diff --git a/operators/ack-acmpca-controller/1.0.0/bundle.Dockerfile b/operators/ack-acmpca-controller/1.0.0/bundle.Dockerfile
new file mode 100644
index 00000000000..b96d743ed22
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/bundle.Dockerfile
@@ -0,0 +1,21 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=ack-acmpca-controller
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=unknown
+
+# Labels for testing.
+LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1
+LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
+
+# Copy files to locations specified by labels.
+COPY bundle/manifests /manifests/
+COPY bundle/metadata /metadata/
+COPY bundle/tests/scorecard /tests/scorecard/
diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-controller.clusterserviceversion.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-controller.clusterserviceversion.yaml
new file mode 100644
index 00000000000..55a7c74f73d
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-controller.clusterserviceversion.yaml
@@ -0,0 +1,282 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+ annotations:
+ alm-examples: |-
+ [
+ {
+ "apiVersion": "acmpca.services.k8s.aws/v1alpha1",
+ "kind": "CertificateAuthority",
+ "metadata": {
+ "name": "example"
+ },
+ "spec": {}
+ }
+ ]
+ capabilities: Basic Install
+ categories: Cloud Provider
+ certified: "false"
+ containerImage: public.ecr.aws/aws-controllers-k8s/acmpca-controller:1.0.0
+ createdAt: "2024-11-18T19:43:36Z"
+ description: AWS ACM PCA controller is a service controller for managing ACM PCA
+ resources in Kubernetes
+ operatorframework.io/suggested-namespace: ack-system
+ operators.operatorframework.io/builder: operator-sdk-v1.28.0
+ operators.operatorframework.io/project_layout: unknown
+ repository: https://github.com/aws-controllers-k8s
+ support: Community
+ labels:
+ operatorframework.io/arch.amd64: supported
+ operatorframework.io/arch.arm64: supported
+ operatorframework.io/os.linux: supported
+ name: ack-acmpca-controller.v1.0.0
+ namespace: placeholder
+spec:
+ apiservicedefinitions: {}
+ customresourcedefinitions:
+ owned:
+ - description: CertificateAuthority represents the state of an AWS acmpca CertificateAuthority
+ resource.
+ displayName: CertificateAuthority
+ kind: CertificateAuthority
+ name: certificateauthorities.acmpca.services.k8s.aws
+ version: v1alpha1
+ - description: CertificateAuthorityActivation represents the state of an AWS acmpca
+ CertificateAuthorityActivation resource.
+ displayName: CertificateAuthorityActivation
+ kind: CertificateAuthorityActivation
+ name: certificateauthorityactivations.acmpca.services.k8s.aws
+ version: v1alpha1
+ - description: Certificate represents the state of an AWS acmpca Certificate resource.
+ displayName: Certificate
+ kind: Certificate
+ name: certificates.acmpca.services.k8s.aws
+ version: v1alpha1
+ description: |-
+ Manage Amazon ACM PCA resources in AWS from within your Kubernetes cluster.
+
+ **About Amazon ACM PCA**
+
+ AWS Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. Your private CAs can issue end-entity X.509 certificates useful in scenarios including:
+ - Creating encrypted TLS communication channels
+ - Authenticating users, computers, API endpoints, and IoT devices
+ - Cryptographically signing code
+ - Implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status
+
+ **About the AWS Controllers for Kubernetes**
+
+ This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. This project is currently in **developer preview**.
+
+ **Pre-Installation Steps**
+
+ Please follow the following link: [Red Hat OpenShift](https://aws-controllers-k8s.github.io/community/docs/user-docs/openshift/)
+ displayName: AWS Controllers for Kubernetes - Amazon ACM PCA
+ icon:
+ - base64data: 
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjAuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB2aWV3Qm94PSIwIDAgMzA0IDE4MiIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzA0IDE4MjsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMyNTJGM0U7fQoJLnN0MXtmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtmaWxsOiNGRjk5MDA7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik04Ni40LDY2LjRjMCwzLjcsMC40LDYuNywxLjEsOC45YzAuOCwyLjIsMS44LDQuNiwzLjIsNy4yYzAuNSwwLjgsMC43LDEuNiwwLjcsMi4zYzAsMS0wLjYsMi0xLjksM2wtNi4zLDQuMiAgIGMtMC45LDAuNi0xLjgsMC45LTIuNiwwLjljLTEsMC0yLTAuNS0zLTEuNEM3Ni4yLDkwLDc1LDg4LjQsNzQsODYuOGMtMS0xLjctMi0zLjYtMy4xLTUuOWMtNy44LDkuMi0xNy42LDEzLjgtMjkuNCwxMy44ICAgYy04LjQsMC0xNS4xLTIuNC0yMC03LjJjLTQuOS00LjgtNy40LTExLjItNy40LTE5LjJjMC04LjUsMy0xNS40LDkuMS0yMC42YzYuMS01LjIsMTQuMi03LjgsMjQuNS03LjhjMy40LDAsNi45LDAuMywxMC42LDAuOCAgIGMzLjcsMC41LDcuNSwxLjMsMTEuNSwyLjJ2LTcuM2MwLTcuNi0xLjYtMTIuOS00LjctMTZjLTMuMi0zLjEtOC42LTQuNi0xNi4zLTQuNmMtMy41LDAtNy4xLDAuNC0xMC44LDEuM2MtMy43LDAuOS03LjMsMi0xMC44LDMuNCAgIGMtMS42LDAuNy0yLjgsMS4xLTMuNSwxLjNjLTAuNywwLjItMS4yLDAuMy0xLjYsMC4zYy0xLjQsMC0yLjEtMS0yLjEtMy4xdi00LjljMC0xLjYsMC4yLTIuOCwwLjctMy41YzAuNS0wLjcsMS40LTEuNCwyLjgtMi4xICAgYzMuNS0xLjgsNy43LTMuMywxMi42LTQuNWM0LjktMS4zLDEwLjEtMS45LDE1LjYtMS45YzExLjksMCwyMC42LDIuNywyNi4yLDguMWM1LjUsNS40LDguMywxMy42LDguMywyNC42VjY2LjR6IE00NS44LDgxLjYgICBjMy4zLDAsNi43LTAuNiwxMC4zLTEuOGMzLjYtMS4yLDYuOC0zLjQsOS41LTYuNGMxLjYtMS45LDIuOC00LDMuNC02LjRjMC42LTIuNCwxLTUuMywxLTguN3YtNC4yYy0yLjktMC43LTYtMS4zLTkuMi0xLjcgICBjLTMuMi0wLjQtNi4zLTAuNi05LjQtMC42Yy02LjcsMC0xMS42LDEuMy0xNC45LDRjLTMuMywyLjctNC45LDYuNS00LjksMTEuNWMwLDQuNywxLjIsOC4yLDMuNywxMC42ICAgQzM3LjcsODAuNCw0MS4yLDgxLjYsNDUuOCw4MS42eiBNMTI2LjEsOTIuNGMtMS44LDAtMy0wLjMtMy44LTFjLTAuOC0w
LjYtMS41LTItMi4xLTMuOUw5Ni43LDEwLjJjLTAuNi0yLTAuOS0zLjMtMC45LTQgICBjMC0xLjYsMC44LTIuNSwyLjQtMi41aDkuOGMxLjksMCwzLjIsMC4zLDMuOSwxYzAuOCwwLjYsMS40LDIsMiwzLjlsMTYuOCw2Ni4ybDE1LjYtNjYuMmMwLjUtMiwxLjEtMy4zLDEuOS0zLjljMC44LTAuNiwyLjItMSw0LTEgICBoOGMxLjksMCwzLjIsMC4zLDQsMWMwLjgsMC42LDEuNSwyLDEuOSwzLjlsMTUuOCw2N2wxNy4zLTY3YzAuNi0yLDEuMy0zLjMsMi0zLjljMC44LTAuNiwyLjEtMSwzLjktMWg5LjNjMS42LDAsMi41LDAuOCwyLjUsMi41ICAgYzAsMC41LTAuMSwxLTAuMiwxLjZjLTAuMSwwLjYtMC4zLDEuNC0wLjcsMi41bC0yNC4xLDc3LjNjLTAuNiwyLTEuMywzLjMtMi4xLDMuOWMtMC44LDAuNi0yLjEsMS0zLjgsMWgtOC42Yy0xLjksMC0zLjItMC4zLTQtMSAgIGMtMC44LTAuNy0xLjUtMi0xLjktNEwxNTYsMjNsLTE1LjQsNjQuNGMtMC41LDItMS4xLDMuMy0xLjksNGMtMC44LDAuNy0yLjIsMS00LDFIMTI2LjF6IE0yNTQuNiw5NS4xYy01LjIsMC0xMC40LTAuNi0xNS40LTEuOCAgIGMtNS0xLjItOC45LTIuNS0xMS41LTRjLTEuNi0wLjktMi43LTEuOS0zLjEtMi44Yy0wLjQtMC45LTAuNi0xLjktMC42LTIuOHYtNS4xYzAtMi4xLDAuOC0zLjEsMi4zLTMuMWMwLjYsMCwxLjIsMC4xLDEuOCwwLjMgICBjMC42LDAuMiwxLjUsMC42LDIuNSwxYzMuNCwxLjUsNy4xLDIuNywxMSwzLjVjNCwwLjgsNy45LDEuMiwxMS45LDEuMmM2LjMsMCwxMS4yLTEuMSwxNC42LTMuM2MzLjQtMi4yLDUuMi01LjQsNS4yLTkuNSAgIGMwLTIuOC0wLjktNS4xLTIuNy03Yy0xLjgtMS45LTUuMi0zLjYtMTAuMS01LjJMMjQ2LDUyYy03LjMtMi4zLTEyLjctNS43LTE2LTEwLjJjLTMuMy00LjQtNS05LjMtNS0xNC41YzAtNC4yLDAuOS03LjksMi43LTExLjEgICBjMS44LTMuMiw0LjItNiw3LjItOC4yYzMtMi4zLDYuNC00LDEwLjQtNS4yYzQtMS4yLDguMi0xLjcsMTIuNi0xLjdjMi4yLDAsNC41LDAuMSw2LjcsMC40YzIuMywwLjMsNC40LDAuNyw2LjUsMS4xICAgYzIsMC41LDMuOSwxLDUuNywxLjZjMS44LDAuNiwzLjIsMS4yLDQuMiwxLjhjMS40LDAuOCwyLjQsMS42LDMsMi41YzAuNiwwLjgsMC45LDEuOSwwLjksMy4zdjQuN2MwLDIuMS0wLjgsMy4yLTIuMywzLjIgICBjLTAuOCwwLTIuMS0wLjQtMy44LTEuMmMtNS43LTIuNi0xMi4xLTMuOS0xOS4yLTMuOWMtNS43LDAtMTAuMiwwLjktMTMuMywyLjhjLTMuMSwxLjktNC43LDQuOC00LjcsOC45YzAsMi44LDEsNS4yLDMsNy4xICAgYzIsMS45LDUuNywzLjgsMTEsNS41bDE0LjIsNC41YzcuMiwyLjMsMTIuNCw1LjUsMTUuNSw5LjZjMy4xLDQuMSw0LjYsOC44LDQuNiwxNGMwLDQuMy0wLjksOC4yLTIuNiwxMS42ICAgYy0xLjgsMy40LTQuMiw2LjQtNy4zLDguOGMtMy4xLDIuNS02LjgsNC4zLTExLjEsNS42QzI2NC40LDk0LjQsMjU5LjcsOTUuMSwyNTQuNiw5NS4xeiIvPgoJPGc+CgkJPHBhdGggY2xhc3M9InN0
MSIgZD0iTTI3My41LDE0My43Yy0zMi45LDI0LjMtODAuNywzNy4yLTEyMS44LDM3LjJjLTU3LjYsMC0xMDkuNS0yMS4zLTE0OC43LTU2LjdjLTMuMS0yLjgtMC4zLTYuNiwzLjQtNC40ICAgIGM0Mi40LDI0LjYsOTQuNywzOS41LDE0OC44LDM5LjVjMzYuNSwwLDc2LjYtNy42LDExMy41LTIzLjJDMjc0LjIsMTMzLjYsMjc4LjksMTM5LjcsMjczLjUsMTQzLjd6Ii8+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI4Ny4yLDEyOC4xYy00LjItNS40LTI3LjgtMi42LTM4LjUtMS4zYy0zLjIsMC40LTMuNy0yLjQtMC44LTQuNWMxOC44LTEzLjIsNDkuNy05LjQsNTMuMy01ICAgIGMzLjYsNC41LTEsMzUuNC0xOC42LDUwLjJjLTIuNywyLjMtNS4zLDEuMS00LjEtMS45QzI4Mi41LDE1NS43LDI5MS40LDEzMy40LDI4Ny4yLDEyOC4xeiIvPgoJPC9nPgo8L2c+Cjwvc3ZnPg== + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - acmpca.services.k8s.aws + resources: + - certificateauthorities + - certificateauthorityactivations + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - acmpca.services.k8s.aws + resources: + - certificateauthorities/status + - certificateauthorityactivations/status + - certificates/status + verbs: + - get + - patch + - update + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + - fieldexports/status + verbs: + - get + - patch + - update + serviceAccountName: ack-acmpca-controller + deployments: + - label: + app.kubernetes.io/name: ack-acmpca-controller + app.kubernetes.io/part-of: ack-system + name: ack-acmpca-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-acmpca-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-acmpca-controller + spec: + containers: + - args: + - --aws-region 
+ - $(AWS_REGION)
+ - --aws-endpoint-url
+ - $(AWS_ENDPOINT_URL)
+ - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING)
+ - --log-level
+ - $(ACK_LOG_LEVEL)
+ - --resource-tags
+ - $(ACK_RESOURCE_TAGS)
+ - --watch-namespace
+ - $(ACK_WATCH_NAMESPACE)
+ - --enable-leader-election=$(ENABLE_LEADER_ELECTION)
+ - --leader-election-namespace
+ - $(LEADER_ELECTION_NAMESPACE)
+ - --reconcile-default-max-concurrent-syncs
+ - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS)
+ command:
+ - ./bin/controller
+ env:
+ - name: ACK_SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - configMapRef:
+ name: ack-acmpca-user-config
+ optional: false
+ - secretRef:
+ name: ack-acmpca-user-secrets
+ optional: true
+ image: public.ecr.aws/aws-controllers-k8s/acmpca-controller:1.0.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: controller
+ ports:
+ - containerPort: 8080
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ dnsPolicy: ClusterFirst
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: ack-acmpca-controller
+ terminationGracePeriodSeconds: 10
+ permissions:
+ - rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ serviceAccountName: ack-acmpca-controller
+ strategy: deployment
+ installModes:
+ - supported: true
+ type: OwnNamespace
+ - supported: true
+ type: SingleNamespace
+ - supported: true
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
+ keywords:
+ - acmpca
+ - aws
+ - amazon
+ - ack
+ links:
+ - name: AWS Controllers for Kubernetes
+ url: https://github.com/aws-controllers-k8s/community
+ - name: Documentation
+ url: https://aws-controllers-k8s.github.io/community/
+ - name: Amazon ACM PCA Developer Resources
+ url: https://aws.amazon.com/private-ca/resources
+ maintainers:
+ - email: ack-maintainers@amazon.com
+ name: acmpca maintainer team
+ maturity: alpha
+ provider:
+ name: Amazon, Inc.
+ url: https://aws.amazon.com
+ version: 1.0.0
diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-metrics-service_v1_service.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-metrics-service_v1_service.yaml
new file mode 100644
index 00000000000..fc40e2aa21b
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-metrics-service_v1_service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: ack-acmpca-metrics-service
+spec:
+ ports:
+ - name: metricsport
+ port: 8080
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: ack-acmpca-controller
+ type: NodePort
+status:
+ loadBalancer: {}
diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-reader_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 00000000000..40f8c805279
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-reader_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-acmpca-reader
+rules:
+- apiGroups:
+ - acmpca.services.k8s.aws
+ resources:
+ - certificates
+ - certificateauthorities
+ - certificateauthorityactivations
+ verbs:
+ - get
+ - list
+ - watch
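Review bot: The alm-examples CertificateAuthority sample carries `"spec": {}`, but the certificateauthorities CRD added in this same commit lists `certificateAuthorityConfiguration` and `type` under `required`, so the sample offered to users would be rejected on create; it should carry at least those two fields. The clusterPermissions block also grants `get`, `list`, `patch` and `watch` on `secrets` and `configmaps` across the whole cluster even though the controller accepts `--watch-namespace`, which is a wide blast radius for a PKI controller's service account; if the Secret reads cannot be narrowed to a namespaced Role, a comment above that rule stating which secrets the controller needs and why would help reviewers. The container securityContext drops all capabilities and sets `runAsNonRoot: true` but leaves `readOnlyRootFilesystem` unset; with `command: ./bin/controller` it is usually safe to add `readOnlyRootFilesystem: true`. Finally the image is referenced only by tag `public.ecr.aws/aws-controllers-k8s/acmpca-controller:1.0.0` with no `spec.relatedImages` digest entry, so the bundle is not pinned to immutable content.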
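Review bot: `type: NodePort` on ack-acmpca-metrics-service publishes the controller's metrics port 8080 on every node's address, reachable from outside the cluster without authentication, whereas an operator metrics endpoint normally only needs in-cluster access. Unless an external scraper genuinely requires a node port, `type: ClusterIP` is the safer default; if NodePort is intentional, a comment above `type:` recording who scrapes it and why would make the exposure a reviewed decision. The selector `app.kubernetes.io/name: ack-acmpca-controller` does agree with the deployment template labels in the CSV hunk.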
diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-writer_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 00000000000..7527f24a2da
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/manifests/ack-acmpca-writer_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: ack-acmpca-writer
+rules:
+- apiGroups:
+ - acmpca.services.k8s.aws
+ resources:
+ - certificates
+ - certificateauthorities
+ - certificateauthorityactivations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - acmpca.services.k8s.aws
+ resources:
+ - certificates
+ - certificateauthorities
+ - certificateauthorityactivations
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorities.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorities.yaml
new file mode 100644
index 00000000000..ee896bf7056
--- /dev/null
+++ b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorities.yaml
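Review bot: The second rule in ack-acmpca-writer grants `get`, `patch` and `update` on `certificates`, `certificateauthorities` and `certificateauthorityactivations`, all of which the first rule already grants, so as written it adds nothing. The parallel pair of rules in the CSV's clusterPermissions names `certificates/status`, `certificateauthorities/status` and `certificateauthorityactivations/status` in its second rule, which suggests the `/status` subresources were intended here; if writers are expected to update status, that permission is currently missing. Change the second rule's resources to `- certificates/status`, `- certificateauthorities/status`, `- certificateauthorityactivations/status`, or drop the rule if status writes are not meant for this role.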
@@ -0,0 +1,543 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: certificateauthorities.acmpca.services.k8s.aws +spec: + group: acmpca.services.k8s.aws + names: + kind: CertificateAuthority + listKind: CertificateAuthorityList + plural: certificateauthorities + singular: certificateauthority + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CertificateAuthority is the Schema for the CertificateAuthorities + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + CertificateAuthoritySpec defines the desired state of CertificateAuthority. + + Contains information about your private certificate authority (CA). Your + private CA can issue and revoke X.509 digital certificates. Digital certificates + verify that the entity named in the certificate Subject field owns or controls + the public key contained in the Subject Public Key Info field. Call the CreateCertificateAuthority + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) + action to create your private CA. 
You must then call the GetCertificateAuthorityCertificate + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) + action to retrieve a private CA certificate signing request (CSR). Sign the + CSR with your Amazon Web Services Private CA-hosted or on-premises root or + subordinate CA certificate. Call the ImportCertificateAuthorityCertificate + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) + action to import the signed certificate into Certificate Manager (ACM). + properties: + certificateAuthorityConfiguration: + description: |- + Name and bit size of the private key algorithm, the name of the signing algorithm, + and X.500 certificate subject information. + properties: + csrExtensions: + description: |- + Describes the certificate extensions to be added to the certificate signing + request (CSR). + properties: + keyUsage: + description: |- + Defines one or more purposes for which the key contained in the certificate + can be used. Default value for each option is false. + properties: + crlSign: + type: boolean + dataEncipherment: + type: boolean + decipherOnly: + type: boolean + digitalSignature: + type: boolean + encipherOnly: + type: boolean + keyAgreement: + type: boolean + keyCertSign: + type: boolean + keyEncipherment: + type: boolean + nonRepudiation: + type: boolean + type: object + subjectInformationAccess: + items: + description: |- + Provides access information used by the authorityInfoAccess and subjectInfoAccess + extensions described in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280). + properties: + accessLocation: + description: |- + Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280). + Only one of the following naming options should be provided. Providing more + than one option results in an InvalidArgsException error. 
+ properties: + directoryName: + description: |- + Contains information about the certificate subject. The Subject field in + the certificate identifies the entity that owns or controls the public key + in the certificate. The entity can be a user, computer, device, or service. + The Subject must contain an X.500 distinguished name (DN). A DN is a sequence + of relative distinguished names (RDNs). The RDNs are separated by commas + in the certificate. + properties: + commonName: + type: string + country: + type: string + customAttributes: + items: + description: Defines the X.500 relative distinguished + name (RDN). + properties: + objectIdentifier: + type: string + value: + type: string + type: object + type: array + distinguishedNameQualifier: + type: string + generationQualifier: + type: string + givenName: + type: string + initials: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + pseudonym: + type: string + serialNumber: + type: string + state: + type: string + surname: + type: string + title: + type: string + type: object + dnsName: + type: string + ediPartyName: + description: |- + Describes an Electronic Data Interchange (EDI) entity as described in as + defined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280) + in RFC 5280. + properties: + nameAssigner: + type: string + partyName: + type: string + type: object + ipAddress: + type: string + otherName: + description: |- + Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) + and value. The OID must satisfy the regular expression shown below. For more + information, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier). 
+ properties: + typeID: + type: string + value: + type: string + type: object + registeredID: + type: string + rfc822Name: + type: string + uniformResourceIdentifier: + type: string + type: object + accessMethod: + description: |- + Describes the type and format of extension access. Only one of CustomObjectIdentifier + or AccessMethodType may be provided. Providing both results in InvalidArgsException. + properties: + accessMethodType: + type: string + customObjectIdentifier: + type: string + type: object + type: object + type: array + type: object + keyAlgorithm: + type: string + signingAlgorithm: + type: string + subject: + description: |- + Contains information about the certificate subject. The Subject field in + the certificate identifies the entity that owns or controls the public key + in the certificate. The entity can be a user, computer, device, or service. + The Subject must contain an X.500 distinguished name (DN). A DN is a sequence + of relative distinguished names (RDNs). The RDNs are separated by commas + in the certificate. + properties: + commonName: + type: string + country: + type: string + customAttributes: + items: + description: Defines the X.500 relative distinguished name + (RDN). + properties: + objectIdentifier: + type: string + value: + type: string + type: object + type: array + distinguishedNameQualifier: + type: string + generationQualifier: + type: string + givenName: + type: string + initials: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + pseudonym: + type: string + serialNumber: + type: string + state: + type: string + surname: + type: string + title: + type: string + type: object + type: object + keyStorageSecurityStandard: + description: |- + Specifies a cryptographic key management compliance standard used for handling + CA keys. + + Default: FIPS_140_2_LEVEL_3_OR_HIGHER + + Some Amazon Web Services Regions do not support the default. 
When creating + a CA in these Regions, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER as the + argument for KeyStorageSecurityStandard. Failure to do this results in an + InvalidArgsException with the message, "A certificate authority cannot be + created in this region with the specified security standard." + + For information about security standard support in various Regions, see Storage + and security compliance of Amazon Web Services Private CA private keys (https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys). + type: string + revocationConfiguration: + description: |- + Contains information to enable Online Certificate Status Protocol (OCSP) + support, to enable a certificate revocation list (CRL), to enable both, or + to enable neither. The default is for both certificate validation mechanisms + to be disabled. + + The following requirements apply to revocation configurations. + + * A configuration disabling CRLs or OCSP must contain only the Enabled=False + parameter, and will fail if other parameters such as CustomCname or ExpirationInDays + are included. + + * In a CRL configuration, the S3BucketName parameter must conform to Amazon + S3 bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html). + + * A configuration containing a custom Canonical Name (CNAME) parameter + for CRLs or OCSP must conform to RFC2396 (https://www.ietf.org/rfc/rfc2396.txt) + restrictions on the use of special characters in a CNAME. + + * In a CRL or OCSP configuration, the value of a CNAME parameter must + not include a protocol prefix such as "http://" or "https://". + + For more information, see the OcspConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_OcspConfiguration.html) + and CrlConfiguration (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CrlConfiguration.html) + types. 
+ properties: + crlConfiguration: + description: |- + Contains configuration information for a certificate revocation list (CRL). + Your private certificate authority (CA) creates base CRLs. Delta CRLs are + not supported. You can enable CRLs for your new or an existing private CA + by setting the Enabled parameter to true. Your private CA writes CRLs to + an S3 bucket that you specify in the S3BucketName parameter. You can hide + the name of your bucket by specifying a value for the CustomCname parameter. + Your private CA copies the CNAME or the S3 bucket name to the CRL Distribution + Points extension of each certificate it issues. Your S3 bucket policy must + give write permission to Amazon Web Services Private CA. + + Amazon Web Services Private CA assets that are stored in Amazon S3 can be + protected with encryption. For more information, see Encrypting Your CRLs + (https://docs.aws.amazon.com/privateca/latest/userguide/PcaCreateCa.html#crl-encryption). + + Your private CA uses the value in the ExpirationInDays parameter to calculate + the nextUpdate field in the CRL. The CRL is refreshed prior to a certificate's + expiration date or when a certificate is revoked. When a certificate is revoked, + it appears in the CRL until the certificate expires, and then in one additional + CRL after expiration, and it always appears in the audit report. + + A CRL is typically updated approximately 30 minutes after a certificate is + revoked. If for any reason a CRL update fails, Amazon Web Services Private + CA makes further attempts every 15 minutes. + + CRLs contain the following fields: + + * Version: The current version number defined in RFC 5280 is V2. The integer + value is 0x1. + + * Signature Algorithm: The name of the algorithm used to sign the CRL. + + * Issuer: The X.500 distinguished name of your private CA that issued + the CRL. + + * Last Update: The issue date and time of this CRL. + + * Next Update: The day and time by which the next CRL will be issued. 
+ + * Revoked Certificates: List of revoked certificates. Each list item contains + the following information. Serial Number: The serial number, in hexadecimal + format, of the revoked certificate. Revocation Date: Date and time the + certificate was revoked. CRL Entry Extensions: Optional extensions for + the CRL entry. X509v3 CRL Reason Code: Reason the certificate was revoked. + + * CRL Extensions: Optional extensions for the CRL. X509v3 Authority Key + Identifier: Identifies the public key associated with the private key + used to sign the certificate. X509v3 CRL Number:: Decimal sequence number + for the CRL. + + * Signature Algorithm: Algorithm used by your private CA to sign the CRL. + + * Signature Value: Signature computed over the CRL. + + Certificate revocation lists created by Amazon Web Services Private CA are + DER-encoded. You can use the following OpenSSL command to list a CRL. + + openssl crl -inform DER -text -in crl_path -noout + + For more information, see Planning a certificate revocation list (CRL) (https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html) + in the Amazon Web Services Private Certificate Authority User Guide + properties: + customCNAME: + type: string + enabled: + type: boolean + expirationInDays: + format: int64 + type: integer + s3BucketName: + type: string + s3ObjectACL: + type: string + type: object + ocspConfiguration: + description: |- + Contains information to enable and configure Online Certificate Status Protocol + (OCSP) for validating certificate revocation status. + + When you revoke a certificate, OCSP responses may take up to 60 minutes to + reflect the new status. + properties: + enabled: + type: boolean + ocspCustomCNAME: + type: string + type: object + type: object + tags: + description: |- + Key-value pairs that will be attached to the new private CA. You can associate + up to 50 tags with a private CA. 
For information using tags with IAM to manage + permissions, see Controlling Access Using IAM Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html). + items: + description: |- + Tags are labels that you can use to identify and organize your private CAs. + Each tag consists of a key and an optional value. You can associate up to + 50 tags with a private CA. To add one or more tags to a private CA, call + the TagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html) + action. To remove a tag, call the UntagCertificateAuthority (https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html) + action. + properties: + key: + type: string + value: + type: string + type: object + type: array + type: + description: The type of the certificate authority. + type: string + usageMode: + description: |- + Specifies whether the CA issues general-purpose certificates that typically + require a revocation mechanism, or short-lived certificates that may optionally + omit revocation because they expire quickly. Short-lived certificate validity + is limited to seven days. + + The default value is GENERAL_PURPOSE. + type: string + required: + - certificateAuthorityConfiguration + - type + type: object + status: + description: CertificateAuthorityStatus defines the observed state of + CertificateAuthority + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. 
This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + certificateSigningRequest: + description: |- + The base64 PEM-encoded certificate signing request (CSR) for your private + CA certificate. + type: string + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createdAt: + description: Date and time at which your private CA was created. + format: date-time + type: string + failureReason: + description: Reason the request to create your private CA failed. + type: string + lastStateChangeAt: + description: Date and time at which your private CA was last updated. + format: date-time + type: string + notAfter: + description: Date and time after which your private CA certificate + is not valid. + format: date-time + type: string + notBefore: + description: Date and time before which your private CA certificate + is not valid. + format: date-time + type: string + ownerAccount: + description: The Amazon Web Services account ID that owns the certificate + authority. + type: string + restorableUntil: + description: |- + The period during which a deleted CA can be restored. For more information, + see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthorityRequest.html) + action. + format: date-time + type: string + serial: + description: Serial number of your private CA. + type: string + status: + description: Status of your private CA. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorityactivations.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorityactivations.yaml new file mode 100644 index 00000000000..04132dd16c4 --- /dev/null +++ b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificateauthorityactivations.yaml 
@@ -0,0 +1,213 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: certificateauthorityactivations.acmpca.services.k8s.aws +spec: + group: acmpca.services.k8s.aws + names: + kind: CertificateAuthorityActivation + listKind: CertificateAuthorityActivationList + plural: certificateauthorityactivations + singular: certificateauthorityactivation + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: CertificateAuthorityActivation is the Schema for the CertificateAuthorityActivations + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CertificateAuthorityActivationSpec defines the desired state + of CertificateAuthorityActivation. + properties: + certificate: + description: |- + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret + properties: + key: + description: Key is the key within the secret + type: string + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. 
+ type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + certificateAuthorityARN: + description: |- + The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html). + This must be of the form: + + arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 + type: string + certificateAuthorityRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + certificateChain: + description: |- + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret + properties: + key: + description: Key is the key within the secret + type: string + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + completeCertificateChainOutput: + description: |- + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret + properties: + key: + description: Key is the key within the secret + type: string + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. 
+ type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + status: + type: string + required: + - certificate + type: object + status: + description: CertificateAuthorityActivationStatus defines the observed + state of CertificateAuthorityActivation + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificates.yaml b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificates.yaml new file mode 100644 index 00000000000..f5ac33e3fbd --- /dev/null +++ b/operators/ack-acmpca-controller/1.0.0/manifests/acmpca.services.k8s.aws_certificates.yaml 
@@ -0,0 +1,496 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: certificates.acmpca.services.k8s.aws +spec: + group: acmpca.services.k8s.aws + names: + kind: Certificate + listKind: CertificateList + plural: certificates + singular: certificate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Certificate is the Schema for the Certificates API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. + properties: + apiPassthrough: + description: |- + Specifies X.509 certificate information to be included in the issued certificate. + An APIPassthrough or APICSRPassthrough template variant must be selected, + or else this parameter is ignored. For more information about using these + templates, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). 
+ + If conflicting or duplicate certificate information is supplied during certificate + issuance, Amazon Web Services Private CA applies order of operation rules + (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations) + to determine what information is used. + properties: + extensions: + description: Contains X.509 extension information for a certificate. + properties: + certificatePolicies: + items: + description: Defines the X.509 CertificatePolicies extension. + properties: + certPolicyID: + type: string + policyQualifiers: + items: + description: |- + Modifies the CertPolicyId of a PolicyInformation object with a qualifier. + Amazon Web Services Private CA supports the certification practice statement + (CPS) qualifier. + properties: + policyQualifierID: + type: string + qualifier: + description: |- + Defines a PolicyInformation qualifier. Amazon Web Services Private CA supports + the certification practice statement (CPS) qualifier (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.4) + defined in RFC 5280. + properties: + cpsURI: + type: string + type: object + type: object + type: array + type: object + type: array + customExtensions: + items: + description: |- + Specifies the X.509 extension information for a certificate. + + Extensions present in CustomExtensions follow the ApiPassthrough template + rules (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html#template-order-of-operations). + properties: + critical: + type: boolean + objectIdentifier: + type: string + value: + type: string + type: object + type: array + extendedKeyUsage: + items: + description: |- + Specifies additional purposes for which the certified public key may be used + other than basic purposes indicated in the KeyUsage extension. 
+ properties: + extendedKeyUsageObjectIdentifier: + type: string + extendedKeyUsageType: + type: string + type: object + type: array + keyUsage: + description: |- + Defines one or more purposes for which the key contained in the certificate + can be used. Default value for each option is false. + properties: + crlSign: + type: boolean + dataEncipherment: + type: boolean + decipherOnly: + type: boolean + digitalSignature: + type: boolean + encipherOnly: + type: boolean + keyAgreement: + type: boolean + keyCertSign: + type: boolean + keyEncipherment: + type: boolean + nonRepudiation: + type: boolean + type: object + subjectAlternativeNames: + items: + description: |- + Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280). + Only one of the following naming options should be provided. Providing more + than one option results in an InvalidArgsException error. + properties: + directoryName: + description: |- + Contains information about the certificate subject. The Subject field in + the certificate identifies the entity that owns or controls the public key + in the certificate. The entity can be a user, computer, device, or service. + The Subject must contain an X.500 distinguished name (DN). A DN is a sequence + of relative distinguished names (RDNs). The RDNs are separated by commas + in the certificate. + properties: + commonName: + type: string + country: + type: string + customAttributes: + items: + description: Defines the X.500 relative distinguished + name (RDN). 
+ properties: + objectIdentifier: + type: string + value: + type: string + type: object + type: array + distinguishedNameQualifier: + type: string + generationQualifier: + type: string + givenName: + type: string + initials: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + pseudonym: + type: string + serialNumber: + type: string + state: + type: string + surname: + type: string + title: + type: string + type: object + dnsName: + type: string + ediPartyName: + description: |- + Describes an Electronic Data Interchange (EDI) entity as described in as + defined in Subject Alternative Name (https://datatracker.ietf.org/doc/html/rfc5280) + in RFC 5280. + properties: + nameAssigner: + type: string + partyName: + type: string + type: object + ipAddress: + type: string + otherName: + description: |- + Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) + and value. The OID must satisfy the regular expression shown below. For more + information, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier). + properties: + typeID: + type: string + value: + type: string + type: object + registeredID: + type: string + rfc822Name: + type: string + uniformResourceIdentifier: + type: string + type: object + type: array + type: object + subject: + description: |- + Contains information about the certificate subject. The Subject field in + the certificate identifies the entity that owns or controls the public key + in the certificate. The entity can be a user, computer, device, or service. + The Subject must contain an X.500 distinguished name (DN). A DN is a sequence + of relative distinguished names (RDNs). The RDNs are separated by commas + in the certificate. + properties: + commonName: + type: string + country: + type: string + customAttributes: + items: + description: Defines the X.500 relative distinguished name + (RDN). 
+ properties: + objectIdentifier: + type: string + value: + type: string + type: object + type: array + distinguishedNameQualifier: + type: string + generationQualifier: + type: string + givenName: + type: string + initials: + type: string + locality: + type: string + organization: + type: string + organizationalUnit: + type: string + pseudonym: + type: string + serialNumber: + type: string + state: + type: string + surname: + type: string + title: + type: string + type: object + type: object + certificateAuthorityARN: + description: |- + The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority + (https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html). + This must be of the form: + + arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 + type: string + certificateAuthorityRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + certificateOutput: + description: |- + SecretKeyReference combines a k8s corev1.SecretReference with a + specific key within the referred-to Secret + properties: + key: + description: Key is the key within the secret + type: string + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. 
+ type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + certificateSigningRequest: + type: string + certificateSigningRequestRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + signingAlgorithm: + description: |- + The name of the algorithm that will be used to sign the certificate to be + issued. + + This parameter should not be confused with the SigningAlgorithm parameter + used to sign a CSR in the CreateCertificateAuthority action. + + The specified signing algorithm family (RSA or ECDSA) must match the algorithm + family of the CA's secret key. + type: string + templateARN: + description: |- + Specifies a custom configuration template to use when issuing a certificate. + If this parameter is not provided, Amazon Web Services Private CA defaults + to the EndEntityCertificate/V1 template. For CA certificates, you should + choose the shortest path length that meets your needs. The path length is + indicated by the PathLenN portion of the ARN, where N is the CA depth (https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-cadepth). + + Note: The CA depth configured on a subordinate CA certificate must not exceed + the limit set by its parents in the CA hierarchy. + + For a list of TemplateArn values supported by Amazon Web Services Private + CA, see Understanding Certificate Templates (https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html). + type: string + validity: + description: |- + Information describing the end of the validity period of the certificate. 
+ This parameter sets the “Not After” date for the certificate. + + Certificate validity is the period of time during which a certificate is + valid. Validity can be expressed as an explicit date and time when the certificate + expires, or as a span of time after issuance, stated in days, months, or + years. For more information, see Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5) + in RFC 5280. + + This value is unaffected when ValidityNotBefore is also specified. For example, + if Validity is set to 20 days in the future, the certificate will expire + 20 days from issuance time regardless of the ValidityNotBefore value. + + The end of the validity period configured on a certificate must not exceed + the limit set on its parents in the CA hierarchy. + properties: + type: + type: string + value: + format: int64 + type: integer + type: object + validityNotBefore: + description: |- + Information describing the start of the validity period of the certificate. + This parameter sets the “Not Before" date for the certificate. + + By default, when issuing a certificate, Amazon Web Services Private CA sets + the "Not Before" date to the issuance time minus 60 minutes. This compensates + for clock inconsistencies across computer systems. The ValidityNotBefore + parameter can be used to customize the “Not Before” value. + + Unlike the Validity parameter, the ValidityNotBefore parameter is optional. + + The ValidityNotBefore value is expressed as an explicit date and time, using + the Validity type value ABSOLUTE. For more information, see Validity (https://docs.aws.amazon.com/privateca/latest/APIReference/API_Validity.html) + in this API reference and Validity (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5) + in RFC 5280. 
+ properties: + type: + type: string + value: + format: int64 + type: integer + type: object + required: + - signingAlgorithm + - validity + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-acmpca-controller/1.0.0/metadata/annotations.yaml b/operators/ack-acmpca-controller/1.0.0/metadata/annotations.yaml new file mode 100644 index 00000000000..d653eefee39 --- /dev/null +++ b/operators/ack-acmpca-controller/1.0.0/metadata/annotations.yaml @@ -0,0 +1,15 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: ack-acmpca-controller + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: unknown + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/ack-acmpca-controller/1.0.0/tests/scorecard/config.yaml b/operators/ack-acmpca-controller/1.0.0/tests/scorecard/config.yaml new file mode 100644 index 00000000000..382ddefd156 --- /dev/null 
+++ b/operators/ack-acmpca-controller/1.0.0/tests/scorecard/config.yaml @@ -0,0 +1,50 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}
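Review bot: All four scorecard test entries in this hunk pin `quay.io/operator-framework/scorecard-test:v1.7.1` by mutable tag, so the image that runs against the bundle can change without any change to this file; pinning by digest, `image: quay.io/operator-framework/scorecard-test@sha256:<digest>` (digest to be resolved for that tag), keeps the bundle's test tooling reproducible and should be applied to all four entries at once. The bundle metadata added in the same PR records the builder as `operator-sdk-v1.28.0` while the scorecard image here is `v1.7.1`; if that skew is not intentional, the image tag should presumably follow the SDK release used to scaffold the bundle, which is worth confirming with the author.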