{ "description": "Certificate is the Schema for the Certificates API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "CertificateSpec defines the desired state of Certificate.", "properties": { "apiPassthrough": { "description": "Specifies X.509 certificate information to be included in the issued certificate.\nAn APIPassthrough or APICSRPassthrough template variant must be selected,\nor else this parameter is ignored. For more information about using these\ntemplates, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).\n\nIf conflicting or duplicate certificate information is supplied during certificate\nissuance, Amazon Web Services Private CA applies order of operation rules\n(https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations)\nto determine what information is used.", "properties": { "extensions": { "description": "Contains X.509 extension information for a certificate.", "properties": { "certificatePolicies": { "items": { "description": "Defines the X.509 CertificatePolicies extension.", "properties": { "certPolicyID": { "type": "string" }, "policyQualifiers": { "items": { "description": "Modifies the CertPolicyId of a PolicyInformation object with a qualifier.\nAmazon Web Services Private CA supports the certification practice statement\n(CPS) qualifier.", "properties": { "policyQualifierID": { "type": "string" }, "qualifier": { "description": "Defines a PolicyInformation qualifier. Amazon Web Services Private CA supports\nthe certification practice statement (CPS) qualifier (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4)\ndefined in RFC 5280.", "properties": { "cpsURI": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "customExtensions": { "items": { "description": "Specifies the X.509 extension information for a certificate.\n\nExtensions present in CustomExtensions follow the ApiPassthrough template\nrules (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations).", "properties": { "critical": { "type": "boolean" }, "objectIdentifier": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "extendedKeyUsage": { "items": { "description": "Specifies additional purposes for which the certified public key may be used\nother than basic purposes indicated in the KeyUsage extension.", "properties": { "extendedKeyUsageObjectIdentifier": { "type": "string" }, "extendedKeyUsageType": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "keyUsage": { "description": "Defines one or more purposes for which the key contained in the certificate\ncan be used. Default value for each option is false.", "properties": { "crlSign": { "type": "boolean" }, "dataEncipherment": { "type": "boolean" }, "decipherOnly": { "type": "boolean" }, "digitalSignature": { "type": "boolean" }, "encipherOnly": { "type": "boolean" }, "keyAgreement": { "type": "boolean" }, "keyCertSign": { "type": "boolean" }, "keyEncipherment": { "type": "boolean" }, "nonRepudiation": { "type": "boolean" } }, "type": "object", "additionalProperties": false }, "subjectAlternativeNames": { "items": { "description": "Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280).\nOnly one of the following naming options should be provided. Providing more\nthan one option results in an InvalidArgsException error.", "properties": { "directoryName": { "description": "Contains information about the certificate subject. The Subject field in\nthe certificate identifies the entity that owns or controls the public key\nin the certificate. The entity can be a user, computer, device, or service.\nThe Subject must contain an X.500 distinguished name (DN). A DN is a sequence\nof relative distinguished names (RDNs). The RDNs are separated by commas\nin the certificate.", "properties": { "commonName": { "type": "string" }, "country": { "type": "string" }, "customAttributes": { "items": { "description": "Defines the X.500 relative distinguished name (RDN).", "properties": { "objectIdentifier": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "distinguishedNameQualifier": { "type": "string" }, "generationQualifier": { "type": "string" }, "givenName": { "type": "string" }, "initials": { "type": "string" }, "locality": { "type": "string" }, "organization": { "type": "string" }, "organizationalUnit": { "type": "string" }, "pseudonym": { "type": "string" }, "serialNumber": { "type": "string" }, "state": { "type": "string" }, "surname": { "type": "string" }, "title": { "type": "string" } }, "type": "object", "additionalProperties": false }, "dnsName": { "type": "string" }, "ediPartyName": { "description": "Describes an Electronic Data Interchange (EDI) entity as described in as\ndefined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280)\nin RFC 5280.", "properties": { "nameAssigner": { "type": "string" }, "partyName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "ipAddress": { "type": "string" }, "otherName": { "description": "Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID)\nand value. The OID must satisfy the regular expression shown below. For more\ninformation, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier).", "properties": { "typeID": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "registeredID": { "type": "string" }, "rfc822Name": { "type": "string" }, "uniformResourceIdentifier": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "subject": { "description": "Contains information about the certificate subject. The Subject field in\nthe certificate identifies the entity that owns or controls the public key\nin the certificate. The entity can be a user, computer, device, or service.\nThe Subject must contain an X.500 distinguished name (DN). A DN is a sequence\nof relative distinguished names (RDNs). The RDNs are separated by commas\nin the certificate.", "properties": { "commonName": { "type": "string" }, "country": { "type": "string" }, "customAttributes": { "items": { "description": "Defines the X.500 relative distinguished name (RDN).", "properties": { "objectIdentifier": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "distinguishedNameQualifier": { "type": "string" }, "generationQualifier": { "type": "string" }, "givenName": { "type": "string" }, "initials": { "type": "string" }, "locality": { "type": "string" }, "organization": { "type": "string" }, "organizationalUnit": { "type": "string" }, "pseudonym": { "type": "string" }, "serialNumber": { "type": "string" }, "state": { "type": "string" }, "surname": { "type": "string" }, "title": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ], "additionalProperties": false }, "certificateAuthorityARN": { "description": "The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority\n(https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html).\nThis must be of the form:\n\narn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012\n\nRegex Pattern: `^arn:[\\w+=/,.@-]+:acm-pca:[\\w+=/,.@-]*:[0-9]*:[\\w+=,.@-]+(/[\\w+=,.@-]+)*$`", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "certificateAuthorityRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "certificateOutput": { "description": "SecretKeyReference combines a k8s corev1.SecretReference with a\nspecific key within the referred-to Secret", "properties": { "key": { "description": "Key is the key within the secret", "type": "string" }, "name": { "description": "name is unique within a namespace to reference a secret resource.", "type": "string" }, "namespace": { "description": "namespace defines the space within which the secret name must be unique.", "type": "string" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ], "additionalProperties": false }, "certificateSigningRequest": { "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "certificateSigningRequestRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "signingAlgorithm": { "description": "The name of the algorithm that will be used to sign the certificate to be\nissued.\n\nThis parameter should not be confused with the SigningAlgorithm parameter\nused to sign a CSR in the CreateCertificateAuthority action.\n\nThe specified signing algorithm family (RSA or ECDSA) must match the algorithm\nfamily of the CA's secret key.", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "templateARN": { "description": "Specifies a custom configuration template to use when issuing a certificate.\nIf this parameter is not provided, Amazon Web Services Private CA defaults\nto the EndEntityCertificate/V1 template. For CA certificates, you should\nchoose the shortest path length that meets your needs. The path length is\nindicated by the PathLenN portion of the ARN, where N is the CA depth (https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth).\n\nNote: The CA depth configured on a subordinate CA certificate must not exceed\nthe limit set by its parents in the CA hierarchy.\n\nFor a list of TemplateArn values supported by Amazon Web Services Private\nCA, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html).\n\nRegex Pattern: `^arn:[\\w+=/,.@-]+:acm-pca:[\\w+=/,.@-]*:[0-9]*:[\\w+=,.@-]+(/[\\w+=,.@-]+)*$`", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "validity": { "description": "Information describing the end of the validity period of the certificate.\nThis parameter sets the \u201cNot After\u201d date for the certificate.\n\nCertificate validity is the period of time during which a certificate is\nvalid. Validity can be expressed as an explicit date and time when the certificate\nexpires, or as a span of time after issuance, stated in days, months, or\nyears. For more information, see Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)\nin RFC 5280.\n\nThis value is unaffected when ValidityNotBefore is also specified. For example,\nif Validity is set to 20 days in the future, the certificate will expire\n20 days from issuance time regardless of the ValidityNotBefore value.\n\nThe end of the validity period configured on a certificate must not exceed\nthe limit set on its parents in the CA hierarchy.", "properties": { "type": { "type": "string" }, "value": { "format": "int64", "type": "integer" } }, "type": "object", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ], "additionalProperties": false }, "validityNotBefore": { "description": "Information describing the start of the validity period of the certificate.\nThis parameter sets the \u201cNot Before\" date for the certificate.\n\nBy default, when issuing a certificate, Amazon Web Services Private CA sets\nthe \"Not Before\" date to the issuance time minus 60 minutes. This compensates\nfor clock inconsistencies across computer systems. The ValidityNotBefore\nparameter can be used to customize the \u201cNot Before\u201d value.\n\nUnlike the Validity parameter, the ValidityNotBefore parameter is optional.\n\nThe ValidityNotBefore value is expressed as an explicit date and time, using\nthe Validity type value ABSOLUTE. For more information, see Validity (https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html)\nin this API reference and Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5)\nin RFC 5280.", "properties": { "type": { "type": "string" }, "value": { "format": "int64", "type": "integer" } }, "type": "object", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ], "additionalProperties": false } }, "required": [ "signingAlgorithm", "validity" ], "type": "object", "additionalProperties": false }, "status": { "description": "CertificateStatus defines the observed state of Certificate", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object" }