---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.17.3
  name: binddnssecpolicies.bind.unkin.net
spec:
  group: bind.unkin.net
  names:
    kind: BindDNSSECPolicy
    listKind: BindDNSSECPolicyList
    plural: binddnssecpolicies
    shortNames:
    - bdp
    singular: binddnssecpolicy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.clusterRef
      name: Cluster
      type: string
    - jsonPath: .spec.algorithm
      name: Algorithm
      type: string
    - jsonPath: .status.zoneCount
      name: Zones
      type: integer
    - jsonPath: .status.ready
      name: Ready
      type: boolean
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: BindDNSSECPolicy is a reusable DNSSEC signing policy.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: |-
              BindDNSSECPolicySpec mirrors a BIND9 dnssec-policy.
              Zones referencing it are signed with inline-signing and automated key management.
            properties:
              algorithm:
                default: ecdsap256sha256
                description: Algorithm for signing. Defaults to ecdsap256sha256.
                type: string
              clusterRef:
                description: ClusterRef names the owning BindCluster.
                type: string
              csk:
                description: CSK, when set, uses a Combined Signing Key instead of split KSK/ZSK.
                properties:
                  algorithm:
                    description: Algorithm overrides the policy algorithm for this key.
                    type: string
                  keySize:
                    description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
                    format: int32
                    type: integer
                  lifetime:
                    description: |-
                      Lifetime is how long the key is used before rollover, e.g. "P30D" or "unlimited".
                      Empty means unlimited.
                    type: string
                type: object
              extraOptions:
                description: ExtraOptions are raw named.conf lines appended inside the policy block.
                items:
                  type: string
                type: array
              ksk:
                description: KSK is the Key Signing Key configuration (ignored when CSK is set).
                properties:
                  algorithm:
                    description: Algorithm overrides the policy algorithm for this key.
                    type: string
                  keySize:
                    description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
                    format: int32
                    type: integer
                  lifetime:
                    description: |-
                      Lifetime is how long the key is used before rollover, e.g. "P30D" or "unlimited".
                      Empty means unlimited.
                    type: string
                type: object
              maxZoneTTL:
                description: MaxZoneTTL, e.g. "P1D".
                type: string
              nsec3:
                description: NSEC3 enables NSEC3 hashing instead of NSEC.
                type: boolean
              policyName:
                description: |-
                  PolicyName is the dnssec-policy name in named.conf.
                  Defaults to the object name.
                type: string
              signaturesValidity:
                description: SignaturesValidity, e.g. "P14D".
                type: string
              zsk:
                description: ZSK is the Zone Signing Key configuration (ignored when CSK is set).
                properties:
                  algorithm:
                    description: Algorithm overrides the policy algorithm for this key.
                    type: string
                  keySize:
                    description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
                    format: int32
                    type: integer
                  lifetime:
                    description: |-
                      Lifetime is how long the key is used before rollover, e.g. "P30D" or "unlimited".
                      Empty means unlimited.
                    type: string
                type: object
            required:
            - clusterRef
            type: object
          status:
            description: BindDNSSECPolicyStatus reports observed policy state.
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              observedGeneration:
                format: int64
                type: integer
              ready:
                type: boolean
              zoneCount:
                description: ZoneCount is the number of zones signed with this policy.
                format: int32
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}