TLS Protect for Kubernetes Operator API documentation

Packages:

operator.jetstack.io/v1alpha1

Installation

Installation represents an installation of TLS Protect for Kubernetes components and resources.

Field Description
apiVersion
string
operator.jetstack.io/v1alpha1
kind
string
Installation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
InstallationSpec


certManager
CertManager

CertManager contains configuration options for the Installation’s cert-manager installation. This field must be set, as cert-manager is a required component.

approverPolicy
ApproverPolicy
(Optional)

ApproverPolicy contains configuration options for the Installation’s approver-policy installation. This field or approverPolicyEnterprise must be set as approver-policy is a required component. https://platform.jetstack.io/documentation/installation/approver-policy

approverPolicyEnterprise
ApproverPolicyEnterprise
(Optional)

ApproverPolicyEnterprise contains configuration options for the Installation’s approver-policy-enterprise installation. This is mutually exclusive with the approverPolicy field. https://platform.jetstack.io/documentation/installation/approver-policy

venafiOauthHelper
VenafiOauthHelper
(Optional)

VenafiOauthHelper contains configuration options for the Installation’s venafi-oauth-helper installation, if required. If unset (default), venafi-oauth-helper will not be installed. Set this field to an empty object to install venafi-oauth-helper with default options. See https://platform.jetstack.io/documentation/reference/venafi-oauth-helper/configuration to learn more about venafi-oauth-helper.

certDiscoveryVenafi
CertDiscoveryVenafi
(Optional)

CertDiscoveryVenafi contains configuration options for cert-discovery-venafi. See https://platform.jetstack.io/documentation/installation/cert-discovery-venafi to learn more about cert-discovery-venafi. If unset (default) cert-discovery-venafi will not be installed.

venafiEnhancedIssuer
VenafiEnhancedIssuer
(Optional)

VenafiEnhancedIssuer contains configuration options for venafi-enhanced-issuer. See https://platform.jetstack.io/documentation/reference/venafi-enhanced-issuer to learn more about venafi-enhanced-issuer. If unset (default) venafi-enhanced-issuer will not be installed.

venafiConnections
[]*./pkg/apis/operator/v1alpha1.VenafiConnection
(Optional)

VenafiConnections can be used to configure VenafiConnection resources that the operator will deploy. These VenafiConnection resources can be referenced by Venafi Enhanced Issuer resources and Approver Policy Enterprise resources. See https://platform.jetstack.io/documentation/configuration/venafi-connection to learn more about VenafiConnection resources.

issuers
[]*./pkg/apis/operator/v1alpha1.Issuer
(Optional)

Issuers can be used to configure cert-manager issuers that the operator will deploy. Currently only cert-manager.io Issuer and ClusterIssuer types are supported.

csiDrivers
CSIDrivers
(Optional)

CSIDrivers contains configuration for the different CSI Drivers available for installation

istioCSR
IstioCSR
(Optional)

IstioCSR contains configuration for istio-csr https://platform.jetstack.io/documentation/installation/istio-csr

trustManager
TrustManager
(Optional)

TrustManager contains configuration for trust-manager https://cert-manager.io/docs/projects/trust/

images
Images
(Optional)

Images contains configuration for component images.

componentNamespace
string
(Optional)

ComponentNamespace configures the namespace in which Jetstack Secure components are deployed. The namespace will be created if it does not exist. Defaults to jetstack-secure. This namespace is also used as the component leader election namespace and as the cluster resource namespace (the namespace in which cluster-scoped issuers look up their Secrets).

status
InstallationStatus
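A complete Installation manifest, added here as an illustration rather than taken from the operator project, that sets every required field plus the image and namespace options described above. The resource name, the registry mirror and the pull-secret name are assumptions; the version strings are the defaults this reference lists.

```yaml
# Added example: a minimal but production-shaped Installation.
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk            # assumed name
spec:
  # All components are deployed here (created if missing). This is also the
  # leader-election namespace and the cluster resource namespace, so Secrets
  # referenced by cluster-scoped issuers must live here.
  componentNamespace: jetstack-secure

  # Supply-chain control: mirror the component images into a registry you
  # control instead of pulling from the vendor GCR. The images must already
  # exist there and the pull Secret must exist in the component namespace.
  images:
    registry: registry.example.com/tlspk      # assumed mirror
    secret: tlspk-pull-secret                 # assumed image pull Secret

  # Required: cert-manager itself. Two controller replicas (only one leads at
  # a time) and three webhook replicas so admission keeps working while a node
  # is drained.
  certManager:
    version: v1.12.1
    controller:
      replicas: 2
    webhook:
      replicas: 3

  # Required: exactly one of approverPolicy / approverPolicyEnterprise.
  approverPolicy:
    version: v0.7.0
    replicas: 2

  # Optional components: any field left unset is simply not installed.
  trustManager:
    version: v0.5.0
    replicas: 2
```

Readiness is reported through status.conditions. Wait for the Ready condition to be True and check that its observedGeneration equals metadata.generation; a lower value means the operator has not yet acted on the spec you just applied. The per-component conditions (CertManagerReady, ApproverPolicyReady, TrustManagerReady, and so on) tell you which installation is the one that is stuck.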

ApproverPolicy

(Appears on:InstallationSpec)

ApproverPolicy contains configuration options for the Installation’s approver-policy installation. See https://cert-manager.io/docs/projects/approver-policy/ to learn more about approver-policy.

Field Description
version
string
(Optional)

Version is the version of approver-policy to install (https://github.com/cert-manager/approver-policy/releases). Default version: v0.7.0. Supported versions: v0.7.0, v0.6.3, v0.6.2.

replicas
int
(Optional)

ReplicaCount is the number of approver-policy instances to run. Defaults to 2 instances.

ApproverPolicyEnterprise

(Appears on:InstallationSpec)

ApproverPolicyEnterprise contains configuration options for the Installation’s approver-policy-enterprise installation

Field Description
version
string
(Optional)

Version is the version of approver-policy-enterprise to install (https://github.com/cert-manager/approver-policy/releases). Default: v0.9.0. Supported versions: v0.9.0, v0.8.0, v0.7.2.

replicas
int
(Optional)

ReplicaCount is the number of approver-policy instances to run. Defaults to 2 instances.

caSources
[]*./pkg/apis/operator/v1alpha1.ObjectReference

CASources refers to a list of API objects that are CA sources. Currently only ConfigMap sources are supported. For each configured ConfigMap, the contents of the ca.crt key will be mounted under /etc/ssl/certs/ in the manager container of the approver-policy-enterprise Pod. ConfigMaps must be in the component namespace (defaults to jetstack-secure).

CAIssuer

(Appears on:Issuer)

CAIssuer represents the configuration of the cert-manager.io CA issuer type https://cert-manager.io/docs/configuration/ca/.

Field Description
secretName
string

SecretName is the name of the secret used to sign Certificates issued by this Issuer.

selfSignedCA
SelfSignedCA
(Optional)

SelfSignedCA can be used to bootstrap the CA issuer with a CA cert issued by self-signed issuer. If this field is set, the operator will create a self-signed issuer and use that to issue a self-signed CA cert which will be stored in SecretName secret.

crlDistributionPoints
[]string
(Optional)

The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set.

ocspServers
[]string
(Optional)

The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be “http://ocsp.int-x3.letsencrypt.org”.

CSIDriverCertManager

(Appears on:CSIDrivers)

CSIDriverCertManager wraps the options available for configuring the cert-manager csiDriver component https://cert-manager.io/docs/projects/csi-driver/

Field Description
version
string
(Optional)

Version is the version of csi-driver to install (https://github.com/cert-manager/csi-driver/releases). Default: v0.5.0. Supported versions: v0.5.0.

CSIDriverCertManagerSpiffe

(Appears on:CSIDrivers)

CSIDriverCertManagerSpiffe wraps the options available for configuring the cert-manager csi-driver-spiffe component https://cert-manager.io/docs/projects/csi-driver-spiffe/

Field Description
version
string
(Optional)

Version is the version of cert-manager/csi-driver-spiffe to install (https://github.com/cert-manager/csi-driver-spiffe/releases). Default: v0.4.0. Supported versions: v0.4.0, v0.2.0.

issuerRef
github.com/cert-manager/cert-manager/pkg/apis/meta/v1.ObjectReference
(Optional)

IssuerRef is a reference to the issuer that will be used to issue certs by csi-spiffe. This must correspond to an issuer configured in Installation.spec.issuers and must be either a cluster-scoped issuer or be in the same namespace as the pods that will request the certificate volumes. Defaults to a cert-manager.io ClusterIssuer named spiffe-ca.

replicas
int
(Optional)

ReplicaCount is the number of approver (component responsible for verifying requests for SVID certs from the configured issuer) instances to run. Defaults to 2.

CSIDriverName (string alias)

Value Description

"cert-manager.io/csi-driver"

CertManagerCSIDriverName is the name of the CSI driver that corresponds to the cert-manager/csi-driver project.

"cert-manager.io/csi-driver-spiffe"

CertManagerSpiffeCSIDriverName is the name of the CSI driver that corresponds to the cert-manager/csi-driver-spiffe project.

CSIDrivers

(Appears on:InstallationSpec)

CSIDrivers specifies installation of different CSIDrivers

Field Description
certManager
CSIDriverCertManager
(Optional)

certManager refers to the configuration of a cert-manager.io/csi-driver https://cert-manager.io/docs/projects/csi-driver/

certManagerSpiffe
CSIDriverCertManagerSpiffe
(Optional)

CertManagerSpiffe refers to the configuration of cert-manager/csi-driver-spiffe that can be used to issue SPIFFE certs for workloads https://cert-manager.io/docs/projects/csi-driver-spiffe/

CertDiscoveryVenafi

(Appears on:InstallationSpec)

CertDiscoveryVenafi contains configuration options for cert-discovery-venafi installation. cert-discovery-venafi syncs cluster certs to Venafi TPP, read more at https://platform.jetstack.io/documentation/installation/cert-discovery-venafi

Field Description
version
string
(Optional)

Version is the version of cert-discovery-venafi to install. Defaults to v0.2.0. Supported versions: v0.2.0.

replicas
int
(Optional)

ReplicaCount is the number of cert-discovery-venafi instances to run. Defaults to 1 instance.

tpp
TPP

Venafi TPP server configuration options.

CertManager

(Appears on:InstallationSpec)

CertManager contains configuration options for the Installation’s cert-manager installation

Field Description
version
string
(Optional)

Version is the version of the cert-manager release to install (https://github.com/cert-manager/cert-manager/releases). Default: v1.12.1. Supported versions: v1.12.1, v1.11.1, v1.11.0.

controller
CertManagerControllerConfig
(Optional)

Controller wraps the configuration options for the cert-manager controller

webhook
CertManagerWebhookConfig
(Optional)

Webhook wraps the configuration options for the cert-manager webhook deployment

CertManagerControllerConfig

(Appears on:CertManager)

CertManagerControllerConfig contains installation instructions for cert-manager controller.

Field Description
replicas
int
(Optional)

ReplicaCount is the number of controller instances to run. Only one instance at a time will be a leader. Defaults to 2.

CertManagerWebhookConfig

(Appears on:CertManager)

CertManagerWebhookConfig contains installation instructions for cert-manager webhook.

Field Description
replicas
int
(Optional)

ReplicaCount is the number of webhook instances to run, default 2

ConditionStatus (string alias)

(Appears on:InstallationCondition)

ConditionStatus is the status of the condition.

Value Description

"False"

ConditionFalse means that the condition is false.

"True"

ConditionTrue means that the condition is true.

"Unknown"

ConditionUnknown means that the condition is unknown.

ConfigMapKeySelector

ConfigMapKeySelector is a reference to a key in a configmap

Field Description
name
string

Name is the name of a configmap

key
string

Key is a key in a configmap

Images

(Appears on:InstallationSpec)

Images contains configuration options for all component images.

Field Description
registry
string
(Optional)

Registry allows configuring a custom registry for all images of components managed by the operator. It is the user’s responsibility to ensure that the images exist in the registry. By default all images will be pulled from the TLS Protect for Kubernetes Enterprise GCR.

secret
string
(Optional)

Name of an image pull secret to be used to pull images from the registry. This will be added to all component pod specs in component resource configurations. It is the user’s responsibility to ensure that the secret exists in the jetstack-secure namespace.

InstallationCondition

(Appears on:InstallationStatus)

InstallationCondition represents the structure of a ‘Condition’ item in the InstallationStatus

Field Description
type
InstallationConditionType

Type of condition. Known values are (Ready)

status
ConditionStatus

Status of the condition (True, False or Unknown).

reason
string
(Optional)

Reason is a brief, machine readable explanation for the condition’s last transition.

message
string
(Optional)

Message is a longer, human readable explanation for the condition’s last transition.

observedGeneration
int64

ObservedGeneration is the value of .metadata.generation at the time this condition was set. This provides a way to track whether the condition is up to date in regards to the current spec. https://github.com/kubernetes/kubernetes/blob/59fdc02b13ec1412d7f4ad078c91050516024a79/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy.go#L82-L89

lastTransitionTime
Kubernetes meta/v1.Time
(Optional)

LastTransitionTime is the last time this condition transitioned from one state to another.

InstallationConditionType (string alias)

(Appears on:InstallationCondition)

Value Description

"ApproverPolicyEnterpriseReady"

InstallationConditionApproverPolicyEnterpriseReady represents the state of the approver-policy-enterprise installation.

"ApproverPolicyReady"

InstallationConditionApproverPolicyReady represents the state of the approver-policy installation.

"CSIDriversReady"

InstallationConditionCSIDriversReady represents the state of the installations of any CSI Drivers configured on Installation spec.

"CertDiscoveryVenafiReady"

InstallationConditionCertDiscoveryVenafiReady represents the state of the cert-discovery-venafi installation.

"CertManagerIssuersReady"

InstallationConditionCertManagerIssuersReady indicates whether all cert-manager.io issuers are ready and up to date with the current spec.

"CertManagerReady"

InstallationConditionCertManagerReady indicates that cert-manager is ready and up to date with the current spec.

"CertManagerReconciling"

InstallationConditionCertManagerReconciling indicates that cert-manager installation is currently being reconciled.

"IstioCSRReady"

InstallationConditionIstioCSRReady represents the state of istio-csr if it is configured.

"ManifestsReady"

InstallationConditionManifestsReady indicates that in-memory manifests are ready and up to date.

"NamespaceReady"

InstallationConditionNamespaceReady indicates that the component namespace exists

"Ready"

InstallationConditionReady indicates that the Installation is Ready. This means that all the configured components are healthy.

"TrustManagerReady"

InstallationConditionTrustMangerReady represents the state of the trust-manager installation.

"VenafiConnectionsReady"

InstallationConditionVenafiConnectionsReady indicates whether all jetstack.io Venafi Connections are ready and up to date with the current spec.

"VenafiEnhancedIssuerReady"

InstallationConditionVenafiEnhancedIssuerReady represents the state of the venafi-enhanced-issuer installation.

"VenafiIssuersReady"

InstallationConditionVenafiIssuersReady indicates whether all jetstack.io issuers are ready and up to date with the current spec.

"VenafiOauthHelperReady"

InstallationConditionVenafiOauthHelperReady represents the state of the venafi-oauth-helper installation.

InstallationSpec

(Appears on:Installation)

InstallationSpec defines the desired state of Installation

Field Description
certManager
CertManager

CertManager contains configuration options for the Installation’s cert-manager installation. This field must be set, as cert-manager is a required component.

approverPolicy
ApproverPolicy
(Optional)

ApproverPolicy contains configuration options for the Installation’s approver-policy installation. This field or approverPolicyEnterprise must be set as approver-policy is a required component. https://platform.jetstack.io/documentation/installation/approver-policy

approverPolicyEnterprise
ApproverPolicyEnterprise
(Optional)

ApproverPolicyEnterprise contains configuration options for the Installation’s approver-policy-enterprise installation. This is mutually exclusive with the approverPolicy field. https://platform.jetstack.io/documentation/installation/approver-policy

venafiOauthHelper
VenafiOauthHelper
(Optional)

VenafiOauthHelper contains configuration options for the Installation’s venafi-oauth-helper installation, if required. If unset (default), venafi-oauth-helper will not be installed. Set this field to an empty object to install venafi-oauth-helper with default options. See https://platform.jetstack.io/documentation/reference/venafi-oauth-helper/configuration to learn more about venafi-oauth-helper.

certDiscoveryVenafi
CertDiscoveryVenafi
(Optional)

CertDiscoveryVenafi contains configuration options for cert-discovery-venafi. See https://platform.jetstack.io/documentation/installation/cert-discovery-venafi to learn more about cert-discovery-venafi. If unset (default) cert-discovery-venafi will not be installed.

venafiEnhancedIssuer
VenafiEnhancedIssuer
(Optional)

VenafiEnhancedIssuer contains configuration options for venafi-enhanced-issuer. See https://platform.jetstack.io/documentation/reference/venafi-enhanced-issuer to learn more about venafi-enhanced-issuer. If unset (default) venafi-enhanced-issuer will not be installed.

venafiConnections
[]*./pkg/apis/operator/v1alpha1.VenafiConnection
(Optional)

VenafiConnections can be used to configure VenafiConnection resources that the operator will deploy. These VenafiConnection resources can be referenced by Venafi Enhanced Issuer resources and Approver Policy Enterprise resources. See https://platform.jetstack.io/documentation/configuration/venafi-connection to learn more about VenafiConnection resources.

issuers
[]*./pkg/apis/operator/v1alpha1.Issuer
(Optional)

Issuers can be used to configure cert-manager issuers that the operator will deploy. Currently only cert-manager.io Issuer and ClusterIssuer types are supported.

csiDrivers
CSIDrivers
(Optional)

CSIDrivers contains configuration for the different CSI Drivers available for installation

istioCSR
IstioCSR
(Optional)

IstioCSR contains configuration for istio-csr https://platform.jetstack.io/documentation/installation/istio-csr

trustManager
TrustManager
(Optional)

TrustManager contains configuration for trust-manager https://cert-manager.io/docs/projects/trust/

images
Images
(Optional)

Images contains configuration for component images.

componentNamespace
string
(Optional)

ComponentNamespace configures the namespace in which Jetstack Secure components are deployed. The namespace will be created if it does not exist. Defaults to jetstack-secure. This namespace is also used as the component leader election namespace and as the cluster resource namespace (the namespace in which cluster-scoped issuers look up their Secrets).

InstallationStatus

(Appears on:Installation)

InstallationStatus defines the observed state of Installation

Field Description
conditions
[]InstallationCondition

Issuer

Field Description
name
string

Name is the name of the Issuer.

clusterScope
bool
(Optional)

Whether a cluster-scoped resource should be created. In the case of core cert-manager.io issuers, setting this to true will result in a ClusterIssuer being created; setting this to false will result in an Issuer being created. (Default value is false.)

namespace
string
(Optional)

Namespace for an Issuer. Cannot be set if ClusterScope is set to true and must be set if ClusterScope is set to false. Namespace needs to already exist.

labels
map[string]string
(Optional)

Labels to set on the created issuer. More info: http://kubernetes.io/docs/user-guide/labels

annotations
map[string]string
(Optional)

Annotations to set on the created issuer. More info: http://kubernetes.io/docs/user-guide/annotations

acme
github.com/cert-manager/cert-manager/pkg/apis/acme/v1.ACMEIssuer
(Optional)

ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. https://cert-manager.io/docs/configuration/acme/

ca
CAIssuer
(Optional)

CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. https://cert-manager.io/docs/configuration/ca/

vault
github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1.VaultIssuer
(Optional)

Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. https://cert-manager.io/docs/configuration/vault/

selfSigned
github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1.SelfSignedIssuer
(Optional)

SelfSigned configures this issuer to ‘self sign’ certificates using the private key used to create the CertificateRequest object. https://cert-manager.io/docs/configuration/selfsigned/

venafi
github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1.VenafiIssuer
(Optional)

Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. https://cert-manager.io/docs/configuration/venafi/

venafiEnhancedIssuer
github.com/jetstack/venafi-enhanced-issuer/api/v1alpha1.VenafiConnectionRef
(Optional)

VenafiEnhancedIssuer is an enterprise version of the cert-manager Venafi issuer. It provides advanced authentication and error handling. https://platform.jetstack.io/documentation/reference/venafi-enhanced-issuer If one of the steps in the issuer’s chain of authentication steps involves reading a Kubernetes Secret or requesting a Kubernetes ServiceAccount token, the Role and RoleBinding needed to read the Secret or request the token will be created together with the issuer. https://platform.jetstack.io/documentation/reference/venafi-enhanced-issuer/configuration

policy
Policy
(Optional)

Policy is the configuration of the CertificateRequestPolicy for this issuer. Currently a default ‘allow-all’ policy will be configured for each issuer that does not have a custom policy configured. https://github.com/cert-manager/approver-policy/tree/main
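The issuers list in practice, as an added example that is not part of the operator's own documentation: one cluster-scoped CA bootstrapped by the operator through selfSignedCA, and one namespaced issuer backed by an external HashiCorp Vault PKI mount using the cert-manager VaultIssuer fields. The Vault server, mount path, role, Secret names and revocation URLs are assumptions.

```yaml
# Added example: two issuers managed by the operator.
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk
spec:
  certManager: {}          # required components; defaults used for brevity
  approverPolicy: {}
  issuers:
    # 1. Cluster-scoped internal CA. The operator creates a self-signed issuer,
    #    issues a CA certificate with the subject below and stores key and
    #    certificate in Secret "internal-ca" in the component namespace.
    - name: internal-ca
      clusterScope: true
      labels:
        owner: platform-security
      ca:
        secretName: internal-ca
        selfSignedCA:
          commonName: "Example Internal Root CA"
          subject:
            organizations: ["Example Corp"]
            organizationalUnits: ["Platform Security"]
        # Revocation pointers stamped into every leaf certificate (assumed
        # URLs). Only set them if something actually serves a CRL/OCSP there;
        # a dead URL trains clients to ignore revocation.
        crlDistributionPoints:
          - http://crl.example.com/internal-ca.crl
        ocspServers:
          - http://ocsp.example.com
      # No policy set: the operator creates a default allow-all policy for
      # this issuer. Fine for bootstrapping, not for production.

    # 2. Namespaced issuer signing through Vault. The "apps" namespace must
    #    already exist, and the token Secret must live in it.
    - name: vault-apps
      clusterScope: false
      namespace: apps
      vault:
        server: https://vault.example.com:8200          # assumed
        path: pki_int/sign/apps-example-com             # assumed sign role path
        auth:
          kubernetes:
            role: cert-manager-apps                     # assumed Vault role
            mountPath: /v1/auth/kubernetes
            secretRef:
              name: vault-sa-token                      # assumed Secret
              key: token
```

The Vault issuer never holds a signing key in the cluster, which is the reason to prefer it over the CA issuer for anything beyond an internal test PKI: with the CA issuer, whoever can read the internal-ca Secret in the component namespace can mint certificates for any name.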

IstioCSR

(Appears on:InstallationSpec)

IstioCSR contains configuration options for istio-csr deployment.

Field Description
version
string
(Optional)

Version is the version of istio-csr to install (https://github.com/cert-manager/istio-csr/releases). Default: v0.6.0. Supported versions: v0.6.0, v0.5.0.

istioNamespace
string
(Optional)

The namespace in which Istio will be deployed. The namespace is used to pre-create istiod’s serving certificate, verify the Issuer configured for istio-csr and configure istio-csr itself. Defaults to istio-system.

issuerRef
github.com/cert-manager/cert-manager/pkg/apis/meta/v1.ObjectReference
(Optional)

IssuerRef is a reference to the issuer that will be used to issue certs for istiod and workloads. This must correspond to an issuer configured in Installation.spec.issuers and must be either a cluster-scoped issuer or be in IstioNamespace. Defaults to a cert-manager.io Issuer named istio-ca.

replicas
int
(Optional)

ReplicaCount is the number of instances to run, default 2
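Wiring istio-csr and cert-manager/csi-driver to their issuers, as an added example (not the operator project's own manifest). It demonstrates the cross-references this section spells out: istioCSR.issuerRef must name an issuer defined in spec.issuers that is either cluster-scoped or lives in istioNamespace, and the policy attached to that issuer must grant the istio-csr (or csi-driver) service account access. The SPIFFE trust domain, cluster domain and DNS name patterns are assumptions to adjust to your mesh.

```yaml
# Added example: issuers plus the components that consume them.
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk
spec:
  certManager: {}
  approverPolicy: {}
  issuers:
    # istio-csr defaults to a cert-manager.io Issuer named istio-ca in
    # istioNamespace, so define exactly that. The namespace must already exist.
    - name: istio-ca
      clusterScope: false
      namespace: istio-system
      ca:
        secretName: istio-ca
        selfSignedCA:
          commonName: "Example Istio Mesh CA"
      policy:
        subjects:
          certManager: true      # istiod's serving cert is pre-created via a Certificate
          istioCSR: true         # workload identities are requested by istio-csr itself
        allowed:
          dnsNames:
            values: ["*.istio-system.svc", "*.istio-system.svc.cluster.local"]   # assumed
          uris:
            values: ["spiffe://cluster.local/*"]          # assumed trust domain
          usages:
            - digital signature
            - key encipherment
            - server auth
            - client auth
        constraints:
          maxDuration: 24h

    # csi-driver: pods mount a volume that asks this issuer for a certificate,
    # so the DaemonSet's service account needs to be bound to the policy.
    - name: csi-ca
      clusterScope: true
      ca:
        secretName: csi-ca
        selfSignedCA:
          commonName: "Example CSI CA"
      policy:
        subjects:
          certManagerCSI: true
        allowed:
          dnsNames:
            values: ["*.svc.cluster.local"]               # assumed
          usages: [digital signature, key encipherment, server auth, client auth]
        constraints:
          maxDuration: 12h

  istioCSR:
    version: v0.6.0
    istioNamespace: istio-system
    replicas: 2
    issuerRef:
      name: istio-ca
      kind: Issuer
      group: cert-manager.io

  csiDrivers:
    certManager:
      version: v0.5.0
```

Keeping istio-ca and csi-ca as two separate issuers, each with its own subjects block, means a compromised csi-driver node agent cannot obtain mesh identities and vice versa; a single shared issuer with both subjects set would collapse that boundary.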

ObjectReference

ObjectReference identifies an API object, for example a CA source.

Field Description
group
string
(Optional)

Group is the group to which the API object belongs.

kind
string
(Optional)

Kind is the Kind of the API object.

name
string

Name is the name of the API object.

Plugins

(Appears on:Policy)

Plugins refers to custom plugin configurations for this policy. You must make sure that the installed approver-policy component contains the plugin implementations.

Field Description
venafi
VenafiPlugin
(Optional)

Venafi plugin is used to pull a policy defined in a zone in Venafi server and use that to evaluate a CertificateRequest. This plugin is bundled with the approver-policy-enterprise only, so you must make sure that you have set approverPolicyEnterprise field on Installation spec.

Policy

(Appears on:Issuer)

Policy is the configuration of a CertificateRequestPolicy for an issuer and RBAC that allows an entity to use this policy.

Field Description
allowAll
bool
(Optional)

AllowAll configures whether an allow-all policy should be created for an issuer.

subjects
Subjects
(Optional)

Subjects is the configuration of which entities are allowed to use the CertificateRequestPolicy. At least one subject must be set if a policy is configured. AllowAll cannot be set at the same time as Allowed and Constraints.

allowed
github.com/cert-manager/approver-policy/pkg/apis/policy/v1alpha1.CertificateRequestPolicyAllowed
(Optional)

Allowed is the set of attributes that are “allowed” by this policy. A CertificateRequest will only be considered permissible for this policy if the CertificateRequest has the same or less as what is allowed. Empty or nil allowed fields mean CertificateRequests are not allowed to have that field present to be permissible. This field corresponds to the Allowed block in CertificateRequestPolicy API https://github.com/cert-manager/approver-policy#allowed Only one of Allowed, AllowAll can be set.

constraints
github.com/cert-manager/approver-policy/pkg/apis/policy/v1alpha1.CertificateRequestPolicyConstraints
(Optional)

Constraints is the set of attributes that must be satisfied by the CertificateRequest for the request to be permissible by the policy. Empty or nil constraint fields mean CertificateRequests satisfy that field with any value of their corresponding attribute. This field corresponds to the Constraints block in the CertificateRequestPolicy API https://github.com/cert-manager/approver-policy#constraints Only one of Constraints, AllowAll can be set.

plugins
Plugins
(Optional)

Plugins defines additional, optional plugins to use with this policy.

SecretKeySelector

(Appears on:TPP)

SecretKeySelector is a reference to a key in a secret

Field Description
name
string

Name is the name of a Secret

key
string

Key is a key in a Secret

SelfSignedCA

(Appears on:CAIssuer)

SelfSignedCA contains configuration for the self-signed certificate to be generated to bootstrap CA issuer.

Field Description
commonName
string
(Optional)

CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs.

subject
github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1.X509Subject
(Optional)

Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).

Subjects

(Appears on:Policy)

Subjects is the configuration of entities allowed to use a CertificateRequestPolicy

Field Description
certManager
bool
(Optional)

CertManager configures whether the service account of cert-manager’s controller is allowed to use this CertificateRequestPolicy. Must be true for any issuer that will be referenced in Certificate resources, as the entity creating CertificateRequests for Certificates is always cert-manager’s controller. Setting this field to true will result in a ClusterRole and ClusterRoleBinding being created that bind the CertificateRequestPolicy to the cert-manager controller’s service account.

istioCSR
bool
(Optional)

IstioCSR configures whether the service account of istio-csr is allowed to use this CertificateRequestPolicy. Must be true if this issuer is going to be used with istio-csr. Setting this field to true will result in a ClusterRole and ClusterRoleBinding being created that bind the CertificateRequestPolicy to istio-csr’s service account.

certManagerCSI
bool
(Optional)

CertManagerCSI configures whether the service account of the cert-manager/csi-driver DaemonSet (configured via Installation.spec.csiDrivers.certManager) is allowed to use this CertificateRequestPolicy. Must be true if this issuer is going to be used to request certificates from cert-manager/csi-driver. Setting this field to true will result in a ClusterRole and ClusterRoleBinding being created that bind the CertificateRequestPolicy to the cert-manager csi-driver’s service account.
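A restrictive policy replacing the default allow-all, as an added example (not the operator project's own) covering the Policy and Subjects types above: subjects grants only cert-manager's controller, allowed enumerates everything a request may contain (anything absent is refused), and constraints bounds lifetime and key strength. The domain, organisation and limits are assumptions.

```yaml
# Added example: a least-privilege CertificateRequestPolicy for one issuer.
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk
spec:
  certManager: {}
  approverPolicy: {}
  issuers:
    - name: internal-ca
      clusterScope: true
      ca:
        secretName: internal-ca
        selfSignedCA:
          commonName: "Example Internal Root CA"
      policy:
        # allowAll is deliberately absent: it cannot be combined with allowed
        # or constraints, and it would approve any request from any subject.
        subjects:
          certManager: true      # only the controller, acting for Certificate resources
          # istioCSR / certManagerCSI left false: those components get their own issuers
        allowed:
          commonName:
            value: "*.apps.example.com"
          dnsNames:
            required: true       # a request without a DNS SAN is denied
            values:
              - "*.apps.example.com"
          # No ipAddresses / emailAddresses / uris keys: such SANs are forbidden.
          usages:
            - digital signature
            - key encipherment
            - server auth
          isCA: false            # no request may ask for a CA certificate
          subject:
            organizations:
              values: ["Example Corp"]
        constraints:
          minDuration: 1h
          maxDuration: 720h      # 30 days; short-lived certs limit the blast radius of a leaked key
          privateKey:
            algorithm: ECDSA
            minSize: 256
            maxSize: 384
```

The wildcard in dnsNames matches a single label pattern as approver-policy evaluates it, so a request for api.apps.example.com is approved while apps.example.com or evil.example.com is denied; test a few deliberately out-of-policy Certificate resources after rollout and confirm they stay in the Denied state rather than silently being approved by a leftover allow-all policy.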

TPP

(Appears on:CertDiscoveryVenafi)

TPP contains TPP configuration options to connect to a TPP server.

Field Description
url
string

URL of the TPP server where cert-discovery-venafi should upload discovered certs.

zone
string

Zone (policy folder) where cert-discovery-venafi should upload discovered certs.

tokenSecretRef
SecretKeySelector
(Optional)

TokenSecretRef is a reference to a key in a Kubernetes Secret with the TPP access token that cert-discovery-venafi will use to authenticate. Secret must be in the same namespace as cert-discovery-venafi (by default cert-manager). Defaults to a Secret named ‘access-token’ with a key named ‘access-token’.
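Enabling cert-discovery-venafi against a TPP server, as an added example rather than the project's own manifest: the access token is a long-lived bearer credential, so it is kept in a dedicated Secret referenced through tokenSecretRef instead of being placed anywhere in the Installation spec. The TPP URL, policy folder, Secret name and namespace are assumptions; the token value is a constructed placeholder.

```yaml
# Added example: Secret holding the TPP access token. It must live in the
# namespace cert-discovery-venafi runs in (assumed here to be the component
# namespace); the key name must match tokenSecretRef.key below.
apiVersion: v1
kind: Secret
metadata:
  name: tpp-access-token
  namespace: jetstack-secure
type: Opaque
stringData:
  access-token: "REPLACE-WITH-TPP-ACCESS-TOKEN"   # constructed placeholder
---
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk
spec:
  componentNamespace: jetstack-secure
  certManager: {}
  approverPolicy: {}
  certDiscoveryVenafi:
    version: v0.2.0
    replicas: 1          # default; one instance is enough for a periodic sync
    tpp:
      url: https://tpp.example.com                       # assumed TPP server
      # Single-quoted so YAML keeps the backslashes literally.
      zone: '\VED\Policy\TLS\Discovered\cluster-a'       # assumed policy folder
      tokenSecretRef:
        name: tpp-access-token
        key: access-token
```

Scope the token on the TPP side to the one policy folder named in zone and to the permissions discovery actually needs (creating and updating certificate objects there), and restrict read access to the Secret with RBAC: anyone who can read it can upload arbitrary certificates into that folder under the cluster's identity.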

TrustManager

(Appears on:InstallationSpec)

TrustManager contains configuration options for the Installation’s trust-manager installation See https://cert-manager.io/docs/projects/trust/ to learn more about trust-manager.

Field Description
version
string
(Optional)

Version is the version of trust-manager to install (https://github.com/cert-manager/trust-manager/releases). Default version: v0.5.0. Supported versions: v0.5.0, v0.4.0, v0.3.0.

replicas
int
(Optional)

ReplicaCount is the number of trust-manager instances to run. Defaults to 2 instances.

VenafiConnection

Field Description
name
string

Name is the name of the Venafi connection.

namespace
string
(Optional)

Namespace for a Venafi connection. Will default to the ComponentNamespace if not set.

labels
map[string]string
(Optional)

Labels to set on the created connection. More info: http://kubernetes.io/docs/user-guide/labels

annotations
map[string]string
(Optional)

Annotations to set on the created connection. More info: http://kubernetes.io/docs/user-guide/annotations

VenafiConnectionSpec
github.com/jetstack/venafi-connection-lib/api/v1alpha1.VenafiConnectionSpec

(Members of VenafiConnectionSpec are embedded into this type.)

VenafiEnhancedIssuer

(Appears on:InstallationSpec)

VenafiEnhancedIssuer contains configuration options for the Installation’s venafi-enhanced-issuer installation

Field Description
version
string
(Optional)

Version is the version of venafi-enhanced-issuer to install. Default: v0.5.0. Supported versions: v0.5.0, v0.4.0, v0.3.2.

replicas
int
(Optional)

ReplicaCount is the number of venafi-enhanced-issuer instances to run. Defaults to 2 instances.

caSources
[]*./pkg/apis/operator/v1alpha1.ObjectReference

CASources refers to a list of API objects that are CA sources. Currently only ConfigMap sources are supported. For each configured ConfigMap, the contents of the ca.crt key will be mounted under /etc/ssl/certs/ in the venafi-enhanced-issuer container. ConfigMaps must be in the component namespace (defaults to jetstack-secure).

VenafiOauthHelper

(Appears on:InstallationSpec)

VenafiOauthHelper contains configuration options for the Installation’s venafi-oauth-helper installation

Field Description
version
string
(Optional)

Version is the version of venafi-oauth-helper to install (https://github.com/jetstack/venafi-oauth-helper/releases). Default: v0.3.0. Supported versions: v0.3.0.

replicas
int
(Optional)

ReplicaCount is the number of venafi-oauth-helper instances to run. Defaults to 2 instances.

VenafiPlugin

(Appears on:Plugins)

VenafiPlugin contains configuration for a Venafi policy plugin, used to pull policy defined in a policy folder of a Venafi server.

Field Description
venafiConnectionName
string

VenafiConnectionName is the name of the Venafi connection to use when retrieving the policy.

zone
string

For VaaS: Zone = “<Application>\<Template>”, where Application is the name of the Application in VaaS and Template is the name of the Issuing Template as shown in VaaS.

For TPP: Zone = “<PolicyDN>”, where PolicyDN is the distinguished name of the policy folder to use when issuing certificates. Example: “\VED\Policy\TLS\TeamAlpha”. You may omit the prefix “\VED\Policy\”.
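Using the Venafi plugin to have approver-policy-enterprise check requests against a TPP policy folder before a core cert-manager Venafi issuer signs them, as an added example (not the project's own manifest). It also mounts the TPP server's CA through caSources so the plugin's connection to TPP is verified against a pinned trust anchor rather than the container's default bundle. It assumes a VenafiConnection named tpp-connection is configured under spec.venafiConnections (its embedded spec is not shown because its fields are documented elsewhere), a Secret tpp-credentials in the component namespace for the issuer, and an assumed TPP URL and policy folder; the ca.crt content is a constructed placeholder.

```yaml
# Added example: ConfigMap with the TPP server's CA, in the component namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tpp-ca
  namespace: jetstack-secure
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    REPLACE-WITH-TPP-CA-PEM
    -----END CERTIFICATE-----
---
apiVersion: operator.jetstack.io/v1alpha1
kind: Installation
metadata:
  name: tlspk
spec:
  componentNamespace: jetstack-secure
  certManager: {}
  # The venafi plugin ships only with approver-policy-enterprise; this field
  # is mutually exclusive with approverPolicy.
  approverPolicyEnterprise:
    version: v0.9.0
    replicas: 2
    caSources:
      - kind: ConfigMap
        name: tpp-ca            # ca.crt is mounted under /etc/ssl/certs/
  issuers:
    - name: venafi-tpp
      clusterScope: true
      venafi:
        # cert-manager VenafiIssuer: signs via TPP using the referenced credentials.
        zone: '\VED\Policy\TLS\TeamAlpha'
        tpp:
          url: https://tpp.example.com/vedsdk          # assumed
          credentialsRef:
            name: tpp-credentials                      # assumed Secret in the component namespace
      policy:
        subjects:
          certManager: true
        allowed:
          dnsNames:
            values: ["*.example.com"]                  # assumed; local pre-check before TPP
        plugins:
          venafi:
            venafiConnectionName: tpp-connection       # assumed, defined under spec.venafiConnections
            # TPP form: the policy folder DN; the "\VED\Policy\" prefix may be omitted.
            zone: 'TLS\TeamAlpha'
            # VaaS form instead: zone: '<Application>\<Template>'
```

With this arrangement a request has to clear two gates: the local allowed block (cheap, evaluated in-cluster) and the Venafi zone policy pulled by the plugin, which means a change to the TPP folder's policy takes effect for Kubernetes requests without editing anything in the cluster.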


Generated with gen-crd-api-reference-docs.