Approver Policy Enterprise API reference
Resource Types: CertificateRequestPolicy
CertificateRequestPolicy
CertificateRequestPolicy is an object for describing a "policy profile" that decides whether applicable CertificateRequests are approved or denied.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | policy.cert-manager.io/v1alpha1 | true |
kind | string | CertificateRequestPolicy | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy. | false |
status | object | CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy. | false |
CertificateRequestPolicy.spec
CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy.
Name | Type | Description | Required |
---|---|---|---|
selector | object | Selector chooses which CertificateRequests this CertificateRequestPolicy applies to and is therefore evaluated against for approval. | true |
allowed | object | Allowed is the set of attributes that are "allowed" by this policy. A CertificateRequest is only considered permissible for this policy if every attribute it requests is within what is allowed (it may request the same or less, never more). Empty or nil allowed fields mean CertificateRequests are not allowed to have that field present to be permissible. | false |
constraints | object | Constraints is the set of attributes that must be satisfied by the CertificateRequest for the request to be permissible by the policy. Empty or nil constraint fields mean CertificateRequests satisfy that field with any value of their corresponding attribute. | false |
plugins | map[string]object | Plugins define a set of plugins and their configuration that must be executed when this policy is evaluated against a CertificateRequest. A plugin must already exist within Approver Policy for it to be available. | false |
CertificateRequestPolicy.spec.selector
Selector chooses which CertificateRequests this CertificateRequestPolicy applies to and is therefore evaluated against for approval.
Name | Type | Description | Required |
---|---|---|---|
issuerRef | object | IssuerRef matches this CertificateRequestPolicy against processed CertificateRequests. The policy is only evaluated against a CertificateRequest whose spec.issuerRef field matches spec.selector.issuerRef. If issuerRef is defined, CertificateRequests with a non-matching issuerRef are not processed by this policy, regardless of whether the requestor is bound to the policy by RBAC. Accepts the wildcard *. Omitted values are equivalent to *. The value issuerRef: {} matches all issuerRefs. | false |
namespace | object | You use Namespace to select on Namespaces. This means that the CertificateRequestPolicy will only match on CertificateRequests that have been created in matching selected Namespaces. If this field is omitted, all Namespaces are selected. | false |
CertificateRequestPolicy.spec.selector.issuerRef
IssuerRef matches this CertificateRequestPolicy against processed CertificateRequests. The policy is only evaluated against a CertificateRequest whose spec.issuerRef field matches spec.selector.issuerRef. If issuerRef is defined, CertificateRequests with a non-matching issuerRef are not processed by this policy, regardless of whether the requestor is bound to the policy by RBAC. Accepts the wildcard *. Omitted values are equivalent to *. The value issuerRef: {} matches all issuerRefs.
Name | Type | Description | Required |
---|---|---|---|
group | string | Group is the wildcard selector to match the spec.issuerRef.group field on requests. Accepts wildcards "*". An omitted field or value of nil matches all. | false |
kind | string | Kind is the wildcard selector to match the spec.issuerRef.kind field on requests. Accepts wildcards "*". An omitted field or value of nil matches all. | false |
name | string | Name is the wildcard selector to match the spec.issuerRef.name field on requests. Accepts wildcards "*". An omitted field or value of nil matches all. | false |
CertificateRequestPolicy.spec.selector.namespace
Namespace selects on Namespaces, meaning the CertificateRequestPolicy only matches CertificateRequests created in a selected Namespace. If this field is omitted, all Namespaces are selected.
Name | Type | Description | Required |
---|---|---|---|
matchLabels | map[string]string | MatchLabels is the set of Namespace labels that select on CertificateRequests which have been created in a Namespace matching the selector. | false |
matchNames | []string | MatchNames are the set of Namespace names that select on CertificateRequests that have been created in a matching Namespace. Accepts wildcards * . | false |
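The selector rules above (issuerRef with wildcards, namespace matchLabels and matchNames) as a runnable model. This is an added example, not approver-policy's own code: policies, Namespaces and CertificateRequests are plain dicts mirroring the manifest shape and are constructed sample data. Assumptions: shell-style globbing (fnmatch) approximates the controller's * matching, an omitted issuerRef selector imposes no issuerRef filter, and an empty matchNames list matches no Namespace. Passing the selector only means the policy is evaluated against the request; approval still depends on allowed, constraints and the requestor's RBAC binding.

```python
"""Constructed model of CertificateRequestPolicy.spec.selector matching.
Added example, not approver-policy code; dicts mirror the manifest shape."""
from fnmatch import fnmatchcase


def wildcard(pattern, value):
    # Omitted pattern (None) is equivalent to "*" per the reference.
    # Assumption: shell-style globbing approximates the controller's '*' handling.
    return pattern is None or fnmatchcase(value, pattern)


def issuer_ref_matches(selector, issuer_ref):
    sel = selector.get("issuerRef")
    if sel is None:  # assumption: an omitted issuerRef selector imposes no issuerRef filter
        return True
    return all(wildcard(sel.get(k), issuer_ref.get(k, "")) for k in ("group", "kind", "name"))


def namespace_matches(selector, ns_name, ns_labels):
    sel = selector.get("namespace")
    if sel is None:
        return True  # omitted: all Namespaces are selected
    names = sel.get("matchNames")
    if names is not None and not any(fnmatchcase(ns_name, p) for p in names):
        return False  # assumption: matchNames [] therefore matches no Namespace
    # every matchLabels entry must be present on the Namespace with the same value
    return all(ns_labels.get(k) == v for k, v in (sel.get("matchLabels") or {}).items())


def policy_selects(policy, cr, ns_labels):
    """True when this policy is evaluated against the CertificateRequest at all."""
    sel = policy["spec"]["selector"]
    return (issuer_ref_matches(sel, cr["spec"]["issuerRef"])
            and namespace_matches(sel, cr["metadata"]["namespace"], ns_labels))


def applicable_policies(policies, cr, ns_labels):
    return [p["metadata"]["name"] for p in policies if policy_selects(p, cr, ns_labels)]


# Constructed sample data: two policies, three labelled Namespaces.
POLICIES = [
    {"metadata": {"name": "internal-ca-payments"},
     "spec": {"selector": {
         "issuerRef": {"name": "internal-ca", "kind": "ClusterIssuer", "group": "cert-manager.io"},
         "namespace": {"matchLabels": {"team": "payments"}, "matchNames": ["payments-*"]}}}},
    {"metadata": {"name": "any-issuer-dev"},
     "spec": {"selector": {"issuerRef": {}, "namespace": {"matchNames": ["dev-*"]}}}},
]
NAMESPACE_LABELS = {"payments-prod": {"team": "payments"},
                    "dev-alice": {"team": "dev"},
                    "billing": {"team": "billing"}}


def make_cr(namespace, issuer_name, kind="ClusterIssuer", group="cert-manager.io"):
    """Minimal constructed CertificateRequest with a fully populated issuerRef."""
    return {"metadata": {"namespace": namespace},
            "spec": {"issuerRef": {"name": issuer_name, "kind": kind, "group": group}}}


if __name__ == "__main__":
    for ns, issuer in (("payments-prod", "internal-ca"), ("dev-alice", "letsencrypt"),
                       ("billing", "internal-ca")):
        cr = make_cr(ns, issuer)
        print(f"{ns}/{issuer} -> {applicable_policies(POLICIES, cr, NAMESPACE_LABELS[ns])}")
```

Running it shows that a request in billing using internal-ca is selected by no policy at all, because the first policy's namespace selector fails and the second policy's matchNames does not cover billing; such a request is never approved by these policies even though its issuerRef matches.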
CertificateRequestPolicy.spec.allowed
Allowed is the set of attributes that are "allowed" by this policy. A CertificateRequest is only considered permissible for this policy if every attribute it requests is within what is allowed (it may request the same or less, never more). Empty or nil allowed fields mean CertificateRequests are not allowed to have that field present to be permissible.
Name | Type | Description | Required |
---|---|---|---|
commonName | object | CommonName defines the X.509 Common Name that is permissible. | false |
dnsNames | object | DNSNames defines the X.509 DNS SANs that may be requested. Accepts wildcard * . | false |
emailAddresses | object | EmailAddresses defines the X.509 Email SANs that may be requested. | false |
ipAddresses | object | IPAddresses defines the X.509 IP SANs that may be requested. | false |
isCA | boolean | IsCA defines whether it is permissible for a CertificateRequest to have the spec.isCA field set to true. An omitted field, or a value of nil or false, forbids spec.isCA from being true. A value of true permits CertificateRequests that set spec.isCA to true. | false |
subject | object | Subject defines the X.509 subject that is permissible. An omitted field or value of nil forbids any Subject being requested. | false |
uris | object | URIs defines the X.509 URI SANs that may be requested. | false |
usages | []enum | Usages defines the list of permissible key usages that may appear on the CertificateRequest spec.keyUsages field. An omitted field or value of nil forbids any Usages being requested. An empty slice [] is equivalent to nil . | false |
CertificateRequestPolicy.spec.allowed.commonName
CommonName defines the X.509 Common Name that is permissible.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Value is also defined. | false |
value | string | Value defines the value that is permissible on the request. Accepts wildcard * . An omitted field or value of nil forbids the value from being requested. An empty string is equivalent to nil . However, an empty string paired with Required as true is an impossible condition that always denies. Value may not be nil if Required is true . | false |
CertificateRequestPolicy.spec.allowed.dnsNames
DNSNames defines the X.509 DNS SANs that may be requested. Accepts the wildcard *.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.emailAddresses
EmailAddresses defines the X.509 Email SANs that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.ipAddresses
IPAddresses defines the X.509 IP SANs that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject
Subject defines the X.509 subject that is permissible. An omitted field or value of nil forbids any Subject being requested.
Name | Type | Description | Required |
---|---|---|---|
countries | object | Countries defines the X.509 Subject Countries that may be requested. | false |
localities | object | Localities defines the X.509 Subject Localities that may be requested. | false |
organizationalUnits | object | OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested. | false |
organizations | object | Organizations defines the X.509 Subject Organizations that may be requested. | false |
postalCodes | object | PostalCodes defines the X.509 Subject Postal Codes that may be requested. | false |
provinces | object | Provinces defines the X.509 Subject Provinces that may be requested. | false |
serialNumber | object | SerialNumber defines the X.509 Subject Serial Number that may be requested. | false |
streetAddresses | object | StreetAddresses defines the X.509 Subject Street Addresses that may be requested. | false |
CertificateRequestPolicy.spec.allowed.subject.countries
Countries defines the X.509 Subject Countries that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.localities
Localities defines the X.509 Subject Localities that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.organizationalUnits
OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.organizations
Organizations defines the X.509 Subject Organizations that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.postalCodes
PostalCodes defines the X.509 Subject Postal Codes that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.provinces
Provinces defines the X.509 Subject Provinces that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.serialNumber
SerialNumber defines the X.509 Subject Serial Number that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.subject.streetAddresses
StreetAddresses defines the X.509 Subject Street Addresses that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.allowed.uris
URIs defines the X.509 URI SANs that may be requested.
Name | Type | Description | Required |
---|---|---|---|
required | boolean | Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required. | false |
values | []string | Defines the values that are permissible on the request. Accepts the wildcard *. An omitted field or value of nil forbids any value on the related field in the request. An empty slice [] is equivalent to nil; however, an empty slice paired with Required true is an impossible condition that always denies. Values may not be nil if Required is true. | false |
CertificateRequestPolicy.spec.constraints
Constraints is the set of attributes that must be satisfied by the CertificateRequest for the request to be permissible by the policy. Empty or nil constraint fields mean CertificateRequests satisfy that field with any value of their corresponding attribute.
Name | Type | Description | Required |
---|---|---|---|
maxDuration | string | MaxDuration defines the maximum duration for which a certificate may be requested. Values are inclusive (i.e. a max value of 1h will accept a duration of 1h ). MaxDuration and MinDuration may be the same value. An omitted field or value of nil permits any maximum duration. If MaxDuration is defined, a duration must be requested on the CertificateRequest. | false |
minDuration | string | MinDuration defines the minimum duration for which a certificate may be requested. Values are inclusive (i.e. a min value of 1h will accept a duration of 1h ). MinDuration and MaxDuration may be the same value. An omitted field or value of nil permits any minimum duration. If MinDuration is defined, a duration must be requested on the CertificateRequest. | false |
privateKey | object | PrivateKey defines the shape of permissible private keys that may be used for the request with this policy. An omitted field or value of nil permits the use of any private key by the requestor. | false |
CertificateRequestPolicy.spec.constraints.privateKey
PrivateKey defines the shape of permissible private keys that may be used for the request with this policy. An omitted field or value of nil permits the use of any private key by the requestor.
Name | Type | Description | Required |
---|---|---|---|
algorithm | enum | Algorithm defines the allowed crypto algorithm that is used by the requestor for their private key in their request. An omitted field or value of nil permits any Algorithm. Enum: RSA, ECDSA, Ed25519. | false |
maxSize | integer | MaxSize defines the maximum key size a requestor may use for their private key. Values are inclusive (i.e. a max value of 2048 will accept a size of 2048). MaxSize and MinSize may be the same value. An omitted field or value of nil permits any maximum size. | false |
minSize | integer | MinSize defines the minimum key size a requestor may use for their private key. Values are inclusive (i.e. a min value of 2048 will accept a size of 2048 ). MinSize and MaxSize may be the same value. An omitted field or value of nil permits any minimum size. | false |
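The allowed and constraints semantics documented above (nil or empty forbids, required, wildcard values, the impossible required-with-empty-values case, inclusive duration and key-size bounds) carried through in one evaluator. This is an added example, not approver-policy's own code; POLICY and the requests are constructed dicts that mirror the manifest shape. Assumptions: shell-style globbing (fnmatch) approximates the controller's * matching, durations are limited to h/m/s components, and the request carries its key algorithm and size in a key field (in practice these come from the CSR's public key).

```python
"""Constructed evaluator for CertificateRequestPolicy spec.allowed and spec.constraints.
Added example, not approver-policy code; dicts mirror the manifest shape."""
import re
from fnmatch import fnmatchcase

SAN_FIELDS = ("dnsNames", "emailAddresses", "ipAddresses", "uris")
SUBJECT_FIELDS = ("countries", "localities", "organizationalUnits", "organizations",
                  "postalCodes", "provinces", "serialNumber", "streetAddresses")


def matches(pattern, value):
    # Assumption: shell-style '*' globbing approximates the controller's wildcard.
    return fnmatchcase(value, pattern)


def check_single(field, requested, name, out):
    """commonName: nil or "" forbids the value; required needs a matching non-empty one."""
    field = field or {}
    value = field.get("value") or None                # "" is equivalent to nil
    if not requested:
        if field.get("required"):
            out.append(f"{name}: required by policy but not requested")
    elif value is None:
        out.append(f"{name}: {requested!r} requested but policy allows none")
    elif not matches(value, requested):
        out.append(f"{name}: {requested!r} does not match {value!r}")


def check_list(field, requested, name, out):
    """SAN and subject lists: every requested value must match some allowed pattern."""
    field = field or {}
    values = field.get("values") or None              # [] is equivalent to nil
    if not requested:
        if field.get("required"):                     # required + nil/[] therefore always denies
            out.append(f"{name}: required by policy but none requested")
    elif values is None:
        out.append(f"{name}: {list(requested)} requested but policy allows none")
    else:
        for v in requested:
            if not any(matches(p, v) for p in values):
                out.append(f"{name}: {v!r} matches no allowed value")


def parse_duration(s):
    """Go-style duration limited to h/m/s components (assumption), in seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(float(n) * units[u] for n, u in re.findall(r"(\d+(?:\.\d+)?)([hms])", s))


def evaluate(policy, req):
    """Return the violations found; an empty list means the request is permissible."""
    out = []
    allowed = policy["spec"].get("allowed") or {}
    check_single(allowed.get("commonName"), req.get("commonName", ""), "commonName", out)
    for f in SAN_FIELDS:
        check_list(allowed.get(f), req.get(f, []), f, out)
    subject = allowed.get("subject") or {}            # nil subject forbids every subject field
    for f in SUBJECT_FIELDS:
        got = (req.get("subject") or {}).get(f, [])
        got = [got] if isinstance(got, str) else got  # serialNumber is a single string on a CR
        check_list(subject.get(f), got, f"subject.{f}", out)
    if req.get("isCA") and not allowed.get("isCA"):
        out.append("isCA: true requested but policy forbids CA certificates")
    for u in req.get("usages", []):
        if u not in (allowed.get("usages") or []):    # nil or [] forbids all usages
            out.append(f"usages: {u!r} not in allowed usages")
    cons = policy["spec"].get("constraints") or {}
    dur, lo, hi = req.get("duration"), cons.get("minDuration"), cons.get("maxDuration")
    if (lo or hi) and dur is None:
        out.append("duration: must be requested when minDuration/maxDuration is set")
    else:                                             # bounds are inclusive
        if hi and parse_duration(dur) > parse_duration(hi):
            out.append(f"duration: {dur} exceeds maxDuration {hi}")
        if lo and parse_duration(dur) < parse_duration(lo):
            out.append(f"duration: {dur} is below minDuration {lo}")
    pk, key = cons.get("privateKey") or {}, req.get("key", {})  # key: assumed decoded from the CSR
    size = key.get("size", 0)
    if pk.get("algorithm") and key.get("algorithm") != pk["algorithm"]:
        out.append(f"privateKey: algorithm {key.get('algorithm')} is not {pk['algorithm']}")
    if "minSize" in pk and size < pk["minSize"]:
        out.append(f"privateKey: size {size} is below minSize {pk['minSize']}")
    if "maxSize" in pk and size > pk["maxSize"]:
        out.append(f"privateKey: size {size} exceeds maxSize {pk['maxSize']}")
    return out


# Constructed sample policy and requests (dicts mirroring the manifest shape).
POLICY = {"apiVersion": "policy.cert-manager.io/v1alpha1", "kind": "CertificateRequestPolicy",
          "metadata": {"name": "internal-workloads"},
          "spec": {"selector": {"issuerRef": {}},
                   "allowed": {"commonName": {"required": True, "value": "*.svc.cluster.local"},
                               "dnsNames": {"values": ["*.svc.cluster.local"]},
                               "subject": {"organizations": {"values": ["example-corp"]}},
                               "usages": ["server auth", "digital signature", "key encipherment"]},
                   "constraints": {"maxDuration": "24h",
                                   "privateKey": {"algorithm": "RSA", "minSize": 2048, "maxSize": 4096}}}}
GOOD = {"commonName": "api.payments.svc.cluster.local", "dnsNames": ["api.payments.svc.cluster.local"],
        "subject": {"organizations": ["example-corp"]}, "usages": ["server auth", "digital signature"],
        "isCA": False, "duration": "12h", "key": {"algorithm": "RSA", "size": 2048}}
BAD = {"commonName": "evil.example.com", "dnsNames": ["evil.example.com", "api.payments.svc.cluster.local"],
       "ipAddresses": ["10.0.0.1"], "usages": ["server auth", "cert sign"], "isCA": True,
       "duration": "8760h", "key": {"algorithm": "ECDSA", "size": 256}}
VIOLATIONS = {"GOOD": evaluate(POLICY, GOOD), "BAD": evaluate(POLICY, BAD)}
```

VIOLATIONS["GOOD"] is empty, while VIOLATIONS["BAD"] lists eight violations: a Common Name and a DNS SAN outside the allowed pattern, an IP SAN the policy never mentions, isCA, a cert sign usage, a one-year duration over maxDuration, and an ECDSA P-256 key against an RSA-only constraint with minSize 2048. Setting a field to required with an empty values list denies both ways: a request carrying values fails because nothing is allowed, and a request carrying none fails the required check, which is exactly the "impossible condition" the reference describes.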
CertificateRequestPolicy.spec.plugins[key]
CertificateRequestPolicyPluginData is the configuration a plugin approver needs to evaluate a CertificateRequest against this policy.
Name | Type | Description | Required |
---|---|---|---|
values | map[string]string | Values define a set of key-value pairs, well known to the plugin, that the plugin requires to successfully evaluate a request based on this policy. | false |
CertificateRequestPolicy.status
CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy.
Name | Type | Description | Required |
---|---|---|---|
conditions | []object | List of status conditions to indicate the status of the CertificateRequestPolicy. Known condition types are Ready . | false |
CertificateRequestPolicy.status.conditions[index]
CertificateRequestPolicyCondition contains condition information for a CertificateRequestPolicyStatus.
Name | Type | Description | Required |
---|---|---|---|
status | string | Status of the condition, one of ('True', 'False', 'Unknown'). | true |
type | string | Type of the condition; known values are (Ready). | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
observedGeneration | integer | If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the CertificateRequestPolicy. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |