-
Notifications
You must be signed in to change notification settings - Fork 65
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
When using this controller in single-tenant clusters it becomes desirable for many users to have a single cluster-scoped issuer rather than each namespace duplicating the issuers and secrets. This changeset introduces a "cluster resource namespace", which defaults to the same namespace as the controller (eg, "origin-ca-issuer"). A ClusterOriginIssuer resource type has been added which resolves SecretKeySelectors in this namespace. Other than determing what namespace to resolve the secret, the implementation is the same as the existing OriginIssuer. Fixes: #24
- Loading branch information
1 parent
fd52ada
commit 18c31dc
Showing
13 changed files
with
482 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
119 changes: 119 additions & 0 deletions
119
deploy/crds/cert-manager.k8s.cloudflare.com_clusteroriginissuers.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,119 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.13.0 | ||
name: clusteroriginissuers.cert-manager.k8s.cloudflare.com | ||
spec: | ||
group: cert-manager.k8s.cloudflare.com | ||
names: | ||
kind: ClusterOriginIssuer | ||
listKind: ClusterOriginIssuerList | ||
plural: clusteroriginissuers | ||
singular: clusteroriginissuer | ||
scope: Cluster | ||
versions: | ||
- name: v1 | ||
schema: | ||
openAPIV3Schema: | ||
description: A ClusterOriginIssuer represents the Cloudflare Origin CA as | ||
an external cert-manager issuer. It is scoped to a single namespace, so | ||
it can be used only by resources in the same namespace. | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: Spec is the desired state of the ClusterOriginIssuer resource. | ||
properties: | ||
auth: | ||
description: Auth configures how to authenticate with the Cloudflare | ||
API. | ||
properties: | ||
serviceKeyRef: | ||
description: ServiceKeyRef authenticates with an API Service Key. | ||
properties: | ||
key: | ||
description: Key of the secret to select from. Must be a valid | ||
secret key. | ||
type: string | ||
name: | ||
description: Name of the secret in the issuer's namespace | ||
to select. If a cluster-scoped issuer, the secret is selected | ||
from the "cluster resource namespace" configured on the | ||
controller. | ||
type: string | ||
required: | ||
- key | ||
- name | ||
type: object | ||
type: object | ||
requestType: | ||
description: RequestType is the signature algorithm Cloudflare should | ||
use to sign the certificate. | ||
enum: | ||
- OriginRSA | ||
- OriginECC | ||
type: string | ||
required: | ||
- auth | ||
- requestType | ||
type: object | ||
status: | ||
description: Status of the ClusterOriginIssuer. This is set and managed | ||
automatically. | ||
properties: | ||
conditions: | ||
description: List of status conditions to indicate the status of an | ||
OriginIssuer Known condition types are `Ready`. | ||
items: | ||
description: OriginIssuerCondition contains condition information | ||
for the OriginIssuer. | ||
properties: | ||
lastTransitionTime: | ||
description: LastTransitionTime is the timestamp corresponding | ||
to the last status change of this condition. | ||
format: date-time | ||
type: string | ||
message: | ||
description: Message is a human readable description of the | ||
details of the last transition1, complementing reason. | ||
type: string | ||
reason: | ||
description: Reason is a brief machine readable explanation | ||
for the condition's last transition. | ||
type: string | ||
status: | ||
description: Status of the condition, one of ('True', 'False', | ||
'Unknown') | ||
enum: | ||
- "True" | ||
- "False" | ||
- Unknown | ||
type: string | ||
type: | ||
description: Type of the condition, known values are ('Ready') | ||
enum: | ||
- Ready | ||
type: string | ||
required: | ||
- status | ||
- type | ||
type: object | ||
type: array | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.