{ "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Desired state of the Bundle resource.", "properties": { "sources": { "description": "Sources is a set of references to data whose data will sync to the target.", "items": { "description": "BundleSource is the set of sources whose data will be appended and synced to\nthe BundleTarget in all Namespaces.", "properties": { "configMap": { "description": "ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a\nlist of ConfigMap's `data` key(s) using label selector, in the trust Namespace.", "properties": { "includeAllKeys": { "description": "IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.\nThis field must not be true when `Key` is set.", "type": "boolean" }, "key": { "description": "Key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "name": { "description": "Name is the name of the source object in the trust Namespace.\nThis field must be left empty when `selector` is set", "minLength": 1, "type": "string" }, "selector": { "description": "Selector is the label selector to use to fetch a list of objects. Must not be set\nwhen `Name` is set.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "inLine": { "description": "InLine is a simple string to append as the source data.", "type": "string" }, "secret": { "description": "Secret is a reference (by name) to a Secret's `data` key(s), or to a\nlist of Secret's `data` key(s) using label selector, in the trust Namespace.", "properties": { "includeAllKeys": { "description": "IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.\nThis field must not be true when `Key` is set.", "type": "boolean" }, "key": { "description": "Key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "name": { "description": "Name is the name of the source object in the trust Namespace.\nThis field must be left empty when `selector` is set", "minLength": 1, "type": "string" }, "selector": { "description": "Selector is the label selector to use to fetch a list of objects. Must not be set\nwhen `Name` is set.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "useDefaultCAs": { "description": "UseDefaultCAs, when true, requests the default CA bundle to be used as a source.\nDefault CAs are available if trust-manager was installed via Helm\nor was otherwise set up to include a package-injecting init container by using the\n\"--default-package-location\" flag when starting the trust-manager controller.\nIf default CAs were not configured at start-up, any request to use the default\nCAs will fail.\nThe version of the default CA package which is used for a Bundle is stored in the\ndefaultCAPackageVersion field of the Bundle's status field.", "type": "boolean" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "maxItems": 100, "minItems": 1, "type": "array", "x-kubernetes-list-type": "atomic" }, "target": { "description": "Target is the target location in all namespaces to sync source data to.", "properties": { "additionalFormats": { "description": "AdditionalFormats specifies any additional formats to write to the target", "properties": { "jks": { "description": "JKS requests a JKS-formatted binary trust bundle to be written to the target.\nThe bundle has \"changeit\" as the default password.\nFor more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords\nDeprecated: Writing JKS is subject for removal. Please migrate to PKCS12.\nPKCS#12 trust stores created by trust-manager are compatible with Java.", "properties": { "key": { "description": "Key is the key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "password": { "default": "changeit", "description": "Password for JKS trust store", "maxLength": 128, "minLength": 1, "type": "string" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "pkcs12": { "description": "PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target.\n\nThe bundle is by default created without a password.\nFor more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords", "properties": { "key": { "description": "Key is the key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "password": { "default": "", "description": "Password for PKCS12 trust store", "maxLength": 128, "type": "string" }, "profile": { "description": "Profile specifies the certificate encryption algorithms and the HMAC algorithm\nused to create the PKCS12 trust store.\n\nIf provided, allowed values are:\n`LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.\n`LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.\n`Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (e.g. because of company policy).\n\nDefault value is `LegacyRC2` for backward compatibility.", "enum": [ "LegacyRC2", "LegacyDES", "Modern2023" ], "type": "string" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "configMap": { "description": "ConfigMap is the target ConfigMap in Namespaces that all Bundle source\ndata will be synced to.", "properties": { "key": { "description": "Key is the key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "metadata": { "description": "Metadata is an optional set of labels and annotations to be copied to the target.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations is a key value map to be copied to the target.", "type": "object" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels is a key value map to be copied to the target.", "type": "object" } }, "type": "object", "additionalProperties": false } }, "required": [ "key" ], "type": "object", "additionalProperties": false }, "namespaceSelector": { "description": "NamespaceSelector will, if set, only sync the target resource in\nNamespaces which match the selector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "secret": { "description": "Secret is the target Secret that all Bundle source data will be synced to.\nUsing Secrets as targets is only supported if enabled at trust-manager startup.\nBy default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace.", "properties": { "key": { "description": "Key is the key of the entry in the object's `data` field to be used.", "minLength": 1, "type": "string" }, "metadata": { "description": "Metadata is an optional set of labels and annotations to be copied to the target.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations is a key value map to be copied to the target.", "type": "object" }, "labels": { "additionalProperties": { "type": "string" }, "description": "Labels is a key value map to be copied to the target.", "type": "object" } }, "type": "object", "additionalProperties": false } }, "required": [ "key" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "sources" ], "type": "object", "additionalProperties": false }, "status": { "description": "Status of the Bundle. This is set and managed automatically.", "properties": { "conditions": { "description": "List of status conditions to indicate the status of the Bundle.\nKnown condition types are `Bundle`.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "defaultCAVersion": { "description": "DefaultCAPackageVersion, if set and non-empty, indicates the version information\nwhich was retrieved when the set of default CAs was requested in the bundle\nsource. This should only be set if useDefaultCAs was set to \"true\" on a source,\nand will be the same for the same version of a bundle with identical certificates.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }