Venafi Enhanced Issuer API reference
Resource Types:
VenafiClusterIssuer
VenafiClusterIssuer is the Schema for the Venafi Cluster Issuers API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | jetstack.io/v1alpha1 | true |
kind | string | VenafiClusterIssuer | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
VenafiClusterIssuer.spec
Name | Type | Description | Required |
---|---|---|---|
venafiConnectionName | string | The name of the VenafiConnection resource to use. | true |
zone | string | For TLS Protect Cloud, the zone is the combination of an application name and an issuing template name. The syntax is <Application>\<Template>. Example: zone: App1\DigiCert. For TLS Protect Datacenter, the zone corresponds to the DN (distinguished name) of a policy folder. Example: zone: \VED\Policy\TLS\TeamAlpha. You may omit the prefix \VED\Policy\. | true |
certificateNameExpression | string | CEL expression that generates the friendlyName for the certificate in the Venafi Control Plane. On top of standard CEL functions, you can use optional values, string functions, and parseJSON(), which parses a JSON string into a CEL value. The following variables are available: request.name, request.namespace, request.uid, request.labels, request.annotations, request.isCA, request.?maxPathLen, request.?commonName, request.dnsNames, request.uris, request.emailAddresses, request.ipAddresses, request.subject.?serialNumber, request.subject.organization, request.subject.organizationalUnit, request.subject.country, request.subject.province, request.subject.locality, request.subject.streetAddress, request.subject.postalCode. Example 1: request.name. Example 2: request.?commonName.orValue("no-common-name"). Default: optional.none().or(request.?commonName).or(request.dnsNames[?0]).or(request.uris[?0]).or(request.emailAddresses[?0]).or(request.ipAddresses[?0]).value() | false |
contact | object | Contact allows you to configure a list of TLS Protect Datacenter identities that will receive email notifications about the certificate. This feature only works with TLS Protect Datacenter. The TLS Protect Datacenter user used in the VenafiConnection must be an LDAP or AD user, and the LDAP or AD connector's search attributes must have been configured to enable UPN or email address lookups. Note that TLS Protect Datacenter doesn't support looking up users by email addresses for local users. | false |
VenafiClusterIssuer.spec.contact
Contact allows you to configure a list of TLS Protect Datacenter identities that will receive email notifications about the certificate. This feature only works with TLS Protect Datacenter. The TLS Protect Datacenter user used in the VenafiConnection must be an LDAP or AD user, and the LDAP or AD connector's search attributes must have been configured to enable UPN or email address lookups. Note that TLS Protect Datacenter doesn't support looking up users by email addresses for local users.
Name | Type | Description | Required |
---|---|---|---|
emails | []string | Deprecated. Please use tppIdentities instead. | false |
enableCertAnnotation | boolean | When EnableCertAnnotation is enabled, the annotation venafi.com/contact-tpp-identities can be used on Certificates and CertificateRequests. The value must be a comma-separated list of identity strings that map to existing LDAP or AD users in TLS Protect Datacenter. These are combined with the ones in the tppIdentities field. An identity string is a string that allows you to find a user or group in TLS Protect Datacenter, and depends on the search expression (for an AD connector) or the search attributes (for an LDAP connector). The user principal name (UPN) is often configured as an attribute that can be searched. Example of UPNs: venafi.com/contact-tpp-identities: team1@company.com,team-2@example.com | false |
tppIdentities | []string | TLS Protect Datacenter identities to be notified for a certificate issued by this issuer. These identities depend on the search attributes of the identity connector; the user principal name (UPN) is often configured as an attribute that can be searched. These identities are combined with the identities set in the annotation. | false |
VenafiClusterIssuer.status
Name | Type | Description | Required |
---|---|---|---|
conditions | []object | List of status conditions to indicate the status of an Issuer. Known condition types are Ready. | false |
VenafiClusterIssuer.status.conditions[index]
IssuerCondition contains condition information for an Issuer.
Name | Type | Description | Required |
---|---|---|---|
status | enum | Status of the condition, one of (True, False, Unknown). Enum: True, False, Unknown | true |
type | string | Type of the condition, known values are (Ready). | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
observedGeneration | integer | If set, this represents the .metadata.generation that the condition was based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |
VenafiIssuer
VenafiIssuer is the Schema for the Venafi Issuers API.
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | jetstack.io/v1alpha1 | true |
kind | string | VenafiIssuer | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | | false |
status | object | | false |
VenafiIssuer.spec
Name | Type | Description | Required |
---|---|---|---|
venafiConnectionName | string | The name of the VenafiConnection resource to use. | true |
zone | string | For TLS Protect Cloud, the zone is the combination of an application name and an issuing template name. The syntax is <Application>\<Template>. Example: zone: App1\DigiCert. For TLS Protect Datacenter, the zone corresponds to the DN (distinguished name) of a policy folder. Example: zone: \VED\Policy\TLS\TeamAlpha. You may omit the prefix \VED\Policy\. | true |
certificateNameExpression | string | CEL expression that generates the friendlyName for the certificate in the Venafi Control Plane. On top of standard CEL functions, you can use optional values, string functions, and parseJSON(), which parses a JSON string into a CEL value. The following variables are available: request.name, request.namespace, request.uid, request.labels, request.annotations, request.isCA, request.?maxPathLen, request.?commonName, request.dnsNames, request.uris, request.emailAddresses, request.ipAddresses, request.subject.?serialNumber, request.subject.organization, request.subject.organizationalUnit, request.subject.country, request.subject.province, request.subject.locality, request.subject.streetAddress, request.subject.postalCode. Example 1: request.name. Example 2: request.?commonName.orValue("no-common-name"). Default: optional.none().or(request.?commonName).or(request.dnsNames[?0]).or(request.uris[?0]).or(request.emailAddresses[?0]).or(request.ipAddresses[?0]).value() | false |
contact | object | Contact allows you to configure a list of TLS Protect Datacenter identities that will receive email notifications about the certificate. This feature only works with TLS Protect Datacenter. The TLS Protect Datacenter user used in the VenafiConnection must be an LDAP or AD user, and the LDAP or AD connector's search attributes must have been configured to enable UPN or email address lookups. Note that TLS Protect Datacenter doesn't support looking up users by email addresses for local users. | false |
venafiConnectionNamespace | string | The namespace of the VenafiConnection resource to use. If not set, the namespace of the VenafiIssuer will be used. | false |
VenafiIssuer.spec.contact
Contact allows you to configure a list of TLS Protect Datacenter identities that will receive email notifications about the certificate. This feature only works with TLS Protect Datacenter. The TLS Protect Datacenter user used in the VenafiConnection must be an LDAP or AD user, and the LDAP or AD connector's search attributes must have been configured to enable UPN or email address lookups. Note that TLS Protect Datacenter doesn't support looking up users by email addresses for local users.
Name | Type | Description | Required |
---|---|---|---|
emails | []string | Deprecated. Please use tppIdentities instead. | false |
enableCertAnnotation | boolean | When EnableCertAnnotation is enabled, the annotation venafi.com/contact-tpp-identities can be used on Certificates and CertificateRequests. The value must be a comma-separated list of identity strings that map to existing LDAP or AD users in TLS Protect Datacenter. These are combined with the ones in the tppIdentities field. An identity string is a string that allows you to find a user or group in TLS Protect Datacenter, and depends on the search expression (for an AD connector) or the search attributes (for an LDAP connector). The user principal name (UPN) is often configured as an attribute that can be searched. Example of UPNs: venafi.com/contact-tpp-identities: team1@company.com,team-2@example.com | false |
tppIdentities | []string | TLS Protect Datacenter identities to be notified for a certificate issued by this issuer. These identities depend on the search attributes of the identity connector; the user principal name (UPN) is often configured as an attribute that can be searched. These identities are combined with the identities set in the annotation. | false |
VenafiIssuer.status
Name | Type | Description | Required |
---|---|---|---|
conditions | []object | List of status conditions to indicate the status of an Issuer. Known condition types are Ready. | false |
VenafiIssuer.status.conditions[index]
IssuerCondition contains condition information for an Issuer.
Name | Type | Description | Required |
---|---|---|---|
status | enum | Status of the condition, one of (True, False, Unknown). Enum: True, False, Unknown | true |
type | string | Type of the condition, known values are (Ready). | true |
lastTransitionTime | string | LastTransitionTime is the timestamp corresponding to the last status change of this condition. Format: date-time | false |
message | string | Message is a human readable description of the details of the last transition, complementing reason. | false |
observedGeneration | integer | If set, this represents the .metadata.generation that the condition was based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. Format: int64 | false |
reason | string | Reason is a brief machine readable explanation for the condition's last transition. | false |
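
The status.conditions fields documented for both VenafiClusterIssuer and VenafiIssuer can be combined into a single readiness check that also rejects a Ready condition whose observedGeneration lags behind metadata.generation. The following is an added example, not code from the Venafi Enhanced Issuer project; the function name issuer_readiness, the helper _issuer, and the sample objects (including the reason value) are constructed for illustration.

```python
def issuer_readiness(resource):
    """Return (ready, explanation) for an issuer object parsed into a dict."""
    generation = resource.get("metadata", {}).get("generation")
    conditions = (resource.get("status") or {}).get("conditions") or []
    ready = next((c for c in conditions if c.get("type") == "Ready"), None)
    if ready is None:
        return False, "no Ready condition reported"
    observed = ready.get("observedGeneration")
    # observedGeneration is optional. When it is set and lags behind
    # metadata.generation, the condition describes an older spec.
    if observed is not None and generation is not None and observed < generation:
        return False, f"stale condition: observed generation {observed}, current {generation}"
    status = ready.get("status")
    if status != "True":  # the enum values are the strings True, False, Unknown
        detail = ready.get("reason") or ready.get("message") or "no reason given"
        return False, f"Ready={status}: {detail}"
    return True, "Ready"


def _issuer(generation, conditions=None):
    """Build a constructed VenafiIssuer object for the samples below."""
    obj = {
        "apiVersion": "jetstack.io/v1alpha1",
        "kind": "VenafiIssuer",
        "metadata": {"name": "example-issuer", "generation": generation},
    }
    if conditions is not None:
        obj["status"] = {"conditions": conditions}
    return obj


# Constructed samples, not output from a real cluster. "ExampleReason" is a placeholder.
STALE = _issuer(12, [{"type": "Ready", "status": "True", "observedGeneration": 9}])
UP_TO_DATE = _issuer(12, [{"type": "Ready", "status": "True", "observedGeneration": 12}])
FAILING = _issuer(3, [{"type": "Ready", "status": "False", "reason": "ExampleReason",
                       "observedGeneration": 3}])
PENDING = _issuer(1)  # status is optional and may be absent

if __name__ == "__main__":
    for name, obj in [("stale", STALE), ("up to date", UP_TO_DATE),
                      ("failing", FAILING), ("pending", PENDING)]:
        print(name, issuer_readiness(obj))
```

The STALE sample mirrors the generation 12 versus observedGeneration 9 case from the observedGeneration description: the condition reports True, but it was computed against an earlier spec and is treated as not ready.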