Trust Manager API reference
Packages
trust.cert-manager.io/v1alpha1
Resource Types
Bundle
Top-level fields
| Name | Type | Description | Required |
| apiVersion | string | trust.cert-manager.io/v1alpha1 | true |
| kind | string | Bundle | true |
| metadata | object | Standard object metadata. Bundle is cluster-scoped, so it carries no namespace. | true |
| spec | object | Desired state of the Bundle resource. | true |
| status | object | Status of the Bundle. Set and managed automatically. | false |
Bundle.spec
Desired state of the Bundle resource.
| Name | Type | Description | Required |
| sources | []object | Set of references whose data will be synced to the target. | true |
| target | object | Target location (in namespaces) where source data is synced. | true |
Bundle.spec.sources[index]
BundleSource is one entry in the set of sources whose data is concatenated and synced to the BundleTarget in every namespace (or only in the namespaces matched by target.namespaceSelector, when one is set). Exactly one of configMap, inLine, secret or useDefaultCAs must be set per entry.
| Name | Type | Description | Required |
| configMap | object | Reference (by name or label selector) to a ConfigMap’s data keys in the trust namespace. | false |
| inLine | string | A literal string of PEM-encoded certificates to append as source data. | false |
| secret | object | Reference (by name or label selector) to a Secret’s data keys in the trust namespace. | false |
| useDefaultCAs | boolean | When true, include the default CA bundle shipped with trust-manager as a source. Default CAs are available only if trust-manager was installed via Helm or started with the --default-package-location flag; if they were not configured at startup, a Bundle that requests them fails to sync. The version in use is recorded in status.defaultCAVersion. | false |
Bundle.spec.sources[index].configMap
Reference to a ConfigMap’s data keys (by name or selector) in the trust namespace.
| Name | Type | Description | Required |
| includeAllKeys | boolean | Include all keys from the object’s data field. Defaults to false. Must not be true when key is set. | false |
| key | string | Specific key in the object’s data to use. | false |
| name | string | Name of the source object in the trust namespace. Must be empty when selector is set. | false |
| selector | object | Label selector to fetch a list of objects. Must not be set when name is set. | false |
Bundle.spec.sources[index].configMap.selector
| Name | Type | Description | Required |
| matchExpressions | []object | List of label selector requirements (ANDed). | false |
| matchLabels | map[string]string | Map of key/value pairs. Equivalent to matchExpressions entries with operator In. Requirements are ANDed. | false |
Bundle.spec.sources[index].configMap.selector.matchExpressions[index]
A label selector requirement with key, operator, and optional values.
| Name | Type | Description | Required |
| key | string | Label key the selector applies to. | true |
| operator | string | Relationship to values. Valid: In, NotIn, Exists, DoesNotExist. | true |
| values | []string | Values array. Required (non-empty) for In/NotIn; must be empty for Exists/DoesNotExist. | false |
Bundle.spec.sources[index].secret
Reference to a Secret’s data keys (by name or selector) in the trust namespace.
| Name | Type | Description | Required |
| includeAllKeys | boolean | Include all keys from the object’s data field. Defaults to false. Must not be true when key is set. | false |
| key | string | Specific key in the object’s data to use. | false |
| name | string | Name of the source object in the trust namespace. Must be empty when selector is set. | false |
| selector | object | Label selector to fetch a list of objects. Must not be set when name is set. | false |
Bundle.spec.sources[index].secret.selector
| Name | Type | Description | Required |
| matchExpressions | []object | List of label selector requirements (ANDed). | false |
| matchLabels | map[string]string | Map of key/value pairs (see matchExpressions equivalence). ANDed. | false |
Bundle.spec.sources[index].secret.selector.matchExpressions[index]
| Name | Type | Description | Required |
| key | string | Label key the selector applies to. | true |
| operator | string | Valid: In, NotIn, Exists, DoesNotExist. | true |
| values | []string | Values array. Required for In/NotIn; must be empty for Exists/DoesNotExist. | false |
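The source rules above (one source type per entry, name or selector but not both, key or includeAllKeys but not both, default CAs only when the package was configured at startup) are easiest to read as a complete manifest. The following Bundle is an added example written for this page, not a manifest from the trust-manager project; the Bundle name, the ConfigMap name and key, and the Secret label are assumptions, and the referenced ConfigMap and Secrets must exist in the trust namespace (the namespace trust-manager runs in).

```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-ca-bundle          # assumed name; Bundle is cluster-scoped, no namespace
spec:
  sources:
    # 1. Public roots shipped with trust-manager. Requires the default package
    #    (Helm install or --default-package-location); the version used is
    #    reported in status.defaultCAVersion. Fails to sync if not configured.
    - useDefaultCAs: true

    # 2. One key of one ConfigMap in the trust namespace. `name` pairs with `key`;
    #    `selector` and `includeAllKeys: true` must not be combined with them.
    - configMap:
        name: corp-root-ca           # assumed ConfigMap name
        key: root-ca.pem             # assumed data key holding PEM certificates

    # 3. Every data key of every Secret in the trust namespace carrying the label.
    #    `selector` excludes `name`; `includeAllKeys: true` excludes `key`.
    #    Only PEM certificate keys belong in such Secrets: every key is appended
    #    to the public bundle, so never label a Secret that also holds private keys.
    - secret:
        selector:
          matchLabels:
            trust.example.com/include: "true"   # assumed label; value must be a string
        includeAllKeys: true

  target:
    configMap:
      key: ca-bundle.pem             # data key written in each target namespace
```

Apply it with `kubectl apply -f` and confirm the sync from `status.conditions`. An `inLine` entry would take the PEM text directly as a YAML block scalar; it is omitted here so the manifest stays applyable without a real certificate. The validation rules are enforced at admission, so a manifest that sets both `name` and `selector`, or both `key` and `includeAllKeys: true`, is rejected before anything is synced.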
Bundle.spec.target
Target location in namespaces where source data will be synced. At least one of configMap or secret must be set.
| Name | Type | Description | Required |
| additionalFormats | object | Additional formats (JKS and PKCS#12 trust stores) to write to the target alongside the PEM bundle. | false |
| configMap | object | Target ConfigMap in namespaces where bundle data will be synced. | false |
| namespaceSelector | object | If set, only sync the target resource in namespaces matching this selector. If unset, the target is synced to every namespace. | false |
| secret | object | Target Secret in namespaces where bundle data will be synced. Writing Secret targets must be enabled when trust-manager starts; it is disabled by default, in which case trust-manager can only read Secrets in the trust namespace and cannot create or update Secrets anywhere. Enabling it widens the controller's RBAC to write Secrets in target namespaces, so only turn it on when a consumer genuinely needs the bundle as a Secret. | false |
Bundle.spec.target.additionalFormats
Additional formats written to the target alongside the PEM bundle.
| Name | Type | Description | Required |
| jks | object | Java KeyStore (JKS) trust store written under the given key. | false |
| pkcs12 | object | PKCS#12 trust store written under the given key. | false |
Bundle.spec.target.additionalFormats.jks
| Name | Type | Description | Required |
| key | string | Key of the entry in the target object’s data field. | true |
| password | string | Password for the JKS trust store. Default: changeit. | false |
Bundle.spec.target.additionalFormats.pkcs12
| Name | Type | Description | Required |
| key | string | Key of the entry in the target object’s data field. | true |
| password | string | Password for the PKCS#12 trust store. Default: (empty). | false |
| profile | enum | Certificate encryption and HMAC profile used to build the PKCS#12 store. Allowed: LegacyRC2 (deprecated; not supported by default in OpenSSL 3 or Java 20), LegacyDES (less secure, but the most widely supported), Modern2023 (secure, modern algorithms; not supported by every client). Default: LegacyRC2, kept only for backward compatibility. | false |
Bundle.spec.target.configMap
| Name | Type | Description | Required |
| key | string | Key of the entry in the object’s data field to be used. | true |
| metadata | object | Optional labels and annotations to copy to the target. | false |
Bundle.spec.target.configMap.metadata
| Name | Type | Description | Required |
| annotations | map[string]string | Key/value map copied to the target as annotations. | false |
| labels | map[string]string | Key/value map copied to the target as labels. | false |
Bundle.spec.target.namespaceSelector
| Name | Type | Description | Required |
| matchExpressions | []object | List of label selector requirements (ANDed). | false |
| matchLabels | map[string]string | Map of key/value pairs; equivalent to matchExpressions entries with operator In. ANDed. | false |
Bundle.spec.target.namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
| key | string | Label key the selector applies to. | true |
| operator | string | Valid: In, NotIn, Exists, DoesNotExist. | true |
| values | []string | Values array. Required for In/NotIn; must be empty for Exists/DoesNotExist. | false |
Bundle.spec.target.secret
| Name | Type | Description | Required |
| key | string | Key of the entry in the object’s data field to be used. | true |
| metadata | object | Optional labels and annotations to copy to the target. | false |
Bundle.spec.target.secret.metadata
| Name | Type | Description | Required |
| annotations | map[string]string | Key/value map copied to the target as annotations. | false |
| labels | map[string]string | Key/value map copied to the target as labels. | false |
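The target fields above decide where the bundle lands, what metadata it carries, and which trust-store formats and algorithms are produced. The manifest below is an added example for this page, not project code: it restricts delivery to labelled namespaces, copies metadata onto each target, and overrides the PKCS#12 profile, whose default (LegacyRC2) is the weak setting. The Bundle name, the namespace label, the annotation and the data keys are assumptions; the second document shows the Secret-target variant, which only syncs when Secret targets were enabled at startup.

```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-ca-bundle                   # assumed name
spec:
  sources:
    - useDefaultCAs: true                   # requires the default CA package
  target:
    # Only namespaces carrying this label receive a copy. Without namespaceSelector
    # every namespace in the cluster gets the ConfigMap.
    namespaceSelector:
      matchLabels:
        trust.example.com/bundle: "enabled"   # assumed label
    configMap:
      key: ca-bundle.pem                      # PEM bundle, one entry per target
      metadata:
        labels:
          app.kubernetes.io/managed-by: trust-manager   # copied onto every target
        annotations:
          example.com/owner: platform-security          # assumed annotation
    additionalFormats:
      jks:
        key: ca-bundle.jks
        # password omitted: defaults to "changeit". A trust store holds only public
        # certificates, so the password provides integrity, not confidentiality.
      pkcs12:
        key: ca-bundle.p12
        # Weak default: omitting `profile` selects LegacyRC2, which OpenSSL 3 and
        # Java 20 no longer accept by default. Modern2023 is the hardened choice;
        # use LegacyDES only if a client cannot read the modern store.
        profile: Modern2023
---
# Variant that additionally writes a Secret. Secret targets are off by default; if
# trust-manager was not started with them enabled, it has no RBAC to write Secrets
# outside the trust namespace and the Bundle reports the failure in status.conditions.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-ca-bundle-secret            # assumed name
spec:
  sources:
    - useDefaultCAs: true
  target:
    namespaceSelector:
      matchLabels:
        trust.example.com/bundle: "enabled"   # assumed label
    secret:
      key: ca-bundle.pem
      metadata:
        labels:
          app.kubernetes.io/managed-by: trust-manager
```

After applying, `kubectl get bundle` lists each Bundle with its sync state, and `kubectl get configmap ca-bundle -n <labelled-namespace>` (the target object is named after the Bundle) shows the three data keys. Before relying on the second document, check how trust-manager was deployed: with the Helm chart, Secret targets are governed by the `secretTargets.enabled` value together with an allow-list of authorized Secret names (or an explicit opt-in to all Secrets), which is the least-privilege knob to prefer over blanket Secret write access; these are chart values, not fields of the Bundle API documented here.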
Bundle.status
Status of the Bundle. Set and managed automatically.
| Name | Type | Description | Required |
| conditions | []object | List of condition entries indicating Bundle status. Known condition types include Bundle. | false |
| defaultCAVersion | string | Version information of the default CA package, set only when at least one source has useDefaultCAs: true. Every Bundle that uses the same default CA package reports the same value. | false |
Bundle.status.conditions[index]
Condition details for one aspect of the current state.
| Name | Type | Description | Required |
| lastTransitionTime | string | Time the condition last transitioned from one status to another. This should be when the underlying condition changed; if that is unknown, the time the API field changed is acceptable. Format: date-time | true |
| message | string | Human-readable message about the transition (may be empty). | true |
| reason | string | Programmatic identifier for the last transition reason (CamelCase; must not be empty). | true |
| status | enum | One of True, False, Unknown. | true |
| type | string | Condition type (CamelCase or group/Type). | true |
| observedGeneration | integer | .metadata.generation that this condition was set from. Format: int64, Minimum: 0 | false |