUsage extension.
//
// The bitmask is reversed byte-wise into ASN.1 BIT STRING order and trimmed
// to one byte unless the second byte (decipherOnly, bit 8) is set. The
// extension is always marked critical, as RFC 5280 §4.2.1.3 recommends for
// conforming CAs; relying parties that cannot interpret it must then reject
// the certificate rather than ignore the restriction.
func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error) {
	reversed := [2]byte{
		reverseBitsInAByte(byte(usage)),
		reverseBitsInAByte(byte(usage >> 8)),
	}
	bits := reversed[:1]
	if reversed[1] != 0 {
		bits = reversed[:2]
	}

	value, err := asn1.Marshal(asn1.BitString{Bytes: bits, BitLength: asn1BitLength(bits)})
	return pkix.Extension{Id: OIDExtensionKeyUsage, Critical: true, Value: value}, err
}
// UnmarshalKeyUsage decodes the DER value of an X.509 KeyUsage extension
// into Go's x509.KeyUsage bitmask.
//
// Only the nine bits defined by RFC 5280 (digitalSignature … decipherOnly)
// are read; any further bits in the BIT STRING are ignored. Returns an error
// if the value is not a valid BIT STRING or has trailing data.
func UnmarshalKeyUsage(value []byte) (usage x509.KeyUsage, err error) {
	var bits asn1.BitString
	rest, err := asn1.Unmarshal(value, &bits)
	if err != nil {
		return 0, err
	}
	if len(rest) != 0 {
		return 0, errors.New("x509: trailing data after X.509 KeyUsage")
	}

	var mask int
	for i := 0; i < 9; i++ {
		if bits.At(i) != 0 {
			mask |= 1 << uint(i) // #nosec G115 -- i is bounded to [0, 8]
		}
	}
	return x509.KeyUsage(mask), nil
}
// MarshalExtKeyUsage encodes an X.509 ExtendedKeyUsage extension holding the
// OIDs of extUsages followed by unknownUsages (OIDs with no x509.ExtKeyUsage
// counterpart), in that order.
//
// Returns an error if any of extUsages is not in the extKeyUsageOIDs table
// or if ASN.1 encoding fails. The extension is not marked critical.
func MarshalExtKeyUsage(extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
	ext := pkix.Extension{Id: OIDExtensionExtendedKeyUsage}

	oids := make([]asn1.ObjectIdentifier, 0, len(extUsages)+len(unknownUsages))
	for _, usage := range extUsages {
		oid, known := OIDFromExtKeyUsage(usage)
		if !known {
			return ext, errors.New("x509: unknown extended key usage")
		}
		oids = append(oids, oid)
	}
	oids = append(oids, unknownUsages...)

	value, err := asn1.Marshal(oids)
	ext.Value = value
	return ext, err
}
// UnmarshalExtKeyUsage decodes the DER value of an X.509 ExtendedKeyUsage
// extension. OIDs found in the extKeyUsageOIDs table are returned as
// x509.ExtKeyUsage values; the rest are returned verbatim in unknownUsages
// so that no requested usage is silently lost. Returns an error if the
// value is not a valid SEQUENCE OF OBJECT IDENTIFIER or has trailing data.
func UnmarshalExtKeyUsage(value []byte) (extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier, err error) {
	var oids []asn1.ObjectIdentifier
	rest, err := asn1.Unmarshal(value, &oids)
	if err != nil {
		return nil, nil, err
	}
	if len(rest) != 0 {
		return nil, nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
	}

	for _, oid := range oids {
		eku, known := ExtKeyUsageFromOID(oid)
		if known {
			extUsages = append(extUsages, eku)
		} else {
			unknownUsages = append(unknownUsages, oid)
		}
	}
	return extUsages, unknownUsages, nil
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509"
"fmt"
"time"
certificatesv1 "k8s.io/api/certificates/v1"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
experimentalapi "github.com/cert-manager/cert-manager/pkg/apis/experimental/v1alpha1"
)
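// DurationFromCertificateSigningRequest returns the certificate lifetime
// requested on a Kubernetes CertificateSigningRequest.
//
// Precedence: the "experimental.cert-manager.io/request-duration" annotation
// (experimentalapi.CertificateSigningRequestDurationAnnotationKey) wins when
// present, since it predates spec.expirationSeconds (Kubernetes v1.22+);
// otherwise spec.expirationSeconds is used; otherwise the cert-manager
// default, cmapi.DefaultCertificateDuration.
//
// Returns an error if the annotation is not a valid Go duration string or
// parses to a zero or negative duration — time.ParseDuration accepts "0s"
// and "-1h", and honouring either would yield an already-expired
// certificate. spec.expirationSeconds is not range-checked here.
// NOTE(review): presumably the API server enforces its documented minimum
// on spec.expirationSeconds — confirm before relying on it.
func DurationFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (time.Duration, error) {
	requestedDuration, ok := csr.Annotations[experimentalapi.CertificateSigningRequestDurationAnnotationKey]
	if !ok {
		if csr.Spec.ExpirationSeconds != nil {
			return time.Duration(*csr.Spec.ExpirationSeconds) * time.Second, nil
		}

		// The user may not have set a duration annotation. Use the default
		// duration in this case.
		return cmapi.DefaultCertificateDuration, nil
	}

	duration, err := time.ParseDuration(requestedDuration)
	if err != nil {
		return -1, fmt.Errorf("failed to parse requested duration on annotation %q: %w",
			experimentalapi.CertificateSigningRequestDurationAnnotationKey, err)
	}
	if duration <= 0 {
		return -1, fmt.Errorf("requested duration on annotation %q must be positive, got %s",
			experimentalapi.CertificateSigningRequestDurationAnnotationKey, duration)
	}

	return duration, nil
}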
// BuildKeyUsagesKube maps Kubernetes CSR key usages onto the x509 KeyUsage
// bitmask and ExtKeyUsage list they denote.
//
// An empty usages list defaults to digital signature + key encipherment.
// Any usage that is neither a known key usage nor a known extended key
// usage fails the whole call: the result is (-1, nil, error) listing every
// unrecognised value, so an unknown usage is never silently dropped.
func BuildKeyUsagesKube(usages []certificatesv1.KeyUsage) (x509.KeyUsage, []x509.ExtKeyUsage, error) {
	requested := usages
	if len(requested) == 0 {
		requested = []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment}
	}

	var (
		ku      x509.KeyUsage
		eku     []x509.ExtKeyUsage
		unknown []certificatesv1.KeyUsage
	)
	for _, usage := range requested {
		if bit, known := apiutil.KeyUsageTypeKube(usage); known {
			ku |= bit
			continue
		}
		if ext, known := apiutil.ExtKeyUsageTypeKube(usage); known {
			eku = append(eku, ext)
			continue
		}
		unknown = append(unknown, usage)
	}

	if len(unknown) > 0 {
		return -1, nil, fmt.Errorf("unknown key usages: %v", unknown)
	}
	return ku, eku, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"fmt"
"net"
"reflect"
"k8s.io/apimachinery/pkg/util/sets"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util"
)
// PrivateKeyMatchesSpec checks the given private key against the privateKey
// section of a CertificateSpec and returns the spec field paths that are
// violated ("spec.privateKey.algorithm" when the key type does not match the
// configured algorithm, "spec.privateKey.size" when the size/curve differs).
// A nil or empty result means the key satisfies the spec. RSA (also the
// default when no algorithm is set), Ed25519 and ECDSA keys are supported.
//
// The spec is deep-copied before PrivateKey is defaulted, so the caller's value
// is never modified.
//
// The function panics for an unknown key algorithm; CertificateSpec validation
// is expected to reject such a value long before it reaches this code.
func PrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) []string {
	specCopy := *spec.DeepCopy()
	if specCopy.PrivateKey == nil {
		specCopy.PrivateKey = &cmapi.CertificatePrivateKey{}
	}

	algorithm := specCopy.PrivateKey.Algorithm
	switch algorithm {
	case cmapi.Ed25519KeyAlgorithm:
		return ed25519PrivateKeyMatchesSpec(pk)
	case cmapi.ECDSAKeyAlgorithm:
		return ecdsaPrivateKeyMatchesSpec(pk, specCopy)
	case "", cmapi.RSAKeyAlgorithm:
		return rsaPrivateKeyMatchesSpec(pk, specCopy)
	}
	// Unreachable for validated specs: treat it as a programming error.
	panic(fmt.Sprintf("[PROGRAMMING ERROR] unrecognised key algorithm type %q", algorithm))
}
// rsaPrivateKeyMatchesSpec returns "spec.privateKey.algorithm" if pk is not an
// *rsa.PrivateKey, "spec.privateKey.size" if the modulus bit length differs
// from spec.PrivateKey.Size (MinRSAKeySize when Size is unset), and nil when
// the key matches.
func rsaPrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) []string {
	rsaKey, isRSA := pk.(*rsa.PrivateKey)
	if !isRSA {
		return []string{"spec.privateKey.algorithm"}
	}

	// TODO: we should not use implicit defaulting here, and instead rely on
	// defaulting performed within the Kubernetes apiserver here.
	// This requires careful handling in order to not interrupt users upgrading
	// from older versions.
	// The default RSA keySize is set to 2048.
	wantBits := spec.PrivateKey.Size
	if wantBits <= 0 {
		wantBits = MinRSAKeySize
	}

	if rsaKey.N.BitLen() == wantBits {
		return nil
	}
	return []string{"spec.privateKey.size"}
}
// ecdsaPrivateKeyMatchesSpec returns "spec.privateKey.algorithm" if pk is not
// an *ecdsa.PrivateKey, "spec.privateKey.size" if the curve's bit size differs
// from spec.PrivateKey.Size (ECCurve256 when Size is unset), and nil when the
// key matches.
func ecdsaPrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) []string {
	ecKey, isECDSA := pk.(*ecdsa.PrivateKey)
	if !isECDSA {
		return []string{"spec.privateKey.algorithm"}
	}

	// TODO: we should not use implicit defaulting here, and instead rely on
	// defaulting performed within the Kubernetes apiserver here.
	// This requires careful handling in order to not interrupt users upgrading
	// from older versions.
	// The default EC curve type is EC256
	wantBits := spec.PrivateKey.Size
	if wantBits <= 0 {
		wantBits = ECCurve256
	}

	if ecKey.Curve.Params().BitSize == wantBits {
		return nil
	}
	return []string{"spec.privateKey.size"}
}
// ed25519PrivateKeyMatchesSpec returns nil when pk is an ed25519.PrivateKey
// and "spec.privateKey.algorithm" otherwise. Ed25519 has a single fixed key
// size, so there is nothing else to compare against the spec.
func ed25519PrivateKeyMatchesSpec(pk crypto.PrivateKey) []string {
	if _, isEd25519 := pk.(ed25519.PrivateKey); isEd25519 {
		return nil
	}
	return []string{"spec.privateKey.algorithm"}
}
// ipSlicesMatch reports whether the already-parsed IPs and the textual IPs
// describe the same set of addresses, ignoring order. Each string is parsed
// with net.ParseIP (an unparsable string becomes a nil IP) and the two slices
// are then compared with util.EqualIPsUnsorted.
func ipSlicesMatch(parsedIPs []net.IP, stringIPs []string) bool {
	fromStrings := make([]net.IP, 0, len(stringIPs))
	for _, raw := range stringIPs {
		fromStrings = append(fromStrings, net.ParseIP(raw))
	}
	return util.EqualIPsUnsorted(fromStrings, parsedIPs)
}
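// RequestMatchesSpec compares a CertificateRequest with a CertificateSpec and
// returns the names of the Certificate spec fields whose values do not match
// their counterparts on the CertificateRequest. A nil/empty result means no
// mismatch was found.
//
// Which side of the request each field is read from:
//   - SANs (IP addresses, URIs, e-mail addresses, DNS names, otherNames) and
//     the subject come from the X.509 CSR decoded from req.Spec.Request;
//   - isCA, usages, duration and issuerRef come from req.Spec;
//   - when spec.LiteralSubject is set, the CSR's RawSubject is compared
//     byte-for-byte with the DER encoding of the literal subject instead of
//     comparing the individual subject fields;
//   - spec.Duration is only compared when both sides set a duration;
//   - spec.OtherNames is only compared when it is non-nil.
//
// An error is returned when the CSR cannot be decoded, when the CSR's otherName
// SANs cannot be parsed, or when spec.LiteralSubject cannot be parsed or
// DER-encoded.
func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpec) ([]string, error) {
	x509req, err := DecodeX509CertificateRequestBytes(req.Spec.Request)
	if err != nil {
		return nil, err
	}

	var violations []string

	if !ipSlicesMatch(x509req.IPAddresses, spec.IPAddresses) {
		violations = append(violations, "spec.ipAddresses")
	}
	if !util.EqualUnsorted(URLsToString(x509req.URIs), spec.URIs) {
		violations = append(violations, "spec.uris")
	}
	if !util.EqualUnsorted(x509req.EmailAddresses, spec.EmailAddresses) {
		violations = append(violations, "spec.emailAddresses")
	}
	if !util.EqualUnsorted(x509req.DNSNames, spec.DNSNames) {
		violations = append(violations, "spec.dnsNames")
	}
	if spec.OtherNames != nil {
		matched, err := matchOtherNames(x509req.Extensions, spec.OtherNames)
		if err != nil {
			return nil, err
		}
		if !matched {
			violations = append(violations, "spec.otherNames")
		}
	}

	if spec.LiteralSubject == "" {
		violations = append(violations, requestSubjectViolations(x509req, spec)...)
	} else {
		mismatch, err := literalSubjectMismatch(x509req, spec.LiteralSubject)
		if err != nil {
			return nil, err
		}
		if mismatch {
			violations = append(violations, "spec.literalSubject")
		}
	}

	if req.Spec.IsCA != spec.IsCA {
		violations = append(violations, "spec.isCA")
	}
	if !util.EqualKeyUsagesUnsorted(req.Spec.Usages, spec.Usages) {
		violations = append(violations, "spec.usages")
	}
	// Only compare durations when both sides explicitly set one.
	if req.Spec.Duration != nil && spec.Duration != nil &&
		req.Spec.Duration.Duration != spec.Duration.Duration {
		violations = append(violations, "spec.duration")
	}
	if !reflect.DeepEqual(req.Spec.IssuerRef, spec.IssuerRef) {
		violations = append(violations, "spec.issuerRef")
	}

	// TODO: check spec.EncodeBasicConstraintsInRequest and spec.EncodeUsagesInRequest
	return violations, nil
}

// requestSubjectViolations compares the individual subject fields of the
// decoded CSR against spec.commonName and spec.subject.* and returns the names
// of the fields that differ, in a fixed order. A nil spec.Subject is treated as
// an empty subject. spec is passed by value, so defaulting Subject here never
// affects the caller.
func requestSubjectViolations(x509req *x509.CertificateRequest, spec cmapi.CertificateSpec) []string {
	subject := spec.Subject
	if subject == nil {
		subject = &cmapi.X509Subject{}
	}

	var violations []string
	if x509req.Subject.CommonName != spec.CommonName {
		violations = append(violations, "spec.commonName")
	}
	if x509req.Subject.SerialNumber != subject.SerialNumber {
		violations = append(violations, "spec.subject.serialNumber")
	}

	// Every remaining subject attribute is a list compared without regard to order;
	// a table keeps the field-name/value pairing in one place.
	listFields := []struct {
		name      string
		got, want []string
	}{
		{"spec.subject.organizations", x509req.Subject.Organization, subject.Organizations},
		{"spec.subject.countries", x509req.Subject.Country, subject.Countries},
		{"spec.subject.localities", x509req.Subject.Locality, subject.Localities},
		{"spec.subject.organizationalUnits", x509req.Subject.OrganizationalUnit, subject.OrganizationalUnits},
		{"spec.subject.postCodes", x509req.Subject.PostalCode, subject.PostalCodes},
		{"spec.subject.provinces", x509req.Subject.Province, subject.Provinces},
		{"spec.subject.streetAddresses", x509req.Subject.StreetAddress, subject.StreetAddresses},
	}
	for _, field := range listFields {
		if !util.EqualUnsorted(field.got, field.want) {
			violations = append(violations, field.name)
		}
	}
	return violations
}

// literalSubjectMismatch reports whether the CSR's raw DER subject differs
// from the DER encoding of literalSubject. It returns an error when
// literalSubject cannot be parsed into an RDNSequence or that sequence cannot
// be marshalled.
func literalSubjectMismatch(x509req *x509.CertificateRequest, literalSubject string) (bool, error) {
	rdnSequence, err := UnmarshalSubjectStringToRDNSequence(literalSubject)
	if err != nil {
		return false, err
	}
	encoded, err := asn1.Marshal(rdnSequence)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(x509req.RawSubject, encoded), nil
}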
// matchOtherNames reports whether the otherName SANs carried in the CSR's
// extensions equal specOtherNames (compared unordered via
// util.EqualOtherNamesUnsorted).
//
// A missing SAN extension yields (false, nil): there is nothing to match, but
// that is a spec mismatch rather than a parse failure. Errors are returned when
// the SAN extension cannot be parsed, an otherName value cannot be unwrapped,
// or an otherName is not a UTF8String (the only type this comparison supports).
func matchOtherNames(extension []pkix.Extension, specOtherNames []cmapi.OtherName) (bool, error) {
	sanExtension, err := extractSANExtension(extension)
	if err != nil {
		return false, nil //nolint:nilerr
	}

	generalNames, err := UnmarshalSANs(sanExtension.Value)
	if err != nil {
		return false, err
	}

	found := make([]cmapi.OtherName, 0, len(generalNames.OtherNames))
	for _, otherName := range generalNames.OtherNames {
		// The value is wrapped once more in a context-specific [0] tag, so peel
		// that layer off before interpreting the inner universal type.
		var inner asn1.RawValue
		if _, err := asn1.Unmarshal(otherName.Value.Bytes, &inner); err != nil {
			return false, err
		}
		universal, err := UnmarshalUniversalValue(inner)
		if err != nil {
			return false, err
		}
		if universal.Type() != UniversalValueTypeUTF8String {
			return false, fmt.Errorf("otherName is not an utf8 value, got: %v", universal.Type())
		}
		found = append(found, cmapi.OtherName{
			OID:       otherName.TypeID.String(),
			UTF8Value: universal.UTF8String,
		})
	}

	return util.EqualOtherNamesUnsorted(found, specOtherNames), nil
}
// FuzzyX509AltNamesMatchSpec compares an issued X.509 certificate with a
// CertificateSpec and returns the names of the spec fields that do not match.
//
// The check is deliberately looser than RequestMatchesSpec because some
// issuers override or rewrite fields: commonName and dnsNames are compared as
// a single pooled set of names, so a name may move between the two fields
// without being reported. IP addresses, URIs and e-mail addresses are compared
// unordered.
//
// Deprecated: This function is very fuzzy and makes too many assumptions about
// how the issuer maps a CSR to a certificate. We only keep it for backward compatibility
// reasons, but use other comparison functions when possible.
func FuzzyX509AltNamesMatchSpec(x509cert *x509.Certificate, spec cmapi.CertificateSpec) []string {
	var violations []string

	// Pool commonName and dnsNames on both sides; CAs are known to promote a DNS
	// name to the CN or vice versa, and that must not count as a mismatch.
	wantNames := sets.New(spec.DNSNames...)
	if spec.CommonName != "" {
		wantNames.Insert(spec.CommonName)
	}
	haveNames := sets.New(x509cert.DNSNames...)
	if cn := x509cert.Subject.CommonName; cn != "" {
		haveNames.Insert(cn)
	}

	if !haveNames.Equal(wantNames) {
		// The pools differ; work out which of the two fields is responsible.
		specCNMissing := spec.CommonName != "" && !haveNames.Has(spec.CommonName)
		certCNUnexpected := x509cert.Subject.CommonName != "" && !wantNames.Has(x509cert.Subject.CommonName)
		if specCNMissing || certCNUnexpected {
			violations = append(violations, "spec.commonName")
		}
		if !haveNames.HasAll(spec.DNSNames...) || !wantNames.HasAll(x509cert.DNSNames...) {
			violations = append(violations, "spec.dnsNames")
		}
	}

	if !ipSlicesMatch(x509cert.IPAddresses, spec.IPAddresses) {
		violations = append(violations, "spec.ipAddresses")
	}
	if !util.EqualUnsorted(URLsToString(x509cert.URIs), spec.URIs) {
		violations = append(violations, "spec.uris")
	}
	if !util.EqualUnsorted(x509cert.EmailAddresses, spec.EmailAddresses) {
		violations = append(violations, "spec.emailAddresses")
	}

	return violations
}
// extractSANExtension returns the first extension whose OID is
// id-ce-subjectAltName (2.5.29.17), or an error if none is present.
func extractSANExtension(extensions []pkix.Extension) (pkix.Extension, error) {
	sanOID := asn1.ObjectIdentifier{2, 5, 29, 17}
	for i := range extensions {
		if extensions[i].Id.Equal(sanOID) {
			return extensions[i], nil
		}
	}
	return pkix.Extension{}, fmt.Errorf("SAN extension not present!")
}
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509/pkix"
"errors"
"fmt"
"net"
"golang.org/x/crypto/cryptobyte"
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
)
// OIDExtensionNameConstraints is the object identifier of the X.509
// NameConstraints extension (id-ce 30, RFC 5280 section 4.2.1.10).
// Copied from x509.go
var (
	OIDExtensionNameConstraints = []int{2, 5, 29, 30}
)
// NameConstraints is the decoded form of the X.509 NameConstraints extension
// (RFC 5280 section 4.2.1.10): the permitted and excluded subtrees, split by
// the kind of name each subtree constrains.
type NameConstraints struct {
	PermittedDNSDomains     []string
	ExcludedDNSDomains      []string
	PermittedIPRanges       []*net.IPNet
	ExcludedIPRanges        []*net.IPNet
	PermittedEmailAddresses []string
	ExcludedEmailAddresses  []string
	PermittedURIDomains     []string
	ExcludedURIDomains      []string
}

// IsEmpty reports whether no constraint of any kind, permitted or excluded,
// is set.
func (nc NameConstraints) IsEmpty() bool {
	total := len(nc.PermittedDNSDomains) + len(nc.ExcludedDNSDomains) +
		len(nc.PermittedIPRanges) + len(nc.ExcludedIPRanges) +
		len(nc.PermittedEmailAddresses) + len(nc.ExcludedEmailAddresses) +
		len(nc.PermittedURIDomains) + len(nc.ExcludedURIDomains)
	return total == 0
}
// MarshalNameConstraints DER-encodes nameConstraints as a NameConstraints
// extension (Id OIDExtensionNameConstraints) with the given criticality.
//
// Each DNS domain, IP range, e-mail address and URI domain becomes a
// GeneralSubtree whose base GeneralName carries the context-specific tag
// [2], [7], [1] and [6] respectively. The permitted subtrees are wrapped in
// [0] and the excluded ones in [1]; a wrapper is omitted when its list is
// empty. IP ranges are written as the masked address followed by the mask.
//
// String constraints must be IA5Strings; an error is returned otherwise, or
// when cryptobyte fails to serialise the structure.
//
// Adapted from x509.go
func MarshalNameConstraints(nameConstraints *NameConstraints, critical bool) (pkix.Extension, error) {
	const (
		emailTag cryptobyte_asn1.Tag = 1
		dnsTag   cryptobyte_asn1.Tag = 2
		uriTag   cryptobyte_asn1.Tag = 6
		ipTag    cryptobyte_asn1.Tag = 7
	)

	// addSubtree appends GeneralSubtree ::= SEQUENCE { base [tag] content }.
	addSubtree := func(b *cryptobyte.Builder, tag cryptobyte_asn1.Tag, content []byte) {
		b.AddASN1(cryptobyte_asn1.SEQUENCE, func(seq *cryptobyte.Builder) {
			seq.AddASN1(tag.ContextSpecific(), func(base *cryptobyte.Builder) {
				base.AddBytes(content)
			})
		})
	}

	// ipRangeBytes is the iPAddress GeneralName form for constraints: the
	// masked network address immediately followed by the mask.
	ipRangeBytes := func(ipNet *net.IPNet) []byte {
		maskedIP := ipNet.IP.Mask(ipNet.Mask)
		out := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
		out = append(out, maskedIP...)
		return append(out, ipNet.Mask...)
	}

	// encodeSubtrees serialises one GeneralSubtrees list in the order
	// DNS, IP, e-mail, URI.
	encodeSubtrees := func(dns []string, ips []*net.IPNet, emails, uriDomains []string) ([]byte, error) {
		var b cryptobyte.Builder
		for _, domain := range dns {
			if err := isIA5String(domain); err != nil {
				return nil, err
			}
			addSubtree(&b, dnsTag, []byte(domain))
		}
		for _, ipNet := range ips {
			addSubtree(&b, ipTag, ipRangeBytes(ipNet))
		}
		for _, email := range emails {
			if err := isIA5String(email); err != nil {
				return nil, err
			}
			addSubtree(&b, emailTag, []byte(email))
		}
		for _, uriDomain := range uriDomains {
			if err := isIA5String(uriDomain); err != nil {
				return nil, err
			}
			addSubtree(&b, uriTag, []byte(uriDomain))
		}
		return b.Bytes()
	}

	permitted, err := encodeSubtrees(
		nameConstraints.PermittedDNSDomains,
		nameConstraints.PermittedIPRanges,
		nameConstraints.PermittedEmailAddresses,
		nameConstraints.PermittedURIDomains,
	)
	if err != nil {
		return pkix.Extension{}, err
	}
	excluded, err := encodeSubtrees(
		nameConstraints.ExcludedDNSDomains,
		nameConstraints.ExcludedIPRanges,
		nameConstraints.ExcludedEmailAddresses,
		nameConstraints.ExcludedURIDomains,
	)
	if err != nil {
		return pkix.Extension{}, err
	}

	var outer cryptobyte.Builder
	outer.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
		if len(permitted) > 0 {
			b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
				b.AddBytes(permitted)
			})
		}
		if len(excluded) > 0 {
			b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
				b.AddBytes(excluded)
			})
		}
	})
	der, err := outer.Bytes()
	if err != nil {
		return pkix.Extension{}, err
	}

	return pkix.Extension{
		Id:       OIDExtensionNameConstraints,
		Critical: critical,
		Value:    der,
	}, nil
}
// parseCIDRs parses each CIDR string with net.ParseCIDR and returns the
// resulting networks in input order. It returns an empty, non-nil slice for no
// input, and stops at the first string that fails to parse, returning that
// parse error.
func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	ipRanges := make([]*net.IPNet, 0, len(cidrs))
	for _, cidr := range cidrs {
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, err
		}
		ipRanges = append(ipRanges, &net.IPNet{IP: network.IP, Mask: network.Mask})
	}
	return ipRanges, nil
}
// UnmarshalNameConstraints parses the DER value of a NameConstraints extension
// into a NameConstraints. It accepts DNS ([2]), e-mail ([1]), URI ([6]) and
// IP ([7]) GeneralSubtrees; any other GeneralName tag is an error, as are
// non-IA5String names, IP entries whose length is not twice IPv4len or IPv6len,
// and non-contiguous masks. An extension that carries neither permitted nor
// excluded subtrees is rejected, as RFC 5280 requires at least one of the two.
//
// Adapted from crypto/x509/parser.go
func UnmarshalNameConstraints(value []byte) (*NameConstraints, error) {
	// RFC 5280, 4.2.1.10
	// NameConstraints ::= SEQUENCE {
	// permittedSubtrees [0] GeneralSubtrees OPTIONAL,
	// excludedSubtrees [1] GeneralSubtrees OPTIONAL }
	//
	// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
	//
	// GeneralSubtree ::= SEQUENCE {
	// base GeneralName,
	// minimum [0] BaseDistance DEFAULT 0,
	// maximum [1] BaseDistance OPTIONAL }
	//
	// BaseDistance ::= INTEGER (0..MAX)
	outer := cryptobyte.String(value)
	var toplevel, permitted, excluded cryptobyte.String
	var havePermitted, haveExcluded bool
	// The order of these reads matters: the outer SEQUENCE must be consumed
	// entirely, then [0] and [1] are read optionally in that order, and no
	// trailing bytes may remain.
	if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
		!outer.Empty() ||
		!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
		!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
		!toplevel.Empty() {
		return nil, errors.New("x509: invalid NameConstraints extension")
	}
	// Both "no subtree tag at all" and "tags present but both lists empty"
	// are rejected.
	if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
		// From RFC 5280, Section 4.2.1.10:
		// “either the permittedSubtrees field
		// or the excludedSubtrees MUST be
		// present”
		return nil, errors.New("x509: empty name constraints extension")
	}
	// getValues decodes one GeneralSubtrees list, dispatching on the
	// context-specific tag of each subtree's base GeneralName.
	getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
		for !subtrees.Empty() {
			var seq, value cryptobyte.String
			var tag cryptobyte_asn1.Tag
			if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
				!seq.ReadAnyASN1(&value, &tag) {
				return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
			}
			var (
				dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
				emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
				ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
				uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
			)
			switch tag {
			case dnsTag:
				domain := string(value)
				if err := isIA5String(domain); err != nil {
					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
				}
				dnsNames = append(dnsNames, domain)
			case ipTag:
				// An IP constraint is address followed by mask, so its length fixes
				// the address family.
				l := len(value)
				var ip, mask []byte
				switch l {
				case 2 * net.IPv4len:
					ip = value[:net.IPv4len]
					mask = value[net.IPv4len:]
				case 2 * net.IPv6len:
					ip = value[:net.IPv6len]
					mask = value[net.IPv6len:]
				default:
					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
				}
				if !isValidIPMask(mask) {
					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
				}
				ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
			case emailTag:
				constraint := string(value)
				if err := isIA5String(constraint); err != nil {
					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
				}
				emails = append(emails, constraint)
			case uriTag:
				domain := string(value)
				if err := isIA5String(domain); err != nil {
					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
				}
				uriDomains = append(uriDomains, domain)
			default:
				return nil, nil, nil, nil, fmt.Errorf("x509: unsupported NameConstraints tag: %v", tag)
			}
		}
		return dnsNames, ips, emails, uriDomains, nil
	}
	out := &NameConstraints{}
	var err error
	if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
		return nil, err
	}
	if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
		return nil, err
	}
	return out, nil
}
// isValidIPMask reports whether mask is a contiguous netmask: a run of 0xff
// octets, optionally one octet with leading one bits followed by zero bits,
// and then only 0x00 octets. An empty mask is valid.
func isValidIPMask(mask []byte) bool {
	for i, octet := range mask {
		if octet == 0xff {
			continue
		}
		// The first non-0xff octet must itself be "ones then zeros" ...
		switch octet {
		case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
		default:
			return false
		}
		// ... and everything after it must be zero.
		for _, rest := range mask[i+1:] {
			if rest != 0 {
				return false
			}
		}
		return true
	}
	return true
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto"
"crypto/x509"
stdpem "encoding/pem"
"github.com/cert-manager/cert-manager/internal/pem"
"github.com/cert-manager/cert-manager/pkg/util/errors"
)
// DecodePrivateKeyBytes decodes a PEM-encoded private key into a crypto.Signer.
// The PEM block is read with pem.SafeDecodePrivateKey and dispatched on its
// type: "PRIVATE KEY" (PKCS#8; the parsed key must implement crypto.Signer),
// "EC PRIVATE KEY" (SEC 1 ECDSA) and "RSA PRIVATE KEY" (PKCS#1, additionally
// checked with rsa.PrivateKey.Validate). Any other block type, or a key that
// fails to parse or validate, yields an errors.NewInvalidData error.
func DecodePrivateKeyBytes(keyBytes []byte) (crypto.Signer, error) {
	block, _, err := pem.SafeDecodePrivateKey(keyBytes)
	if err != nil {
		return nil, errors.NewInvalidData("error decoding private key PEM block: %s", err.Error())
	}

	var signer crypto.Signer
	switch block.Type {
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, errors.NewInvalidData("error parsing pkcs#8 private key: %s", err.Error())
		}
		// PKCS#8 can wrap key types that cannot sign; only signers are accepted.
		var isSigner bool
		if signer, isSigner = key.(crypto.Signer); !isSigner {
			return nil, errors.NewInvalidData("error parsing pkcs#8 private key: invalid key type")
		}
	case "EC PRIVATE KEY":
		ecKey, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, errors.NewInvalidData("error parsing ecdsa private key: %s", err.Error())
		}
		signer = ecKey
	case "RSA PRIVATE KEY":
		rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, errors.NewInvalidData("error parsing rsa private key: %s", err.Error())
		}
		if err := rsaKey.Validate(); err != nil {
			return nil, errors.NewInvalidData("rsa private key failed validation: %s", err.Error())
		}
		signer = rsaKey
	default:
		return nil, errors.NewInvalidData("unknown private key type: %s", block.Type)
	}
	return signer, nil
}
// decodeMultipleCerts repeatedly applies decodeFn to certBytes, parsing every
// PEM block it yields as an X.509 certificate, until decodeFn reports
// pem.ErrNoPEMData. Certificates are returned in input order. Any other decode
// error is returned as-is; a certificate that fails to parse, or an input with
// no certificates at all, yields an errors.NewInvalidData error.
func decodeMultipleCerts(certBytes []byte, decodeFn func([]byte) (*stdpem.Block, []byte, error)) ([]*x509.Certificate, error) {
	certs := []*x509.Certificate{}
	rest := certBytes
	for {
		block, remaining, err := decodeFn(rest)
		// `errors` in this file is the cert-manager errors package, so the
		// sentinel is compared directly.
		if err == pem.ErrNoPEMData {
			break
		}
		if err != nil {
			return nil, err
		}
		rest = remaining

		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, errors.NewInvalidData("error parsing X.509 certificate: %s", err.Error())
		}
		certs = append(certs, cert)
	}

	if len(certs) == 0 {
		return nil, errors.NewInvalidData("error decoding certificate PEM block: no valid certificates found")
	}
	return certs, nil
}
// DecodeX509CertificateChainBytes decodes a PEM-encoded X.509 certificate
// chain using pem.SafeDecodeCertificateChain, whose tight size limit reduces
// the risk of resource-exhaustion from oversized input. For large inputs such
// as trust bundles, use DecodeX509CertificateSetBytes instead.
func DecodeX509CertificateChainBytes(certBytes []byte) ([]*x509.Certificate, error) {
	chainDecoder := pem.SafeDecodeCertificateChain
	return decodeMultipleCerts(certBytes, chainDecoder)
}
// DecodeX509CertificateSetBytes decodes a concatenated set of PEM-encoded
// X.509 certificates using pem.SafeDecodeCertificateBundle, whose more
// generous size limit accommodates TLS trust bundles. For a single chain,
// prefer the stricter DecodeX509CertificateChainBytes.
func DecodeX509CertificateSetBytes(certBytes []byte) ([]*x509.Certificate, error) {
	bundleDecoder := pem.SafeDecodeCertificateBundle
	return decodeMultipleCerts(certBytes, bundleDecoder)
}
// DecodeX509CertificateBytes decodes PEM input with
// DecodeX509CertificateSetBytes and returns the first certificate found;
// any further certificates in the input are ignored. Errors from the set
// decoder are returned unchanged.
func DecodeX509CertificateBytes(certBytes []byte) (*x509.Certificate, error) {
	certs, err := DecodeX509CertificateSetBytes(certBytes)
	if err != nil {
		return nil, err
	}
	// decodeMultipleCerts fails when it finds no certificate, so on success
	// there is always at least one.
	first := certs[0]
	return first, nil
}
// DecodeX509CertificateRequestBytes decodes a PEM-encoded X.509 certificate
// request. PEM decoding goes through pem.SafeDecodeCSR and a decode failure is
// reported as an errors.NewInvalidData error; a DER parse failure from
// x509.ParseCertificateRequest is returned unchanged.
func DecodeX509CertificateRequestBytes(csrBytes []byte) (*x509.CertificateRequest, error) {
	block, _, err := pem.SafeDecodeCSR(csrBytes)
	if err != nil {
		return nil, errors.NewInvalidData("error decoding certificate request PEM block: %s", err)
	}

	request, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return request, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"bytes"
"crypto/x509"
"slices"
"github.com/cert-manager/cert-manager/pkg/util/errors"
)
// PEMBundle includes the PEM encoded X.509 certificate chain and CA. CAPEM
// contains either 1 CA certificate, or is empty if only a single certificate
// exists in the chain.
type PEMBundle struct {
	// CAPEM is the PEM encoding of the top-most certificate of the chain, or
	// empty when the chain is a single non-self-signed certificate.
	CAPEM []byte
	// ChainPEM is the PEM encoding of the chain, leaf first; self-signed
	// roots are left out.
	ChainPEM []byte
}
// chainNode is one link of a certificate chain built as a singly linked list:
// each node points at the node holding the certificate that issued it, and
// the top of the chain has a nil issuer.
type chainNode struct {
	cert   *x509.Certificate
	issuer *chainNode
}
// ParseSingleCertificateChainPEM decodes a PEM-encoded certificate chain
// (with the size limit of DecodeX509CertificateChainBytes) and hands the
// certificates to ParseSingleCertificateChain. Decoding errors are returned
// with an empty PEMBundle.
func ParseSingleCertificateChainPEM(pembundle []byte) (PEMBundle, error) {
	certs, err := DecodeX509CertificateChainBytes(pembundle)
	if err != nil {
		return PEMBundle{}, err
	}
	return ParseSingleCertificateChain(certs)
}
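// ParseSingleCertificateChain returns the PEM-encoded chain of certificates as
// well as the PEM-encoded CA certificate.
//
// The CA (CAPEM) may not be a true root, but the highest intermediate certificate.
// The certificate is chosen as follows:
//   - If the chain has a self-signed root, the root certificate.
//   - If the chain has no self-signed root and has > 1 certificates, the highest certificate in the chain.
//   - If the chain has no self-signed root and has == 1 certificate, nil.
//
// The certificate chain (ChainPEM) starts with the leaf certificate and ends with the
// highest certificate in the chain which is not self-signed. Self-signed certificates
// are not included in the chain because we are certain they are known and trusted by the
// client already.
//
// This function removes duplicate certificate entries as well as comments and
// unnecessary white space.
//
// An error is returned if certs is empty, contains a nil certificate or one
// without Raw bytes, holds more than 1000 unique certificates, is not a valid
// single chain, or the chain is broken.
func ParseSingleCertificateChain(certs []*x509.Certificate) (PEMBundle, error) {
	// An empty input would otherwise reach the final chains[0] below and panic.
	if len(certs) == 0 {
		return PEMBundle{}, errors.NewInvalidData("certificate chain is empty")
	}
	for _, cert := range certs {
		switch {
		case cert == nil:
			return PEMBundle{}, errors.NewInvalidData("certificate chain contains nil certificate")
		case len(cert.Raw) == 0:
			return PEMBundle{}, errors.NewInvalidData("certificate chain contains certificate without Raw set")
		}
	}

	// De-duplicate by DER bytes: sort, then drop adjacent equals. This is
	// O(n log n) and spares every consumer from doing it themselves.
	unique := slices.Clone(certs)
	slices.SortFunc(unique, func(a, b *x509.Certificate) int {
		return bytes.Compare(a.Raw, b.Raw)
	})
	unique = slices.CompactFunc(unique, func(a, b *x509.Certificate) bool {
		return bytes.Equal(a.Raw, b.Raw)
	})

	// The merge below is O(n^2); bound n so a hostile input cannot turn it into
	// a denial of service.
	if len(unique) > 1000 {
		return PEMBundle{}, errors.NewInvalidData("certificate chain is too long, must be less than 1000 certificates")
	}

	// Start with one single-node list per certificate ...
	chains := make([]*chainNode, 0, len(unique))
	for _, cert := range unique {
		chains = append(chains, &chainNode{cert: cert})
	}

	// ... and repeatedly glue lists together until one remains. Each pass pops
	// the last list and tries to merge it into any of the others; a pass that
	// merges nothing means the input can never form a single chain.
	for len(chains) > 1 {
		last := chains[len(chains)-1]
		chains = chains[:len(chains)-1]

		mergedAt := -1
		for i, candidate := range chains {
			if merged, ok := last.tryMergeChain(candidate); ok {
				chains[i] = merged
				mergedAt = i
				break
			}
		}
		if mergedAt < 0 {
			return PEMBundle{}, errors.NewInvalidData("certificate chain is malformed or broken")
		}
	}

	// Exactly one list is left; encode it.
	return chains[0].toBundleAndCA()
}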
// toBundleAndCA walks the chain from this node (the leaf) up to the node with
// no issuer and encodes it as a PEMBundle: ChainPEM holds the certificates
// from the leaf upwards and CAPEM holds the top-most certificate.
//
// The top-most certificate is appended to ChainPEM only when it is not
// self-signed; self-signed roots are omitted from the chain because the remote
// end must already possess them to validate it (RFC 5246, section 7.4.2).
// For a single-certificate chain, ChainPEM is that certificate and CAPEM is
// set to it as well only if it is self-signed (otherwise CAPEM stays empty).
// Errors come from EncodeX509 / EncodeX509Chain.
func (c *chainNode) toBundleAndCA() (PEMBundle, error) {
	var chain []*x509.Certificate
	node := c
	for node.issuer != nil {
		chain = append(chain, node.cert)
		node = node.issuer
	}
	ca := node.cert

	// The top node joins the chain only when something sits below it and it is
	// not a self-signed root.
	if len(chain) > 0 && !isSelfSignedCertificate(ca) {
		chain = append(chain, ca)
	}

	caPEM, err := EncodeX509(ca)
	if err != nil {
		return PEMBundle{}, err
	}

	if len(chain) == 0 {
		// Single certificate: it is the whole chain, and also the CA when it
		// signed itself.
		if isSelfSignedCertificate(ca) {
			return PEMBundle{ChainPEM: caPEM, CAPEM: caPEM}, nil
		}
		return PEMBundle{ChainPEM: caPEM}, nil
	}

	chainPEM, err := EncodeX509Chain(chain)
	if err != nil {
		return PEMBundle{}, err
	}
	return PEMBundle{CAPEM: caPEM, ChainPEM: chainPEM}, nil
}
// tryMergeChain tries to glue the chains rooted at a and b into one, in either
// direction, and returns the resulting chain head and true on success. The
// argument order does not matter: first a is tested as the issuer of b's
// top-most certificate, then b as the issuer of a's.
//
// A certificate is accepted as issuer of another when the child's RawIssuer
// equals the parent's RawSubject (a cheap filter) and the child's signature
// verifies with child.CheckSignatureFrom(parent). On success the top node of
// the glued-on chain gets the other chain's head as its issuer, so the node
// structure is mutated in place.
//
// When neither direction works, (a, false) is returned and nothing is changed.
func (a *chainNode) tryMergeChain(b *chainNode) (*chainNode, bool) {
	signedBy := func(child, parent *x509.Certificate) bool {
		if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
			return false
		}
		return child.CheckSignatureFrom(parent) == nil
	}

	if bRoot := b.root(); signedBy(bRoot.cert, a.cert) {
		bRoot.issuer = a
		return b, true
	}
	if aRoot := a.root(); signedBy(aRoot.cert, b.cert) {
		aRoot.issuer = b
		return a, true
	}
	return a, false
}
// root follows issuer pointers upwards and returns the top-most node of the
// chain, i.e. the one with no issuer. A node without an issuer is its own root.
func (c *chainNode) root() *chainNode {
	node := c
	for {
		if node.issuer == nil {
			return node
		}
		node = node.issuer
	}
}
// isSelfSignedCertificate reports whether the certificate's signature
// verifies under its own public key, which is what makes it a "root".
//
// Only the signature is checked: subject and issuer names are not compared.
// Because CheckSignatureFrom also applies the standard library's checks on
// the signing certificate, a certificate that lacks CA basic constraints is
// reported as not self-signed even when the signature itself would verify.
// Self-signed does not imply trusted; callers still decide which roots to
// accept.
func isSelfSignedCertificate(cert *x509.Certificate) bool {
	err := cert.CheckSignatureFrom(cert)
	return err == nil
}
// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
package pki
// FuzzUnmarshalSubjectStringToRDNSequence is a fuzz entry point that feeds
// arbitrary bytes, as a string, to UnmarshalSubjectStringToRDNSequence. The
// result and error are discarded: the harness only cares that parsing
// untrusted subject strings never panics or hangs. It always returns 1.
func FuzzUnmarshalSubjectStringToRDNSequence(data []byte) int {
	_, _ = UnmarshalSubjectStringToRDNSequence(string(data))
	return 1
}
// FuzzDecodePrivateKeyBytes is a fuzz entry point that hands arbitrary bytes
// to DecodePrivateKeyBytes. The decoded key and error are discarded; the
// harness only checks that untrusted key material cannot crash the decoder.
// It always returns 1.
func FuzzDecodePrivateKeyBytes(data []byte) int {
	_, _ = DecodePrivateKeyBytes(data)
	return 1
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// RenewalTimeFunc is the signature of a function that computes when a
// certificate should be renewed from its notBefore and notAfter times, an
// optional explicit renew-before duration and an optional renew-before
// percentage. RenewalTime in this file has this shape; the type exists so
// callers can substitute a different policy.
type RenewalTimeFunc func(time.Time, time.Time, *metav1.Duration, *int32) *metav1.Time
// RenewalTime calculates the renewal time for a certificate valid from
// notBefore until notAfter.
//
// The lead time before expiry is delegated to RenewBefore: an explicit
// renewBefore shorter than the lifetime wins, otherwise a renewBeforePercentage
// in (0,100) is applied to the lifetime, otherwise the certificate is renewed
// 2/3 of the way through its lifetime.
//
// The result is truncated to whole seconds. The renewal time is also stored on
// the Certificate's status, where it is truncated to the second, and that
// stored value decides when the Certificate is queued for renewal; this
// function is then re-run to decide whether renewal is due _now_. Returning a
// sub-second value here would make the queue fire slightly before this check
// agrees, so Certificates would be re-queued early and never actually renewed.
// See https://github.com/cert-manager/cert-manager/pull/4399.
func RenewalTime(notBefore, notAfter time.Time, renewBefore *metav1.Duration, renewBeforePercentage *int32) *metav1.Time {
	lifetime := notAfter.Sub(notBefore)
	leadTime := RenewBefore(lifetime, renewBefore, renewBeforePercentage)
	renewAt := notAfter.Add(-leadTime).Truncate(time.Second)
	result := metav1.NewTime(renewAt)
	return &result
}
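// RenewBefore calculates how far before expiry a certificate should be renewed.
//
// Precedence:
//  1. If renewBefore is non-nil, positive and shorter than actualDuration, it
//     is returned as-is. Users may renew long-lived certificates as often as
//     they like.
//  2. Otherwise, if renewBeforePercentage is non-nil and in the open range
//     (0,100), the lead time is that percentage of actualDuration.
//  3. Otherwise the default is one third of the lifetime, i.e. renewal 2/3 of
//     the way through it.
//
// actualDuration is the certificate's full lifetime (notAfter - notBefore).
// The returned value is a lead time before expiry, not a point in time.
func RenewBefore(actualDuration time.Duration, renewBefore *metav1.Duration, renewBeforePercentage *int32) time.Duration {
	switch {
	case renewBefore != nil && renewBefore.Duration > 0 && renewBefore.Duration < actualDuration:
		return renewBefore.Duration
	case renewBeforePercentage != nil && *renewBeforePercentage > 0 && *renewBeforePercentage < 100:
		// actualDuration*pct is computed in int64 nanoseconds and silently
		// wraps once the lifetime exceeds roughly 2.9 years (a 10-year CA
		// certificate with pct=90 is enough), producing a garbage lead time.
		// Split the multiplication instead: every intermediate stays below
		// actualDuration, and the result equals trunc(actualDuration*pct/100)
		// exactly, for negative lifetimes too.
		pct := time.Duration(*renewBeforePercentage)
		whole, rem := actualDuration/100, actualDuration%100
		return whole*pct + rem*pct/100
	default:
		return actualDuration / 3
	}
}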
/*
Copyright 2023 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"fmt"
"net"
"strconv"
)
// Copied from x509.go: the OBJECT IDENTIFIER of the subjectAltName extension
// (id-ce 17), used as the Id of the pkix.Extension built by MarshalSANs.
var (
	oidExtensionSubjectAltName = []int{2, 5, 29, 17}
)
// OtherName is the otherName alternative of GeneralName, based on RFC 5280,
// section 4.2.1.6 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6).
//
// The Value is kept as an undecoded asn1.RawValue because its ASN.1 type is
// only defined by the TypeID; interpreting it is left to the caller.
/*
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
*/
type OtherName struct {
	// TypeID identifies the kind of name carried in Value.
	TypeID asn1.ObjectIdentifier
	// Value is the [0] EXPLICIT-tagged payload, left undecoded.
	Value asn1.RawValue `asn1:"tag:0,explicit"`
}
// EDIPartyName is the ediPartyName alternative of GeneralName, based on
// RFC 5280, section 4.2.1.6
// (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6).
/*
EDIPartyName ::= SEQUENCE {
nameAssigner [0] DirectoryString OPTIONAL,
partyName [1] DirectoryString }
*/
type EDIPartyName struct {
	// NameAssigner is the optional [0]-tagged assigner of the party name.
	NameAssigner string `asn1:"tag:0,optional"`
	// PartyName is the mandatory [1]-tagged party name.
	PartyName string `asn1:"tag:1"`
}
// Context-specific tag numbers of the GeneralName CHOICE alternatives, based
// on RFC 5280, section 4.2.1.6
// (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6). They are
// used both to dispatch on v.Tag when decoding SANs and as the "tag:N"
// parameter when encoding them.
/*
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dnsName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
ipAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
*/
const (
	nameTypeOtherName                 = 0
	nameTypeRFC822Name                = 1
	nameTypeDNSName                   = 2
	nameTypeX400Address               = 3
	nameTypeDirectoryName             = 4
	nameTypeEDIPartyName              = 5
	nameTypeUniformResourceIdentifier = 6
	nameTypeIPAddress                 = 7
	nameTypeRegisteredID              = 8
)
// GeneralNames holds the contents of a subjectAltName extension, one slice per
// GeneralName CHOICE alternative. It is the decoded form produced by
// UnmarshalSANs and the input consumed by MarshalSANs.
type GeneralNames struct {
	// OtherNames are otherName [0] entries.
	OtherNames []OtherName
	// RFC822Names are rfc822Name [1] entries (email addresses, IA5String).
	RFC822Names []string
	// DNSNames are dNSName [2] entries (IA5String).
	DNSNames []string
	// X400Addresses are x400Address [3] entries, kept undecoded.
	X400Addresses []asn1.RawValue
	// DirectoryNames are directoryName [4] entries.
	DirectoryNames []pkix.RDNSequence
	// EDIPartyNames are ediPartyName [5] entries.
	EDIPartyNames []EDIPartyName
	// UniformResourceIdentifiers are uniformResourceIdentifier [6] entries (IA5String).
	UniformResourceIdentifiers []string
	// IPAddresses are iPAddress [7] entries; UnmarshalSANs only accepts
	// 4- or 16-byte values.
	IPAddresses []net.IP
	// RegisteredIDs are registeredID [8] entries.
	RegisteredIDs []asn1.ObjectIdentifier
}
// Empty reports whether gns holds no names of any kind, which is the case in
// which no subjectAltName extension needs to be emitted.
func (gns GeneralNames) Empty() bool {
	counts := [...]int{
		len(gns.OtherNames),
		len(gns.RFC822Names),
		len(gns.DNSNames),
		len(gns.X400Addresses),
		len(gns.DirectoryNames),
		len(gns.EDIPartyNames),
		len(gns.UniformResourceIdentifiers),
		len(gns.IPAddresses),
		len(gns.RegisteredIDs),
	}
	for _, n := range counts {
		if n > 0 {
			return false
		}
	}
	return true
}
// adapted from https://cs.opensource.google/go/go/+/master:src/crypto/x509/parser.go;l=373-416;drc=16d3040a84be821d801b75bd1a3d8ab4cc89ee36
//
// UnmarshalSANs decodes the value of a subjectAltName extension into a
// GeneralNames, dispatching on the context-specific tag of each GeneralName.
//
// Validation mirrors the standard library parser: rfc822Name, dNSName and
// uniformResourceIdentifier must be IA5Strings, iPAddress must be exactly 4 or
// 16 bytes, and any tag outside the CHOICE yields a StructuralError. The
// structured alternatives (otherName, directoryName, ediPartyName,
// registeredID) are decoded with encoding/asn1 and report its errors.
//
// On error the returned GeneralNames holds whatever was decoded before the
// failure. The IPAddresses and X400Addresses entries reference sub-slices of
// value rather than copies, so value should not be modified afterwards.
func UnmarshalSANs(value []byte) (GeneralNames, error) {
	var out GeneralNames

	// decodeTagged decodes the full TLV of v into dst, expecting the given
	// context-specific tag.
	decodeTagged := func(v asn1.RawValue, tag int, dst any) error {
		_, err := asn1.UnmarshalWithParams(v.FullBytes, dst, fmt.Sprintf("tag:%d", tag))
		return err
	}
	// ia5 returns v's content as a string, or an error with the given message
	// if it contains characters outside the IA5 repertoire.
	ia5 := func(v asn1.RawValue, malformed string) (string, error) {
		s := string(v.Bytes)
		if isIA5String(s) != nil {
			return "", errors.New(malformed)
		}
		return s, nil
	}

	handle := func(v asn1.RawValue) error {
		switch v.Tag {
		case nameTypeOtherName:
			var on OtherName
			if err := decodeTagged(v, nameTypeOtherName, &on); err != nil {
				return err
			}
			out.OtherNames = append(out.OtherNames, on)
		case nameTypeRFC822Name:
			email, err := ia5(v, "x509: SAN rfc822Name is malformed")
			if err != nil {
				return err
			}
			out.RFC822Names = append(out.RFC822Names, email)
		case nameTypeDNSName:
			host, err := ia5(v, "x509: SAN dNSName is malformed")
			if err != nil {
				return err
			}
			out.DNSNames = append(out.DNSNames, host)
		case nameTypeX400Address:
			out.X400Addresses = append(out.X400Addresses, v)
		case nameTypeDirectoryName:
			var dn pkix.RDNSequence
			if err := decodeTagged(v, nameTypeDirectoryName, &dn); err != nil {
				return err
			}
			out.DirectoryNames = append(out.DirectoryNames, dn)
		case nameTypeEDIPartyName:
			var edi EDIPartyName
			if err := decodeTagged(v, nameTypeEDIPartyName, &edi); err != nil {
				return err
			}
			out.EDIPartyNames = append(out.EDIPartyNames, edi)
		case nameTypeUniformResourceIdentifier:
			uri, err := ia5(v, "x509: SAN uniformResourceIdentifier is malformed")
			if err != nil {
				return err
			}
			out.UniformResourceIdentifiers = append(out.UniformResourceIdentifiers, uri)
		case nameTypeIPAddress:
			if n := len(v.Bytes); n != net.IPv4len && n != net.IPv6len {
				return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(n))
			}
			out.IPAddresses = append(out.IPAddresses, v.Bytes)
		case nameTypeRegisteredID:
			var oid asn1.ObjectIdentifier
			if err := decodeTagged(v, nameTypeRegisteredID, &oid); err != nil {
				return err
			}
			out.RegisteredIDs = append(out.RegisteredIDs, oid)
		default:
			return asn1.StructuralError{Msg: "bad SAN choice"}
		}
		return nil
	}

	if err := forEachSAN(value, handle); err != nil {
		return out, err
	}
	return out, nil
}
// forEachSAN walks the GeneralNames SEQUENCE that forms a subjectAltName
// extension value and invokes callback once per element, in order.
//
// The outer value must be a universal, constructed SEQUENCE and must span the
// whole input: trailing bytes after it are rejected rather than ignored, so an
// extension cannot carry unparsed data past this decoder. Any asn1 decoding
// error, and the first non-nil error returned by callback, stops the walk and
// is returned.
func forEachSAN(extension []byte, callback func(v asn1.RawValue) error) error {
	var outer asn1.RawValue
	trailing, err := asn1.Unmarshal(extension, &outer)
	switch {
	case err != nil:
		return err
	case len(trailing) != 0:
		return fmt.Errorf("x509: trailing data after X.509 extension")
	case !outer.IsCompound || outer.Tag != asn1.TagSequence || outer.Class != asn1.ClassUniversal:
		return asn1.StructuralError{Msg: "bad SAN sequence"}
	}

	body := outer.Bytes
	for len(body) > 0 {
		var name asn1.RawValue
		if body, err = asn1.Unmarshal(body, &name); err != nil {
			return err
		}
		if err = callback(name); err != nil {
			return err
		}
	}
	return nil
}
// adapted from https://cs.opensource.google/go/go/+/master:src/crypto/x509/x509.go;l=1059-1103;drc=e2d9574b14b3db044331da0c6fadeb62315c644a
//
// MarshalSANs encodes the names in gns as a subjectAltName extension.
//
// Entries are emitted in the order the Go x509 library uses (dNSName,
// rfc822Name, iPAddress, uniformResourceIdentifier), followed by the remaining
// CHOICE alternatives (otherName, x400Address, directoryName, ediPartyName,
// registeredID). IPv4 addresses are always written in their 4-byte form.
//
// The extension is marked critical exactly when hasSubject is false: RFC 5280
// §4.2.1.6 requires subjectAltName to be critical whenever the certificate's
// subject field is empty, because the SAN is then the only identity bound to
// the key. An error is returned if any string value is not a valid IA5String
// or if ASN.1 encoding fails; in that case the extension is zero-valued.
func MarshalSANs(gns GeneralNames, hasSubject bool) (pkix.Extension, error) {
	var (
		names    []asn1.RawValue
		firstErr error
	)

	// encodeTagged DER-encodes val under the given context-specific tag and
	// appends the bytes verbatim. After the first failure every further call
	// is a no-op so that exactly that error is reported below.
	encodeTagged := func(tag int, val any) {
		if firstErr != nil {
			return
		}
		der, err := asn1.MarshalWithParams(val, fmt.Sprint("tag:", tag))
		if err != nil {
			firstErr = err
			return
		}
		names = append(names, asn1.RawValue{FullBytes: der})
	}
	// appendIA5 adds a context-specific IA5String, refusing characters outside
	// the IA5 repertoire.
	appendIA5 := func(tag int, val string) {
		if firstErr != nil {
			return
		}
		if isIA5String(val) != nil {
			firstErr = fmt.Errorf("x509: %q cannot be encoded as an IA5String", val)
			return
		}
		names = append(names, asn1.RawValue{Tag: tag, Class: asn1.ClassContextSpecific, Bytes: []byte(val)})
	}

	// Go x509 ordering first.
	for _, s := range gns.DNSNames {
		appendIA5(nameTypeDNSName, s)
	}
	for _, s := range gns.RFC822Names {
		appendIA5(nameTypeRFC822Name, s)
	}
	for _, addr := range gns.IPAddresses {
		encoded := addr
		if v4 := addr.To4(); v4 != nil {
			encoded = v4
		}
		names = append(names, asn1.RawValue{Tag: nameTypeIPAddress, Class: asn1.ClassContextSpecific, Bytes: encoded})
	}
	for _, s := range gns.UniformResourceIdentifiers {
		appendIA5(nameTypeUniformResourceIdentifier, s)
	}

	// Remaining GeneralName alternatives.
	for _, v := range gns.OtherNames {
		encodeTagged(nameTypeOtherName, v)
	}
	for _, v := range gns.X400Addresses {
		encodeTagged(nameTypeX400Address, v)
	}
	for _, v := range gns.DirectoryNames {
		encodeTagged(nameTypeDirectoryName, v)
	}
	for _, v := range gns.EDIPartyNames {
		encodeTagged(nameTypeEDIPartyName, v)
	}
	for _, v := range gns.RegisteredIDs {
		encodeTagged(nameTypeRegisteredID, v)
	}
	if firstErr != nil {
		return pkix.Extension{}, firstErr
	}

	value, err := asn1.Marshal(names)
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{
		Id:       oidExtensionSubjectAltName,
		Critical: !hasSubject,
		Value:    value,
	}, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import (
"bytes"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"github.com/go-ldap/ldap/v3"
)
// OIDConstants groups the OBJECT IDENTIFIERs of the X.520 / RFC 4519 naming
// attributes this package understands, as plain []int so they can be used
// both as map values and compared via asn1.ObjectIdentifier.Equal.
var OIDConstants = struct {
	Country            []int
	Organization       []int
	OrganizationalUnit []int
	CommonName         []int
	SerialNumber       []int
	Locality           []int
	Province           []int
	StreetAddress      []int
	DomainComponent    []int
	UniqueIdentifier   []int
}{
	// id-at arc (2.5.4.x)
	Country:            []int{2, 5, 4, 6},
	Organization:       []int{2, 5, 4, 10},
	OrganizationalUnit: []int{2, 5, 4, 11},
	CommonName:         []int{2, 5, 4, 3},
	SerialNumber:       []int{2, 5, 4, 5},
	Locality:           []int{2, 5, 4, 7},
	Province:           []int{2, 5, 4, 8},
	StreetAddress:      []int{2, 5, 4, 9},
	// pilot attribute arc (0.9.2342.19200300.100.1.x), used by LDAP-style names
	DomainComponent:    []int{0, 9, 2342, 19200300, 100, 1, 25},
	UniqueIdentifier:   []int{0, 9, 2342, 19200300, 100, 1, 1},
}
// attributeTypeNames maps the short attribute names accepted in subject
// strings to their OIDs. Copied from pkix.attributeTypeNames and inverted
// (sadly it is private).
// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.18.2:src/crypto/x509/pkix/pkix.go;l=26
// Added RDNs identifier to support rfc4514 LDAP certificates, cf https://github.com/cert-manager/cert-manager/issues/5582
//
// Lookups are exact (case-sensitive) string matches; a type not listed here
// is handled by UnmarshalSubjectStringToRDNSequence's dotted-OID fallback.
var attributeTypeNames = map[string][]int{
	"C":            OIDConstants.Country,
	"O":            OIDConstants.Organization,
	"OU":           OIDConstants.OrganizationalUnit,
	"CN":           OIDConstants.CommonName,
	"SERIALNUMBER": OIDConstants.SerialNumber,
	"L":            OIDConstants.Locality,
	"ST":           OIDConstants.Province,
	"STREET":       OIDConstants.StreetAddress,
	"DC":           OIDConstants.DomainComponent,
	"UID":          OIDConstants.UniqueIdentifier,
}
// UnmarshalSubjectStringToRDNSequence parses an RFC 4514 distinguished-name
// string such as "CN=Foo,OU=Bar,O=Baz" into a pkix.RDNSequence.
//
// The string form lists RDNs leaf-first, whereas an RDNSequence is root-first,
// so the parsed RDNs are emitted in reverse order ("O=Baz" becomes the first
// element). Attribute types are resolved through attributeTypeNames; an
// unknown type is parsed as a dotted OID, and if that fails too the attribute
// is kept with a nil Type rather than being dropped or causing an error.
// Parsing errors from the LDAP DN parser are returned unchanged.
func UnmarshalSubjectStringToRDNSequence(subject string) (pkix.RDNSequence, error) {
	dn, err := ldap.ParseDN(subject)
	if err != nil {
		return nil, err
	}

	n := len(dn.RDNs)
	seq := make(pkix.RDNSequence, 0, n)
	for i := n - 1; i >= 0; i-- {
		rdn := dn.RDNs[i]
		atvs := make([]pkix.AttributeTypeAndValue, 0, len(rdn.Attributes))
		for _, attr := range rdn.Attributes {
			oid, known := attributeTypeNames[attr.Type]
			if !known {
				// Not a short name: accept a dotted OID, otherwise leave oid nil.
				if parsed, perr := ParseObjectIdentifier(attr.Type); perr == nil {
					oid = parsed
				}
			}
			atvs = append(atvs, pkix.AttributeTypeAndValue{
				Type:  oid,
				Value: attr.Value,
			})
		}
		seq = append(seq, atvs)
	}
	return seq, nil
}
// IsASN1SubjectEmpty reports whether asn1Subject is the DER encoding of an
// empty Subject, i.e. an empty SEQUENCE (tag 0x30, length 0). Any other
// input, including nil, is not considered empty.
func IsASN1SubjectEmpty(asn1Subject []byte) bool {
	const tagSequence, zeroLength = 0x30, 0x00
	return bytes.Equal(asn1Subject, []byte{tagSequence, zeroLength})
}
// MarshalRDNSequenceToRawDERBytes DER-encodes rdnSequence as an X.501 Name.
// An empty sequence encodes to the two-byte empty SEQUENCE. Encoding errors
// from encoding/asn1 are returned unchanged with a nil byte slice.
func MarshalRDNSequenceToRawDERBytes(rdnSequence pkix.RDNSequence) ([]byte, error) {
	der, err := asn1.Marshal(rdnSequence)
	if err != nil {
		return nil, err
	}
	return der, nil
}
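// UnmarshalRawDerBytesToRDNSequence decodes a DER-encoded X.501 Name into a
// pkix.RDNSequence.
//
// The whole input must be consumed: bytes left over after the outer SEQUENCE
// are rejected so that a Subject cannot carry unparsed trailing data past this
// decoder. On any error the returned sequence is nil rather than whatever was
// partially decoded, so callers that ignore the error cannot act on a
// truncated name.
func UnmarshalRawDerBytesToRDNSequence(der []byte) (rdnSequence pkix.RDNSequence, err error) {
	rest, err := asn1.Unmarshal(der, &rdnSequence)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("RDNSequence: trailing data after Subject")
	}
	return rdnSequence, nil
}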
// ExtractCommonNameFromRDNSequence returns the value of the first commonName
// (2.5.4.3) attribute in rdns whose value is a string, scanning RDNs in
// sequence order. It returns "" when there is no such attribute, including
// when a commonName is present but carries a non-string value.
func ExtractCommonNameFromRDNSequence(rdns pkix.RDNSequence) string {
	for _, rdn := range rdns {
		for _, atv := range rdn {
			if !atv.Type.Equal(OIDConstants.CommonName) {
				continue
			}
			if cn, ok := atv.Value.(string); ok {
				return cn
			}
		}
	}
	return ""
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package pki
import cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
// staticTemporarySerialNumber is a fixed value written into the Subject's
// serialNumber attribute (not the certificate's serial number) of temporary
// certificates, making them recognisable as placeholders.
const staticTemporarySerialNumber = "1234567890"
// GenerateLocallySignedTemporaryCertificate signs a temporary certificate for
// the given Certificate resource using a one-use CA that is generated here
// and discarded when the function returns.
//
// The throwaway CA exists to mitigate a potential attack against X.509
// certificates that combine a predictable serial number with weak hashing
// such as MD5; in practice this is unlikely to be a concern. The temporary
// certificate's Subject serialNumber attribute is set to
// staticTemporarySerialNumber. pkData must decode with DecodePrivateKeyBytes;
// its public half becomes the certificate's subject public key. The bytes
// returned by SignCertificate are returned as-is, with any error from key
// generation, templating, decoding or signing propagated unchanged.
func GenerateLocallySignedTemporaryCertificate(crt *cmapi.Certificate, pkData []byte) ([]byte, error) {
	// Throwaway root: a fresh ECCurve521 key and a self-signed CA that never
	// leaves this function.
	rootKey, err := GenerateECPrivateKey(ECCurve521)
	if err != nil {
		return nil, err
	}
	rootTemplate, err := CertificateTemplateFromCertificate(&cmapi.Certificate{
		Spec: cmapi.CertificateSpec{
			CommonName: "cert-manager.local",
			IsCA:       true,
		},
	})
	if err != nil {
		return nil, err
	}
	_, rootCert, err := SignCertificate(rootTemplate, rootTemplate, rootKey.Public(), rootKey)
	if err != nil {
		return nil, err
	}

	// Leaf: the requested certificate, issued by the throwaway root and bound
	// to the public half of the supplied private key.
	leafTemplate, err := CertificateTemplateFromCertificate(crt)
	if err != nil {
		return nil, err
	}
	leafTemplate.Subject.SerialNumber = staticTemporarySerialNumber
	leafKey, err := DecodePrivateKeyBytes(pkData)
	if err != nil {
		return nil, err
	}
	leafBytes, _, err := SignCertificate(leafTemplate, rootCert, leafKey.Public(), rootKey)
	if err != nil {
		return nil, err
	}
	return leafBytes, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package predicate
import (
"k8s.io/apimachinery/pkg/runtime"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// CertificateSecretName returns a predicate that keeps only Certificates whose
// 'spec.secretName' equals name. The predicate type-asserts its argument to
// *cmapi.Certificate and panics if handed any other object type.
func CertificateSecretName(name string) Func {
	return func(obj runtime.Object) bool {
		cert := obj.(*cmapi.Certificate)
		return name == cert.Spec.SecretName
	}
}
// CertificateNextPrivateKeySecretName returns a predicate that keeps only
// Certificates whose 'status.nextPrivateKeySecretName' is set and equals name.
// A Certificate with a nil next-private-key secret name never matches, so this
// predicate cannot be used to select Certificates without one. The predicate
// type-asserts its argument to *cmapi.Certificate and panics otherwise.
func CertificateNextPrivateKeySecretName(name string) Func {
	return func(obj runtime.Object) bool {
		next := obj.(*cmapi.Certificate).Status.NextPrivateKeySecretName
		if next != nil {
			return *next == name
		}
		return false
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package predicate
import (
"fmt"
"k8s.io/apimachinery/pkg/runtime"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
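// CertificateRequestRevision returns a predicate that keeps only
// CertificateRequests whose revision annotation
// (cmapi.CertificateRequestRevisionAnnotationKey) equals the decimal form of
// revision. Requests without annotations never match. The predicate
// type-asserts its argument to *cmapi.CertificateRequest and panics otherwise.
func CertificateRequestRevision(revision int) Func {
	// Format the wanted value once: the predicate may be evaluated against
	// every cached CertificateRequest, and revision never changes.
	want := fmt.Sprintf("%d", revision)
	return func(obj runtime.Object) bool {
		req := obj.(*cmapi.CertificateRequest)
		if req.Annotations == nil {
			return false
		}
		return req.Annotations[cmapi.CertificateRequestRevisionAnnotationKey] == want
	}
}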
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package predicate
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// ResourceOwnedBy returns a predicate that keeps only objects controlled by
// owner, as decided by metav1.IsControlledBy (the controller owner reference,
// not just any owner reference). Both the candidate and owner are
// type-asserted to metav1.Object when the predicate runs and panic otherwise.
func ResourceOwnedBy(owner runtime.Object) Func {
	return func(candidate runtime.Object) bool {
		return metav1.IsControlledBy(candidate.(metav1.Object), owner.(metav1.Object))
	}
}
// ResourceOwnerOf returns a predicate that keeps only candidates which are the
// controlling owner of obj, i.e. the inverse of ResourceOwnedBy: the candidate
// is tested as the owner and obj as the owned resource via
// metav1.IsControlledBy. Both are type-asserted to metav1.Object when the
// predicate runs and panic otherwise.
func ResourceOwnerOf(obj runtime.Object) Func {
	return func(candidate runtime.Object) bool {
		owned, owner := obj.(metav1.Object), candidate.(metav1.Object)
		return metav1.IsControlledBy(owned, owner)
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package predicate
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// Func is a generic predicate used to filter various types of resources. It
// returns true when obj should be kept.
type Func func(obj runtime.Object) bool

// Funcs is a list of predicates to be AND'd together; see Evaluate.
type Funcs []Func
// Evaluate runs the predicates in order and ANDs their results, stopping at
// the first one that rejects obj (later predicates are not called). An empty
// Funcs accepts everything.
func (f Funcs) Evaluate(obj runtime.Object) bool {
	for i := range f {
		if f[i](obj) {
			continue
		}
		return false
	}
	return true
}
// An ExtractorFunc applies a transformation to a runtime.Object and creates a
// predicate function based on the result of the transformation.
// This can be used to apply complex lookup logic to determine which resources
// should be enqueued if another resource being watched changes, for example,
// enqueuing all Certificate resources that own a CertificateRequest that has
// been observed, or enqueuing all Certificate resources that specify
// `status.nextPrivateKeySecretName` as the name of the Secret being processed.
// See ExtractResourceName for a helper that builds one from an object's name.
type ExtractorFunc func(obj runtime.Object) Func
// ExtractResourceName builds an ExtractorFunc from a predicate constructor p
// that takes a string: the returned extractor reads the name of the object
// being enqueued and returns p(name). The object is type-asserted to
// metav1.Object and the extractor panics if it is not one.
func ExtractResourceName(p func(s string) Func) ExtractorFunc {
	return func(obj runtime.Object) Func {
		name := obj.(metav1.Object).GetName()
		return p(name)
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"bytes"
"fmt"
"net/http"
"strings"
"unicode"
"unicode/utf8"
"k8s.io/apimachinery/pkg/apis/meta/v1/validation"
"k8s.io/client-go/rest"
)
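// RestConfigWithUserAgent returns a copy of the Kubernetes REST config with
// its UserAgent set to "cert-manager[-component...]/VERSION (PLATFORM)
// cert-manager/COMMIT", where the optional component strings are joined to
// the product name with '-'. The input config is not modified.
func RestConfigWithUserAgent(restConfig *rest.Config, component ...string) *rest.Config {
	cfg := rest.CopyConfig(restConfig)
	// VersionInfo builds a fresh struct each call; read it once.
	info := VersionInfo()
	product := strings.Join(append([]string{"cert-manager"}, component...), "-")
	cfg.UserAgent = fmt.Sprintf("%s/%s (%s) cert-manager/%s",
		product, version(), info.Platform, info.GitCommit)
	return cfg
}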
// PrefixFromUserAgent derives a field-manager name from a User-Agent string:
// it takes the characters before the first '/', drops every non-printable
// rune, and stops before the result would exceed
// validation.FieldManagerMaxLength bytes. This mirrors the apiserver's own
// derivation so that the value is accepted as a managed-fields manager.
// Taken from
// https://github.com/kubernetes/kubernetes/blob/9a75e7b0fd1b567f774a3373be640e19b33e7ef1/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/create.go#L252
func PrefixFromUserAgent(u string) string {
	product, _, _ := strings.Cut(u, "/")
	var out bytes.Buffer
	for _, r := range product {
		if !unicode.IsPrint(r) {
			continue // control characters and the like are dropped, not replaced
		}
		// The limit is in bytes, so account for multi-byte runes.
		if out.Len()+utf8.RuneLen(r) > validation.FieldManagerMaxLength {
			break
		}
		out.WriteRune(r)
	}
	return out.String()
}
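// userAgentRoundTripper implements http.RoundTripper by forwarding to an
// inner round tripper with the User-Agent header set.
type userAgentRoundTripper struct {
	inner     http.RoundTripper
	userAgent string
}

// UserAgentRoundTripper returns a RoundTripper that functions identically to
// the provided 'inner' round tripper, other than also setting a user agent.
func UserAgentRoundTripper(inner http.RoundTripper, userAgent string) http.RoundTripper {
	return userAgentRoundTripper{
		inner:     inner,
		userAgent: userAgent,
	}
}

// RoundTrip implements http.RoundTripper.
//
// The http.RoundTripper contract forbids modifying the caller's request, so
// the header is set on a clone (which has its own Header map) and the clone is
// what the inner round tripper sees; req itself is left untouched. A request
// built without a Header map gets one rather than panicking.
func (u userAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	outgoing := req.Clone(req.Context())
	if outgoing.Header == nil {
		outgoing.Header = make(http.Header)
	}
	outgoing.Header.Set("User-Agent", u.userAgent)
	return u.inner.RoundTrip(outgoing)
}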
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"bytes"
"encoding/csv"
"fmt"
"net"
"net/url"
"slices"
"strings"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
)
// genericEqualUnsorted reports whether s1 and s2 hold the same elements up to
// reordering, as judged by cmp.
//
// Slices of different length are never equal. Otherwise both are cloned (the
// caller's slices are not reordered), stably sorted with cmp, and compared
// position by position; they are equal when cmp reports 0 for every pair.
// Multiplicity matters: {1,1,2} and {1,2,2} are not equal.
func genericEqualUnsorted[S ~[]E, E any](
	s1 S, s2 S,
	cmp func(a, b E) int,
) bool {
	if len(s1) != len(s2) {
		return false
	}
	left := slices.Clone(s1)
	right := slices.Clone(s2)
	slices.SortStableFunc(left, cmp)
	slices.SortStableFunc(right, cmp)
	for i := range left {
		if cmp(left[i], right[i]) != 0 {
			return false
		}
	}
	return true
}
// EqualUnsorted reports whether two string slices contain the same strings,
// with the same multiplicities, regardless of order. Comparison is exact
// (byte-wise, case-sensitive).
func EqualUnsorted(s1 []string, s2 []string) bool {
	byBytes := strings.Compare
	return genericEqualUnsorted(s1, s2, byBytes)
}
// EqualURLsUnsorted reports whether two URL slices contain the same URLs,
// regardless of order, comparing each URL by its String() form. Panics if any
// element is nil.
func EqualURLsUnsorted(s1, s2 []*url.URL) bool {
	byString := func(a, b *url.URL) int {
		return strings.Compare(a.String(), b.String())
	}
	return genericEqualUnsorted(s1, s2, byString)
}
// EqualOtherNamesUnsorted reports whether two cmapi.OtherName slices contain
// the same entries regardless of order. Entries are ordered by OID first and
// by UTF8Value second, and are equal only when both fields match.
func EqualOtherNamesUnsorted(s1, s2 []cmapi.OtherName) bool {
	byOIDThenValue := func(a cmapi.OtherName, b cmapi.OtherName) int {
		if c := strings.Compare(a.OID, b.OID); c != 0 {
			return c
		}
		return strings.Compare(a.UTF8Value, b.UTF8Value)
	}
	return genericEqualUnsorted(s1, s2, byOIDThenValue)
}
// EqualIPsUnsorted reports whether two slices of IP addresses contain the same
// addresses, regardless of order.
//
// A net.IP may hold an IPv4 address in either 4-byte or 16-byte form, and the
// two forms compare unequal byte-wise (that is why net.IP.Equal exists).
// Sorting still needs a total order that does not depend on the stored form,
// so every address is normalised with To16() before comparison.
func EqualIPsUnsorted(s1, s2 []net.IP) bool {
	canonical := func(a, b net.IP) int {
		return bytes.Compare(a.To16(), b.To16())
	}
	return genericEqualUnsorted(s1, s2, canonical)
}
// EqualKeyUsagesUnsorted reports whether two KeyUsage slices contain the same
// usages, with the same multiplicities, regardless of order. Usages are
// compared as their underlying strings.
func EqualKeyUsagesUnsorted(s1, s2 []cmapi.KeyUsage) bool {
	asStrings := func(a, b cmapi.KeyUsage) int {
		return strings.Compare(string(a), string(b))
	}
	return genericEqualUnsorted(s1, s2, asStrings)
}
// JoinWithEscapeCSV returns the given list as a single CSV record without the
// trailing newline, quoting fields where encoding/csv requires it (fields
// containing commas, quotes or line breaks, or starting with a space). An
// empty or nil list yields "". Writer errors are wrapped with the offending
// input.
func JoinWithEscapeCSV(in []string) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	err := w.Write(in)
	if err == nil {
		w.Flush()
		err = w.Error()
	}
	if err != nil {
		return "", fmt.Errorf("failed to write %q as CSV: %w", in, err)
	}
	// The writer terminates every record with '\n'; callers want a bare line.
	return strings.TrimSuffix(sb.String(), "\n"), nil
}
// SplitWithEscapeCSV parses the given input as a single line of CSV, which allows
// a comma-separated list of strings to be parsed while allowing commas to be present
// in each field. For example, a user can specify:
// "10 Downing Street, Westminster",Manchester
// to produce []string{"10 Downing Street, Westminster", "Manchester"}, keeping the comma
// in the first address.
//
// Exactly one record is required: empty input (no records) and input that
// parses as several CSV lines are both rejected, as are CSV syntax errors
// reported by encoding/csv; every error message includes the offending input.
func SplitWithEscapeCSV(in string) ([]string, error) {
	records, err := csv.NewReader(strings.NewReader(in)).ReadAll()
	if err != nil {
		return nil, fmt.Errorf("failed to parse %q as CSV: %w", in, err)
	}
	switch len(records) {
	case 0:
		return nil, fmt.Errorf("no values found after parsing %q", in)
	case 1:
		return records[0], nil
	default:
		return nil, fmt.Errorf("refusing to use %q as input as it parses as multiple lines of CSV", in)
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
"fmt"
"runtime"
)
// Version describes the build that produced the running binary. It is
// populated by VersionInfo and serialises with lowerCamelCase JSON keys.
type Version struct {
	// GitVersion is the version string of the build (taken from AppVersion).
	GitVersion string `json:"gitVersion"`
	// GitCommit is the git commit the binary was built from (taken from AppGitCommit).
	GitCommit string `json:"gitCommit"`
	// GitTreeState is the git working-tree state recorded at build time (taken from AppGitState).
	GitTreeState string `json:"gitTreeState"`
	// GoVersion is the Go toolchain version reported by the runtime package.
	GoVersion string `json:"goVersion"`
	// Compiler is the compiler name reported by the runtime package.
	Compiler string `json:"compiler"`
	// Platform is the target as "GOOS/GOARCH".
	Platform string `json:"platform"`
}
// This variable block holds information used to build up the version string.
// The values below are what an unconfigured build reports; real builds are
// presumably overwritten through linker flags at build time — confirm with
// the build scripts.
var (
	// AppGitState is the git working-tree state at build time; "" means unknown.
	AppGitState = ""
	// AppGitCommit is the git commit the binary was built from; "" means unknown.
	AppGitCommit = ""
	// AppVersion is the release version. The default "canary" marks an
	// unreleased build and makes version() append the commit when one is set.
	AppVersion = "canary"
)
// VersionInfo assembles a Version from the build-time variables in this
// package and the toolchain details reported by the runtime package.
func VersionInfo() Version {
	info := Version{
		GoVersion: runtime.Version(),
		Compiler:  runtime.Compiler,
		Platform:  fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH),
	}
	// Git metadata comes from the package-level variables set at build time.
	info.GitVersion = AppVersion
	info.GitCommit = AppGitCommit
	info.GitTreeState = AppGitState
	return info
}
// version renders the human-readable version string: AppVersion, followed by
// "-<commit>" when this is a canary build with a known commit, and by
// " (<tree state>)" when the working-tree state is known.
func version() string {
	s := AppVersion
	if AppGitCommit != "" && AppVersion == "canary" {
		s += "-" + AppGitCommit
	}
	if AppGitState != "" {
		s += " (" + AppGitState + ")"
	}
	return s
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
"context"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
)
type PluginChain []Interface
// Compile-time checks that PluginChain satisfies all three plugin interfaces.
var _ Interface = PluginChain(nil)
var _ ValidationInterface = PluginChain(nil)
var _ MutationInterface = PluginChain(nil)
// Handles reports whether at least one plugin in the chain handles operation.
func (pc PluginChain) Handles(operation admissionv1.Operation) bool {
	for i := range pc {
		if pc[i].Handles(operation) {
			return true
		}
	}
	return false
}
// Validate runs every plugin that both handles request.Operation and implements
// ValidationInterface, in chain order, and returns the concatenated warnings
// together with the aggregate of all errors. Every plugin is consulted even when
// an earlier one fails, so the caller sees all validation failures at once.
func (pc PluginChain) Validate(ctx context.Context, request admissionv1.AdmissionRequest, oldObj, obj runtime.Object) ([]string, error) {
	var (
		warnings []string
		errs     []error
	)
	for _, plugin := range pc {
		if !plugin.Handles(request.Operation) {
			continue
		}
		v, isValidator := plugin.(ValidationInterface)
		if !isValidator {
			continue
		}
		w, err := v.Validate(ctx, request, oldObj, obj)
		// nil errors are collected too; NewAggregate drops them and yields a
		// nil error when nothing failed.
		errs = append(errs, err)
		warnings = append(warnings, w...)
	}
	return warnings, utilerrors.NewAggregate(errs)
}
// Mutate applies every plugin that handles request.Operation and implements
// MutationInterface to obj, in chain order. Unlike Validate it stops at the
// first error, so later mutators do not run on a partially mutated object.
func (pc PluginChain) Mutate(ctx context.Context, request admissionv1.AdmissionRequest, obj *unstructured.Unstructured) error {
	for _, plugin := range pc {
		if !plugin.Handles(request.Operation) {
			continue
		}
		m, isMutator := plugin.(MutationInterface)
		if !isMutator {
			continue
		}
		if err := m.Mutate(ctx, request, obj); err != nil {
			return err
		}
	}
	return nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
"fmt"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/utils/ptr"
)
// internalDecoder knows how to decode the contents of an admission
// request into a concrete object, converted to the scheme's internal version.
type internalDecoder struct {
	// scheme supplies the known types and the version conversion used by DecodeRaw.
	scheme *runtime.Scheme
	// codecs provides the universal deserializer built from scheme.
	codecs serializer.CodecFactory
}
// DecodeRaw decodes a RawExtension object and converts it to the internal
// version registered in the scheme.
//
// rawKind is only a default: it is handed to the deserializer for payloads that
// carry no apiVersion/kind, and the kind the deserializer actually resolved is
// what gets stamped on the object when the object itself has none.
// It errors out if rawObj is empty i.e. containing 0 raw bytes.
func (d *internalDecoder) DecodeRaw(rawObj runtime.RawExtension, rawKind schema.GroupVersionKind) (runtime.Object, error) {
	if len(rawObj.Raw) == 0 {
		return nil, fmt.Errorf("there is no content to decode")
	}
	obj, resolved, err := d.codecs.UniversalDeserializer().Decode(rawObj.Raw, ptr.To(rawKind), nil)
	if err != nil {
		return nil, err
	}
	kind := obj.GetObjectKind()
	if resolved != nil && kind.GroupVersionKind().Empty() {
		kind.SetGroupVersionKind(*resolved)
	}
	return d.scheme.UnsafeConvertToVersion(obj, runtime.InternalGroupVersioner)
}
// DecodeRawUnstructured decodes a RawExtension object into an unstructured
// object. The raw bytes are parsed as JSON without any schema knowledge; when
// the payload carries no apiVersion/kind, rawKind is stamped on the result.
// It errors out if rawObj is empty i.e. containing 0 raw bytes.
func DecodeRawUnstructured(rawObj runtime.RawExtension, rawKind schema.GroupVersionKind) (*unstructured.Unstructured, error) {
	if len(rawObj.Raw) == 0 {
		return nil, fmt.Errorf("there is no content to decode")
	}
	var obj unstructured.Unstructured
	if err := obj.UnmarshalJSON(rawObj.Raw); err != nil {
		return nil, err
	}
	if obj.GroupVersionKind().Empty() {
		obj.SetGroupVersionKind(rawKind)
	}
	return &obj, nil
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
"context"
"errors"
"net/http"
admissionv1 "k8s.io/api/admission/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime/schema"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
// NewCustomMutationWebhook wraps mutationWebhook in a controller-runtime
// admission.Webhook whose handler decodes the request object, runs the
// mutation and answers with a JSON patch.
func NewCustomMutationWebhook(mutationWebhook MutationInterface) *admission.Webhook {
	handler := &mutator{mutationWebhook: mutationWebhook}
	return &admission.Webhook{Handler: handler}
}
// mutator is the admission.Handler behind NewCustomMutationWebhook.
type mutator struct {
	// mutationWebhook performs the actual defaulting; nil means "allow everything".
	mutationWebhook MutationInterface
}
// Handle handles admission requests: it decodes the incoming object as
// unstructured JSON, lets the configured webhook mutate it and returns the
// patch from the original to the mutated bytes. Requests the webhook does not
// claim, and all DELETE requests, are allowed unchanged. Decode failures are
// reported as 400 responses; a mutation error denies the request, preserving an
// apierrors.APIStatus when the error carries one.
func (h *mutator) Handle(ctx context.Context, req admission.Request) admission.Response {
	op := req.AdmissionRequest.Operation

	// Nothing to do when no webhook is configured or it does not claim this operation.
	if h.mutationWebhook == nil || !h.mutationWebhook.Handles(op) {
		return admission.Allowed("")
	}
	// A DELETE carries no object to default, so it is always admitted untouched.
	if op == admissionv1.Delete {
		return admission.Allowed("")
	}

	ctx = admission.NewContextWithRequest(ctx, req)
	gvk := schema.GroupVersionKind{
		Group:   req.Kind.Group,
		Version: req.Kind.Version,
		Kind:    req.Kind.Kind,
	}

	obj, err := DecodeRawUnstructured(req.Object, gvk)
	if err != nil {
		return admission.Errored(http.StatusBadRequest, err)
	}

	if err := h.mutationWebhook.Mutate(ctx, req.AdmissionRequest, obj); err != nil {
		var apiStatus apierrors.APIStatus
		if !errors.As(err, &apiStatus) {
			return admission.Denied(err.Error())
		}
		// Keep the structured status (code, reason, details) the mutator produced.
		status := apiStatus.Status()
		return admission.Response{
			AdmissionResponse: admissionv1.AdmissionResponse{
				Allowed: false,
				Result:  &status,
			},
		}
	}

	patched, err := obj.MarshalJSON()
	if err != nil {
		return admission.Errored(http.StatusInternalServerError, err)
	}
	return admission.PatchResponseFromRaw(req.Object.Raw, patched)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
"context"
"errors"
"fmt"
"net/http"
admissionv1 "k8s.io/api/admission/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
// NewCustomValidationWebhook wraps validationWebhook in a controller-runtime
// admission.Webhook. Request payloads are decoded with a codec factory built
// from scheme and converted to the scheme's internal version before validation.
func NewCustomValidationWebhook(scheme *runtime.Scheme, validationWebhook ValidationInterface) *admission.Webhook {
	dec := &internalDecoder{
		scheme: scheme,
		codecs: serializer.NewCodecFactory(scheme),
	}
	handler := &validator{decoder: dec, validationWebhook: validationWebhook}
	return &admission.Webhook{Handler: handler}
}
// validator is the admission.Handler behind NewCustomValidationWebhook.
type validator struct {
	// decoder turns request payloads into typed, internal-version objects; must not be nil.
	decoder *internalDecoder
	// validationWebhook performs the actual validation; nil means "allow everything".
	validationWebhook ValidationInterface
}
// Handle handles admission requests. Depending on the operation it decodes the
// new object (CREATE), both objects (UPDATE) or the old object (DELETE), then
// hands them to the validation webhook; CONNECT is admitted without
// validation and any other operation is rejected with 400. Decode failures are
// 400 responses. A validation error denies the request — keeping the
// apierrors.APIStatus when the error carries one — and warnings are attached
// to every response that results from a Validate call.
func (h *validator) Handle(ctx context.Context, req admission.Request) admission.Response {
	if h.decoder == nil {
		panic("decoder should never be nil")
	}
	if h.validationWebhook == nil || !h.validationWebhook.Handles(req.AdmissionRequest.Operation) {
		return admission.Allowed("")
	}

	ctx = admission.NewContextWithRequest(ctx, req)
	gvk := schema.GroupVersionKind{
		Group:   req.Kind.Group,
		Version: req.Kind.Version,
		Kind:    req.Kind.Kind,
	}

	var (
		obj, oldObj runtime.Object
		warnings    []string
		err         error
	)
	// validate records the webhook's verdict in the outer warnings/err so the
	// response handling below is shared by all operations.
	validate := func(old, current runtime.Object) {
		warnings, err = h.validationWebhook.Validate(ctx, req.AdmissionRequest, old, current)
	}

	switch req.Operation {
	case admissionv1.Connect:
		// No validation for connect requests.
		// TODO(vincepri): Should we validate CONNECT requests? In what cases?
	case admissionv1.Create:
		if obj, err = h.decoder.DecodeRaw(req.Object, gvk); err != nil {
			return admission.Errored(http.StatusBadRequest, err)
		}
		validate(nil, obj)
	case admissionv1.Update:
		if obj, err = h.decoder.DecodeRaw(req.Object, gvk); err != nil {
			return admission.Errored(http.StatusBadRequest, err)
		}
		if oldObj, err = h.decoder.DecodeRaw(req.OldObject, gvk); err != nil {
			return admission.Errored(http.StatusBadRequest, err)
		}
		validate(oldObj, obj)
	case admissionv1.Delete:
		// In reference to PR: https://github.com/kubernetes/kubernetes/pull/76346
		// OldObject contains the object being deleted
		if oldObj, err = h.decoder.DecodeRaw(req.OldObject, gvk); err != nil {
			return admission.Errored(http.StatusBadRequest, err)
		}
		validate(oldObj, nil)
	default:
		return admission.Errored(http.StatusBadRequest, fmt.Errorf("unknown operation %q", req.Operation))
	}

	if err == nil {
		return admission.Allowed("").WithWarnings(warnings...)
	}
	var apiStatus apierrors.APIStatus
	if errors.As(err, &apiStatus) {
		// Preserve the structured status the validator produced.
		status := apiStatus.Status()
		return admission.Response{
			AdmissionResponse: admissionv1.AdmissionResponse{
				Allowed: false,
				Result:  &status,
			},
		}.WithWarnings(warnings...)
	}
	return admission.Denied(err.Error()).WithWarnings(warnings...)
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/util/sets"
)
// Handler is a reusable Handles implementation that claims a fixed set of
// admission operations; plugins embed or wrap it to satisfy Interface.
type Handler struct {
	// operations holds the string form of every admissionv1.Operation this handler claims.
	operations sets.Set[string]
}
// Handles reports whether operation is one of the operations this handler was
// constructed with.
func (h Handler) Handles(operation admissionv1.Operation) bool {
	return h.operations.HasAny(string(operation))
}
var _ Interface = &Handler{}
// NewHandler returns a Handler that handles exactly the given operations.
// Duplicates collapse into the set; no operations yields a Handler that
// handles nothing.
func NewHandler(ops ...admissionv1.Operation) *Handler {
	names := make([]string, 0, len(ops))
	for _, op := range ops {
		names = append(names, string(op))
	}
	return &Handler{operations: sets.New(names...)}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package crypto
import (
"crypto"
"crypto/x509"
"encoding/pem"
"fmt"
"testing"
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/clock"
apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
"github.com/cert-manager/cert-manager/test/unit/gen"
)
var (
	// certificateGvk is the GroupVersionKind used for the controller owner
	// reference that the generated CertificateRequests point back at.
	certificateGvk = cmapi.SchemeGroupVersion.WithKind("Certificate")
)
// CryptoBundle groups the key material, CSR, CertificateRequest variants and
// certificates that tests need to drive one Certificate through issuance.
// Build it with CreateCryptoBundle or MustCreateCryptoBundle.
type CryptoBundle struct {
	// Certificate is the Certificate resource used to create this bundle
	Certificate *cmapi.Certificate
	// ExpectedRequestName is the name of the CertificateRequest that is
	// expected to be created to issue this certificate
	ExpectedRequestName string
	// PrivateKey is the private key used as the complement to the certificates
	// in this bundle
	PrivateKey crypto.Signer
	// PrivateKeyBytes is PrivateKey encoded as PEM in the Certificate's configured encoding
	PrivateKeyBytes []byte
	// CSR is the CSR used to obtain the certificate in this bundle
	CSR *x509.CertificateRequest
	// CSRBytes is the PEM encoding of CSR
	CSRBytes []byte
	// CertificateRequest is the request that is expected to be created to
	// obtain a certificate when using this bundle
	CertificateRequest *cmapi.CertificateRequest
	// CertificateRequestPending is CertificateRequest with a Ready=False/Pending condition
	CertificateRequestPending *cmapi.CertificateRequest
	// CertificateRequestReady is CertificateRequest with the signed certificate and a Ready=True/Issued condition
	CertificateRequestReady *cmapi.CertificateRequest
	// CertificateRequestFailed is CertificateRequest with a Ready=False/Failed condition
	CertificateRequestFailed *cmapi.CertificateRequest
	// CertificateRequestFailedInvalidRequest is CertificateRequestFailed with an
	// additional InvalidRequest=True condition
	CertificateRequestFailedInvalidRequest *cmapi.CertificateRequest
	// Cert is a signed certificate
	Cert *x509.Certificate
	// CertBytes is the PEM encoding of Cert
	CertBytes []byte
	// LocalTemporaryCertificateBytes is the locally signed temporary certificate for the Certificate
	LocalTemporaryCertificateBytes []byte
	// Clock is the clock handed to CreateCryptoBundle, exposed so tests can share it
	Clock clock.Clock
}
// MustCreateCryptoBundle creates a CryptoBundle to be used with tests, or
// fails the test via t.Fatalf when CreateCryptoBundle returns an error.
func MustCreateCryptoBundle(t *testing.T, crt *cmapi.Certificate, clock clock.Clock) CryptoBundle {
	bundle, err := CreateCryptoBundle(crt, clock)
	if err != nil {
		t.Fatalf("error generating crypto bundle: %v", err)
	}
	return *bundle
}
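// CreateCryptoBundle builds the fixtures tests need to exercise issuance for
// originalCert: a private key, a CSR, the CertificateRequest the controller is
// expected to create (plus pending/ready/failed variants), a self-signed
// certificate and a locally signed temporary certificate.
//
// originalCert is deep-copied before defaults are applied, so the caller's
// object is not modified; note that the returned bundle's Certificate field
// still points at the caller's original, not at the defaulted copy. Every
// failure is returned as an error (previously the temporary-certificate step
// panicked instead).
func CreateCryptoBundle(originalCert *cmapi.Certificate, clock clock.Clock) (*CryptoBundle, error) {
	crt := originalCert.DeepCopy()
	if crt.Spec.PrivateKey == nil {
		crt.Spec.PrivateKey = &cmapi.CertificatePrivateKey{}
	}

	reqName, err := apiutil.ComputeName(crt.Name, crt.Spec)
	if err != nil {
		return nil, err
	}

	privateKey, err := pki.GeneratePrivateKeyForCertificate(crt)
	if err != nil {
		return nil, err
	}
	privateKeyBytes, err := pki.EncodePrivateKey(privateKey, crt.Spec.PrivateKey.Encoding)
	if err != nil {
		return nil, err
	}

	csrPEM, err := generateCSRImpl(crt, privateKeyBytes)
	if err != nil {
		return nil, err
	}
	csr, err := pki.DecodeX509CertificateRequestBytes(csrPEM)
	if err != nil {
		return nil, err
	}

	// Start from a copy of the Certificate's annotations and add the ones the
	// controller stamps on the request to tie it back to the Certificate.
	annotations := make(map[string]string, len(crt.Annotations)+3)
	for k, v := range crt.Annotations {
		annotations[k] = v
	}
	if crt.Status.Revision != nil {
		annotations[cmapi.CertificateRequestRevisionAnnotationKey] = fmt.Sprintf("%d", *crt.Status.Revision)
	}
	annotations[cmapi.CertificateRequestPrivateKeyAnnotationKey] = crt.Spec.SecretName
	annotations[cmapi.CertificateNameKey] = crt.Name

	certificateRequest := &cmapi.CertificateRequest{
		ObjectMeta: metav1.ObjectMeta{
			Name:            reqName,
			Namespace:       crt.Namespace,
			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(crt, certificateGvk)},
			Annotations:     annotations,
		},
		Spec: cmapi.CertificateRequestSpec{
			Request:   csrPEM,
			Duration:  crt.Spec.Duration,
			IssuerRef: crt.Spec.IssuerRef,
			IsCA:      crt.Spec.IsCA,
		},
	}

	unsignedCert, err := pki.CertificateTemplateFromCertificateRequest(certificateRequest)
	if err != nil {
		return nil, err
	}
	// Template and issuer are the same object and the key signs itself, so the
	// fixture certificate is self-signed.
	certBytes, cert, err := pki.SignCertificate(unsignedCert, unsignedCert, privateKey.Public(), privateKey)
	if err != nil {
		return nil, err
	}

	certificateRequestReady := gen.CertificateRequestFrom(certificateRequest,
		gen.SetCertificateRequestCertificate(certBytes),
		gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
			Type:   cmapi.CertificateRequestConditionReady,
			Status: cmmeta.ConditionTrue,
			Reason: cmapi.CertificateRequestReasonIssued,
		}),
	)
	certificateRequestPending := gen.CertificateRequestFrom(certificateRequest,
		gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
			Type:   cmapi.CertificateRequestConditionReady,
			Status: cmmeta.ConditionFalse,
			Reason: cmapi.CertificateRequestReasonPending,
		}),
	)
	certificateRequestFailed := gen.CertificateRequestFrom(certificateRequest,
		gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
			Type:   cmapi.CertificateRequestConditionReady,
			Status: cmmeta.ConditionFalse,
			Reason: cmapi.CertificateRequestReasonFailed,
		}),
	)
	// Derived from the failed variant, so it carries both the Ready=False and
	// the InvalidRequest=True conditions.
	certificateRequestFailedInvalidRequest := gen.CertificateRequestFrom(certificateRequestFailed,
		gen.SetCertificateRequestStatusCondition(cmapi.CertificateRequestCondition{
			Type:   cmapi.CertificateRequestConditionInvalidRequest,
			Status: cmmeta.ConditionTrue,
			Reason: cmapi.CertificateRequestReasonFailed,
		}),
	)

	tempCertBytes, err := pki.GenerateLocallySignedTemporaryCertificate(crt, privateKeyBytes)
	if err != nil {
		// Every other failure in this function is returned; do the same here so
		// MustCreateCryptoBundle can fail the test cleanly instead of panicking.
		return nil, fmt.Errorf("failed to generate test fixture: %w", err)
	}

	return &CryptoBundle{
		Certificate:                            originalCert,
		ExpectedRequestName:                    reqName,
		PrivateKey:                             privateKey,
		PrivateKeyBytes:                        privateKeyBytes,
		CSR:                                    csr,
		CSRBytes:                               csrPEM,
		CertificateRequest:                     certificateRequest,
		CertificateRequestPending:              certificateRequestPending,
		CertificateRequestReady:                certificateRequestReady,
		CertificateRequestFailed:               certificateRequestFailed,
		CertificateRequestFailedInvalidRequest: certificateRequestFailedInvalidRequest,
		Cert:                                   cert,
		CertBytes:                              certBytes,
		LocalTemporaryCertificateBytes:         tempCertBytes,
		Clock:                                  clock,
	}, nil
}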
// generateCSRImpl builds the CSR described by crt, signs it with the PEM
// encoded private key pk and returns the PEM encoded "CERTIFICATE REQUEST".
func generateCSRImpl(crt *cmapi.Certificate, pk []byte) ([]byte, error) {
	csr, err := pki.GenerateCSR(crt)
	if err != nil {
		return nil, err
	}
	signer, err := pki.DecodePrivateKeyBytes(pk)
	if err != nil {
		return nil, err
	}
	csrDER, err := pki.EncodeCSR(csr, signer)
	if err != nil {
		return nil, err
	}
	block := pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}
	return pem.EncodeToMemory(&block), nil
}
// MustGenerateCSRImpl returns the PEM encoded certificate signing request for
// cert, signed with the PEM encoded private key pkData, or fails the test.
func MustGenerateCSRImpl(t *testing.T, pkData []byte, cert *cmapi.Certificate) []byte {
	csrPEM, err := generateCSRImpl(cert, pkData)
	if err == nil {
		return csrPEM
	}
	t.Fatal(err)
	return nil
}
// MustCreatePEMPrivateKey returns a freshly generated 2048 bit RSA private key,
// PEM encoded as PKCS#8, or fails the test.
func MustCreatePEMPrivateKey(t *testing.T) []byte {
	key, err := pki.GenerateRSAPrivateKey(2048)
	if err != nil {
		t.Fatal(err)
	}
	encoded, err := pki.EncodePrivateKey(key, cmapi.PKCS8)
	if err != nil {
		t.Fatal(err)
	}
	return encoded
}
// MustCreateCertWithNotBeforeAfter returns a PEM encoded self-signed x509
// certificate built from spec and signed with the PEM encoded key pkData,
// with the validity window overridden to the provided notBefore and notAfter.
// Any failure fails the test.
func MustCreateCertWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cmapi.Certificate, notBefore, notAfter time.Time) []byte {
	key, err := pki.DecodePrivateKeyBytes(pkData)
	if err != nil {
		t.Fatal(err)
	}
	tmpl, err := pki.CertificateTemplateFromCertificate(spec)
	if err != nil {
		t.Fatal(err)
	}
	// Override the template's validity so tests can place the certificate
	// anywhere in time relative to their fake clock.
	tmpl.NotBefore, tmpl.NotAfter = notBefore, notAfter
	pemBytes, _, err := pki.SignCertificate(tmpl, tmpl, key.Public(), key)
	if err != nil {
		t.Fatal(err)
	}
	return pemBytes
}
// MustCreateCert returns a PEM encoded self-signed x509 certificate built from
// spec and signed with the PEM encoded key pkData, or fails the test.
func MustCreateCert(t *testing.T, pkData []byte, spec *cmapi.Certificate) []byte {
	key, err := pki.DecodePrivateKeyBytes(pkData)
	if err != nil {
		t.Fatal(err)
	}
	tmpl, err := pki.CertificateTemplateFromCertificate(spec)
	if err != nil {
		t.Fatal(err)
	}
	// Template doubles as issuer: the certificate signs itself.
	pemBytes, _, err := pki.SignCertificate(tmpl, tmpl, key.Public(), key)
	if err != nil {
		t.Fatal(err)
	}
	return pemBytes
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package discovery
import (
openapi_v2 "github.com/google/gnostic-models/openapiv2"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/version"
"k8s.io/client-go/discovery"
"k8s.io/client-go/openapi"
restclient "k8s.io/client-go/rest"
)
var _ discovery.DiscoveryInterface = &Discovery{}
// Discovery is a test fake for discovery.DiscoveryInterface. Every interface
// method delegates to the matching function field, so a test can script the
// responses it needs; NewDiscovery installs defaults that return nil results.
type Discovery struct {
	serverResourcesForGroupVersionFn     func(string) (*metav1.APIResourceList, error)
	serverResourcesFn                    func() ([]*metav1.APIResourceList, error)
	serverGroupsAndResourcesFn           func() ([]*metav1.APIGroup, []*metav1.APIResourceList, error)
	serverPreferredResourcesFn           func() ([]*metav1.APIResourceList, error)
	serverPreferredNamespacedResourcesFn func() ([]*metav1.APIResourceList, error)
	serverGroupsFn                       func() (*metav1.APIGroupList, error)
	serverVersionFn                      func() (*version.Info, error)
	openAPISchemaFn                      func() (*openapi_v2.Document, error)
	openAPIV3SchemaFn                    func() openapi.Client
	restClientFn                         func() restclient.Interface
}
// NewDiscovery returns a fake whose every method succeeds with nil results
// (nil, nil for the error-returning methods, nil for the others). Callers that
// dereference those results must install real stubs with the With* methods.
func NewDiscovery() *Discovery {
	d := new(Discovery)
	d.serverResourcesForGroupVersionFn = func(string) (*metav1.APIResourceList, error) { return nil, nil }
	d.serverResourcesFn = func() ([]*metav1.APIResourceList, error) { return nil, nil }
	d.serverGroupsAndResourcesFn = func() ([]*metav1.APIGroup, []*metav1.APIResourceList, error) { return nil, nil, nil }
	d.serverPreferredResourcesFn = func() ([]*metav1.APIResourceList, error) { return nil, nil }
	d.serverPreferredNamespacedResourcesFn = func() ([]*metav1.APIResourceList, error) { return nil, nil }
	d.serverGroupsFn = func() (*metav1.APIGroupList, error) { return nil, nil }
	d.serverVersionFn = func() (*version.Info, error) { return nil, nil }
	d.openAPISchemaFn = func() (*openapi_v2.Document, error) { return nil, nil }
	d.openAPIV3SchemaFn = func() openapi.Client { return nil }
	d.restClientFn = func() restclient.Interface { return nil }
	return d
}
// WithServerGroups replaces the stub behind ServerGroups and returns d for chaining.
func (d *Discovery) WithServerGroups(fn func() (*metav1.APIGroupList, error)) *Discovery {
	d.serverGroupsFn = fn
	return d
}
// WithServerResourcesForGroupVersion replaces the stub behind
// ServerResourcesForGroupVersion and returns d for chaining.
func (d *Discovery) WithServerResourcesForGroupVersion(fn func(groupVersion string) (*metav1.APIResourceList, error)) *Discovery {
	d.serverResourcesForGroupVersionFn = fn
	return d
}
// ServerResourcesForGroupVersion delegates to the installed stub.
func (d *Discovery) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) {
	fn := d.serverResourcesForGroupVersionFn
	return fn(groupVersion)
}
// ServerResources delegates to the installed stub.
func (d *Discovery) ServerResources() ([]*metav1.APIResourceList, error) {
	fn := d.serverResourcesFn
	return fn()
}
// ServerGroupsAndResources delegates to the installed stub.
func (d *Discovery) ServerGroupsAndResources() ([]*metav1.APIGroup, []*metav1.APIResourceList, error) {
	fn := d.serverGroupsAndResourcesFn
	return fn()
}
// ServerPreferredResources delegates to the installed stub.
func (d *Discovery) ServerPreferredResources() ([]*metav1.APIResourceList, error) {
	fn := d.serverPreferredResourcesFn
	return fn()
}
// ServerPreferredNamespacedResources delegates to the installed stub.
func (d *Discovery) ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error) {
	fn := d.serverPreferredNamespacedResourcesFn
	return fn()
}
// ServerGroups delegates to the installed stub.
func (d *Discovery) ServerGroups() (*metav1.APIGroupList, error) {
	fn := d.serverGroupsFn
	return fn()
}
// ServerVersion delegates to the installed stub.
func (d *Discovery) ServerVersion() (*version.Info, error) {
	fn := d.serverVersionFn
	return fn()
}
// OpenAPISchema delegates to the installed stub.
func (d *Discovery) OpenAPISchema() (*openapi_v2.Document, error) {
	fn := d.openAPISchemaFn
	return fn()
}
// OpenAPIV3 delegates to the installed stub.
func (d *Discovery) OpenAPIV3() openapi.Client {
	fn := d.openAPIV3SchemaFn
	return fn()
}
// WithLegacy returns d itself. Switching the discovery client to legacy mode
// (not using the aggregated discovery client) makes no difference for the
// testing purposes of this fake, so no separate legacy instance is needed.
func (d *Discovery) WithLegacy() discovery.DiscoveryInterface {
	var same discovery.DiscoveryInterface = d
	return same
}
// RESTClient delegates to the installed stub.
func (d *Discovery) RESTClient() restclient.Interface {
	fn := d.restClientFn
	return fn()
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
internalv1 "github.com/cert-manager/cert-manager/internal/apis/certmanager/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
type CertificateModifier func(*v1.Certificate)
// Certificate builds a test Certificate named name with an empty PrivateKey
// spec, applies mods in order and finally runs the v1 defaulting so the result
// looks like an object that passed through the API server.
func Certificate(name string, mods ...CertificateModifier) *v1.Certificate {
	crt := new(v1.Certificate)
	crt.ObjectMeta = ObjectMeta(name)
	crt.Spec.PrivateKey = &v1.CertificatePrivateKey{}
	for _, apply := range mods {
		apply(crt)
	}
	internalv1.SetObjectDefaults_Certificate(crt)
	return crt
}
// CertificateFrom deep-copies c, applies mods in order to the copy and runs the
// v1 defaulting on it. The input c is never modified.
func CertificateFrom(c *v1.Certificate, mods ...CertificateModifier) *v1.Certificate {
	copied := c.DeepCopy()
	for i := range mods {
		mods[i](copied)
	}
	internalv1.SetObjectDefaults_Certificate(copied)
	return copied
}
// SetCertificateIssuer sets the Certificate.spec.issuerRef field.
func SetCertificateIssuer(o cmmeta.IssuerReference) CertificateModifier {
	set := func(crt *v1.Certificate) { crt.Spec.IssuerRef = o }
	return set
}
// SetCertificateDNSNames replaces spec.dnsNames with the given names.
func SetCertificateDNSNames(dnsNames ...string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.DNSNames = dnsNames }
	return set
}
// SetCertificateCommonName sets spec.commonName.
func SetCertificateCommonName(commonName string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.CommonName = commonName }
	return set
}
// SetCertificateIPs replaces spec.ipAddresses with the given addresses.
func SetCertificateIPs(ips ...string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.IPAddresses = ips }
	return set
}
// SetCertificateOtherNames replaces spec.otherNames with the given entries.
func SetCertificateOtherNames(otherNames ...v1.OtherName) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.OtherNames = otherNames }
	return set
}
// SetCertificateEmails replaces spec.emailAddresses with the given addresses.
func SetCertificateEmails(emails ...string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.EmailAddresses = emails }
	return set
}
// SetCertificateURIs replaces spec.uris with the given URIs.
func SetCertificateURIs(uris ...string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.URIs = uris }
	return set
}
// SetCertificateIsCA sets spec.isCA.
func SetCertificateIsCA(isCA bool) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.IsCA = isCA }
	return set
}
// SetCertificateKeyAlgorithm sets spec.privateKey.algorithm. It assumes
// spec.privateKey is non-nil, as Certificate() guarantees.
func SetCertificateKeyAlgorithm(keyAlgorithm v1.PrivateKeyAlgorithm) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.PrivateKey.Algorithm = keyAlgorithm }
	return set
}
// SetCertificateKeySize sets spec.privateKey.size. It assumes spec.privateKey
// is non-nil, as Certificate() guarantees.
func SetCertificateKeySize(keySize int) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.PrivateKey.Size = keySize }
	return set
}
// SetCertificateKeyEncoding sets spec.privateKey.encoding. It assumes
// spec.privateKey is non-nil, as Certificate() guarantees.
func SetCertificateKeyEncoding(keyEncoding v1.PrivateKeyEncoding) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.PrivateKey.Encoding = keyEncoding }
	return set
}
// SetCertificateSecretName sets spec.secretName.
func SetCertificateSecretName(secretName string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.SecretName = secretName }
	return set
}
// SetCertificateSecretTemplate sets annotations and labels to be attached to the
// secret metadata. Any existing spec.secretTemplate is replaced wholesale.
func SetCertificateSecretTemplate(annotations, labels map[string]string) CertificateModifier {
	tmpl := &v1.CertificateSecretTemplate{
		Annotations: annotations,
		Labels:      labels,
	}
	return func(c *v1.Certificate) {
		c.Spec.SecretTemplate = tmpl
	}
}
// SetCertificateDuration sets spec.duration.
func SetCertificateDuration(duration *metav1.Duration) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.Duration = duration }
	return set
}
// SetCertificateRenewBefore sets spec.renewBefore.
func SetCertificateRenewBefore(renewBefore *metav1.Duration) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.RenewBefore = renewBefore }
	return set
}
// SetCertificateNextPrivateKeySecretName sets status.nextPrivateKeySecretName.
// The status field points at the captured parameter, so every Certificate this
// modifier is applied to shares the same string pointer.
func SetCertificateNextPrivateKeySecretName(name string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.NextPrivateKeySecretName = &name }
	return set
}
// SetCertificateStatusCondition upserts c into status.conditions: a condition
// with the same Type is replaced in place, otherwise c is appended.
func SetCertificateStatusCondition(c v1.CertificateCondition) CertificateModifier {
	return func(crt *v1.Certificate) {
		if len(crt.Status.Conditions) == 0 {
			crt.Status.Conditions = []v1.CertificateCondition{c}
			return
		}
		conds := crt.Status.Conditions
		for i := range conds {
			if conds[i].Type != c.Type {
				continue
			}
			conds[i] = c
			return
		}
		crt.Status.Conditions = append(conds, c)
	}
}
// SetCertificateLastFailureTime sets status.lastFailureTime to a pointer to p.
func SetCertificateLastFailureTime(p metav1.Time) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.LastFailureTime = &p }
	return set
}
// SetCertificateIssuanceAttempts sets status.failedIssuanceAttempts.
func SetCertificateIssuanceAttempts(ia *int) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.FailedIssuanceAttempts = ia }
	return set
}
// SetCertificateNotAfter sets status.notAfter to a pointer to p.
func SetCertificateNotAfter(p metav1.Time) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.NotAfter = &p }
	return set
}
// SetCertificateNotBefore sets status.notBefore to a pointer to p.
func SetCertificateNotBefore(p metav1.Time) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.NotBefore = &p }
	return set
}
// SetCertificateRenewalTime sets status.renewalTime to a pointer to p.
func SetCertificateRenewalTime(p metav1.Time) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.RenewalTime = &p }
	return set
}
// SetCertificateOrganization replaces spec.subject.organizations with orgs,
// allocating spec.subject first when it is nil.
func SetCertificateOrganization(orgs ...string) CertificateModifier {
	return func(crt *v1.Certificate) {
		subject := crt.Spec.Subject
		if subject == nil {
			subject = &v1.X509Subject{}
			crt.Spec.Subject = subject
		}
		subject.Organizations = orgs
	}
}
// SetCertificateNamespace sets metadata.namespace.
func SetCertificateNamespace(namespace string) CertificateModifier {
	set := func(c *v1.Certificate) { c.Namespace = namespace }
	return set
}
// SetCertificateKeyUsages replaces spec.usages with the given usages.
func SetCertificateKeyUsages(usages ...v1.KeyUsage) CertificateModifier {
	set := func(c *v1.Certificate) { c.Spec.Usages = usages }
	return set
}
// SetCertificateRevision sets status.revision to a pointer to revision.
func SetCertificateRevision(revision int) CertificateModifier {
	set := func(c *v1.Certificate) { c.Status.Revision = &revision }
	return set
}
// SetCertificateUID sets metadata.uid.
func SetCertificateUID(uid types.UID) CertificateModifier {
	set := func(c *v1.Certificate) { c.UID = uid }
	return set
}
// SetCertificateGeneration sets metadata.generation.
func SetCertificateGeneration(gen int64) CertificateModifier {
	set := func(c *v1.Certificate) { c.Generation = gen }
	return set
}
// SetCertificateCreationTimestamp sets metadata.creationTimestamp.
func SetCertificateCreationTimestamp(creationTimestamp metav1.Time) CertificateModifier {
	set := func(c *v1.Certificate) { c.CreationTimestamp = creationTimestamp }
	return set
}
// AddCertificateAnnotations merges annotations into metadata.annotations,
// overwriting existing keys and allocating the map when it is nil.
func AddCertificateAnnotations(annotations map[string]string) CertificateModifier {
	return func(c *v1.Certificate) {
		if c.Annotations == nil {
			c.Annotations = make(map[string]string, len(annotations))
		}
		for key, value := range annotations {
			c.Annotations[key] = value
		}
	}
}
// AddCertificateLabels merges labels into metadata.labels, overwriting
// existing keys and allocating the map when it is nil.
func AddCertificateLabels(labels map[string]string) CertificateModifier {
	return func(c *v1.Certificate) {
		if c.Labels == nil {
			c.Labels = make(map[string]string, len(labels))
		}
		for key, value := range labels {
			c.Labels[key] = value
		}
	}
}
// CertificateRef creates an owner reference for a certificate without having to
// give the full certificate. Only use this function for testing purposes.
//
// Note that the only "important" field that must be filled in ownerReference
// [1] is the UID. Most notably, the IsControlledBy function [2] only cares
// about the UID. The apiVersion, kind and name are only used for information
// purposes.
//
// [1]: https://github.com/kubernetes/apimachinery/blob/10b3882/pkg/apis/meta/v1/types.go#L273-L275
// [2]: https://github.com/kubernetes/apimachinery/blob/10b3882/pkg/apis/meta/v1/controller_ref.go#L29
func CertificateRef(certName, certUID string) metav1.OwnerReference {
	owner := Certificate(certName, SetCertificateUID(types.UID(certUID)))
	gvk := v1.SchemeGroupVersion.WithKind("Certificate")
	return *metav1.NewControllerRef(owner, gvk)
}
// SetCertificateRevisionHistoryLimit returns a modifier that sets
// spec.revisionHistoryLimit to a pointer to limit.
func SetCertificateRevisionHistoryLimit(limit int32) CertificateModifier {
	return func(c *v1.Certificate) {
		c.Spec.RevisionHistoryLimit = &limit
	}
}
// SetCertificateAdditionalOutputFormats returns a modifier that replaces
// spec.additionalOutputFormats with the given formats.
func SetCertificateAdditionalOutputFormats(additionalOutputFormats ...v1.CertificateAdditionalOutputFormat) CertificateModifier {
	return func(c *v1.Certificate) {
		c.Spec.AdditionalOutputFormats = additionalOutputFormats
	}
}
// SetCertificateKeystore returns a modifier that assigns spec.keystores.
// The pointer is stored as-is, so the caller's value is shared.
func SetCertificateKeystore(keystores *v1.CertificateKeystores) CertificateModifier {
	return func(c *v1.Certificate) {
		c.Spec.Keystores = keystores
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
internalv1 "github.com/cert-manager/cert-manager/internal/apis/certmanager/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// CertificateRequestModifier mutates a CertificateRequest in place; the
// builders below apply a sequence of them to a freshly built object.
type CertificateRequestModifier func(*v1.CertificateRequest)
// CertificateRequest builds a CertificateRequest named name with the test
// ObjectMeta defaults, applies mods in order, and finally runs the internal
// v1 defaulting so the object looks like one that passed the API server.
func CertificateRequest(name string, mods ...CertificateRequestModifier) *v1.CertificateRequest {
	cr := &v1.CertificateRequest{ObjectMeta: ObjectMeta(name)}
	for _, apply := range mods {
		apply(cr)
	}
	// Defaulting runs last so that modifiers see the undefaulted object and
	// defaults fill in only what the modifiers left unset.
	internalv1.SetObjectDefaults_CertificateRequest(cr)
	return cr
}
// CertificateRequestFrom deep-copies cr, applies mods to the copy, runs the
// internal v1 defaulting and returns the copy. The input is never mutated.
func CertificateRequestFrom(cr *v1.CertificateRequest, mods ...CertificateRequestModifier) *v1.CertificateRequest {
	out := cr.DeepCopy()
	for _, apply := range mods {
		apply(out)
	}
	internalv1.SetObjectDefaults_CertificateRequest(out)
	return out
}
// SetCertificateRequestIssuer returns a modifier that sets the
// CertificateRequest.spec.issuerRef field to o.
func SetCertificateRequestIssuer(o cmmeta.IssuerReference) CertificateRequestModifier {
	return func(cr *v1.CertificateRequest) {
		cr.Spec.IssuerRef = o
	}
}
// SetCertificateRequestCSR returns a modifier that sets spec.request to the
// given (expected PEM-encoded) CSR bytes; the slice is stored without
// copying.
func SetCertificateRequestCSR(csr []byte) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.Request = csr
	}
}
// SetCertificateRequestIsCA returns a modifier that sets spec.isCA.
func SetCertificateRequestIsCA(isCA bool) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.IsCA = isCA
	}
}
// SetCertificateRequestDuration returns a modifier that sets spec.duration
// to the given pointer (nil clears it).
func SetCertificateRequestDuration(duration *metav1.Duration) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.Duration = duration
	}
}
// SetCertificateRequestCA returns a modifier that sets status.ca to the
// given bytes.
func SetCertificateRequestCA(ca []byte) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Status.CA = ca
	}
}
// SetCertificateRequestCertificate returns a modifier that sets
// status.certificate to the given bytes.
func SetCertificateRequestCertificate(cert []byte) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Status.Certificate = cert
	}
}
// SetCertificateRequestStatusCondition returns a modifier that upserts c
// into status.conditions: a condition with the same Type is replaced in
// place, otherwise c is appended. Contrast AddCertificateRequestStatusCondition,
// which always appends.
func SetCertificateRequestStatusCondition(c v1.CertificateRequestCondition) CertificateRequestModifier {
	return func(cr *v1.CertificateRequest) {
		conds := cr.Status.Conditions
		if len(conds) == 0 {
			cr.Status.Conditions = []v1.CertificateRequestCondition{c}
			return
		}
		for i := range conds {
			if conds[i].Type == c.Type {
				conds[i] = c
				return
			}
		}
		cr.Status.Conditions = append(conds, c)
	}
}
// AddCertificateRequestStatusCondition returns a modifier that appends c to
// status.conditions unconditionally, even if a condition of the same Type
// already exists (use SetCertificateRequestStatusCondition to upsert).
func AddCertificateRequestStatusCondition(c v1.CertificateRequestCondition) CertificateRequestModifier {
	return func(cr *v1.CertificateRequest) {
		conds := cr.Status.Conditions
		cr.Status.Conditions = append(conds, c)
	}
}
// SetCertificateRequestNamespace returns a modifier that assigns
// metadata.namespace.
func SetCertificateRequestNamespace(namespace string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Namespace = namespace
	}
}
// SetCertificateRequestName returns a modifier that assigns metadata.name.
func SetCertificateRequestName(name string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Name = name
	}
}
// SetCertificateRequestGenerateName returns a modifier that assigns
// metadata.generateName.
func SetCertificateRequestGenerateName(generateName string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.GenerateName = generateName
	}
}
// SetCertificateRequestKeyUsages returns a modifier that replaces
// spec.usages with the given usages.
func SetCertificateRequestKeyUsages(usages ...v1.KeyUsage) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.Usages = usages
	}
}
// AddCertificateRequestAnnotations returns a modifier that merges
// annotations into the CertificateRequest's existing annotations, with the
// new values overriding existing keys.
func AddCertificateRequestAnnotations(annotations map[string]string) CertificateRequestModifier {
	return func(cr *v1.CertificateRequest) {
		merged := cr.GetAnnotations()
		if merged == nil {
			merged = make(map[string]string)
		}
		for key, value := range annotations {
			merged[key] = value
		}
		cr.SetAnnotations(merged)
	}
}
// AddCertificateRequestOwnerReferences returns a modifier that appends the
// given owner references to metadata.ownerReferences.
func AddCertificateRequestOwnerReferences(owners ...metav1.OwnerReference) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		refs := c.OwnerReferences
		c.OwnerReferences = append(refs, owners...)
	}
}
// SetCertificateRequestAnnotations returns a modifier that merges
// annotations into metadata.annotations. Despite the "Set" name it does not
// clear existing annotations; it behaves like AddCertificateRequestAnnotations.
func SetCertificateRequestAnnotations(annotations map[string]string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		target := c.Annotations
		if target == nil {
			target = make(map[string]string)
			c.Annotations = target
		}
		for key, value := range annotations {
			target[key] = value
		}
	}
}
// DeleteCertificateRequestAnnotation returns a modifier that removes key
// from metadata.annotations. Deleting from a nil map is a no-op in Go, so
// no guard is needed.
func DeleteCertificateRequestAnnotation(key string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		delete(c.Annotations, key)
	}
}
// SetCertificateRequestFailureTime returns a modifier that sets
// status.failureTime to a pointer to p.
func SetCertificateRequestFailureTime(p metav1.Time) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Status.FailureTime = &p
	}
}
// SetCertificateRequestTypeMeta returns a modifier that assigns the
// apiVersion/kind TypeMeta.
func SetCertificateRequestTypeMeta(tm metav1.TypeMeta) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.TypeMeta = tm
	}
}
// SetCertificateRequestUsername returns a modifier that sets spec.username.
func SetCertificateRequestUsername(username string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.Username = username
	}
}
// SetCertificateRequestGroups returns a modifier that sets spec.groups.
func SetCertificateRequestGroups(groups []string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		c.Spec.Groups = groups
	}
}
// SetCertificateRequestRevision returns a modifier that records rev under
// the revision annotation key (v1.CertificateRequestRevisionAnnotationKey),
// creating the annotations map if needed.
func SetCertificateRequestRevision(rev string) CertificateRequestModifier {
	return func(c *v1.CertificateRequest) {
		annotations := c.Annotations
		if annotations == nil {
			annotations = make(map[string]string)
			c.Annotations = annotations
		}
		annotations[v1.CertificateRequestRevisionAnnotationKey] = rev
	}
}
/*
Copyright 2021 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
"strconv"
certificatesv1 "k8s.io/api/certificates/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
experimentalapi "github.com/cert-manager/cert-manager/pkg/apis/experimental/v1alpha1"
)
// CertificateSigningRequestModifier mutates a Kubernetes
// certificates.k8s.io/v1 CertificateSigningRequest in place.
type CertificateSigningRequestModifier func(*certificatesv1.CertificateSigningRequest)
// CertificateSigningRequest builds a CSR named name with empty (non-nil)
// annotation and label maps, then applies mods in order. No namespace is
// set: CertificateSigningRequests are cluster-scoped.
func CertificateSigningRequest(name string, mods ...CertificateSigningRequestModifier) *certificatesv1.CertificateSigningRequest {
	meta := metav1.ObjectMeta{
		Name:        name,
		Annotations: map[string]string{},
		Labels:      map[string]string{},
	}
	csr := &certificatesv1.CertificateSigningRequest{ObjectMeta: meta}
	for _, apply := range mods {
		apply(csr)
	}
	return csr
}
// CertificateSigningRequestWithRandomName builds a CSR whose name the API
// server will generate from prefix (metadata.generateName), with empty
// annotation and label maps, then applies mods in order.
func CertificateSigningRequestWithRandomName(prefix string, mods ...CertificateSigningRequestModifier) *certificatesv1.CertificateSigningRequest {
	meta := metav1.ObjectMeta{
		GenerateName: prefix,
		Annotations:  map[string]string{},
		Labels:       map[string]string{},
	}
	csr := &certificatesv1.CertificateSigningRequest{ObjectMeta: meta}
	for _, apply := range mods {
		apply(csr)
	}
	return csr
}
// CertificateSigningRequestFrom deep-copies cr, applies mods to the copy and
// returns it; the input is left untouched.
func CertificateSigningRequestFrom(cr *certificatesv1.CertificateSigningRequest, mods ...CertificateSigningRequestModifier) *certificatesv1.CertificateSigningRequest {
	out := cr.DeepCopy()
	for _, apply := range mods {
		apply(out)
	}
	return out
}
// SetCertificateSigningRequestIsCA returns a modifier that records isCA as
// the string "true"/"false" under the experimental IsCA annotation key,
// merging it with any existing annotations.
func SetCertificateSigningRequestIsCA(isCA bool) CertificateSigningRequestModifier {
	annotation := map[string]string{
		experimentalapi.CertificateSigningRequestIsCAAnnotationKey: strconv.FormatBool(isCA),
	}
	return AddCertificateSigningRequestAnnotations(annotation)
}
// SetCertificateSigningRequestRequest returns a modifier that sets
// spec.request to the given CSR bytes.
func SetCertificateSigningRequestRequest(request []byte) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.Request = request
	}
}
// AddCertificateSigningRequestAnnotations returns a modifier that merges
// annotations into the CSR's existing annotations; new values override
// existing keys and other keys are preserved.
func AddCertificateSigningRequestAnnotations(annotations map[string]string) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		merged := c.GetAnnotations()
		if merged == nil {
			merged = make(map[string]string)
		}
		for key, value := range annotations {
			merged[key] = value
		}
		c.SetAnnotations(merged)
	}
}
// SetCertificateSigningRequestSignerName returns a modifier that sets
// spec.signerName.
func SetCertificateSigningRequestSignerName(signerName string) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.SignerName = signerName
	}
}
// SetCertificateSigningRequestExpirationSeconds returns a modifier that sets
// spec.expirationSeconds to a pointer to seconds.
func SetCertificateSigningRequestExpirationSeconds(seconds int32) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.ExpirationSeconds = &seconds
	}
}
// SetCertificateSigningRequestDuration returns a modifier that records the
// duration string under the experimental duration annotation key, merged
// with any existing annotations. The string is stored verbatim; it is not
// parsed or validated here.
func SetCertificateSigningRequestDuration(duration string) CertificateSigningRequestModifier {
	annotation := map[string]string{
		experimentalapi.CertificateSigningRequestDurationAnnotationKey: duration,
	}
	return AddCertificateSigningRequestAnnotations(annotation)
}
// SetCertificateSigningRequestCertificate returns a modifier that sets
// status.certificate to the given bytes.
func SetCertificateSigningRequestCertificate(cert []byte) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Status.Certificate = cert
	}
}
// SetCertificateSigningRequestStatusCondition returns a modifier that
// upserts c into status.conditions: a condition with the same Type is
// replaced in place, otherwise c is appended.
func SetCertificateSigningRequestStatusCondition(c certificatesv1.CertificateSigningRequestCondition) CertificateSigningRequestModifier {
	return func(csr *certificatesv1.CertificateSigningRequest) {
		conds := csr.Status.Conditions
		if len(conds) == 0 {
			csr.Status.Conditions = []certificatesv1.CertificateSigningRequestCondition{c}
			return
		}
		for i := range conds {
			if conds[i].Type == c.Type {
				conds[i] = c
				return
			}
		}
		csr.Status.Conditions = append(conds, c)
	}
}
// SetCertificateSigningRequestUsername returns a modifier that sets
// spec.username (the requesting user as recorded by the API server).
func SetCertificateSigningRequestUsername(username string) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.Username = username
	}
}
// SetCertificateSigningRequestGroups returns a modifier that sets
// spec.groups.
func SetCertificateSigningRequestGroups(groups []string) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.Groups = groups
	}
}
// SetCertificateSigningRequestUID returns a modifier that sets spec.uid
// (the requester's UID, not metadata.uid).
func SetCertificateSigningRequestUID(uid string) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.UID = uid
	}
}
// SetCertificateSigningRequestExtra returns a modifier that sets spec.extra.
func SetCertificateSigningRequestExtra(extra map[string]certificatesv1.ExtraValue) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.Extra = extra
	}
}
// SetCertificateSigningRequestUsages returns a modifier that sets
// spec.usages.
func SetCertificateSigningRequestUsages(usages []certificatesv1.KeyUsage) CertificateSigningRequestModifier {
	return func(c *certificatesv1.CertificateSigningRequest) {
		c.Spec.Usages = usages
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
internalv1 "github.com/cert-manager/cert-manager/internal/apis/acme/v1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// ChallengeModifier mutates an ACME Challenge in place.
type ChallengeModifier func(*cmacme.Challenge)
// Challenge builds a Challenge named name with the test ObjectMeta defaults,
// applies mods in order, then runs the internal v1 ACME defaulting.
func Challenge(name string, mods ...ChallengeModifier) *cmacme.Challenge {
	ch := &cmacme.Challenge{ObjectMeta: ObjectMeta(name)}
	for _, apply := range mods {
		apply(ch)
	}
	// Defaults are applied after the modifiers so they only fill gaps.
	internalv1.SetObjectDefaults_Challenge(ch)
	return ch
}
// ChallengeFrom deep-copies ch, applies mods to the copy, runs the internal
// v1 ACME defaulting and returns the copy; the input is not mutated.
func ChallengeFrom(ch *cmacme.Challenge, mods ...ChallengeModifier) *cmacme.Challenge {
	out := ch.DeepCopy()
	for _, apply := range mods {
		apply(out)
	}
	internalv1.SetObjectDefaults_Challenge(out)
	return out
}
// SetChallengeNamespace returns a modifier that assigns metadata.namespace.
func SetChallengeNamespace(ns string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.ObjectMeta.Namespace = ns
	}
}
// SetChallengeType returns a modifier that sets spec.type (the ACME
// challenge type, e.g. HTTP-01 or DNS-01).
func SetChallengeType(t cmacme.ACMEChallengeType) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.Type = t
	}
}
// SetChallengeToken returns a modifier that sets spec.token.
func SetChallengeToken(t string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.Token = t
	}
}
// SetChallengeKey returns a modifier that sets spec.key (the key
// authorization string for the challenge).
func SetChallengeKey(k string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.Key = k
	}
}
// SetChallengeIssuer returns a modifier that sets the challenge.spec.issuerRef
// field to o.
func SetChallengeIssuer(o cmmeta.IssuerReference) ChallengeModifier {
	return func(ch *cmacme.Challenge) {
		ch.Spec.IssuerRef = o
	}
}
// SetChallengeDNSName returns a modifier that sets spec.dnsName.
func SetChallengeDNSName(dnsName string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.DNSName = dnsName
	}
}
// SetChallengePresented returns a modifier that sets status.presented.
func SetChallengePresented(p bool) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Status.Presented = p
	}
}
// SetChallengeWildcard returns a modifier that sets spec.wildcard.
func SetChallengeWildcard(p bool) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.Wildcard = p
	}
}
// SetChallengeState returns a modifier that sets status.state.
func SetChallengeState(s cmacme.State) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Status.State = s
	}
}
// SetChallengeReason returns a modifier that sets status.reason.
func SetChallengeReason(s string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Status.Reason = s
	}
}
// SetChallengeURL returns a modifier that sets spec.url (the ACME server's
// URL for this challenge).
func SetChallengeURL(s string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.URL = s
	}
}
// SetChallengeProcessing returns a modifier that sets status.processing.
func SetChallengeProcessing(b bool) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Status.Processing = b
	}
}
// SetChallengeFinalizers returns a modifier that replaces
// metadata.finalizers with the given list.
func SetChallengeFinalizers(finalizers []string) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.ObjectMeta.Finalizers = finalizers
	}
}
// SetChallengeDeletionTimestamp returns a modifier that marks the Challenge
// as being deleted by setting metadata.deletionTimestamp to a pointer to ts.
func SetChallengeDeletionTimestamp(ts metav1.Time) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.ObjectMeta.DeletionTimestamp = &ts
	}
}
// ResetChallengeStatus returns a modifier that replaces the whole status
// with its zero value.
func ResetChallengeStatus() ChallengeModifier {
	return func(c *cmacme.Challenge) {
		var empty cmacme.ChallengeStatus
		c.Status = empty
	}
}
// SetChallengeSolverDNS01 returns a modifier that sets spec.solver.dns01 to
// a pointer to solver; other solver fields are left as they are.
func SetChallengeSolverDNS01(solver cmacme.ACMEChallengeSolverDNS01) ChallengeModifier {
	return func(c *cmacme.Challenge) {
		c.Spec.Solver.DNS01 = &solver
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// IssuerConditionModifier mutates an IssuerCondition in place.
type IssuerConditionModifier func(*v1.IssuerCondition)
// IssuerCondition builds a condition of type t and applies mods in order.
// Status, reason, message and transition time are left at their zero values
// unless a modifier sets them.
func IssuerCondition(t v1.IssuerConditionType, mods ...IssuerConditionModifier) *v1.IssuerCondition {
	cond := &v1.IssuerCondition{Type: t}
	for _, apply := range mods {
		apply(cond)
	}
	return cond
}
// IssuerConditionFrom deep-copies c, applies mods to the copy and returns
// it; the input condition is not mutated.
func IssuerConditionFrom(c *v1.IssuerCondition, mods ...IssuerConditionModifier) *v1.IssuerCondition {
	out := c.DeepCopy()
	for _, apply := range mods {
		apply(out)
	}
	return out
}
// SetIssuerConditionStatus returns a modifier that sets the condition's
// Status (True/False/Unknown).
func SetIssuerConditionStatus(s cmmeta.ConditionStatus) IssuerConditionModifier {
	return func(cond *v1.IssuerCondition) {
		cond.Status = s
	}
}
// SetIssuerConditionLastTransitionTime returns a modifier that assigns
// LastTransitionTime (nil clears it).
func SetIssuerConditionLastTransitionTime(t *metav1.Time) IssuerConditionModifier {
	return func(cond *v1.IssuerCondition) {
		cond.LastTransitionTime = t
	}
}
// SetIssuerConditionReason returns a modifier that sets the condition's
// Reason.
func SetIssuerConditionReason(s string) IssuerConditionModifier {
	return func(cond *v1.IssuerCondition) {
		cond.Reason = s
	}
}
// SetIssuerConditionMessage returns a modifier that sets the condition's
// human-readable Message.
func SetIssuerConditionMessage(s string) IssuerConditionModifier {
	return func(cond *v1.IssuerCondition) {
		cond.Message = s
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"net"
"net/url"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
// CSRModifier edits an x509.CertificateRequest template before it is signed
// and encoded; returning an error aborts CSR generation.
type CSRModifier func(*x509.CertificateRequest) error
// defaultGenerateCSROptions are the pki.GenerateCSR options used when a CSR
// template is derived from a Certificate (CSRForCertificate and
// CSRWithSignerForCertificate). They enable encoding of basic constraints,
// name constraints and otherName SANs in the request, and literal subject
// handling; the exact effect of each option is defined in pkg/util/pki.
var defaultGenerateCSROptions = []pki.GenerateCSROption{
	pki.WithEncodeBasicConstraintsInRequest(true),
	pki.WithNameConstraints(true),
	pki.WithOtherNames(true),
	pki.WithUseLiteralSubject(true),
}
// CSRForCertificate derives a CSR template from crt via pki.GenerateCSR
// (using defaultGenerateCSROptions), generates a fresh key of the template's
// public key algorithm, and returns the PEM-encoded CSR plus that key.
// The template is applied as the first modifier, so caller-supplied mods can
// override anything derived from the Certificate.
func CSRForCertificate(crt *v1.Certificate, mods ...CSRModifier) (csr []byte, sk crypto.Signer, err error) {
	template, err := pki.GenerateCSR(crt, defaultGenerateCSROptions...)
	if err != nil {
		return nil, nil, err
	}
	copyTemplate := func(c *x509.CertificateRequest) error {
		*c = *template
		return nil
	}
	all := append([]CSRModifier{copyTemplate}, mods...)
	return CSR(template.PublicKeyAlgorithm, all...)
}
// CSRWithSignerForCertificate derives a CSR template from crt (as
// CSRForCertificate does) but signs it with the caller-supplied key sk.
// Before the template is copied in, the request's public-key and signature
// algorithms — which CSRWithSigner chose from sk — must match those
// pki.GenerateCSR derived from the Certificate; a mismatch is an error, so a
// key of the wrong type cannot silently produce a CSR the Certificate did
// not ask for.
func CSRWithSignerForCertificate(crt *v1.Certificate, sk crypto.Signer, mods ...CSRModifier) (csr []byte, err error) {
	template, err := pki.GenerateCSR(crt, defaultGenerateCSROptions...)
	if err != nil {
		return nil, err
	}
	checkAndCopy := func(c *x509.CertificateRequest) error {
		switch {
		case c.PublicKeyAlgorithm != template.PublicKeyAlgorithm:
			return fmt.Errorf("public key algorithm mismatch: %s != %s", c.PublicKeyAlgorithm, template.PublicKeyAlgorithm)
		case c.SignatureAlgorithm != template.SignatureAlgorithm:
			return fmt.Errorf("signature algorithm mismatch: %s != %s", c.SignatureAlgorithm, template.SignatureAlgorithm)
		}
		*c = *template
		return nil
	}
	all := append([]CSRModifier{checkAndCopy}, mods...)
	return CSRWithSigner(sk, all...)
}
// CSR generates a fresh private key for keyAlgorithm (RSA at
// pki.MinRSAKeySize, ECDSA on pki.ECCurve256, or Ed25519) and builds a
// PEM-encoded CSR over it via CSRWithSigner with the given modifiers.
// It returns the PEM bytes, the generated key, and any error from key
// generation, a modifier, or encoding; an unsupported algorithm is an error.
func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte, sk crypto.Signer, err error) {
	switch keyAlgorithm {
	case x509.RSA:
		sk, err = pki.GenerateRSAPrivateKey(pki.MinRSAKeySize)
	case x509.ECDSA:
		sk, err = pki.GenerateECPrivateKey(pki.ECCurve256)
	case x509.Ed25519:
		sk, err = pki.GenerateEd25519PrivateKey()
	default:
		err = fmt.Errorf("unrecognised key algorithm: %s", keyAlgorithm)
	}
	if err != nil {
		return nil, nil, err
	}
	csr, err = CSRWithSigner(sk, mods...)
	return csr, sk, err
}
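// CSRWithSigner builds a PEM-encoded PKCS#10 certificate request signed with
// sk, after applying each CSRModifier in order to the request template.
//
// The signature algorithm is chosen from the signer's public key:
//   - RSA: SHA-512/384/256 with RSA for moduli of >= 4096/3072/2048 bits,
//     and SHA-1 with RSA for anything smaller;
//   - ECDSA: the hash matching P-256/P-384/P-521, and SHA-1 for any other
//     curve;
//   - Ed25519: PureEd25519.
//
// The SHA-1 fallbacks are kept for behavioural compatibility — presumably so
// tests can build deliberately weak requests — but note that current Go
// x509 verification rejects SHA-1 signatures as insecure, so a CSR produced
// for a sub-2048-bit RSA key or a non-NIST curve will not verify.
//
// Returns the PEM bytes ("CERTIFICATE REQUEST" block), or an error when the
// public key type is unsupported, a modifier fails, or pki.EncodeCSR fails.
func CSRWithSigner(sk crypto.Signer, mods ...CSRModifier) (csr []byte, err error) {
	pub := sk.Public()

	var keyAlgorithm x509.PublicKeyAlgorithm
	var signatureAlgorithm x509.SignatureAlgorithm
	switch key := pub.(type) {
	case *rsa.PublicKey:
		keyAlgorithm = x509.RSA
		keySize := key.N.BitLen()
		switch {
		case keySize >= 4096:
			signatureAlgorithm = x509.SHA512WithRSA
		case keySize >= 3072:
			signatureAlgorithm = x509.SHA384WithRSA
		case keySize >= 2048:
			signatureAlgorithm = x509.SHA256WithRSA
		default:
			signatureAlgorithm = x509.SHA1WithRSA
		}
	case *ecdsa.PublicKey:
		keyAlgorithm = x509.ECDSA
		switch key.Curve {
		case elliptic.P256():
			signatureAlgorithm = x509.ECDSAWithSHA256
		case elliptic.P384():
			signatureAlgorithm = x509.ECDSAWithSHA384
		case elliptic.P521():
			signatureAlgorithm = x509.ECDSAWithSHA512
		default:
			signatureAlgorithm = x509.ECDSAWithSHA1
		}
	case ed25519.PublicKey:
		keyAlgorithm = x509.Ed25519
		signatureAlgorithm = x509.PureEd25519
	default:
		// Report the type that was actually inspected (the public key), not
		// the signer's type, so the message matches what it claims.
		return nil, fmt.Errorf("unrecognised public key type: %T", pub)
	}

	cr := &x509.CertificateRequest{
		Version:            0,
		SignatureAlgorithm: signatureAlgorithm,
		PublicKeyAlgorithm: keyAlgorithm,
		PublicKey:          pub,
	}
	// Modifiers run in order; the first failure aborts with a nil CSR.
	for _, mod := range mods {
		if err := mod(cr); err != nil {
			return nil, err
		}
	}

	csrBytes, err := pki.EncodeCSR(cr, sk)
	if err != nil {
		return nil, err
	}
	csr = pem.EncodeToMemory(&pem.Block{
		Type: "CERTIFICATE REQUEST", Bytes: csrBytes,
	})
	return csr, nil
}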
// SetCSRDNSNames returns a modifier that replaces the request's DNS SANs
// with dnsNames. It never fails.
func SetCSRDNSNames(dnsNames ...string) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		cr.DNSNames = dnsNames
		return nil
	}
}
// SetCSRIPAddresses returns a modifier that replaces the request's IP SANs
// with ips. It never fails.
func SetCSRIPAddresses(ips ...net.IP) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		cr.IPAddresses = ips
		return nil
	}
}
// SetCSRIPAddressesFromStrings returns a modifier that parses each string
// with net.ParseIP and replaces the request's IP SANs with the results.
// The first unparseable string makes the modifier fail with an "invalid ip"
// error and leaves the request unchanged; an empty list sets IPAddresses to
// nil.
func SetCSRIPAddressesFromStrings(ips ...string) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		var parsed []net.IP
		for _, raw := range ips {
			ip := net.ParseIP(raw)
			if ip == nil {
				return fmt.Errorf("invalid ip: %s", raw)
			}
			parsed = append(parsed, ip)
		}
		cr.IPAddresses = parsed
		return nil
	}
}
// SetCSRURIs returns a modifier that replaces the request's URI SANs with
// uris. It never fails.
func SetCSRURIs(uris ...*url.URL) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		cr.URIs = uris
		return nil
	}
}
// SetCSRURIsFromStrings returns a modifier that parses each string with
// url.Parse and replaces the request's URI SANs with the results. The first
// parse error is returned unchanged and the request is left untouched; an
// empty list sets URIs to nil.
func SetCSRURIsFromStrings(uris ...string) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		var parsed []*url.URL
		for _, raw := range uris {
			u, err := url.Parse(raw)
			if err != nil {
				return err
			}
			parsed = append(parsed, u)
		}
		cr.URIs = parsed
		return nil
	}
}
// SetCSRCommonName returns a modifier that sets the subject CN. It never
// fails.
func SetCSRCommonName(commonName string) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		cr.Subject.CommonName = commonName
		return nil
	}
}
// SetCSREmails returns a modifier that replaces the request's email SANs
// with emails. It never fails.
func SetCSREmails(emails []string) CSRModifier {
	return func(cr *x509.CertificateRequest) error {
		cr.EmailAddresses = emails
		return nil
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
// IssuerModifier mutates an Issuer or ClusterIssuer through the shared
// v1.GenericIssuer interface, so one set of modifiers serves both kinds.
type IssuerModifier func(v1.GenericIssuer)
// ClusterIssuer builds a ClusterIssuer named name and applies mods in order.
// The namespace that ObjectMeta() sets by default is cleared first, since
// ClusterIssuers are cluster-scoped.
func ClusterIssuer(name string, mods ...IssuerModifier) *v1.ClusterIssuer {
	meta := ObjectMeta(name)
	meta.Namespace = ""
	iss := &v1.ClusterIssuer{ObjectMeta: meta}
	for _, apply := range mods {
		apply(iss)
	}
	return iss
}
// ClusterIssuerFrom applies mods to iss and returns the same pointer. Unlike
// IssuerFrom, it does NOT deep-copy: the caller's object is mutated in
// place. Callers that need the original preserved must copy it themselves.
func ClusterIssuerFrom(iss *v1.ClusterIssuer, mods ...IssuerModifier) *v1.ClusterIssuer {
	for _, apply := range mods {
		apply(iss)
	}
	return iss
}
// ClusterIssuerWithRandomName returns a ClusterIssuer whose name the API
// server generates from prefix (metadata.generateName is set to prefix, so
// the final name is 'prefix<random-string>'), with mods applied in order.
func ClusterIssuerWithRandomName(prefix string, mods ...IssuerModifier) *v1.ClusterIssuer {
	iss := &v1.ClusterIssuer{
		ObjectMeta: metav1.ObjectMeta{GenerateName: prefix},
	}
	for _, apply := range mods {
		apply(iss)
	}
	return iss
}
// Issuer builds a namespaced Issuer named name with the test ObjectMeta
// defaults and applies mods in order.
func Issuer(name string, mods ...IssuerModifier) *v1.Issuer {
	iss := &v1.Issuer{ObjectMeta: ObjectMeta(name)}
	for _, apply := range mods {
		apply(iss)
	}
	return iss
}
// IssuerFrom deep-copies iss, applies mods to the copy and returns it; the
// input is not mutated.
func IssuerFrom(iss *v1.Issuer, mods ...IssuerModifier) *v1.Issuer {
	out := iss.DeepCopy()
	for _, apply := range mods {
		apply(out)
	}
	return out
}
// IssuerWithRandomName returns a new Issuer whose name the API server
// generates from prefix (metadata.generateName is set to prefix, giving
// 'prefix<random-string>'), with mods applied in order. No namespace is set.
func IssuerWithRandomName(prefix string, mods ...IssuerModifier) *v1.Issuer {
	iss := &v1.Issuer{
		ObjectMeta: metav1.ObjectMeta{GenerateName: prefix},
	}
	for _, apply := range mods {
		apply(iss)
	}
	return iss
}
// SetIssuerACME returns a modifier that replaces spec.acme wholesale with a
// pointer to a; any ACME fields set by earlier modifiers are discarded.
func SetIssuerACME(a cmacme.ACMEIssuer) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		spec := iss.GetSpec()
		spec.ACME = &a
	}
}
// SetIssuerACMEPreferredChain returns a modifier that sets
// spec.acme.preferredChain, creating an empty ACME spec if none exists.
func SetIssuerACMEPreferredChain(chain string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.PreferredChain = chain
	}
}
// SetIssuerACMEURL returns a modifier that sets spec.acme.server (the ACME
// directory URL), creating an empty ACME spec if none exists.
func SetIssuerACMEURL(url string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.Server = url
	}
}
// SetIssuerACMEEmail returns a modifier that sets spec.acme.email, creating
// an empty ACME spec if none exists.
func SetIssuerACMEEmail(email string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.Email = email
	}
}
// SetIssuerACMEProfile returns a modifier that sets spec.acme.profile,
// creating an empty ACME spec if none exists.
func SetIssuerACMEProfile(profile string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.Profile = profile
	}
}
// SetIssuerACMEPrivKeyRef returns a modifier that points spec.acme.privateKey
// at the Secret named privateKeyName (no key within the Secret is selected),
// creating an empty ACME spec if none exists.
func SetIssuerACMEPrivKeyRef(privateKeyName string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		var ref cmmeta.SecretKeySelector
		ref.LocalObjectReference.Name = privateKeyName
		acme.PrivateKey = ref
	}
}
// SetIssuerACMESolvers returns a modifier that replaces spec.acme.solvers,
// creating an empty ACME spec if none exists.
func SetIssuerACMESolvers(solvers []cmacme.ACMEChallengeSolver) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.Solvers = solvers
	}
}
// SetIssuerACMEDuration returns a modifier that sets
// spec.acme.enableDurationFeature, creating an empty ACME spec if none
// exists.
func SetIssuerACMEDuration(enabled bool) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.EnableDurationFeature = enabled
	}
}
// SetIssuerACMESkipTLSVerify returns a modifier that sets
// spec.acme.skipTLSVerify, creating an empty ACME spec if none exists. The
// field name indicates it disables TLS verification of the ACME server; it
// is a test knob for talking to a local server with a self-signed cert and
// has no place in a production Issuer.
func SetIssuerACMESkipTLSVerify(shouldSkip bool) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.SkipTLSVerify = shouldSkip
	}
}
// SetIssuerACMEDisableAccountKeyGeneration returns a modifier that sets
// spec.acme.disableAccountKeyGeneration, creating an empty ACME spec if none
// exists.
func SetIssuerACMEDisableAccountKeyGeneration(disabled bool) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		acme.DisableAccountKeyGeneration = disabled
	}
}
// SetIssuerACMEEAB returns a modifier that configures ACME External Account
// Binding with the given key ID and a reference to the "key" entry of the
// Secret named secretName, creating an empty ACME spec if none exists. The
// HMAC key itself never appears in the Issuer; only the Secret reference
// does.
func SetIssuerACMEEAB(keyID, secretName string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		keyRef := cmmeta.SecretKeySelector{Key: "key"}
		keyRef.LocalObjectReference.Name = secretName
		acme.ExternalAccountBinding = &cmacme.ACMEExternalAccountBinding{
			KeyID: keyID,
			Key:   keyRef,
		}
	}
}
// SetIssuerACMEEABWithKeyAlgorithm returns an ACME Issuer modifier that sets
// ACME External Account Binding with the legacy keyAlgorithm field set. As
// with SetIssuerACMEEAB, the HMAC key is referenced via the "key" entry of
// the Secret named secretName, and an empty ACME spec is created if none
// exists.
func SetIssuerACMEEABWithKeyAlgorithm(keyID, secretName string, keyAlgorithm cmacme.HMACKeyAlgorithm) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acme := iss.GetSpec().ACME
		if acme == nil {
			acme = &cmacme.ACMEIssuer{}
			iss.GetSpec().ACME = acme
		}
		keyRef := cmmeta.SecretKeySelector{Key: "key"}
		keyRef.LocalObjectReference.Name = secretName
		acme.ExternalAccountBinding = &cmacme.ACMEExternalAccountBinding{
			KeyID:        keyID,
			KeyAlgorithm: keyAlgorithm,
			Key:          keyRef,
		}
	}
}
// SetIssuerACMEAccountURL returns a modifier that sets status.acme.uri (the
// registered ACME account URL), creating an empty ACME status if none exists.
func SetIssuerACMEAccountURL(url string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acmeStatus := iss.GetStatus().ACME
		if acmeStatus == nil {
			acmeStatus = &cmacme.ACMEIssuerStatus{}
			iss.GetStatus().ACME = acmeStatus
		}
		acmeStatus.URI = url
	}
}
// SetIssuerACMELastRegisteredEmail returns a modifier that sets
// status.acme.lastRegisteredEmail, creating an empty ACME status if none
// exists.
func SetIssuerACMELastRegisteredEmail(email string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acmeStatus := iss.GetStatus().ACME
		if acmeStatus == nil {
			acmeStatus = &cmacme.ACMEIssuerStatus{}
			iss.GetStatus().ACME = acmeStatus
		}
		acmeStatus.LastRegisteredEmail = email
	}
}
// SetIssuerACMELastPrivateKeyHash returns a modifier that sets
// status.acme.lastPrivateKeyHash, creating an empty ACME status if none
// exists. The value is stored verbatim; nothing here computes a hash.
func SetIssuerACMELastPrivateKeyHash(privateKeyHash string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		acmeStatus := iss.GetStatus().ACME
		if acmeStatus == nil {
			acmeStatus = &cmacme.ACMEIssuerStatus{}
			iss.GetStatus().ACME = acmeStatus
		}
		acmeStatus.LastPrivateKeyHash = privateKeyHash
	}
}
// SetIssuerCA returns a modifier that replaces spec.ca wholesale with a
// pointer to a.
func SetIssuerCA(a v1.CAIssuer) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		spec := iss.GetSpec()
		spec.CA = &a
	}
}
// SetIssuerCASecretName returns a modifier that sets spec.ca.secretName,
// creating an empty CA spec if none exists.
func SetIssuerCASecretName(secretName string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		ca := iss.GetSpec().CA
		if ca == nil {
			ca = &v1.CAIssuer{}
			iss.GetSpec().CA = ca
		}
		ca.SecretName = secretName
	}
}
// SetIssuerVault returns a modifier that replaces spec.vault wholesale with
// a pointer to v.
func SetIssuerVault(v v1.VaultIssuer) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		spec := iss.GetSpec()
		spec.Vault = &v
	}
}
// SetIssuerVaultURL returns a modifier that sets spec.vault.server, creating
// an empty Vault spec if none exists.
func SetIssuerVaultURL(url string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		vault.Server = url
	}
}
// SetIssuerVaultPath returns a modifier that sets spec.vault.path (the PKI
// sign path), creating an empty Vault spec if none exists.
func SetIssuerVaultPath(path string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		vault.Path = path
	}
}
// SetIssuerVaultCABundle returns a modifier that sets spec.vault.caBundle to
// the given bytes (stored as-is), creating an empty Vault spec if none
// exists.
func SetIssuerVaultCABundle(caBundle []byte) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		vault.CABundle = caBundle
	}
}
// SetIssuerVaultCABundleSecretRef returns a modifier that points
// spec.vault.caBundleSecretRef at key within the Secret named name, creating
// an empty Vault spec if none exists. The namespace argument is accepted but
// not used: a SecretKeySelector carries no namespace.
func SetIssuerVaultCABundleSecretRef(name, namespace, key string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		ref := &cmmeta.SecretKeySelector{Key: key}
		ref.LocalObjectReference.Name = name
		vault.CABundleSecretRef = ref
	}
}
// SetIssuerVaultClientCertSecretRef returns a modifier that points
// spec.vault.clientCertSecretRef at key within the named Secret, creating an
// empty Vault spec if none exists.
func SetIssuerVaultClientCertSecretRef(vaultClientCertificateSecretName, key string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		ref := &cmmeta.SecretKeySelector{Key: key}
		ref.LocalObjectReference.Name = vaultClientCertificateSecretName
		vault.ClientCertSecretRef = ref
	}
}
// SetIssuerVaultClientKeySecretRef returns a modifier that points
// spec.vault.clientKeySecretRef at key within the named Secret, creating an
// empty Vault spec if none exists.
func SetIssuerVaultClientKeySecretRef(vaultClientCertificateSecretName, key string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		ref := &cmmeta.SecretKeySelector{Key: key}
		ref.LocalObjectReference.Name = vaultClientCertificateSecretName
		vault.ClientKeySecretRef = ref
	}
}
// SetIssuerVaultTokenAuth returns a modifier that configures Vault token
// authentication from entry keyName of the Secret named tokenName, creating
// an empty Vault spec if none exists. Other auth methods already set on
// spec.vault.auth are left in place.
func SetIssuerVaultTokenAuth(keyName, tokenName string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		ref := &cmmeta.SecretKeySelector{Key: keyName}
		ref.LocalObjectReference.Name = tokenName
		vault.Auth.TokenSecretRef = ref
	}
}
// SetIssuerVaultAppRoleAuth returns a modifier that configures Vault AppRole
// authentication: the role ID and mount path are given directly, while the
// secret ID is referenced via entry keyName of the Secret named approleName.
// An empty Vault spec is created if none exists.
func SetIssuerVaultAppRoleAuth(keyName, approleName, roleId, path string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		secretRef := cmmeta.SecretKeySelector{Key: keyName}
		secretRef.LocalObjectReference.Name = approleName
		vault.Auth.AppRole = &v1.VaultAppRole{
			Path:      path,
			RoleId:    roleId,
			SecretRef: secretRef,
		}
	}
}
// SetIssuerVaultClientCertificateAuth returns a modifier that configures
// Vault TLS client-certificate authentication with the given mount path and
// Secret name, creating an empty Vault spec if none exists.
func SetIssuerVaultClientCertificateAuth(path, secretName string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		auth := &v1.VaultClientCertificateAuth{Path: path, SecretName: secretName}
		vault.Auth.ClientCertificate = auth
	}
}
// SetIssuerVaultKubernetesAuthSecret returns a modifier that configures Vault
// Kubernetes authentication using a service-account token read from entry
// secretKey of the Secret named secretName, with the given Vault role and
// auth mount path. An empty Vault spec is created if none exists.
func SetIssuerVaultKubernetesAuthSecret(secretKey, secretName, vaultRole, vaultPath string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		vault := iss.GetSpec().Vault
		if vault == nil {
			vault = &v1.VaultIssuer{}
			iss.GetSpec().Vault = vault
		}
		secretRef := cmmeta.SecretKeySelector{Key: secretKey}
		secretRef.LocalObjectReference.Name = secretName
		vault.Auth.Kubernetes = &v1.VaultKubernetesAuth{
			Path:      vaultPath,
			SecretRef: secretRef,
			Role:      vaultRole,
		}
	}
}
// SetIssuerVaultKubernetesAuthServiceAccount returns an IssuerModifier that
// configures Vault Kubernetes authentication via a ServiceAccountRef (a token
// is requested for serviceAccount rather than read from a Secret), bound to
// role at mount path. The Vault issuer spec is created if it is still absent.
func SetIssuerVaultKubernetesAuthServiceAccount(serviceAccount, role, path string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		spec := iss.GetSpec()
		if spec.Vault == nil {
			spec.Vault = &v1.VaultIssuer{}
		}
		k8sAuth := &v1.VaultKubernetesAuth{Path: path, Role: role}
		k8sAuth.ServiceAccountRef = &v1.ServiceAccountRef{Name: serviceAccount}
		spec.Vault.Auth.Kubernetes = k8sAuth
	}
}
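// SetIssuerSelfSigned returns an IssuerModifier that sets spec.selfSigned to a
// copy of a.
//
// Each invocation of the modifier stores its own copy: the original took the
// address of the captured parameter, so every issuer built from one modifier
// shared a single *SelfSignedIssuer and a mutation through one generated
// object leaked into all the others. The generated content is unchanged.
func SetIssuerSelfSigned(a v1.SelfSignedIssuer) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		cfg := a
		iss.GetSpec().SelfSigned = &cfg
	}
}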
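// SetIssuerVenafi returns an IssuerModifier that sets spec.venafi to a copy
// of a.
//
// Each invocation of the modifier stores its own copy: the original took the
// address of the captured parameter, so every issuer built from one modifier
// shared a single *VenafiIssuer and a mutation through one generated object
// leaked into all the others. The generated content is unchanged.
func SetIssuerVenafi(a v1.VenafiIssuer) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		cfg := a
		iss.GetSpec().Venafi = &cfg
	}
}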
// AddIssuerCondition returns an IssuerModifier that appends c to the issuer's
// status conditions, keeping any conditions already present.
func AddIssuerCondition(c v1.IssuerCondition) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		status := iss.GetStatus()
		status.Conditions = append(status.Conditions, c)
	}
}
// SetIssuerNamespace returns an IssuerModifier that overwrites the issuer's
// metadata.namespace.
func SetIssuerNamespace(namespace string) IssuerModifier {
	return func(iss v1.GenericIssuer) {
		meta := iss.GetObjectMeta()
		meta.Namespace = namespace
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
	// DefaultTestNamespace is the default namespace set on resources that
	// are namespaced.
	DefaultTestNamespace = "default-unit-test-ns"
)

// ObjectMetaModifier applies a transformation to the provided ObjectMeta.
// Modifiers are applied in order by ObjectMeta, after the defaults are set.
type ObjectMetaModifier func(*metav1.ObjectMeta)
// ObjectMeta builds a metav1.ObjectMeta named name, namespaced to
// DefaultTestNamespace, and then runs each ObjectMetaModifier over it in order.
//
// Because the namespace is always defaulted, generators for cluster-scoped
// resources must explicitly pass `SetNamespace("")` to clear it.
func ObjectMeta(name string, mods ...ObjectMetaModifier) metav1.ObjectMeta {
	meta := metav1.ObjectMeta{
		Name:      name,
		Namespace: DefaultTestNamespace,
	}
	for _, apply := range mods {
		apply(&meta)
	}
	return meta
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
"time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
internalv1 "github.com/cert-manager/cert-manager/internal/apis/acme/v1"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
)
type OrderModifier func(*cmacme.Order)
// Order builds a new cmacme.Order named name (with the package's default test
// namespace), applies mods in order, and finally runs the v1 object defaults
// over the result.
func Order(name string, mods ...OrderModifier) *cmacme.Order {
	o := &cmacme.Order{ObjectMeta: ObjectMeta(name)}
	for _, apply := range mods {
		apply(o)
	}
	// Defaults run last so a modifier can leave a field empty and still get
	// the canonical default value.
	internalv1.SetObjectDefaults_Order(o)
	return o
}
// OrderFrom deep-copies order, applies mods in order to the copy, runs the
// v1 object defaults over it and returns it. The input order is not modified.
func OrderFrom(order *cmacme.Order, mods ...OrderModifier) *cmacme.Order {
	clone := order.DeepCopy()
	for _, apply := range mods {
		apply(clone)
	}
	internalv1.SetObjectDefaults_Order(clone)
	return clone
}
// SetOrderIssuer returns an OrderModifier that sets Order.spec.issuerRef to o.
func SetOrderIssuer(o cmmeta.IssuerReference) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.IssuerRef = o }
}
// SetOrderDNSNames returns an OrderModifier that replaces Order.spec.dnsNames
// with dnsNames (the variadic slice is stored as-is, not copied).
func SetOrderDNSNames(dnsNames ...string) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.DNSNames = dnsNames }
}
// SetOrderIPAddresses returns an OrderModifier that replaces
// Order.spec.ipAddresses with ips (the variadic slice is stored as-is).
func SetOrderIPAddresses(ips ...string) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.IPAddresses = ips }
}
// SetOrderURL returns an OrderModifier that sets Order.status.url.
func SetOrderURL(url string) OrderModifier {
	return func(order *cmacme.Order) { order.Status.URL = url }
}
// SetOrderState returns an OrderModifier that sets Order.status.state to s.
func SetOrderState(s cmacme.State) OrderModifier {
	return func(order *cmacme.Order) { order.Status.State = s }
}
// SetOrderReason returns an OrderModifier that sets Order.status.reason.
func SetOrderReason(reason string) OrderModifier {
	return func(order *cmacme.Order) { order.Status.Reason = reason }
}
// SetOrderStatus returns an OrderModifier that replaces the whole
// Order.status with s, discarding any status set by earlier modifiers.
func SetOrderStatus(s cmacme.OrderStatus) OrderModifier {
	return func(order *cmacme.Order) { order.Status = s }
}
// SetOrderCertificate returns an OrderModifier that sets
// Order.status.certificate to d (stored as-is, not copied).
func SetOrderCertificate(d []byte) OrderModifier {
	return func(order *cmacme.Order) { order.Status.Certificate = d }
}
// SetOrderCommonName returns an OrderModifier that sets Order.spec.commonName.
func SetOrderCommonName(commonName string) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.CommonName = commonName }
}
// SetOrderNamespace returns an OrderModifier that overwrites the Order's
// metadata.namespace.
func SetOrderNamespace(namespace string) OrderModifier {
	return func(order *cmacme.Order) { order.Namespace = namespace }
}
// SetOrderCsr returns an OrderModifier that sets Order.spec.request to the
// given CSR bytes (stored as-is, not copied).
func SetOrderCsr(csr []byte) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.Request = csr }
}
// SetOrderDuration returns an OrderModifier that sets Order.spec.duration to
// a freshly allocated metav1.Duration wrapping duration.
func SetOrderDuration(duration time.Duration) OrderModifier {
	return func(order *cmacme.Order) {
		d := metav1.Duration{Duration: duration}
		order.Spec.Duration = &d
	}
}
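// SetOrderAnnotations returns an OrderModifier that sets the Order's
// metadata.annotations to a copy of annotations.
//
// The map is copied (as SetSecretAnnotations in this package already does)
// so that a test mutating the generated Order's annotations cannot reach back
// into the caller's map, and so several Orders built from one modifier do not
// share a single map. A nil input still yields nil annotations.
func SetOrderAnnotations(annotations map[string]string) OrderModifier {
	return func(order *cmacme.Order) {
		if annotations == nil {
			order.Annotations = nil
			return
		}
		copied := make(map[string]string, len(annotations))
		for k, v := range annotations {
			copied[k] = v
		}
		order.Annotations = copied
	}
}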
// SetOrderOwnerReference returns an OrderModifier that replaces the Order's
// metadata.ownerReferences with the single reference ref.
func SetOrderOwnerReference(ref metav1.OwnerReference) OrderModifier {
	return func(order *cmacme.Order) {
		refs := make([]metav1.OwnerReference, 1)
		refs[0] = ref
		order.OwnerReferences = refs
	}
}
// SetOrderProfile returns an OrderModifier that sets Order.spec.profile.
func SetOrderProfile(profile string) OrderModifier {
	return func(order *cmacme.Order) { order.Spec.Profile = profile }
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gen
import (
corev1 "k8s.io/api/core/v1"
)
type SecretModifier func(*corev1.Secret)
// Secret builds a new corev1.Secret named name (with the package's default
// test namespace) and applies mods to it in order.
func Secret(name string, mods ...SecretModifier) *corev1.Secret {
	sec := &corev1.Secret{ObjectMeta: ObjectMeta(name)}
	for _, apply := range mods {
		apply(sec)
	}
	return sec
}
// SecretFrom deep-copies sec, applies mods in order to the copy and returns
// it. The input Secret is not modified.
func SecretFrom(sec *corev1.Secret, mods ...SecretModifier) *corev1.Secret {
	clone := sec.DeepCopy()
	for _, apply := range mods {
		apply(clone)
	}
	return clone
}
// SetSecretNamespace returns a SecretModifier that overwrites the Secret's
// metadata.namespace.
func SetSecretNamespace(namespace string) SecretModifier {
	return func(sec *corev1.Secret) { sec.Namespace = namespace }
}
// SetSecretAnnotations returns a SecretModifier that replaces the Secret's
// metadata.annotations with a copy of an. The result is always a non-nil map,
// so a nil input produces empty (not nil) annotations.
func SetSecretAnnotations(an map[string]string) SecretModifier {
	return func(sec *corev1.Secret) {
		copied := make(map[string]string, len(an))
		for key, value := range an {
			copied[key] = value
		}
		sec.Annotations = copied
	}
}
// SetSecretData returns a SecretModifier that replaces the Secret's data with
// a copy of data. Only the map is copied; the []byte values are shared with
// the caller, so mutating one of them afterwards is visible in the Secret.
// A nil input produces an empty (not nil) data map.
func SetSecretData(data map[string][]byte) SecretModifier {
	return func(sec *corev1.Secret) {
		copied := make(map[string][]byte, len(data))
		for key, value := range data {
			copied[key] = value
		}
		sec.Data = copied
	}
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package listers
import (
"k8s.io/apimachinery/pkg/labels"
cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
acmelisters "github.com/cert-manager/cert-manager/pkg/client/listers/acme/v1"
)
// Compile-time checks that the fakes satisfy the lister interfaces they
// stand in for.
var _ acmelisters.OrderLister = &FakeOrderLister{}
var _ acmelisters.OrderNamespaceLister = &FakeOrderNamespaceLister{}

// FakeOrderLister is a test double for acmelisters.OrderLister whose behaviour
// is supplied through function fields. The methods call the fields directly,
// so a nil field panics when the corresponding method is invoked.
type FakeOrderLister struct {
	// ListFn backs List.
	ListFn func(selector labels.Selector) (ret []*cmacme.Order, err error)
	// OrdersFn backs Orders.
	OrdersFn func(namespace string) acmelisters.OrderNamespaceLister
}

// FakeOrderNamespaceLister is a test double for
// acmelisters.OrderNamespaceLister; see FakeOrderLister for the nil-field
// behaviour.
type FakeOrderNamespaceLister struct {
	// ListFn backs List.
	ListFn func(selector labels.Selector) (ret []*cmacme.Order, err error)
	// GetFn backs Get.
	GetFn func(name string) (ret *cmacme.Order, err error)
}
// NewFakeOrderLister returns a FakeOrderLister whose List reports no Orders
// and no error, and whose Orders returns a nil namespace lister. Tests
// override the function fields to change that.
func NewFakeOrderLister() *FakeOrderLister {
	l := &FakeOrderLister{}
	l.ListFn = func(labels.Selector) ([]*cmacme.Order, error) { return nil, nil }
	l.OrdersFn = func(string) acmelisters.OrderNamespaceLister { return nil }
	return l
}
// NewFakeOrderNamespaceLister returns a FakeOrderNamespaceLister whose List
// and Get both report nothing found and no error. Tests override the function
// fields to change that.
func NewFakeOrderNamespaceLister() *FakeOrderNamespaceLister {
	l := &FakeOrderNamespaceLister{}
	l.ListFn = func(labels.Selector) ([]*cmacme.Order, error) { return nil, nil }
	l.GetFn = func(string) (*cmacme.Order, error) { return nil, nil }
	return l
}
// List delegates to f.ListFn.
func (f *FakeOrderLister) List(selector labels.Selector) (ret []*cmacme.Order, err error) {
	ret, err = f.ListFn(selector)
	return ret, err
}
// Orders delegates to f.OrdersFn.
func (f *FakeOrderLister) Orders(namespace string) acmelisters.OrderNamespaceLister {
	orders := f.OrdersFn
	return orders(namespace)
}
// List delegates to f.ListFn.
func (f *FakeOrderNamespaceLister) List(selector labels.Selector) (ret []*cmacme.Order, err error) {
	ret, err = f.ListFn(selector)
	return ret, err
}
// Get delegates to f.GetFn.
func (f *FakeOrderNamespaceLister) Get(name string) (*cmacme.Order, error) {
	get := f.GetFn
	return get(name)
}
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package listers
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/labels"
clientcorev1 "k8s.io/client-go/listers/core/v1"
)
// Compile-time checks that the fakes satisfy the client-go lister interfaces
// they stand in for.
var _ clientcorev1.SecretLister = &FakeSecretLister{}
var _ clientcorev1.SecretNamespaceLister = &FakeSecretNamespaceLister{}

// FakeSecretListerModifier mutates a FakeSecretLister; see NewFakeSecretLister
// and FakeSecretListerFrom.
type FakeSecretListerModifier func(*FakeSecretLister)

// FakeSecretNamespaceListerModifier mutates a FakeSecretNamespaceLister; see
// NewFakeSecretNamespaceLister and FakeSecretNamespaceListerFrom.
type FakeSecretNamespaceListerModifier func(*FakeSecretNamespaceLister)

// FakeSecretLister is a test double for clientcorev1.SecretLister whose
// behaviour is supplied through function fields. The methods call the fields
// directly, so a nil field panics when the corresponding method is invoked.
type FakeSecretLister struct {
	// ListFn backs List.
	ListFn func(selector labels.Selector) (ret []*corev1.Secret, err error)
	// SecretsFn backs Secrets.
	SecretsFn func(namespace string) clientcorev1.SecretNamespaceLister
}

// FakeSecretNamespaceLister is a test double for
// clientcorev1.SecretNamespaceLister; see FakeSecretLister for the nil-field
// behaviour.
type FakeSecretNamespaceLister struct {
	// ListFn backs List.
	ListFn func(selector labels.Selector) (ret []*corev1.Secret, err error)
	// GetFn backs Get.
	GetFn func(name string) (ret *corev1.Secret, err error)
}
// NewFakeSecretLister returns a FakeSecretLister whose List reports no
// Secrets and no error and whose Secrets returns a nil namespace lister,
// then applies mods in order via FakeSecretListerFrom.
func NewFakeSecretLister(mods ...FakeSecretListerModifier) *FakeSecretLister {
	base := &FakeSecretLister{}
	base.ListFn = func(labels.Selector) ([]*corev1.Secret, error) { return nil, nil }
	base.SecretsFn = func(string) clientcorev1.SecretNamespaceLister { return nil }
	return FakeSecretListerFrom(base, mods...)
}
// NewFakeSecretNamespaceLister returns a FakeSecretNamespaceLister whose List
// and Get both report nothing found and no error, then applies mods in order
// via FakeSecretNamespaceListerFrom.
func NewFakeSecretNamespaceLister(mods ...FakeSecretNamespaceListerModifier) *FakeSecretNamespaceLister {
	base := &FakeSecretNamespaceLister{}
	base.ListFn = func(labels.Selector) ([]*corev1.Secret, error) { return nil, nil }
	base.GetFn = func(string) (*corev1.Secret, error) { return nil, nil }
	return FakeSecretNamespaceListerFrom(base, mods...)
}
// List delegates to f.ListFn.
func (f *FakeSecretLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
	ret, err = f.ListFn(selector)
	return ret, err
}
// Secrets delegates to f.SecretsFn.
func (f *FakeSecretLister) Secrets(namespace string) clientcorev1.SecretNamespaceLister {
	secrets := f.SecretsFn
	return secrets(namespace)
}
// List delegates to f.ListFn.
func (f *FakeSecretNamespaceLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
	ret, err = f.ListFn(selector)
	return ret, err
}
// Get delegates to f.GetFn.
func (f *FakeSecretNamespaceLister) Get(name string) (*corev1.Secret, error) {
	get := f.GetFn
	return get(name)
}
// FakeSecretNamespaceListerFrom applies mods to f in order and returns f
// itself (f is mutated, not copied).
func FakeSecretNamespaceListerFrom(f *FakeSecretNamespaceLister, mods ...FakeSecretNamespaceListerModifier) *FakeSecretNamespaceLister {
	for i := range mods {
		mods[i](f)
	}
	return f
}
// SetFakeSecretNamespaceListerGet makes Get return the fixed pair (ret, err)
// for any name, and returns f for chaining.
func (f *FakeSecretNamespaceLister) SetFakeSecretNamespaceListerGet(ret *corev1.Secret,
	err error) *FakeSecretNamespaceLister {
	fixed := func(string) (*corev1.Secret, error) { return ret, err }
	f.GetFn = fixed
	return f
}
// FakeSecretListerFrom applies mods to s in order and returns s itself
// (s is mutated, not copied).
func FakeSecretListerFrom(s *FakeSecretLister, mods ...FakeSecretListerModifier) *FakeSecretLister {
	for i := range mods {
		mods[i](s)
	}
	return s
}
// SetFakeSecretListerSecret returns a modifier that replaces the lister's
// SecretsFn with s.
func SetFakeSecretListerSecret(s func(namespace string) clientcorev1.SecretNamespaceLister) FakeSecretListerModifier {
	return func(f *FakeSecretLister) { f.SecretsFn = s }
}
// SetFakeSecretNamespaceListerGet returns a modifier that makes the lister's
// Secrets(namespace) hand back, for every namespace, a fresh
// FakeSecretNamespaceLister whose Get returns the fixed pair (sec, err).
// Only GetFn is set on that namespace lister; calling List on it panics.
func SetFakeSecretNamespaceListerGet(sec *corev1.Secret, err error) FakeSecretListerModifier {
	get := func(string) (*corev1.Secret, error) { return sec, err }
	return func(f *FakeSecretLister) {
		f.SecretsFn = func(string) clientcorev1.SecretNamespaceLister {
			return &FakeSecretNamespaceLister{GetFn: get}
		}
	}
}
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package acme provides an implementation of the
// Automatic Certificate Management Environment (ACME) spec,
// most famously used by Let's Encrypt.
//
// The initial implementation of this package was based on an early version
// of the spec. The current implementation supports only the modern
// RFC 8555 but some of the old API surface remains for compatibility.
// While code using the old API will still compile, it will return an error.
// Note the deprecation comments to update your code.
//
// See https://tools.ietf.org/html/rfc8555 for the spec.
//
// Most common scenarios will want to use autocert subdirectory instead,
// which provides automatic access to certificates from Let's Encrypt
// and any other ACME-based CA.
package acme
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/base64"
"encoding/hex"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"math/big"
"net/http"
"strings"
"sync"
"time"
)
const (
	// LetsEncryptURL is the Directory endpoint of Let's Encrypt CA.
	// It is the default when Client.DirectoryURL is empty.
	LetsEncryptURL = "https://acme-v02.api.letsencrypt.org/directory"

	// ALPNProto is the ALPN protocol name used by a CA server when validating
	// tls-alpn-01 challenges.
	//
	// Package users must ensure their servers can negotiate the ACME ALPN in
	// order for tls-alpn-01 challenge verifications to succeed.
	// See the crypto/tls package's Config.NextProtos field.
	ALPNProto = "acme-tls/1"
)

// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge.
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1
var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// Bounds on data accepted from the CA. They cap how much memory a misbehaving
// or malicious server can make the client allocate while parsing certificates.
const (
	maxChainLen = 5       // max depth and breadth of a certificate chain
	maxCertSize = 1 << 20 // max size of a certificate, in DER bytes

	// Used for decoding certs from application/pem-certificate-chain response,
	// the default when in RFC mode.
	maxCertChainSize = maxCertSize * maxChainLen

	// Max number of collected nonces kept in memory.
	// Expect usual peak of 1 or 2.
	maxNonces = 100
)
// Client is an ACME client.
//
// The only required field is Key. An example of creating a client with a new key
// is as follows:
//
//	key, err := rsa.GenerateKey(rand.Reader, 2048)
//	if err != nil {
//		log.Fatal(err)
//	}
//	client := &Client{Key: key}
//
// The exported fields are read by the methods below without a lock; set them
// before the first call and do not mutate them concurrently with method calls.
type Client struct {
	// Key is the account key used to register with a CA and sign requests.
	// Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey.
	//
	// The following algorithms are supported:
	// RS256, ES256, ES384 and ES512.
	// See RFC 7518 for more details about the algorithms.
	//
	// The key is the account's identity at the CA; protect it as you would
	// any credential. AccountKeyRollover replaces it in place.
	Key crypto.Signer

	// HTTPClient optionally specifies an HTTP client to use
	// instead of http.DefaultClient.
	//
	// http.DefaultClient carries no Timeout, so without either a custom
	// client or a deadline on the ctx passed to each method, a stalled CA
	// connection can block a call indefinitely.
	HTTPClient *http.Client

	// DirectoryURL points to the CA directory endpoint.
	// If empty, LetsEncryptURL is used.
	// Mutating this value after a successful call of Client's Discover method
	// will have no effect.
	DirectoryURL string

	// RetryBackoff computes the duration after which the nth retry of a failed request
	// should occur. The value of n for the first call on failure is 1.
	// The values of r and resp are the request and response of the last failed attempt.
	// If the returned value is negative or zero, no more retries are done and an error
	// is returned to the caller of the original method.
	//
	// Requests which result in a 4xx client error are not retried,
	// except for 400 Bad Request due to "bad nonce" errors and 429 Too Many Requests.
	//
	// If RetryBackoff is nil, a truncated exponential backoff algorithm
	// with the ceiling of 10 seconds is used, where each subsequent retry n
	// is done after either ("Retry-After" + jitter) or (2^n seconds + jitter),
	// preferring the former if "Retry-After" header is found in the resp.
	// The jitter is a random value up to 1 second.
	RetryBackoff func(n int, r *http.Request, resp *http.Response) time.Duration

	// UserAgent is prepended to the User-Agent header sent to the ACME server,
	// which by default is this package's name and version.
	//
	// Reusable libraries and tools in particular should set this value to be
	// identifiable by the server, in case they are causing issues.
	UserAgent string

	// cacheMu guards dir and KID, the two values cached from the CA
	// (see Discover and accountKID).
	cacheMu sync.Mutex
	dir     *Directory // cached result of Client's Discover method

	// KID is the key identifier provided by the CA. If not provided it will be
	// retrieved from the CA by making a call to the registration endpoint.
	KID KeyID

	// noncesMu guards nonces.
	noncesMu sync.Mutex
	nonces   map[string]struct{} // nonces collected from previous responses
}
// accountKID returns the key ID the CA associated with c.Key during RFC 8555
// registration, taking it from c.KID when already known and otherwise looking
// it up once via c.getRegRFC. It assumes c.Discover has already been called.
//
// Only a successful lookup is cached, so a failed one is retried on the next
// call. When the lookup fails the result is noKeyID. The whole method runs
// under c.cacheMu.
func (c *Client) accountKID(ctx context.Context) KeyID {
	c.cacheMu.Lock()
	defer c.cacheMu.Unlock()

	if kid := c.KID; kid != noKeyID {
		return kid
	}
	acct, err := c.getRegRFC(ctx)
	if err != nil {
		return noKeyID
	}
	c.KID = KeyID(acct.URI)
	return c.KID
}
var errPreRFC = errors.New("acme: server does not support the RFC 8555 version of ACME")
// Discover performs ACME server discovery using c.DirectoryURL.
//
// The first successful result is cached under c.cacheMu, so later calls return
// it without a network round-trip; for the same reason, changing
// c.DirectoryURL after a successful call has no effect.
//
// A directory without a newOrder endpoint is rejected with errPreRFC, since
// only RFC 8555 servers are supported. The response body is decoded as JSON
// without an explicit size bound here; any limit would have to come from
// c.get (not visible in this block) or from the configured HTTPClient.
func (c *Client) Discover(ctx context.Context) (Directory, error) {
	c.cacheMu.Lock()
	defer c.cacheMu.Unlock()
	if cached := c.dir; cached != nil {
		return *cached, nil
	}

	res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK))
	if err != nil {
		return Directory{}, err
	}
	defer res.Body.Close()
	// The directory response is a free source of a fresh nonce.
	c.addNonce(res.Header)

	// Wire form of the directory object (RFC 8555 section 7.1.1).
	type directoryMeta struct {
		Terms        string            `json:"termsOfService"`
		Website      string            `json:"website"`
		CAA          []string          `json:"caaIdentities"`
		ExternalAcct bool              `json:"externalAccountRequired"`
		Profiles     map[string]string `json:"profiles"`
	}
	type directoryWire struct {
		Reg       string `json:"newAccount"`
		Authz     string `json:"newAuthz"`
		Order     string `json:"newOrder"`
		Revoke    string `json:"revokeCert"`
		Nonce     string `json:"newNonce"`
		KeyChange string `json:"keyChange"`
		Meta      directoryMeta
	}
	var wire directoryWire
	if err := json.NewDecoder(res.Body).Decode(&wire); err != nil {
		return Directory{}, err
	}
	if wire.Order == "" {
		return Directory{}, errPreRFC
	}

	dir := Directory{
		RegURL:                  wire.Reg,
		AuthzURL:                wire.Authz,
		OrderURL:                wire.Order,
		RevokeURL:               wire.Revoke,
		NonceURL:                wire.Nonce,
		KeyChangeURL:            wire.KeyChange,
		Terms:                   wire.Meta.Terms,
		Website:                 wire.Meta.Website,
		CAA:                     wire.Meta.CAA,
		ExternalAccountRequired: wire.Meta.ExternalAcct,
		Profiles:                wire.Meta.Profiles,
	}
	c.dir = &dir
	return dir, nil
}
// directoryURL returns c.DirectoryURL, falling back to LetsEncryptURL when it
// is empty.
func (c *Client) directoryURL() string {
	url := c.DirectoryURL
	if url == "" {
		url = LetsEncryptURL
	}
	return url
}
// CreateCert was part of the old version of ACME. It is incompatible with RFC 8555
// and always fails with errPreRFC without contacting the CA.
//
// Deprecated: this was for the pre-RFC 8555 version of ACME. Callers should use CreateOrderCert.
func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) {
	err = errPreRFC
	return nil, "", err
}
// FetchCert retrieves an already issued certificate from the given url, in DER
// format. It retries the request until the certificate is successfully
// retrieved, the context is cancelled by the caller, or an error response is
// received.
//
// If bundle is true, the returned value also contains the CA (issuer)
// certificate chain.
//
// FetchCert returns an error if the CA's response or chain was unreasonably
// large (see maxCertSize and maxCertChainSize). Callers are encouraged to
// parse the returned value to ensure the certificate is valid and has the
// expected features; this method does not validate it.
func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) {
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	return c.fetchCertRFC(ctx, url, bundle)
}
// RevokeCert revokes a previously issued certificate cert, provided in DER
// format.
//
// The key argument, used to sign the request, must be authorized to revoke
// the certificate; it is up to the CA to decide which keys are authorized
// (for instance, the key pair of the certificate itself may be). If key is
// nil, c.Key is used instead.
func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
	_, err := c.Discover(ctx)
	if err != nil {
		return err
	}
	return c.revokeCertRFC(ctx, key, cert, reason)
}
// AcceptTOS is a prompt function for Client.Register that accepts the CA's
// Terms of Service unconditionally, ignoring tosURL. Use it only when the
// operator has agreed to the terms out of band.
func AcceptTOS(tosURL string) bool {
	accepted := true
	return accepted
}
// Register creates a new account with the CA using c.Key and returns the
// registered account. The account acct is not modified.
//
// The registration may require the caller to agree to the CA's Terms of
// Service (TOS). If so, and the account has not indicated acceptance of the
// terms (see Account for details), Register calls prompt with the TOS URL
// provided by the CA; prompt reports whether the caller agrees. To always
// accept the terms, the caller can use AcceptTOS.
//
// When interfacing with an RFC-compliant CA, non-RFC 8555 fields of acct are
// ignored and prompt is called if Directory's Terms field is non-zero. Also
// see Error's Instance field for when a CA requires already registered
// accounts to agree to an updated Terms of Service.
func (c *Client) Register(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {
	// Registration is the one operation that cannot fall back to a cached
	// key ID, so the signing key is checked up front.
	if c.Key == nil {
		return nil, errors.New("acme: client.Key must be set to Register")
	}
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	return c.registerRFC(ctx, acct, prompt)
}
// GetReg retrieves the existing account associated with c.Key.
//
// The url argument is a legacy artifact of the pre-RFC 8555 API and is
// ignored; the account is located through the CA's newAccount endpoint.
func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) {
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	return c.getRegRFC(ctx)
}
// UpdateReg updates an existing registration and returns an updated account
// copy. The provided account is not modified.
//
// The account's URI is ignored; the account URL associated with c.Key is used
// instead.
func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error) {
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	return c.updateRegRFC(ctx, acct)
}
// AccountKeyRollover attempts to transition the client's account key to
// newKey. On success the client's Key is updated, which is not concurrency
// safe: do not call other methods on c while a rollover is in flight.
// On failure an error is returned.
//
// The new key is already registered with the ACME provider if all of the
// following hold:
//   - the error is of type acme.Error
//   - its StatusCode is 409 (Conflict)
//   - the Location header carries the KID of the associated account
//
// More about account key rollover can be found at
// https://tools.ietf.org/html/rfc8555#section-7.3.5.
func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
	err := c.accountKeyRollover(ctx, newKey)
	return err
}
// Authorize performs the initial step in the pre-authorization flow for a DNS
// identifier, as opposed to the order-based flow. The caller then chooses
// from and performs the returned challenges using c.Accept to complete the
// authorization.
//
// Once complete, the caller can use AuthorizeOrder, which the CA should
// provision with the already satisfied authorization. For pre-RFC CAs, the
// caller can proceed directly to requesting a certificate using CreateCert.
//
// If an authorization has been previously granted, the CA may return a valid
// authorization whose Status field is StatusValid.
//
// More about pre-authorization can be found at
// https://tools.ietf.org/html/rfc8555#section-7.4.1.
func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) {
	const identifierType = "dns"
	return c.authorize(ctx, identifierType, domain)
}
// AuthorizeIP is the same as Authorize but requests authorization for an IP
// address identifier. Clients which successfully obtain such authorization
// may request a certificate for IP addresses.
//
// See the ACME spec extension for more details about IP address identifiers:
// https://tools.ietf.org/html/draft-ietf-acme-ip.
func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) {
	const identifierType = "ip"
	return c.authorize(ctx, identifierType, ipaddr)
}
// authorize posts a new-authz request for the identifier (typ, val) to the
// directory's newAuthz endpoint and returns the resulting Authorization.
//
// It fails with errPreAuthorizationNotSupported when the directory advertises
// no newAuthz URL, and rejects any response whose status is neither pending
// nor valid. The Authorization's URI is taken from the Location header.
func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) {
	if _, err := c.Discover(ctx); err != nil {
		return nil, err
	}
	authzURL := c.dir.AuthzURL
	if authzURL == "" {
		// The CA does not offer pre-authorization.
		return nil, errPreAuthorizationNotSupported
	}

	type authzID struct {
		Type  string `json:"type"`
		Value string `json:"value"`
	}
	type newAuthzRequest struct {
		Resource   string  `json:"resource"`
		Identifier authzID `json:"identifier"`
	}
	body := newAuthzRequest{
		Resource:   "new-authz",
		Identifier: authzID{Type: typ, Value: val},
	}

	res, err := c.post(ctx, nil, authzURL, body, wantStatus(http.StatusCreated))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()

	var wire wireAuthz
	if err := json.NewDecoder(res.Body).Decode(&wire); err != nil {
		return nil, fmt.Errorf("acme: invalid response: %v", err)
	}
	switch wire.Status {
	case StatusPending, StatusValid:
		return wire.authorization(res.Header.Get("Location")), nil
	default:
		return nil, fmt.Errorf("acme: unexpected status: %s", wire.Status)
	}
}
// GetAuthorization retrieves the authorization identified by url with a single
// POST-as-GET request.
//
// If a caller needs to poll an authorization until its status is final, see
// the WaitAuthorization method.
func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) {
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()

	var wire wireAuthz
	if decodeErr := json.NewDecoder(res.Body).Decode(&wire); decodeErr != nil {
		return nil, fmt.Errorf("acme: invalid response: %v", decodeErr)
	}
	return wire.authorization(url), nil
}
// RevokeAuthorization relinquishes an existing authorization identified by
// url (an Authorization.URI value) by posting a deactivation request to it.
//
// If successful, the caller will be required to obtain a new authorization
// using the Authorize or AuthorizeOrder methods before being able to request
// a new certificate for the domain associated with the authorization.
//
// It does not revoke existing certificates.
func (c *Client) RevokeAuthorization(ctx context.Context, url string) error {
	_, err := c.Discover(ctx)
	if err != nil {
		return err
	}

	type deactivateRequest struct {
		Resource string `json:"resource"`
		Status   string `json:"status"`
		Delete   bool   `json:"delete"`
	}
	body := deactivateRequest{
		Resource: "authz",
		Status:   "deactivated",
		Delete:   true,
	}
	res, err := c.post(ctx, nil, url, body, wantStatus(http.StatusOK))
	if err != nil {
		return err
	}
	// Only the status code matters; the body is discarded unread.
	res.Body.Close()
	return nil
}
// WaitAuthorization polls the authorization at url until it reaches one of the
// final states, StatusValid or StatusInvalid, the ACME CA responds with a 4xx
// error code, or the context is done.
//
// It returns a non-nil Authorization only if its Status is StatusValid. In all
// other cases WaitAuthorization returns an error; if the Status is
// StatusInvalid, the returned error is of type *AuthorizationError.
//
// A response body that fails to decode is not treated as an error: the poll
// simply repeats after the delay, so only ctx bounds how long a CA that keeps
// returning malformed JSON can keep this method running.
func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {
	if _, err := c.Discover(ctx); err != nil {
		return nil, err
	}
	for {
		res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))
		if err != nil {
			return nil, err
		}
		var raw wireAuthz
		decodeErr := json.NewDecoder(res.Body).Decode(&raw)
		res.Body.Close()
		if decodeErr == nil {
			switch raw.Status {
			case StatusValid:
				return raw.authorization(url), nil
			case StatusInvalid:
				return nil, raw.error(url)
			}
		}
		// Decode error or non-final status: poll again after a delay.

		// Exponential backoff for failed requests lives in c.get; this delay
		// only keeps the client from hammering the CA while the authorization
		// is still pending. The CA's Retry-After wins when present.
		delay := retryAfter(res.Header.Get("Retry-After"))
		if delay == 0 {
			// Even the fastest challenges need the CA to make at least one
			// network round trip and most likely persist challenge state, so
			// one second is a reasonable floor.
			delay = time.Second
		}
		timer := time.NewTimer(delay)
		select {
		case <-ctx.Done():
			timer.Stop()
			return nil, ctx.Err()
		case <-timer.C:
			// Retry.
		}
	}
}
// GetChallenge retrieves the current status of the challenge at url with a
// single POST-as-GET request; a client typically polls a challenge using it.
// The returned Challenge's URI is set to url even if the CA omits it.
func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) {
	_, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()

	wire := wireChallenge{URI: url}
	if decodeErr := json.NewDecoder(res.Body).Decode(&wire); decodeErr != nil {
		return nil, fmt.Errorf("acme: invalid response: %v", decodeErr)
	}
	return wire.challenge(), nil
}
// Accept informs the server that the client accepts one of the challenges
// previously obtained with c.Authorize, by POSTing to chal.URI.
//
// The request body is chal.Payload when set and the empty JSON object
// otherwise. The server then performs the validation asynchronously; poll
// with GetChallenge or WaitAuthorization for the outcome.
func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) {
	if _, err := c.Discover(ctx); err != nil {
		return nil, err
	}

	var payload json.RawMessage = chal.Payload
	if len(payload) == 0 {
		payload = json.RawMessage("{}")
	}
	accepted := wantStatus(
		http.StatusOK,       // according to the spec
		http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md)
	)
	res, err := c.post(ctx, nil, chal.URI, payload, accepted)
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()

	var wire wireChallenge
	if decodeErr := json.NewDecoder(res.Body).Decode(&wire); decodeErr != nil {
		return nil, fmt.Errorf("acme: invalid response: %v", decodeErr)
	}
	return wire.challenge(), nil
}
// DNS01ChallengeRecord returns the DNS record value for a dns-01 challenge
// response: the base64url (unpadded) SHA-256 digest of the key authorization
// for token under c.Key. A TXT record containing the returned value must be
// provisioned under the "_acme-challenge" name of the domain being validated.
//
// The token argument is a Challenge.Token value.
func (c *Client) DNS01ChallengeRecord(token string) (string, error) {
	keyAuthz, err := keyAuth(c.Key.Public(), token)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	record := base64.RawURLEncoding.EncodeToString(digest[:])
	return record, nil
}
// HTTP01ChallengeResponse returns the response for an http-01 challenge: the
// key authorization for token under c.Key. Servers should respond with this
// value to HTTP requests at the URL path given by HTTP01ChallengePath to
// validate the challenge and prove control over a domain name.
//
// The token argument is a Challenge.Token value.
func (c *Client) HTTP01ChallengeResponse(token string) (string, error) {
	response, err := keyAuth(c.Key.Public(), token)
	return response, err
}
// HTTP01ChallengePath returns the URL path at which the response for an
// http-01 challenge should be served; the response value itself comes from
// HTTP01ChallengeResponse.
//
// The token argument is a Challenge.Token value. It is appended to the
// well-known prefix verbatim, without validation or escaping, so a server
// that maps this path onto storage must treat the token as an opaque
// lookup key rather than as part of a file-system path.
func (c *Client) HTTP01ChallengePath(token string) string {
	const prefix = "/.well-known/acme-challenge/"
	return prefix + token
}
// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response.
//
// The single SAN is the hex SHA-256 digest of the key authorization, split
// into two 32-character labels under the reserved .acme.invalid zone.
//
// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.
func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
	keyAuthz, err := keyAuth(c.Key.Public(), token)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	hexDigest := hex.EncodeToString(digest[:])
	name = hexDigest[:32] + "." + hexDigest[32:] + ".acme.invalid"
	cert, err = tlsChallengeCert([]string{name}, opt)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	return cert, name, nil
}
// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response.
//
// Two SANs are set: one derived from the bare token (".token.acme.invalid",
// also returned as name, which is what the validator sends as SNI) and one
// derived from the key authorization (".ka.acme.invalid"), which proves
// possession of the account key.
//
// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec.
func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) {
	// splitHex renders a digest as two 32-char hex labels under suffix.
	splitHex := func(digest [sha256.Size]byte, suffix string) string {
		h := hex.EncodeToString(digest[:])
		return h[:32] + "." + h[32:] + suffix
	}
	sanToken := splitHex(sha256.Sum256([]byte(token)), ".token.acme.invalid")
	keyAuthz, err := keyAuth(c.Key.Public(), token)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	sanKeyAuthz := splitHex(sha256.Sum256([]byte(keyAuthz)), ".ka.acme.invalid")
	cert, err = tlsChallengeCert([]string{sanToken, sanKeyAuthz}, opt)
	if err != nil {
		return tls.Certificate{}, "", err
	}
	return cert, sanToken, nil
}
// TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response.
// Servers can present the certificate to validate the challenge and prove control
// over a domain name. For more details on TLS-ALPN-01 see
// https://tools.ietf.org/html/draft-shoemaker-acme-tls-alpn-00#section-3
// (since published as RFC 8737).
//
// The token argument is a Challenge.Token value.
// If a WithKey option is provided, its private part signs the returned cert,
// and the public part is used to specify the signee.
// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve.
//
// The returned certificate is valid for the next 24 hours and must be presented only when
// the server name in the TLS ClientHello matches the domain, and the special acme-tls/1 ALPN protocol
// has been specified. Presenting it on any other connection leaks nothing
// secret, but it is a self-signed certificate with a fixed serial and must
// never be served as the site's real certificate.
func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption) (cert tls.Certificate, err error) {
	keyAuthz, err := keyAuth(c.Key.Public(), token)
	if err != nil {
		return tls.Certificate{}, err
	}
	// The acmeIdentifier extension carries the SHA-256 digest of the key
	// authorization as a DER OCTET STRING and is marked critical so that a
	// non-ACME TLS client refuses the certificate.
	digest := sha256.Sum256([]byte(keyAuthz))
	extDER, err := asn1.Marshal(digest[:])
	if err != nil {
		return tls.Certificate{}, err
	}
	// A caller-supplied template is honoured, but the ACME extension is always
	// appended to it; every other option is passed through to tlsChallengeCert.
	// Appending to ExtraExtensions of a shallow copy may write into the
	// caller's backing array if it has spare capacity (same as before).
	tmpl := defaultTLSChallengeCertTemplate()
	passthrough := make([]CertOption, 0, len(opt)+1)
	for _, o := range opt {
		if t, isTemplate := o.(*certOptTemplate); isTemplate {
			cp := *(*x509.Certificate)(t) // shallow copy is ok
			tmpl = &cp
			continue
		}
		passthrough = append(passthrough, o)
	}
	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{
		Id:       idPeACMEIdentifier,
		Critical: true,
		Value:    extDER,
	})
	passthrough = append(passthrough, WithTemplate(tmpl))
	return tlsChallengeCert([]string{domain}, passthrough)
}
// popNonce returns a nonce value previously stored with c.addNonce
// or fetches a fresh one from c.dir.NonceURL.
// If NonceURL is empty, it first tries c.directoryURL() and, failing that,
// the provided url.
//
// Each nonce is single-use (the CA rejects a replayed one with badNonce),
// so a cached value is deleted the moment it is handed out. Note that the
// fallback network fetch runs while noncesMu is held, which serialises
// concurrent callers behind that round trip.
func (c *Client) popNonce(ctx context.Context, url string) (string, error) {
	c.noncesMu.Lock()
	defer c.noncesMu.Unlock()
	// Fast path: any cached nonce will do; map order is arbitrary.
	for cached := range c.nonces {
		delete(c.nonces, cached)
		return cached, nil
	}
	// Cache empty: an RFC 8555 directory advertises newNonce; older CAs
	// return a Replay-Nonce on the directory (or any) URL instead.
	if c.dir != nil && c.dir.NonceURL != "" {
		return c.fetchNonce(ctx, c.dir.NonceURL)
	}
	dirURL := c.directoryURL()
	nonce, err := c.fetchNonce(ctx, dirURL)
	if err != nil && url != dirURL {
		nonce, err = c.fetchNonce(ctx, url)
	}
	return nonce, err
}
// clearNonces drops every cached nonce. It is called after a badNonce
// response, when anything still cached is presumed stale.
func (c *Client) clearNonces() {
	c.noncesMu.Lock()
	c.nonces = make(map[string]struct{})
	c.noncesMu.Unlock()
}
// addNonce stores a nonce value found in h (if any) for future use.
//
// The cache is bounded by maxNonces; once full, new values are silently
// discarded rather than evicting old ones, so it cannot grow without limit
// no matter how many responses a CA sends.
func (c *Client) addNonce(h http.Header) {
	nonce := nonceFromHeader(h)
	if nonce == "" {
		return
	}
	c.noncesMu.Lock()
	defer c.noncesMu.Unlock()
	switch {
	case len(c.nonces) >= maxNonces:
		return
	case c.nonces == nil:
		c.nonces = make(map[string]struct{})
	}
	c.nonces[nonce] = struct{}{}
}
// fetchNonce issues a HEAD request to url and returns the Replay-Nonce
// header from the response.
//
// When no nonce is present, a >299 status is reported as the CA's own
// error document; otherwise a generic "nonce not found" error is returned.
func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) {
	req, err := http.NewRequest("HEAD", url, nil)
	if err != nil {
		return "", err
	}
	res, err := c.doNoRetry(ctx, req)
	if err != nil {
		return "", err
	}
	defer res.Body.Close()
	if nonce := nonceFromHeader(res.Header); nonce != "" {
		return nonce, nil
	}
	if res.StatusCode > 299 {
		return "", responseError(res)
	}
	return "", errors.New("acme: nonce not found")
}
// nonceFromHeader extracts the Replay-Nonce value from h, or "" when absent.
func nonceFromHeader(h http.Header) string {
	const replayNonce = "Replay-Nonce"
	return h.Get(replayNonce)
}
// linkHeader returns URI-Reference values of all Link headers
// with relation-type rel.
// See https://tools.ietf.org/html/rfc5988#section-5 for details.
//
// Parsing is deliberately minimal: each header value is split on ";", the
// first field is taken as the <uri> (only the angle brackets are stripped),
// and every `rel=` parameter that matches rel contributes the URI once.
// A single header carrying several comma-separated links is not split.
func linkHeader(h http.Header, rel string) []string {
	var uris []string
	for _, hdr := range h["Link"] {
		fields := strings.Split(hdr, ";")
		target := strings.Trim(fields[0], "<>")
		for _, param := range fields {
			relValue, isRel := strings.CutPrefix(strings.TrimSpace(param), "rel=")
			if !isRel {
				continue
			}
			if strings.Trim(relValue, `"`) == rel {
				uris = append(uris, target)
			}
		}
	}
	return uris
}
// keyAuth generates a key authorization string for a given token:
// token "." RFC 7638 thumbprint of pub. Binding the CA-issued token to the
// account key is what stops a third party who merely observes the token
// from answering the challenge.
func keyAuth(pub crypto.PublicKey, token string) (string, error) {
	thumbprint, err := JWKThumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + thumbprint, nil
}
// defaultTLSChallengeCertTemplate is a template used to create challenge certs for TLS challenges.
//
// The certificate is self-signed, short-lived (24h from now) and never
// published, so a fixed serial number of 1 is acceptable; NotBefore is the
// current wall clock, so a validator with a skewed clock may see it as not
// yet valid.
func defaultTLSChallengeCertTemplate() *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	tmpl.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	return tmpl
}
// tlsChallengeCert creates a temporary self-signed certificate for the TLS
// based challenges (TLS-SNI and TLS-ALPN) with the given SANs and an
// auto-generated P-256 ECDSA key pair.
// The Subject Common Name is set to the first SAN to aid debugging.
// To create a cert with a custom key pair, specify WithKey option; a
// WithTemplate option replaces the default template (a shallow copy is used
// so the caller's template struct is not mutated).
//
// Passing an option type this package does not know about is a programming
// error and panics.
func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) {
	tmpl := defaultTLSChallengeCertTemplate()
	var signer crypto.Signer
	for _, o := range opt {
		switch v := o.(type) {
		case *certOptKey:
			if signer != nil {
				return tls.Certificate{}, errors.New("acme: duplicate key option")
			}
			signer = v.key
		case *certOptTemplate:
			cp := *(*x509.Certificate)(v) // shallow copy is ok
			tmpl = &cp
		default:
			// package's fault, if we let this happen:
			panic(fmt.Sprintf("unsupported option type %T", o))
		}
	}
	if signer == nil {
		generated, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return tls.Certificate{}, err
		}
		signer = generated
	}
	tmpl.DNSNames = san
	if len(san) > 0 {
		tmpl.Subject.CommonName = san[0]
	}
	// Self-signed: the template is both subject and issuer.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer}, nil
}
// encodePEM returns b encoded as PEM with block of type typ
// (e.g. "CERTIFICATE REQUEST"). No headers are attached.
func encodePEM(typ string, b []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:  typ,
		Bytes: b,
	})
}
// timeNow is time.Now, except in tests which can mess with it.
// It is consulted by retryAfter when a Retry-After header carries an
// HTTP-date; production code must not reassign it.
var timeNow = time.Now
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package acme
import (
"bytes"
"context"
"crypto"
"crypto/rand"
"encoding/json"
"errors"
"fmt"
"io"
"math/big"
"net/http"
"runtime/debug"
"strconv"
"strings"
"time"
)
// retryTimer encapsulates common logic for retrying unsuccessful requests.
// It is not safe for concurrent use: a fresh one is created per call of
// Client.get / Client.post and discarded afterwards.
type retryTimer struct {
	// backoffFn provides backoff delay sequence for retries.
	// See Client.RetryBackoff doc comment. A non-positive return value
	// means "stop retrying" (see backoff).
	backoffFn func(n int, r *http.Request, res *http.Response) time.Duration
	// n is the current retry attempt, incremented by inc before each
	// backoff call; it starts at 0.
	n int
}
// inc records that another attempt has been made.
func (t *retryTimer) inc() {
	t.n += 1
}
// backoff pauses the current goroutine as described in Client.RetryBackoff.
//
// It returns an error, without sleeping, when backoffFn yields a
// non-positive delay (the function's way of saying "give up"), and ctx.Err()
// if the context is done before the delay elapses. Callers in this package
// treat any error as "stop retrying" and report the CA's last response.
func (t *retryTimer) backoff(ctx context.Context, r *http.Request, res *http.Response) error {
	delay := t.backoffFn(t.n, r, res)
	if delay <= 0 {
		return fmt.Errorf("acme: no more retries for %s; tried %d time(s)", r.URL, t.n)
	}
	timer := time.NewTimer(delay)
	defer timer.Stop()
	select {
	case <-timer.C:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}
// retryTimer returns a new, zero-attempt retry timer driven by
// c.RetryBackoff, or by defaultBackoff when the client sets none.
func (c *Client) retryTimer() *retryTimer {
	rt := &retryTimer{backoffFn: c.RetryBackoff}
	if rt.backoffFn == nil {
		rt.backoffFn = defaultBackoff
	}
	return rt
}
// defaultBackoff provides default Client.RetryBackoff implementation
// using a truncated exponential backoff algorithm,
// as described in Client.RetryBackoff.
//
// The n argument is always bounded between 1 and 30.
// The returned value is always greater than 0.
//
// A Retry-After header takes precedence over the exponential schedule and is
// deliberately not clamped to the 10s ceiling, since a CA may legitimately
// ask for a much longer pause (rate limiting). The value is CA-controlled;
// the only bound on how long the caller sleeps is its context.
func defaultBackoff(n int, r *http.Request, res *http.Response) time.Duration {
	const ceiling = 10 * time.Second
	// Random jitter in [1ms, 1000ms] from crypto/rand; on the (unlikely)
	// error path it stays 0. The 1ms floor keeps the return value positive
	// when Retry-After parses to 0, because 0 would stop the retries.
	var jitter time.Duration
	if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil {
		jitter = time.Duration(x.Int64()+1) * time.Millisecond
	}
	if ra, ok := res.Header["Retry-After"]; ok {
		return retryAfter(ra[0]) + jitter
	}
	attempt := min(max(n, 1), 30)
	delay := time.Duration(1<<uint(attempt-1))*time.Second + jitter
	return min(delay, ceiling)
}
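// retryAfter parses a Retry-After HTTP header value,
// trying to convert v into an int (seconds) or use http.ParseTime otherwise.
// It returns zero value if v cannot be parsed.
//
// The header is CA-controlled input. Two hostile or merely sloppy shapes are
// neutralised here: a negative delay-seconds or an HTTP-date already in the
// past yields 0 ("retry now") instead of a negative duration, which would
// make time.NewTimer in the pollers fire immediately and spin against the
// CA; and an absurdly large delay-seconds is bounded before the conversion
// to nanoseconds so it cannot overflow into a negative or tiny value.
func retryAfter(v string) time.Duration {
	var d time.Duration
	if secs, err := strconv.Atoi(v); err == nil {
		const maxSecs = int64(^uint64(0)>>1) / int64(time.Second)
		s := int64(secs)
		if s > maxSecs {
			s = maxSecs
		}
		d = time.Duration(s) * time.Second
	} else {
		t, err := http.ParseTime(v)
		if err != nil {
			return 0
		}
		d = t.Sub(timeNow())
	}
	if d < 0 {
		return 0
	}
	return d
}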
// resOkay is a function that reports whether the provided response is okay.
// It is expected to keep the response body unread, because the caller either
// returns the response to its own caller or hands it to responseError.
type resOkay func(*http.Response) bool
// wantStatus returns a function which reports whether the code
// matches the status code of a response.
//
// With no codes, the returned predicate never matches, so every response
// is routed to the error/retry path.
func wantStatus(codes ...int) resOkay {
	return func(res *http.Response) bool {
		got := res.StatusCode
		for _, want := range codes {
			if got == want {
				return true
			}
		}
		return false
	}
}
// get issues an unsigned GET request to the specified URL.
// It returns a non-error value only when ok reports true.
//
// get retries unsuccessful attempts according to c.RetryBackoff
// until the context is done or a non-retriable error is received.
//
// Note that responses are not authenticated in any way beyond TLS; in
// RFC 8555 flows, postAsGet is the authenticated alternative.
func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
	timer := c.retryTimer()
	for {
		req, err := http.NewRequest("GET", url, nil)
		if err != nil {
			return nil, err
		}
		res, err := c.doNoRetry(ctx, req)
		if err != nil {
			return nil, err
		}
		if ok(res) {
			return res, nil
		}
		if !isRetriable(res.StatusCode) {
			defer res.Body.Close()
			return nil, responseError(res)
		}
		timer.inc()
		// Capture the CA's error before closing the body; if the backoff is
		// cut short (context done / retries exhausted) that is what the
		// caller gets, not the backoff's own error.
		lastErr := responseError(res)
		res.Body.Close()
		if timer.backoff(ctx, req, res) != nil {
			return nil, lastErr
		}
	}
}
// postAsGet is POST-as-GET, a replacement for GET in RFC 8555
// as described in https://tools.ietf.org/html/rfc8555#section-6.3.
// It makes a POST request in KID form with zero JWS payload.
// See nopayload doc comments in jws.go.
//
// Because the request is signed with the account key, the CA can restrict
// the resource to its owner, which a plain GET cannot offer.
func (c *Client) postAsGet(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
	const useAccountKey = crypto.Signer(nil)
	return c.post(ctx, useAccountKey, url, noPayload, ok)
}
// post issues a signed POST request in JWS format using the provided key
// to the specified URL. If key is nil, c.Key is used instead.
// It returns a non-error value only when ok reports true.
//
// post retries unsuccessful attempts according to c.RetryBackoff
// until the context is done or a non-retriable error is received.
// It uses postNoRetry to make individual requests.
//
// A badNonce problem is always retried (after flushing the nonce cache)
// even though it arrives with a 400 status, which isRetriable would reject.
func (c *Client) post(ctx context.Context, key crypto.Signer, url string, body interface{}, ok resOkay) (*http.Response, error) {
	timer := c.retryTimer()
	for {
		res, req, err := c.postNoRetry(ctx, key, url, body)
		if err != nil {
			return nil, err
		}
		if ok(res) {
			return res, nil
		}
		lastErr := responseError(res)
		res.Body.Close()
		// Bad nonce first: it must be retried regardless of the status code.
		// Anything previously cached is presumed stale, hence the flush.
		if isBadNonce(lastErr) {
			c.clearNonces()
		} else if !isRetriable(res.StatusCode) {
			return nil, lastErr
		}
		timer.inc()
		// The backoff's own error (context done / retries exhausted) is
		// dropped in favour of the last error the CA actually returned.
		if err := timer.backoff(ctx, req, res); err != nil {
			return nil, lastErr
		}
	}
}
// postNoRetry signs the body with the given key and POSTs it to the provided url.
// It is used by c.post to retry unsuccessful attempts.
// The body argument must be JSON-serializable.
//
// If key argument is nil, c.Key is used to sign the request.
// If key argument is nil and c.accountKID returns a non-zero keyID,
// the request is sent in KID form. Otherwise, JWK form is used.
//
// In practice, when interfacing with RFC-compliant CAs most requests are sent in KID form
// and JWK is used only when KID is unavailable: new account endpoint and certificate
// revocation requests authenticated by a cert key.
// See jwsEncodeJSON for other details.
//
// Every request carries a fresh single-use nonce and the target url in its
// protected header (RFC 8555 §6.5 replay protection and §6.4 URL integrity),
// and the Replay-Nonce of every response, success or failure, is cached for
// the next request.
func (c *Client) postNoRetry(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, *http.Request, error) {
	kid := noKeyID
	if key == nil {
		if c.Key == nil {
			return nil, nil, errors.New("acme: Client.Key must be populated to make POST requests")
		}
		key, kid = c.Key, c.accountKID(ctx)
	}
	nonce, err := c.popNonce(ctx, url)
	if err != nil {
		return nil, nil, err
	}
	jws, err := jwsEncodeJSON(body, key, kid, nonce, url)
	if err != nil {
		return nil, nil, err
	}
	req, err := http.NewRequest("POST", url, bytes.NewReader(jws))
	if err != nil {
		return nil, nil, err
	}
	req.Header.Set("Content-Type", "application/jose+json")
	res, err := c.doNoRetry(ctx, req)
	if err != nil {
		return nil, nil, err
	}
	c.addNonce(res.Header)
	return res, req, nil
}
// doNoRetry issues a request req, replacing its context (if any) with ctx.
//
// It always stamps the User-Agent header. When the request fails and ctx is
// already done, the unadorned context error is returned instead of the
// transport's wrapped one; tests in this package have long assumed that
// (a holdover from the ctxhttp era, predating native net/http contexts).
func (c *Client) doNoRetry(ctx context.Context, req *http.Request) (*http.Response, error) {
	req.Header.Set("User-Agent", c.userAgent())
	res, err := c.httpClient().Do(req.WithContext(ctx))
	if err == nil {
		return res, nil
	}
	if ctxErr := ctx.Err(); ctxErr != nil {
		return nil, ctxErr
	}
	return nil, err
}
// httpClient returns the client's configured HTTPClient, or http.DefaultClient.
//
// http.DefaultClient has no timeout of its own; requests are bounded only by
// the ctx passed through doNoRetry, so callers that need a hard deadline
// should set one on the context or supply their own HTTPClient.
func (c *Client) httpClient() *http.Client {
	if c.HTTPClient == nil {
		return http.DefaultClient
	}
	return c.HTTPClient
}
// packageVersion is the version of the module that contains this package, for
// sending as part of the User-Agent header. It is filled in by init from the
// binary's build info and stays empty when that information is unavailable.
var packageVersion string
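// init sets packageVersion if the binary was built in modules mode and the
// cert-manager module was not replaced with a different module.
//
// This package is vendored inside the cert-manager module itself (see the
// path in userAgent), so in cert-manager's own binaries the module is
// info.Main rather than an entry in info.Deps; the original Deps-only scan
// never found it there. Both are checked. A replaced dependency and the
// "(devel)" placeholder carry no meaningful version and are skipped.
func init() {
	info, ok := debug.ReadBuildInfo()
	if !ok {
		return
	}
	const modPath = "github.com/cert-manager/cert-manager"
	if info.Main.Path == modPath {
		if v := info.Main.Version; v != "" && v != "(devel)" {
			packageVersion = v
		}
		return
	}
	for _, m := range info.Deps {
		if m.Path != modPath {
			continue
		}
		if m.Replace == nil {
			packageVersion = m.Version
		}
		break
	}
}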
// userAgent returns the User-Agent header value. It includes the package name,
// the module version (if available), and the c.UserAgent value (if set).
//
// The caller-supplied c.UserAgent is emitted verbatim as a prefix; it is not
// sanitised, so it should not contain CR/LF or be sourced from untrusted input.
func (c *Client) userAgent() string {
	const pkgPath = "github.com/cert-manager/cert-manager/third_party/forked/acme"
	product := pkgPath
	if packageVersion != "" {
		product += "@" + packageVersion
	}
	if c.UserAgent == "" {
		return product
	}
	return c.UserAgent + " " + product
}
// isBadNonce reports whether err is an ACME "badnonce" error.
//
// According to the spec badNonce is urn:ietf:params:acme:error:badNonce.
// However, ACME servers in the wild return their versions of the error
// (different URN prefixes and letter case), so only the ":badnonce" suffix
// is compared, case-insensitively.
// See https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4
// and https://github.com/letsencrypt/boulder/blob/0e07eacb/docs/acme-divergences.md#section-66.
//
// Only a bare *Error is recognised; wrapped errors are not unwrapped.
func isBadNonce(err error) bool {
	acmeErr, isACME := err.(*Error)
	if !isACME {
		return false
	}
	problem := strings.ToLower(acmeErr.ProblemType)
	return strings.HasSuffix(problem, ":badnonce")
}
// isRetriable reports whether a request can be retried
// based on the response status code: every 4xx except 429 Too Many Requests
// is final; 1xx/2xx/3xx and 5xx are retried.
//
// Note that a "bad nonce" error is returned with a non-retriable 400 Bad Request code.
// Callers should parse the response and check with isBadNonce.
func isRetriable(code int) bool {
	switch {
	case code == http.StatusTooManyRequests:
		return true
	case code >= 400 && code <= 499:
		return false
	default:
		return true
	}
}
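// maxErrorBody bounds how much of an error response body is buffered.
// The body is CA-supplied input used only for diagnostics, so 1 MiB is
// far more than any genuine problem document needs.
const maxErrorBody = 1 << 20

// responseError creates an error of Error type from resp.
//
// The body is untrusted and may be arbitrarily large; at most maxErrorBody
// bytes are read so a misbehaving or hostile server cannot exhaust memory
// through an error response. A truncated body simply fails to decode and
// falls back to the plain-text path below.
func responseError(resp *http.Response) error {
	// The ReadAll error is deliberately ignored: json.Unmarshal fails on a
	// short or empty body anyway, and the fallback still reports the status.
	b, _ := io.ReadAll(io.LimitReader(resp.Body, maxErrorBody))
	e := &wireError{Status: resp.StatusCode}
	if err := json.Unmarshal(b, e); err != nil {
		// Not an ACME problem document: keep whatever text was received as
		// the detail; e.Status already carries the HTTP response code, and
		// the status line stands in when the body is empty.
		e.Detail = string(b)
		if e.Detail == "" {
			e.Detail = resp.Status
		}
	}
	return e.error(resp.Header)
}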
// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package acme
import (
"crypto"
"crypto/ecdsa"
"crypto/hmac"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
_ "crypto/sha512" // need for EC keys
"encoding/asn1"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
)
// KeyID is the account key identity provided by a CA during registration.
// In RFC 8555 it is the account URL and is sent as the "kid" member of the
// protected header on every request after newAccount.
type KeyID string
// noKeyID indicates that jwsEncodeJSON should compute and use JWK instead of a KID.
// It is the zero KeyID, so an unregistered Client naturally signs in JWK form.
// See jwsEncodeJSON for details.
const noKeyID = KeyID("")
// noPayload indicates jwsEncodeJSON will encode zero-length octet string
// in a JWS request. This is called POST-as-GET in RFC 8555 and is used to make
// authenticated GET requests via POSTing with an empty payload.
// Being a string, it bypasses JSON marshalling in jwsEncodeJSON and is
// placed in the "payload" member verbatim (i.e. empty).
// See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
const noPayload = ""
// noNonce indicates that the nonce should be omitted from the protected header.
// Only the inner JWS of an account key rollover uses it; every request that
// actually hits the wire carries a nonce.
// See jwsEncodeJSON for details.
const noNonce = ""
// jsonWebSignature can be easily serialized into a JWS following
// https://tools.ietf.org/html/rfc7515#section-3.2 (flattened JSON form).
// All three members are already base64url-encoded (unpadded) strings.
type jsonWebSignature struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Sig       string `json:"signature"`
}
// jwsEncodeJSON signs claimset using provided key and a nonce.
// The result is serialized in JSON format containing either kid or jwk
// fields based on the provided KeyID value.
//
// The claimset is marshalled using json.Marshal unless it is a string.
// In which case it is inserted directly into the message (POST-as-GET sends
// the empty string; key rollover passes a pre-encoded inner JWS).
//
// If kid is non-empty, its quoted value is inserted in the protected header
// as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
// as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
//
// If nonce is non-empty, its quoted value is inserted in the protected header.
// The url is always included, binding the signature to its destination.
//
// See https://tools.ietf.org/html/rfc7515#section-7.
func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
	if key == nil {
		return nil, errors.New("nil key")
	}
	alg, hashFn := jwsHasher(key.Public())
	if alg == "" || !hashFn.Available() {
		return nil, ErrUnsupportedKey
	}
	type protectedHeader struct {
		Alg   string          `json:"alg"`
		KID   string          `json:"kid,omitempty"`
		JWK   json.RawMessage `json:"jwk,omitempty"`
		Nonce string          `json:"nonce,omitempty"`
		URL   string          `json:"url"`
	}
	hdr := protectedHeader{Alg: alg, Nonce: nonce, URL: url}
	if kid == noKeyID {
		jwk, err := jwkEncode(key.Public())
		if err != nil {
			return nil, err
		}
		hdr.JWK = json.RawMessage(jwk)
	} else {
		hdr.KID = string(kid)
	}
	hdrJSON, err := json.Marshal(hdr)
	if err != nil {
		return nil, err
	}
	protected := base64.RawURLEncoding.EncodeToString(hdrJSON)
	payload, preEncoded := claimset.(string)
	if !preEncoded {
		cs, err := json.Marshal(claimset)
		if err != nil {
			return nil, err
		}
		payload = base64.RawURLEncoding.EncodeToString(cs)
	}
	// JWS signing input is ASCII(BASE64URL(header) || '.' || BASE64URL(payload)).
	signingInput := protected + "." + payload
	h := hashFn.New()
	h.Write([]byte(signingInput))
	sig, err := jwsSign(key, hashFn, h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return json.Marshal(&jsonWebSignature{
		Protected: protected,
		Payload:   payload,
		Sig:       base64.RawURLEncoding.EncodeToString(sig),
	})
}
// jwsWithMAC creates and signs a JWS using the given key and the HS256
// algorithm. kid and url are included in the protected header. rawPayload
// should not be base64-URL-encoded.
//
// This is used for external account binding: the CA hands out a MAC key and
// kid out of band, and the MAC over the account's JWK proves the ACME
// account was created by whoever holds that key. An empty key is refused
// outright rather than producing a trivially forgeable MAC.
func jwsWithMAC(key []byte, kid, url string, rawPayload []byte) (*jsonWebSignature, error) {
	if len(key) == 0 {
		return nil, errors.New("acme: cannot sign JWS with an empty MAC key")
	}
	type macHeader struct {
		Algorithm string `json:"alg"`
		KID       string `json:"kid"`
		URL       string `json:"url,omitempty"`
	}
	// Only HMAC-SHA256 is supported.
	hdrJSON, err := json.Marshal(macHeader{Algorithm: "HS256", KID: kid, URL: url})
	if err != nil {
		return nil, err
	}
	protected := base64.RawURLEncoding.EncodeToString(hdrJSON)
	payload := base64.RawURLEncoding.EncodeToString(rawPayload)
	mac := hmac.New(sha256.New, key)
	if _, err := mac.Write([]byte(protected + "." + payload)); err != nil {
		return nil, err
	}
	return &jsonWebSignature{
		Protected: protected,
		Payload:   payload,
		Sig:       base64.RawURLEncoding.EncodeToString(mac.Sum(nil)),
	}, nil
}
// jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
// The result is also suitable for creating a JWK thumbprint.
// https://tools.ietf.org/html/rfc7517
//
// Members are emitted in the lexicographic order RFC 7638 §3.3 mandates for
// thumbprint input, with no whitespace; the string is built by hand rather
// than with json.Marshal to keep that byte-exact. Any other key type yields
// ErrUnsupportedKey.
func jwkEncode(pub crypto.PublicKey) (string, error) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		// https://tools.ietf.org/html/rfc7518#section-6.3.1
		e := base64.RawURLEncoding.EncodeToString(big.NewInt(int64(k.E)).Bytes())
		n := base64.RawURLEncoding.EncodeToString(k.N.Bytes())
		return `{"e":"` + e + `","kty":"RSA","n":"` + n + `"}`, nil
	case *ecdsa.PublicKey:
		// https://tools.ietf.org/html/rfc7518#section-6.2.1
		params := k.Curve.Params()
		coordLen := (params.BitSize + 7) / 8
		// Coordinates are fixed-width: big.Int.Bytes drops leading zeros, so
		// left-pad each to the curve's field size in bytes.
		pad := func(b []byte) []byte {
			if len(b) >= coordLen {
				return b
			}
			return append(make([]byte, coordLen-len(b)), b...)
		}
		return fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
			params.Name,
			base64.RawURLEncoding.EncodeToString(pad(k.X.Bytes())),
			base64.RawURLEncoding.EncodeToString(pad(k.Y.Bytes())),
		), nil
	}
	return "", ErrUnsupportedKey
}
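// jwsSign signs the digest using the given key.
// The hash is unused for ECDSA keys.
//
// For RSA the signer's PKCS#1 v1.5 output is returned as-is. For ECDSA the
// signer returns a DER SEQUENCE{r, s}, which is converted to the raw R||S
// form JWS requires (RFC 7518 §3.4), each half zero-padded to the curve's
// byte size.
//
// The byte size is now derived from BitSize rounded up to whole bytes,
// matching jwkEncode; the previous `size%8` test on the already-divided
// quotient only produced the right answer for P-521 by coincidence. A
// component larger than the curve size is reported as an error instead of
// panicking on the slice bounds.
func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) {
	switch pub := key.Public().(type) {
	case *rsa.PublicKey:
		return key.Sign(rand.Reader, digest, hash)
	case *ecdsa.PublicKey:
		sigASN1, err := key.Sign(rand.Reader, digest, hash)
		if err != nil {
			return nil, err
		}
		var rs struct{ R, S *big.Int }
		if _, err := asn1.Unmarshal(sigASN1, &rs); err != nil {
			return nil, err
		}
		rb, sb := rs.R.Bytes(), rs.S.Bytes()
		size := (pub.Params().BitSize + 7) / 8
		if len(rb) > size || len(sb) > size {
			return nil, errors.New("acme: ECDSA signature component exceeds curve size")
		}
		sig := make([]byte, size*2)
		copy(sig[size-len(rb):], rb)
		copy(sig[size*2-len(sb):], sb)
		return sig, nil
	}
	return nil, ErrUnsupportedKey
}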
// jwsHasher indicates suitable JWS algorithm name and a hash function
// to use for signing a digest with the provided key.
// It returns ("", 0) if the key is not supported.
//
// Curve and hash are paired as RFC 7518 §3.4 prescribes. Any other curve
// (P-224, for instance) is rejected rather than guessed at, and RSA keys
// always use RS256 regardless of size.
func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "RS256", crypto.SHA256
	case *ecdsa.PublicKey:
		byCurve := map[string]struct {
			alg  string
			hash crypto.Hash
		}{
			"P-256": {"ES256", crypto.SHA256},
			"P-384": {"ES384", crypto.SHA384},
			"P-521": {"ES512", crypto.SHA512},
		}
		if m, ok := byCurve[k.Params().Name]; ok {
			return m.alg, m.hash
		}
	}
	return "", 0
}
// JWKThumbprint creates a JWK thumbprint out of pub
// as specified in https://tools.ietf.org/html/rfc7638: the unpadded
// base64url encoding of SHA-256 over the canonical JWK from jwkEncode.
// It is the account-key half of every key authorization string.
func JWKThumbprint(pub crypto.PublicKey) (string, error) {
	canonical, err := jwkEncode(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(canonical))
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package acme
import (
"context"
"crypto"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io"
"net/http"
"time"
)
// DeactivateReg permanently disables an existing account associated with c.Key.
// A deactivated account can no longer request certificate issuance or access
// resources related to the account, such as orders or authorizations.
// There is no way to reactivate it.
//
// It only works with CAs implementing RFC 8555.
func (c *Client) DeactivateReg(ctx context.Context) error {
	if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
		return err
	}
	acctURL := string(c.accountKID(ctx))
	if acctURL == "" {
		return ErrNoAccount
	}
	body := json.RawMessage(`{"status": "deactivated"}`)
	res, err := c.post(ctx, nil, acctURL, body, wantStatus(http.StatusOK))
	if err != nil {
		return err
	}
	// The response body (the updated account object) is not needed.
	res.Body.Close()
	return nil
}
// registerRFC is equivalent to c.Register but for CAs implementing RFC 8555.
// It expects c.Discover to have already been called.
//
// Terms of service are only agreed to through the caller's prompt, and the
// field is omitted entirely when the CA publishes none. The newAccount
// request is signed with the bare account key (JWK form), since no kid
// exists yet; on success, and also on the "already registered" path, the
// returned account URL is cached as the kid for all later requests.
func (c *Client) registerRFC(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {
	c.cacheMu.Lock() // guard c.kid access
	defer c.cacheMu.Unlock()
	type newAccountRequest struct {
		TermsAgreed            bool              `json:"termsOfServiceAgreed,omitempty"`
		Contact                []string          `json:"contact,omitempty"`
		ExternalAccountBinding *jsonWebSignature `json:"externalAccountBinding,omitempty"`
	}
	body := newAccountRequest{Contact: acct.Contact}
	if c.dir.Terms != "" {
		body.TermsAgreed = prompt(c.dir.Terms)
	}
	if acct.ExternalAccountBinding != nil {
		eab, err := c.encodeExternalAccountBinding(acct.ExternalAccountBinding)
		if err != nil {
			return nil, fmt.Errorf("acme: failed to encode external account binding: %v", err)
		}
		body.ExternalAccountBinding = eab
	}
	res, err := c.post(ctx, c.Key, c.dir.RegURL, body, wantStatus(
		http.StatusOK,      // account with this key already registered
		http.StatusCreated, // new account created
	))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	a, err := responseAccount(res)
	if err != nil {
		return nil, err
	}
	// Cache Account URL even if we return an error to the caller.
	// It is by all means a valid and usable "kid" value for future requests.
	c.KID = KeyID(a.URI)
	if res.StatusCode == http.StatusOK {
		return nil, ErrAccountAlreadyExists
	}
	return a, nil
}
// encodeExternalAccountBinding will encode an external account binding stanza
// as described in https://tools.ietf.org/html/rfc8555#section-7.3.4.
//
// The payload is the account's public key as a JWK, MACed with the CA-issued
// HMAC key under the CA-issued kid and bound to the newAccount URL; this is
// how the CA links the fresh ACME account to a pre-existing identity.
func (c *Client) encodeExternalAccountBinding(eab *ExternalAccountBinding) (*jsonWebSignature, error) {
	accountJWK, err := jwkEncode(c.Key.Public())
	if err != nil {
		return nil, err
	}
	return jwsWithMAC(eab.Key, eab.KID, c.dir.RegURL, []byte(accountJWK))
}
// updateRegRFC is equivalent to c.UpdateReg but for CAs implementing RFC 8555.
// It expects c.Discover to have already been called.
//
// Only the contact list is sent; other Account fields are ignored.
func (c *Client) updateRegRFC(ctx context.Context, a *Account) (*Account, error) {
	acctURL := string(c.accountKID(ctx))
	if acctURL == "" {
		return nil, ErrNoAccount
	}
	type updateRequest struct {
		Contact []string `json:"contact,omitempty"`
	}
	res, err := c.post(ctx, nil, acctURL, updateRequest{Contact: a.Contact}, wantStatus(http.StatusOK))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	return responseAccount(res)
}
// getRegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
// It expects c.Discover to have already been called.
//
// It posts onlyReturnExisting to newAccount in JWK form, so the CA looks the
// account up by key without creating one; the CA's accountDoesNotExist
// problem is mapped to ErrNoAccount.
func (c *Client) getRegRFC(ctx context.Context) (*Account, error) {
	const accountDoesNotExist = "urn:ietf:params:acme:error:accountDoesNotExist"
	body := json.RawMessage(`{"onlyReturnExisting": true}`)
	res, err := c.post(ctx, c.Key, c.dir.RegURL, body, wantStatus(http.StatusOK))
	if err != nil {
		if acmeErr, ok := err.(*Error); ok && acmeErr.ProblemType == accountDoesNotExist {
			return nil, ErrNoAccount
		}
		return nil, err
	}
	defer res.Body.Close()
	return responseAccount(res)
}
// responseAccount decodes an account object from res.
//
// The account URL comes from the Location header rather than the body,
// which is where RFC 8555 puts it for newAccount; for responses to other
// account requests the header may be absent and URI is then empty.
func responseAccount(res *http.Response) (*Account, error) {
	var wire struct {
		Status  string
		Contact []string
		Orders  string
	}
	if err := json.NewDecoder(res.Body).Decode(&wire); err != nil {
		return nil, fmt.Errorf("acme: invalid account response: %v", err)
	}
	acct := &Account{
		URI:       res.Header.Get("Location"),
		Status:    wire.Status,
		Contact:   wire.Contact,
		OrdersURL: wire.Orders,
	}
	return acct, nil
}
// accountKeyRollover attempts to perform account key rollover.
// On success it will change client.Key to the new key.
//
// RFC 8555 §7.3.5: the inner JWS is signed by the NEW key, in JWK form and
// without a nonce, over the account URL and the OLD key's JWK; the outer
// JWS (built by c.post) is signed by the current key in KID form. The CA
// verifies both, so neither key holder alone can hijack the account.
func (c *Client) accountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
	dir, err := c.Discover(ctx) // Also required by c.accountKID
	if err != nil {
		return err
	}
	kid := c.accountKID(ctx)
	if kid == noKeyID {
		return ErrNoAccount
	}
	oldJWK, err := jwkEncode(c.Key.Public())
	if err != nil {
		return err
	}
	type keyChange struct {
		Account string          `json:"account"`
		OldKey  json.RawMessage `json:"oldKey"`
	}
	inner, err := jwsEncodeJSON(keyChange{
		Account: string(kid),
		OldKey:  json.RawMessage(oldJWK),
	}, newKey, noKeyID, noNonce, dir.KeyChangeURL)
	if err != nil {
		return err
	}
	// The outer payload is the inner JWS, pre-encoded: passing a string
	// makes jwsEncodeJSON embed it verbatim instead of JSON-marshalling it.
	outerPayload := base64.RawURLEncoding.EncodeToString(inner)
	res, err := c.post(ctx, nil, dir.KeyChangeURL, outerPayload, wantStatus(http.StatusOK))
	if err != nil {
		return err
	}
	defer res.Body.Close()
	c.Key = newKey
	return nil
}
// AuthorizeOrder initiates the order-based application for certificate issuance,
// as opposed to pre-authorization in Authorize.
// It is only supported by CAs implementing RFC 8555.
//
// The caller then needs to fetch each authorization with GetAuthorization,
// identify those with StatusPending status and fulfill a challenge using Accept.
// Once all authorizations are satisfied, the caller will typically want to poll
// order status using WaitOrder until it's in StatusReady state.
// To finalize the order and obtain a certificate, the caller submits a CSR with CreateOrderCert.
//
// A WithOrderProfile option is validated against the profiles advertised in
// the directory before anything is sent, so an unsupported profile fails
// locally with ErrCADoesNotSupportProfiles or
// ErrProfileNotInSetOfSupportedProfiles. An option type this package does
// not know about is a programming error and panics.
func (c *Client) AuthorizeOrder(ctx context.Context, id []AuthzID, opt ...OrderOption) (*Order, error) {
	dir, err := c.Discover(ctx)
	if err != nil {
		return nil, err
	}
	type newOrderRequest struct {
		Identifiers []wireAuthzID `json:"identifiers"`
		NotBefore   string        `json:"notBefore,omitempty"`
		NotAfter    string        `json:"notAfter,omitempty"`
		Profile     string        `json:"profile,omitempty"`
	}
	body := newOrderRequest{Identifiers: make([]wireAuthzID, 0, len(id))}
	for _, authz := range id {
		body.Identifiers = append(body.Identifiers, wireAuthzID{Type: authz.Type, Value: authz.Value})
	}
	for _, o := range opt {
		switch v := o.(type) {
		case orderNotBeforeOpt:
			body.NotBefore = time.Time(v).Format(time.RFC3339)
		case orderNotAfterOpt:
			body.NotAfter = time.Time(v).Format(time.RFC3339)
		case orderProfileOpt:
			if !dir.Profiles.isSupported() {
				return nil, ErrCADoesNotSupportProfiles
			}
			name := string(v)
			if !dir.Profiles.Has(name) {
				return nil, fmt.Errorf("%w %s", ErrProfileNotInSetOfSupportedProfiles, name)
			}
			body.Profile = name
		default:
			// Package's fault if we let this happen.
			panic(fmt.Sprintf("unsupported order option type %T", o))
		}
	}
	res, err := c.post(ctx, nil, dir.OrderURL, body, wantStatus(http.StatusCreated))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	return responseOrder(res)
}
// GetOrder retrieves an order identified by the given URL.
// For orders created with AuthorizeOrder, the url value is Order.URI.
//
// The fetch is an authenticated POST-as-GET, so only the owning account
// can read the order.
//
// If a caller needs to poll an order until its status is final,
// see the WaitOrder method.
func (c *Client) GetOrder(ctx context.Context, url string) (*Order, error) {
	if _, err := c.Discover(ctx); err != nil {
		return nil, err
	}
	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	order, err := responseOrder(res)
	if err != nil {
		return nil, err
	}
	return order, nil
}
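// WaitOrder polls an order from the given URL until it is in one of the final states,
// StatusReady, StatusValid or StatusInvalid, the CA responded with a non-retryable error
// or the context is done.
//
// It returns a non-nil Order only if its Status is StatusReady or StatusValid.
// In all other cases WaitOrder returns an error.
// If the Status is StatusInvalid, the returned error is of type *OrderError.
//
// An undecodable order body is skipped and polled again; there is no
// retry cap beyond the context, so callers must bound ctx. The CA's
// Retry-After is honoured, defaulting to one second when it is missing,
// unparsable, or non-positive. The non-positive check matters: retryAfter
// may yield a negative duration for an HTTP-date in the past, and
// time.NewTimer with a negative duration fires immediately, which would
// turn this loop into a tight poll against the CA.
func (c *Client) WaitOrder(ctx context.Context, url string) (*Order, error) {
	if _, err := c.Discover(ctx); err != nil {
		return nil, err
	}
	for {
		res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
		if err != nil {
			return nil, err
		}
		o, err := responseOrder(res)
		res.Body.Close()
		switch {
		case err != nil:
			// Skip and retry.
		case o.Status == StatusInvalid:
			return nil, &OrderError{OrderURL: o.URI, Status: o.Status}
		case o.Status == StatusReady || o.Status == StatusValid:
			return o, nil
		}
		d := retryAfter(res.Header.Get("Retry-After"))
		if d <= 0 {
			// Default retry-after.
			// Same reasoning as in WaitAuthorization.
			d = time.Second
		}
		t := time.NewTimer(d)
		select {
		case <-ctx.Done():
			t.Stop()
			return nil, ctx.Err()
		case <-t.C:
			// Retry.
		}
	}
}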
// responseOrder decodes an ACME order object from res into an *Order.
// The order's URI comes from the Location response header, which is how the
// CA identifies an order it has just created.
//
// NOTE(review): the JSON body is decoded without a size bound, unlike the
// certificate download in fetchCertRFC, so the client buffers whatever order
// object the CA chooses to send.
func responseOrder(res *http.Response) (*Order, error) {
	var wire struct {
		Status         string
		Expires        time.Time
		Identifiers    []wireAuthzID
		NotBefore      time.Time
		NotAfter       time.Time
		Error          *wireError
		Authorizations []string
		Finalize       string
		Certificate    string
	}
	dec := json.NewDecoder(res.Body)
	if err := dec.Decode(&wire); err != nil {
		return nil, fmt.Errorf("acme: error reading order: %v", err)
	}
	order := &Order{
		URI:         res.Header.Get("Location"),
		Status:      wire.Status,
		Expires:     wire.Expires,
		NotBefore:   wire.NotBefore,
		NotAfter:    wire.NotAfter,
		AuthzURLs:   wire.Authorizations,
		FinalizeURL: wire.Finalize,
		CertURL:     wire.Certificate,
	}
	// Appending keeps Identifiers nil when the CA sent none.
	for _, ident := range wire.Identifiers {
		order.Identifiers = append(order.Identifiers, AuthzID{Type: ident.Type, Value: ident.Value})
	}
	if wire.Error != nil {
		// No response headers are attached to an error embedded in the order.
		order.Error = wire.Error.error(nil)
	}
	return order, nil
}
// CreateOrderCert submits the CSR (Certificate Signing Request) to a CA at the specified URL.
// The URL is the FinalizeURL field of an Order created with AuthorizeOrder.
//
// If the bundle argument is true, the returned value also contains the CA (issuer)
// certificate chain. Otherwise, only a leaf certificate is returned.
// The returned URL can be used to re-fetch the certificate using FetchCert.
//
// This method is only supported by CAs implementing RFC 8555. See CreateCert for pre-RFC CAs.
//
// CreateOrderCert returns an error if the CA's response is unreasonably large.
// Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features.
func (c *Client) CreateOrderCert(ctx context.Context, url string, csr []byte, bundle bool) (der [][]byte, certURL string, err error) {
	// Discover is required by c.accountKID, which signs the request.
	if _, err = c.Discover(ctx); err != nil {
		return nil, "", err
	}
	// RFC 8555 calls this the "finalize order" request; the CSR travels
	// base64url-encoded without padding.
	finalize := struct {
		CSR string `json:"csr"`
	}{CSR: base64.RawURLEncoding.EncodeToString(csr)}
	res, err := c.post(ctx, nil, url, finalize, wantStatus(http.StatusOK))
	if err != nil {
		return nil, "", err
	}
	defer res.Body.Close()
	order, err := responseOrder(res)
	if err != nil {
		return nil, "", err
	}
	// The CA may still be processing the order; poll until it is final.
	if order.Status != StatusValid {
		if order, err = c.WaitOrder(ctx, order.URI); err != nil {
			return nil, "", err
		}
	}
	// WaitOrder also returns StatusReady orders, which carry no certificate
	// yet; only "valid" is acceptable after finalize.
	if order.Status != StatusValid {
		return nil, "", &OrderError{OrderURL: order.URI, Status: order.Status}
	}
	der, err = c.fetchCertRFC(ctx, order.CertURL, bundle)
	return der, order.CertURL, err
}
// fetchCertRFC downloads the issued certificate chain from url, which is the
// CertURL field of an Order. The CA is expected to respond with PEM; the DER
// bytes of each CERTIFICATE block are returned in order. With bundle false
// only the first block (the leaf) is returned.
func (c *Client) fetchCertRFC(ctx context.Context, url string, bundle bool) ([][]byte, error) {
	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()

	// Bound the download: maxCertChainSize of DER plus a rough allowance
	// for PEM/base64 expansion. One extra byte is read so an oversized
	// response can be told apart from one that fits exactly.
	// Named maxBody so it does not shadow the max builtin.
	const maxBody = maxCertChainSize + maxCertChainSize/33
	raw, err := io.ReadAll(io.LimitReader(res.Body, maxBody+1))
	if err != nil {
		return nil, fmt.Errorf("acme: fetch cert response stream: %v", err)
	}
	if len(raw) > maxBody {
		return nil, errors.New("acme: certificate chain is too big")
	}

	var chain [][]byte
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("acme: invalid PEM cert type %q", block.Type)
		}
		chain = append(chain, block.Bytes)
		if !bundle {
			return chain, nil
		}
		if len(chain) > maxChainLen {
			return nil, errors.New("acme: certificate chain is too long")
		}
	}
	if len(chain) == 0 {
		return nil, errors.New("acme: certificate chain is empty")
	}
	return chain, nil
}
// revokeCertRFC sends a certificate revocation request to the directory's
// RevokeURL: in JWK form signed with key when key is non-nil, otherwise in
// KID form with the account key. An "alreadyRevoked" problem from the CA is
// treated as success.
//
// NOTE(review): c.dir is read directly, so callers are expected to have run
// Discover first; this method does not check that itself.
func (c *Client) revokeCertRFC(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
	payload := &struct {
		Cert   string `json:"certificate"`
		Reason int    `json:"reason"`
	}{
		Cert:   base64.RawURLEncoding.EncodeToString(cert),
		Reason: int(reason),
	}
	res, err := c.post(ctx, key, c.dir.RevokeURL, payload, wantStatus(http.StatusOK))
	switch {
	case err == nil:
		// The body is not inspected; only close it.
		res.Body.Close()
		return nil
	case isAlreadyRevoked(err):
		// Revoking twice is not an error from the caller's point of view.
		return nil
	default:
		return err
	}
}
// isAlreadyRevoked reports whether err is an ACME problem of type
// "urn:ietf:params:acme:error:alreadyRevoked". Only a bare *Error is
// recognised; wrapped errors are not unwrapped.
func isAlreadyRevoked(err error) bool {
	const alreadyRevoked = "urn:ietf:params:acme:error:alreadyRevoked"
	if e, ok := err.(*Error); ok {
		return e.ProblemType == alreadyRevoked
	}
	return false
}
// ListCertAlternates retrieves any alternate certificate chain URLs for the
// given certificate chain URL. These alternate URLs can be passed to FetchCert
// in order to retrieve the alternate certificate chains.
//
// If there are no alternate issuer certificate chains, a nil slice will be
// returned.
func (c *Client) ListCertAlternates(ctx context.Context, url string) ([]string, error) {
	if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
		return nil, err
	}
	res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	// Only the Link headers matter, but the body is drained so the
	// transport can keep the connection alive.
	if _, err = io.Copy(io.Discard, res.Body); err != nil {
		return nil, fmt.Errorf("acme: cert alternates response stream: %v", err)
	}
	return linkHeader(res.Header, "alternate"), nil
}
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package acme
import (
"crypto"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"net/http"
"strings"
"time"
)
// ACME status values of Account, Order, Authorization and Challenge objects.
// See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
//
// These are the raw strings reported by the CA; the package compares them
// directly against the Status fields of those objects (for example
// Order.Status in WaitOrder).
const (
	StatusDeactivated = "deactivated"
	StatusExpired     = "expired"
	StatusInvalid     = "invalid"
	StatusPending     = "pending"
	StatusProcessing  = "processing"
	StatusReady       = "ready"
	StatusRevoked     = "revoked"
	StatusUnknown     = "unknown"
	StatusValid       = "valid"
)
// CRLReasonCode identifies the reason for a certificate revocation.
// Its integer value is sent verbatim as the "reason" field of the
// revocation request (see revokeCertRFC).
type CRLReasonCode int

// CRL reason codes as defined in RFC 5280.
// Value 7 is not defined by RFC 5280 and is deliberately absent.
const (
	CRLReasonUnspecified          CRLReasonCode = 0
	CRLReasonKeyCompromise        CRLReasonCode = 1
	CRLReasonCACompromise         CRLReasonCode = 2
	CRLReasonAffiliationChanged   CRLReasonCode = 3
	CRLReasonSuperseded           CRLReasonCode = 4
	CRLReasonCessationOfOperation CRLReasonCode = 5
	CRLReasonCertificateHold      CRLReasonCode = 6
	CRLReasonRemoveFromCRL        CRLReasonCode = 8
	CRLReasonPrivilegeWithdrawn   CRLReasonCode = 9
	CRLReasonAACompromise         CRLReasonCode = 10
)
var (
	// ErrUnsupportedKey is returned when an unsupported key type is encountered.
	ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")

	// ErrAccountAlreadyExists indicates that the Client's key has already been registered
	// with the CA. It is returned by Register method.
	ErrAccountAlreadyExists = errors.New("acme: account already exists")

	// ErrNoAccount indicates that the Client's key has not been registered with the CA.
	ErrNoAccount = errors.New("acme: account does not exist")

	// errPreAuthorizationNotSupported indicates that the server does not
	// support pre-authorization of identifiers.
	errPreAuthorizationNotSupported = errors.New("acme: pre-authorization is not supported")

	// ErrCADoesNotSupportProfiles indicates that [WithOrderProfile] was
	// included with a CA that does not advertise support for profiles in
	// their directory.
	ErrCADoesNotSupportProfiles = errors.New("acme: certificate authority does not support profiles")

	// ErrProfileNotInSetOfSupportedProfiles indicates that the profile
	// specified with [WithOrderProfile] is not one supported by the CA.
	// AuthorizeOrder wraps it with the offending profile name appended, so
	// callers should test for it with errors.Is rather than ==.
	ErrProfileNotInSetOfSupportedProfiles = errors.New("acme: certificate authority does not advertise a profile with name")
)
// A Subproblem describes an ACME subproblem as reported in an Error.
// A CA may attach several of them to one Error to explain which individual
// identifiers failed and why.
type Subproblem struct {
	// Type is a URI reference that identifies the problem type,
	// typically in a "urn:acme:error:xxx" form.
	Type string

	// Detail is a human-readable explanation specific to this occurrence of the problem.
	Detail string

	// Instance indicates a URL that the client should direct a human user to visit
	// in order for instructions on how to agree to the updated Terms of Service.
	// In such an event CA sets StatusCode to 403, Type to
	// "urn:ietf:params:acme:error:userActionRequired", and adds a Link header with relation
	// "terms-of-service" containing the latest TOS URL.
	Instance string

	// Identifier may contain the ACME identifier that the error is for.
	// It is nil when the subproblem is not tied to a specific identifier.
	Identifier *AuthzID
}
// String formats the subproblem as "<type>: [<id type>: <id value>] <detail>",
// where the bracketed identifier appears only when Identifier is set.
func (sp Subproblem) String() string {
	var b strings.Builder
	b.WriteString(sp.Type)
	b.WriteString(": ")
	if sp.Identifier != nil {
		fmt.Fprintf(&b, "[%s: %s] ", sp.Identifier.Type, sp.Identifier.Value)
	}
	b.WriteString(sp.Detail)
	return b.String()
}
// Error is an ACME error, defined in Problem Details for HTTP APIs doc
// http://tools.ietf.org/html/draft-ietf-appsawg-http-problem.
// It is the error type returned for problem responses from the CA;
// helpers such as RateLimit and isAlreadyRevoked inspect its ProblemType.
type Error struct {
	// StatusCode is the HTTP status code generated by the origin server.
	StatusCode int

	// ProblemType is a URI reference that identifies the problem type,
	// typically in a "urn:acme:error:xxx" form.
	ProblemType string

	// Detail is a human-readable explanation specific to this occurrence of the problem.
	Detail string

	// Instance indicates a URL that the client should direct a human user to visit
	// in order for instructions on how to agree to the updated Terms of Service.
	// In such an event CA sets StatusCode to 403, ProblemType to
	// "urn:ietf:params:acme:error:userActionRequired" and a Link header with relation
	// "terms-of-service" containing the latest TOS URL.
	Instance string

	// Header is the original server error response headers.
	// It may be nil (for example when the error was embedded in an order
	// or authorization object rather than sent as an HTTP response).
	Header http.Header

	// Subproblems may contain more detailed information about the individual problems
	// that caused the error. This field is only sent by RFC 8555 compatible ACME
	// servers. Defined in RFC 8555 Section 6.7.1.
	Subproblems []Subproblem
}
// Error implements the error interface. The message is
// "<status> <type>: <detail>", followed, when subproblems are present, by
// "; subproblems:" and each subproblem on its own tab-indented line.
func (e *Error) Error() string {
	var b strings.Builder
	fmt.Fprintf(&b, "%d %s: %s", e.StatusCode, e.ProblemType, e.Detail)
	if len(e.Subproblems) > 0 {
		b.WriteString("; subproblems:")
		for _, sp := range e.Subproblems {
			b.WriteString("\n\t")
			b.WriteString(sp.String())
		}
	}
	return b.String()
}
// AuthorizationError indicates that an authorization for an identifier
// did not succeed.
// It contains all errors from Challenge items of the failed Authorization.
type AuthorizationError struct {
	// URI uniquely identifies the failed Authorization.
	URI string

	// Identifier is an AuthzID.Value of the failed Authorization.
	Identifier string

	// Errors is a collection of non-nil error values of Challenge items
	// of the failed Authorization.
	Errors []error
}

// Error joins the challenge error messages with "; " and names the
// identifier when one is known.
func (a *AuthorizationError) Error() string {
	msgs := make([]string, 0, len(a.Errors))
	for _, err := range a.Errors {
		msgs = append(msgs, err.Error())
	}
	joined := strings.Join(msgs, "; ")
	if a.Identifier == "" {
		return "acme: authorization error: " + joined
	}
	return "acme: authorization error for " + a.Identifier + ": " + joined
}
// OrderError is returned from Client's order related methods.
// It indicates the order is unusable and the clients should start over with
// AuthorizeOrder.
//
// The clients can still fetch the order object from CA using GetOrder
// to inspect its state.
type OrderError struct {
	// OrderURL is the URL of the unusable order (Order.URI).
	OrderURL string
	// Status is the order status the CA reported, e.g. StatusInvalid.
	Status string
}

// Error implements the error interface as "acme: order <url> status: <status>".
func (oe *OrderError) Error() string {
	return "acme: order " + oe.OrderURL + " status: " + oe.Status
}
// RateLimit reports whether err represents a rate limit error and
// any Retry-After duration returned by the server.
// A zero duration with true means the CA rate-limited the request but
// gave no usable Retry-After (or no headers were captured).
//
// See the following for more details on rate limiting:
// https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-5.6
func RateLimit(err error) (time.Duration, bool) {
	e, ok := err.(*Error)
	if !ok {
		return 0, false
	}
	// Some CA implementations use the wrong case in the problem type,
	// so the suffix is compared case-insensitively.
	isRateLimit := strings.HasSuffix(strings.ToLower(e.ProblemType), ":ratelimited")
	switch {
	case !isRateLimit:
		return 0, false
	case e.Header == nil:
		return 0, true
	default:
		return retryAfter(e.Header.Get("Retry-After")), true
	}
}
// Account is a user account. It is associated with a private key.
// Non-RFC 8555 fields are empty when interfacing with a compliant CA.
type Account struct {
	// URI is the account unique ID, which is also a URL used to retrieve
	// account data from the CA.
	// When interfacing with RFC 8555-compliant CAs, URI is the "kid" field
	// value in JWS signed requests.
	URI string

	// Contact is a slice of contact info used during registration.
	// See https://tools.ietf.org/html/rfc8555#section-7.3 for supported
	// formats.
	Contact []string

	// Status indicates current account status as returned by the CA.
	// Possible values are StatusValid, StatusDeactivated, and StatusRevoked.
	Status string

	// OrdersURL is a URL from which a list of orders submitted by this account
	// can be fetched.
	OrdersURL string

	// AgreedTerms is the Terms of Service URL the user has agreed to.
	// A value not matching CurrentTerms indicates that the user hasn't agreed
	// to the actual Terms of Service of the CA.
	//
	// It is non-RFC 8555 compliant. Package users can store the ToS they agree to
	// during Client's Register call in the prompt callback function.
	AgreedTerms string

	// CurrentTerms is the actual Terms of Service URL of a CA.
	//
	// It is non-RFC 8555 compliant. Use Directory's Terms field.
	// When a CA updates their terms and requires an account agreement,
	// a URL at which instructions to do so is available in Error's Instance field.
	CurrentTerms string

	// Authz is the authorization URL used to initiate a new authz flow.
	//
	// It is non-RFC 8555 compliant. Use Directory's AuthzURL or OrderURL.
	Authz string

	// Authorizations is a URI from which a list of authorizations
	// granted to this account can be fetched via a GET request.
	//
	// It is non-RFC 8555 compliant and is obsoleted by OrdersURL.
	Authorizations string

	// Certificates is a URI from which a list of certificates
	// issued for this account can be fetched via a GET request.
	//
	// It is non-RFC 8555 compliant and is obsoleted by OrdersURL.
	Certificates string

	// ExternalAccountBinding represents an arbitrary binding to an account of
	// the CA which the ACME server is tied to.
	// See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more details.
	ExternalAccountBinding *ExternalAccountBinding
}
// ExternalAccountBinding contains the data needed to form a request with
// an external account binding.
// See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more details.
type ExternalAccountBinding struct {
	// KID is the Key ID of the symmetric MAC key that the CA provides to
	// identify an external account from ACME.
	KID string

	// Key is the bytes of the symmetric key that the CA provides to identify
	// the account. Key must correspond to the KID.
	// It is a secret and is never included in String output.
	Key []byte
}

// String renders the binding for logging with the KID quoted and the
// symmetric key replaced by the word "redacted".
func (e *ExternalAccountBinding) String() string {
	const redactedFormat = "&{KID: %q, Key: redacted}"
	return fmt.Sprintf(redactedFormat, e.KID)
}
// Directory is ACME server discovery data.
// See https://tools.ietf.org/html/rfc8555#section-7.1.1 for more details.
type Directory struct {
	// NonceURL indicates an endpoint where to fetch fresh nonce values from.
	NonceURL string

	// RegURL is an account endpoint URL, allowing for creating new accounts.
	// Pre-RFC 8555 CAs also allow modifying existing accounts at this URL.
	RegURL string

	// OrderURL is used to initiate the certificate issuance flow
	// as described in RFC 8555.
	OrderURL string

	// AuthzURL is used to initiate identifier pre-authorization flow.
	// Empty string indicates the flow is unsupported by the CA.
	AuthzURL string

	// CertURL is a new certificate issuance endpoint URL.
	// It is non-RFC 8555 compliant and is obsoleted by OrderURL.
	CertURL string

	// RevokeURL is used to initiate a certificate revocation flow.
	RevokeURL string

	// KeyChangeURL allows performing the account key rollover flow.
	KeyChangeURL string

	// Terms is a URI identifying the current terms of service.
	Terms string

	// Website is an HTTP or HTTPS URL locating a website
	// providing more information about the ACME server.
	Website string

	// CAA consists of lowercase hostname elements, which the ACME server
	// recognises as referring to itself for the purposes of CAA record validation
	// as defined in RFC 6844.
	CAA []string

	// ExternalAccountRequired indicates that the CA requires for all account-related
	// requests to include external account binding information.
	ExternalAccountRequired bool

	// Profiles lists the certificate profiles the CA advertises, keyed by
	// name. An empty map means the CA does not support profiles and
	// AuthorizeOrder rejects [WithOrderProfile]. See also [WithOrderProfile].
	Profiles Profiles
}
// Order represents a client's request for a certificate.
// It tracks the request flow progress through to issuance.
type Order struct {
	// URI uniquely identifies an order.
	// It is taken from the Location header of the CA's response.
	URI string

	// Status represents the current status of the order.
	// It indicates which action the client should take.
	//
	// Possible values are StatusPending, StatusReady, StatusProcessing, StatusValid and StatusInvalid.
	// Pending means the CA does not believe that the client has fulfilled the requirements.
	// Ready indicates that the client has fulfilled all the requirements and can submit a CSR
	// to obtain a certificate. This is done with Client's CreateOrderCert.
	// Processing means the certificate is being issued.
	// Valid indicates the CA has issued the certificate. It can be downloaded
	// from the Order's CertURL. This is done with Client's FetchCert.
	// Invalid means the certificate will not be issued. Users should consider this order
	// abandoned.
	Status string

	// Expires is the timestamp after which CA considers this order invalid.
	Expires time.Time

	// Identifiers contains all identifier objects which the order pertains to.
	Identifiers []AuthzID

	// NotBefore is the requested value of the notBefore field in the certificate.
	NotBefore time.Time

	// NotAfter is the requested value of the notAfter field in the certificate.
	NotAfter time.Time

	// AuthzURLs represents authorizations to complete before a certificate
	// for identifiers specified in the order can be issued.
	// It also contains unexpired authorizations that the client has completed
	// in the past.
	//
	// Authorization objects can be fetched using Client's GetAuthorization method.
	//
	// The required authorizations are dictated by CA policies.
	// There may not be a 1:1 relationship between the identifiers and required authorizations.
	// Required authorizations can be identified by their StatusPending status.
	//
	// For orders in the StatusValid or StatusInvalid state these are the authorizations
	// which were completed.
	AuthzURLs []string

	// FinalizeURL is the endpoint at which a CSR is submitted to obtain a certificate
	// once all the authorizations are satisfied.
	FinalizeURL string

	// CertURL points to the certificate that has been issued in response to this order.
	CertURL string

	// Error is the error that occurred while processing the order as received
	// from a CA, if any. Its Header field is nil because the error arrived
	// inside the order object rather than as an HTTP error response.
	Error *Error
}
// OrderOption allows customizing Client.AuthorizeOrder call.
// The interface is sealed: only values built by the With* functions in
// this package satisfy it.
type OrderOption interface {
	privateOrderOpt()
}

// orderNotBeforeOpt carries the value given to WithOrderNotBefore.
type orderNotBeforeOpt time.Time

// orderNotAfterOpt carries the value given to WithOrderNotAfter.
type orderNotAfterOpt time.Time

// orderProfileOpt carries the profile name given to WithOrderProfile.
type orderProfileOpt string

func (orderNotBeforeOpt) privateOrderOpt() {}
func (orderNotAfterOpt) privateOrderOpt()  {}
func (orderProfileOpt) privateOrderOpt()   {}

// WithOrderNotBefore sets order's NotBefore field.
func WithOrderNotBefore(t time.Time) OrderOption {
	opt := orderNotBeforeOpt(t)
	return opt
}

// WithOrderNotAfter sets order's NotAfter field.
func WithOrderNotAfter(t time.Time) OrderOption {
	opt := orderNotAfterOpt(t)
	return opt
}

// WithOrderProfile sets an order's Profile field for servers which support
// profiles. AuthorizeOrder rejects the option when the CA's directory does
// not advertise the named profile.
// See also:
// * https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
// * https://letsencrypt.org/docs/profiles/
func WithOrderProfile(name string) OrderOption {
	opt := orderProfileOpt(name)
	return opt
}
// Authorization encodes an authorization response.
type Authorization struct {
	// URI uniquely identifies an authorization.
	URI string

	// Status is the current status of an authorization.
	// Possible values are StatusPending, StatusValid, StatusInvalid, StatusDeactivated,
	// StatusExpired and StatusRevoked.
	Status string

	// Identifier is what the account is authorized to represent.
	Identifier AuthzID

	// Expires is the timestamp after which the CA considers the authorization invalid.
	Expires time.Time

	// Wildcard is true for authorizations of a wildcard domain name.
	Wildcard bool

	// Challenges that the client needs to fulfill in order to prove possession
	// of the identifier (for pending authorizations).
	// For valid authorizations, the challenge that was validated.
	// For invalid authorizations, the challenge that was attempted and failed.
	//
	// RFC 8555 compatible CAs require users to fulfill only one of the challenges.
	Challenges []*Challenge

	// A collection of sets of challenges, each of which would be sufficient
	// to prove possession of the identifier.
	// Clients must complete a set of challenges that covers at least one set.
	// Challenges are identified by their indices in the challenges array.
	// If this field is empty, the client needs to complete all challenges.
	//
	// This field is unused in RFC 8555.
	Combinations [][]int
}
// AuthzID is an identifier that an account is authorized to represent.
type AuthzID struct {
	Type  string // The type of identifier, "dns" or "ip".
	Value string // The identifier itself, e.g. "example.org".
}

// identifiersOfType builds one AuthzID of the given type per value,
// preserving order. The result is never nil, even for zero values.
func identifiersOfType(typ string, values []string) []AuthzID {
	ids := make([]AuthzID, len(values))
	for i := range values {
		ids[i] = AuthzID{Type: typ, Value: values[i]}
	}
	return ids
}

// DomainIDs creates a slice of AuthzID with "dns" identifier type.
func DomainIDs(names ...string) []AuthzID {
	return identifiersOfType("dns", names)
}

// IPIDs creates a slice of AuthzID with "ip" identifier type.
// Each element of addr is textual form of an address as defined
// in RFC 1123 Section 2.1 for IPv4 and in RFC 5952 Section 4 for IPv6.
func IPIDs(addr ...string) []AuthzID {
	return identifiersOfType("ip", addr)
}
// wireAuthzID is ACME JSON representation of authorization identifier objects.
// It is the on-the-wire form of AuthzID; the two are converted field by field.
type wireAuthzID struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}
// wireAuthz is ACME JSON representation of Authorization objects.
// Field names match the JSON keys case-insensitively (no tags are needed).
// It is converted to the public types with authorization and error.
type wireAuthz struct {
	Identifier   wireAuthzID
	Status       string
	Expires      time.Time
	Wildcard     bool
	Challenges   []wireChallenge
	Combinations [][]int
	Error        *wireError
}
// authorization converts the wire object into an *Authorization identified
// by uri. Challenges are converted one by one; Combinations shares its
// backing array with z (shallow copy).
func (z *wireAuthz) authorization(uri string) *Authorization {
	challenges := make([]*Challenge, len(z.Challenges))
	for i := range z.Challenges {
		challenges[i] = z.Challenges[i].challenge()
	}
	return &Authorization{
		URI:          uri,
		Status:       z.Status,
		Identifier:   AuthzID{Type: z.Identifier.Type, Value: z.Identifier.Value},
		Expires:      z.Expires,
		Wildcard:     z.Wildcard,
		Challenges:   challenges,
		Combinations: z.Combinations, // shallow copy
	}
}
// error builds an *AuthorizationError for the authorization at uri,
// collecting the authorization-level error (if any) followed by the error
// of every challenge that carries one. Errors stays nil when there are none.
func (z *wireAuthz) error(uri string) *AuthorizationError {
	var errs []error
	if z.Error != nil {
		errs = append(errs, z.Error.error(nil))
	}
	for i := range z.Challenges {
		if ch := &z.Challenges[i]; ch.Error != nil {
			errs = append(errs, ch.Error.error(nil))
		}
	}
	return &AuthorizationError{
		URI:        uri,
		Identifier: z.Identifier.Value,
		Errors:     errs,
	}
}
// Challenge encodes a returned CA challenge.
// Its Error field may be non-nil if the challenge is part of an Authorization
// with StatusInvalid.
type Challenge struct {
	// Type is the challenge type, e.g. "http-01", "tls-alpn-01", "dns-01".
	Type string

	// URI is where a challenge response can be posted to.
	// It is filled from the RFC 8555 "url" key, falling back to the
	// pre-RFC "uri" key.
	URI string

	// Token is a random value that uniquely identifies the challenge.
	Token string

	// Status identifies the status of this challenge.
	// In RFC 8555, possible values are StatusPending, StatusProcessing, StatusValid,
	// and StatusInvalid. A challenge received without a status is reported
	// as StatusPending.
	Status string

	// Validated is the time at which the CA validated this challenge.
	// Always zero value in pre-RFC 8555.
	Validated time.Time

	// Error indicates the reason for an authorization failure
	// when this challenge was used.
	// The type of a non-nil value is *Error.
	Error error

	// Payload is the JSON-formatted payload that the client sends
	// to the server to indicate it is ready to respond to the challenge.
	// When unset, it defaults to an empty JSON object: {}.
	// For most challenges, the client must not set Payload,
	// see https://tools.ietf.org/html/rfc8555#section-7.5.1.
	// Payload is used only for newer challenges (such as "device-attest-01")
	// where the client must send additional data for the server to validate
	// the challenge.
	Payload json.RawMessage
}
// wireChallenge is ACME JSON challenge representation.
// Both the RFC 8555 "url" and the pre-RFC "uri" keys are accepted; the
// challenge method picks whichever is set.
type wireChallenge struct {
	URL       string `json:"url"` // RFC
	URI       string `json:"uri"` // pre-RFC
	Type      string
	Token     string
	Status    string
	Validated time.Time
	Error     *wireError
}
// challenge converts the wire object into a *Challenge, preferring the RFC
// 8555 "url" over the legacy "uri", defaulting a missing status to
// StatusPending, and attaching the error (with no headers) when present.
func (c *wireChallenge) challenge() *Challenge {
	uri := c.URL
	if uri == "" {
		uri = c.URI // no RFC-style url; fall back to the legacy key
	}
	status := c.Status
	if status == "" {
		status = StatusPending
	}
	out := &Challenge{
		URI:    uri,
		Type:   c.Type,
		Token:  c.Token,
		Status: status,
	}
	// Assign only for a non-nil *wireError so out.Error stays a nil
	// interface rather than a non-nil interface holding a nil pointer.
	if c.Error != nil {
		out.Error = c.Error.error(nil)
	}
	return out
}
// wireError is a subset of fields of the Problem Details object
// as described in https://tools.ietf.org/html/rfc7807#section-3.1.
// It is converted to the public *Error type by the error method.
type wireError struct {
	Status      int
	Type        string
	Detail      string
	Instance    string
	Subproblems []Subproblem
}
// error converts the wire object into an *Error, attaching h as the
// response headers. Callers pass nil when the error was embedded in another
// object and no headers apply.
func (e *wireError) error(h http.Header) *Error {
	return &Error{
		StatusCode:  e.Status,
		ProblemType: e.Type,
		Detail:      e.Detail,
		Instance:    e.Instance,
		Header:      h,
		Subproblems: e.Subproblems,
	}
}
// CertOption is an optional argument type for the TLS ChallengeCert methods for
// customizing a temporary certificate for TLS-based challenges.
// The interface is sealed: only WithKey and WithTemplate produce values of it.
type CertOption interface {
	privateCertOpt()
}

// certOptKey wraps the key pair given to WithKey.
type certOptKey struct {
	key crypto.Signer
}

// certOptTemplate is the template given to WithTemplate, converted in place
// (no copy of the certificate is made).
type certOptTemplate x509.Certificate

func (*certOptKey) privateCertOpt()      {}
func (*certOptTemplate) privateCertOpt() {}

// WithKey creates an option holding a private/public key pair.
// The private part signs a certificate, and the public part represents the signee.
func WithKey(key crypto.Signer) CertOption {
	opt := &certOptKey{key: key}
	return opt
}

// WithTemplate creates an option for specifying a certificate template.
// See x509.CreateCertificate for template usage details.
//
// In TLS ChallengeCert methods, the template is also used as parent,
// resulting in a self-signed certificate.
// The DNSNames field of t is always overwritten for tls-sni challenge certs.
func WithTemplate(t *x509.Certificate) CertOption {
	opt := (*certOptTemplate)(t)
	return opt
}
// Profiles maps the certificate profile names a CA advertises in its
// directory to their human-readable descriptions.
type Profiles map[string]string

// isSupported reports whether the CA advertised at least one profile.
func (ps Profiles) isSupported() bool {
	return len(ps) != 0
}

// GetDescription returns the description of the named profile, or the
// empty string when the profile is unknown.
func (ps Profiles) GetDescription(name string) string {
	desc := ps[name]
	return desc
}

// Has reports whether the CA advertises a profile called name.
func (ps Profiles) Has(name string) bool {
	if _, found := ps[name]; found {
		return true
	}
	return false
}