diff --git a/config/prow/cert-manager.yaml b/config/prow/cert-manager.yaml index 98eadac988..c60b851e2f 100644 --- a/config/prow/cert-manager.yaml +++ b/config/prow/cert-manager.yaml @@ -1,5 +1,4 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright YEAR The Jetstack cert-manager contributors. +# Copyright 2022 The cert-manager Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,26300 +12,9339 @@ # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager + +--- +# Source: cert-manager/templates/crds.yaml +# +# START crd apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + name: certificaterequests.cert-manager.io + # START annotations annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + helm.sh/resource-policy: keep + # END annotations labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: certificaterequests.cert-manager.io + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.15.1" spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 group: cert-manager.io names: kind: CertificateRequest listKind: CertificateRequestList plural: certificaterequests shortNames: - - cr - - crs + - cr + - crs singular: certificaterequest + categories: + - cert-manager scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - csr: - description: The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Approved")].status + name: Approved + type: string + - jsonPath: .status.conditions[?(@.type=="Denied")].status + name: Denied + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + type: string + - jsonPath: .spec.username + name: Requestor + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: |- + A CertificateRequest is used to request a signed certificate from one of the + configured issuers. + + + All fields within the CertificateRequest's `spec` are immutable after creation. + A CertificateRequest will either succeed or fail, as denoted by its `Ready` status + condition and its `status.failureTime` field. + + + A CertificateRequest is a one-shot resource, meaning it represents a single + point in time request for a certificate and cannot be re-used. + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Specification of the desired state of the CertificateRequest resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + required: + - issuerRef + - request + properties: + duration: + description: |- + Requested 'duration' (i.e. lifetime) of the Certificate. Note that the + issuer may choose to ignore the requested duration, just like any other + requested attribute. type: string - type: array - required: - - csr - - issuerRef - type: object - status: - description: Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: CertificateRequestCondition contains condition information - for a CertificateRequest. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type + extra: + description: |- + Extra contains extra attributes of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. type: object - type: array - failureTime: - description: FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - csr: - description: The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - csr - - issuerRef - type: object - status: - description: Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: CertificateRequestCondition contains condition information - for a CertificateRequest. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - 'InvalidRequest'). + additionalProperties: + type: array + items: type: string - required: - - status - - type + groups: + description: |- + Groups contains group membership of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: array + items: + type: string + x-kubernetes-list-type: atomic + isCA: + description: |- + Requested basic constraints isCA value. Note that the issuer may choose + to ignore the requested isCA value, just like any other requested attribute. + + + NOTE: If the CSR in the `Request` field has a BasicConstraints extension, + it must have the same isCA value as specified here. + + + If true, this will automatically add the `cert sign` usage to the list + of requested `usages`. + type: boolean + issuerRef: + description: |- + Reference to the issuer responsible for issuing the certificate. + If the issuer is namespace-scoped, it must be in the same namespace + as the Certificate. If the issuer is cluster-scoped, it can be used + from any namespace. + + + The `name` field of the reference must always be specified. type: object - type: array - failureTime: - description: FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - request - type: object - status: - description: Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: CertificateRequestCondition contains condition information - for a CertificateRequest. + required: + - name properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time + group: + description: Group of the resource being referred to. type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. + kind: + description: Kind of the resource being referred to. type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. + name: + description: Name of the resource being referred to. type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate - from one of the configured issuers. \n All fields within the CertificateRequest's - `spec` are immutable after creation. A CertificateRequest will either succeed - or fail, as denoted by its `status.state` field. \n A CertificateRequest - is a 'one-shot' resource, meaning it represents a single point in time request - for a certificate and cannot be re-used." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the CertificateRequest resource. - properties: - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. - type: string - isCA: - description: IsCA will request to mark the certificate as valid for - certificate signing when submitting to the issuer. This will automatically - add the `cert sign` usage to the list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this CertificateRequest. If - the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the CertificateRequest - will be used. If the 'kind' field is set to 'ClusterIssuer', a - ClusterIssuer with the provided name will be used. The 'name' field - in this stanza is required at all times. The group field refers - to the API group of the issuer which defaults to 'cert-manager.io' - if empty. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. + request: + description: |- + The PEM-encoded X.509 certificate signing request to be submitted to the + issuer for signing. + + + If the CSR has a BasicConstraints extension, its isCA attribute must + match the `isCA` value of this CertificateRequest. + If the CSR has a KeyUsage extension, its key usages must match the + key usages in the `usages` field of this CertificateRequest. + If the CSR has a ExtKeyUsage extension, its extended key usages + must match the extended key usages in the `usages` field of this + CertificateRequest. + type: string + format: byte + uid: + description: |- + UID contains the uid of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. + type: string + usages: + description: |- + Requested key usages and extended key usages. + + + NOTE: If the CSR in the `Request` field has uses the KeyUsage or + ExtKeyUsage extension, these extensions must have the same values + as specified here without any additional values. + + + If unset, defaults to `digital signature` and `key encipherment`. + type: array + items: + description: |- + KeyUsage specifies valid usage contexts for keys. + See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" type: string - required: - - name - type: object - request: - description: The PEM-encoded x509 certificate signing request to be - submitted to the CA for signing. - format: byte - type: string - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. If usages are set they SHOULD be encoded inside - the CSR spec Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + username: + description: |- + Username contains the name of the user that created the CertificateRequest. + Populated by the cert-manager webhook on creation and immutable. type: string - type: array - required: - - issuerRef - - request - type: object - status: - description: Status of the CertificateRequest. This is set and managed - automatically. - properties: - ca: - description: The PEM encoded x509 certificate of the signer, also - known as the CA (Certificate Authority). This is set on a best-effort - basis by different issuers. If not set, the CA is assumed to be - unknown/not available. - format: byte - type: string - certificate: - description: The PEM encoded x509 certificate resulting from the certificate - signing request. If not set, the CertificateRequest has either not - been completed or has failed. More information on failure can be - found by checking the `conditions` field. - format: byte - type: string - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready` and `InvalidRequest`. - items: - description: CertificateRequestCondition contains condition information - for a CertificateRequest. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - 'InvalidRequest'). - type: string - required: - - status - - type - type: object - type: array - failureTime: - description: FailureTime stores the time that this CertificateRequest - failed. This is used to influence garbage collection and back-off. - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + status: + description: |- + Status of the CertificateRequest. + This is set and managed automatically. + Read-only. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + properties: + ca: + description: |- + The PEM encoded X.509 certificate of the signer, also known as the CA + (Certificate Authority). + This is set on a best-effort basis by different issuers. + If not set, the CA is assumed to be unknown/not available. + type: string + format: byte + certificate: + description: |- + The PEM encoded X.509 certificate resulting from the certificate + signing request. + If not set, the CertificateRequest has either not been completed or has + failed. More information on failure can be found by checking the + `conditions` field. + type: string + format: byte + conditions: + description: |- + List of status conditions to indicate the status of a CertificateRequest. + Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. + type: array + items: + description: CertificateRequestCondition contains condition information for a CertificateRequest. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + type: string + format: date-time + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: |- + Type of the condition, known values are (`Ready`, `InvalidRequest`, + `Approved`, `Denied`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failureTime: + description: |- + FailureTime stores the time that this CertificateRequest failed. This is + used to influence garbage collection and back-off. + type: string + format: date-time + served: true + storage: true + +# END crd --- +# Source: cert-manager/templates/crds.yaml +# START crd apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + name: certificates.cert-manager.io + # START annotations annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + helm.sh/resource-policy: keep + # END annotations labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: certificates.cert-manager.io + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.15.1" spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 group: cert-manager.io names: kind: Certificate listKind: CertificateList plural: certificates shortNames: - - cert - - certs + - cert + - certs singular: certificate + categories: + - cert-manager scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: - type: string - type: array - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: - type: string - type: array - isCA: - description: IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values are - either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` - is not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - enum: - - rsa - - ecdsa - type: string - keyEncoding: - description: KeyEncoding is the private key cryptography standards - (PKCS) for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will - be used by default. - enum: - - pkcs1 - - pkcs8 - type: string - keySize: - description: KeySize is the key bit size of the corresponding private - key for this certificate. If `keyAlgorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not specified. - No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - keystores: - description: Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: |- + A Certificate resource should be created to ensure an up to date and signed + X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. + + + The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`). + type: object + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Specification of the desired state of the Certificate resource. + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: + description: |- + Defines extra output formats of the private key and signed certificate chain + to be written to this Certificate's target Secret. + + + This is a Beta Feature enabled by default. It can be disabled with the + `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both + the controller and webhook components. + type: array + items: + description: |- + CertificateAdditionalOutputFormat defines an additional output format of a + Certificate resource. These contain supplementary data formats of the signed + certificate chain and paired private key. type: object - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object required: - - create - - passwordSecretRef - type: object - type: object - organization: - description: Organization is a list of organizations to be used on - the Certificate. - items: - type: string - type: array - privateKey: - description: Options to control private keys used for the Certificate. - properties: - rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - type: object - renewBefore: - description: The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on - the Certificate. - items: + - type + properties: + type: + description: |- + Type is the name of the format type that should be written to the + Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM + commonName: + description: |- + Requested common name X509 certificate subject attribute. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + NOTE: TLS clients will ignore this value when any subject alternative name is + set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). + + + Should have a length of 64 characters or fewer to avoid generating invalid CSRs. + Cannot be set if the `literalSubject` field is set. type: string - type: array - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc + dnsNames: + description: Requested DNS subject alternative names. + type: array + items: + type: string + duration: + description: |- + Requested 'duration' (i.e. lifetime) of the Certificate. Note that the + issuer may choose to ignore the requested duration, just like any other + requested attribute. + + + If unset, this defaults to 90 days. + Minimum accepted duration is 1 hour. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: CertificateCondition contains condition information - for an Certificate. + emailAddresses: + description: Requested email subject alternative names. + type: array + items: + type: string + encodeUsagesInRequest: + description: |- + Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. + + + This option defaults to true, and should only be disabled if the target + issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions. + type: boolean + ipAddresses: + description: Requested IP address subject alternative names. + type: array + items: + type: string + isCA: + description: |- + Requested basic constraints isCA value. + The isCA value is used to set the `isCA` field on the created CertificateRequest + resources. Note that the issuer may choose to ignore the requested isCA value, just + like any other requested attribute. + + + If true, this will automatically add the `cert sign` usage to the list + of requested `usages`. + type: boolean + issuerRef: + description: |- + Reference to the issuer responsible for issuing the certificate. + If the issuer is namespace-scoped, it must be in the same namespace + as the Certificate. If the issuer is cluster-scoped, it can be used + from any namespace. + + + The `name` field of the reference must always be specified. + type: object + required: + - name properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time + group: + description: Group of the resource being referred to. type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. + kind: + description: Kind of the resource being referred to. type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. + name: + description: Name of the resource being referred to. type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type + keystores: + description: Additional keystore output formats to be stored in the Certificate's Secret. type: object - type: array - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: - type: string - type: array - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: + properties: + jks: + description: |- + JKS configures options for storing a JKS keystore in the + `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + alias: + description: |- + Alias specifies the alias of the key in the keystore, required by the JKS format. + If not provided, the default alias `certificate` will be used. + type: string + create: + description: |- + Create enables JKS keystore creation for the Certificate. + If true, a file named `keystore.jks` will be created in the target + Secret resource, encrypted using the password stored in + `passwordSecretRef`. + The keystore file will be updated immediately. + If the issuer provided a CA certificate, a file named `truststore.jks` + will also be created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef` + containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: |- + PasswordSecretRef is a reference to a key in a Secret resource + containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + pkcs12: + description: |- + PKCS12 configures options for storing a PKCS12 keystore in the + `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: |- + Create enables PKCS12 keystore creation for the Certificate. + If true, a file named `keystore.p12` will be created in the target + Secret resource, encrypted using the password stored in + `passwordSecretRef`. + The keystore file will be updated immediately. + If the issuer provided a CA certificate, a file named `truststore.p12` will + also be created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef` containing the issuing Certificate + Authority + type: boolean + passwordSecretRef: + description: |- + PasswordSecretRef is a reference to a key in a Secret resource + containing the password used to encrypt the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + profile: + description: |- + Profile specifies the key and certificate encryption algorithms and the HMAC algorithm + used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. + + + If provided, allowed values are: + `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. + `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. + `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms + (eg. because of company policy). Please note that the security of the algorithm is not that important + in reality, because the unencrypted certificate and private key are also stored in the Secret. + type: string + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 + literalSubject: + description: |- + Requested X.509 certificate subject, represented using the LDAP "String + Representation of a Distinguished Name" [1]. + Important: the LDAP string format also specifies the order of the attributes + in the subject, this is important when issuing certs for LDAP authentication. + Example: `CN=foo,DC=corp,DC=example,DC=com` + More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 + More info: https://github.com/cert-manager/cert-manager/issues/3203 + More info: https://github.com/cert-manager/cert-manager/issues/4424 + + + Cannot be set if the `subject` or `commonName` field is set. type: string - type: array - isCA: - description: IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keyAlgorithm: - description: KeyAlgorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values are - either "rsa" or "ecdsa" If `keyAlgorithm` is specified and `keySize` - is not provided, key size of 256 will be used for "ecdsa" key algorithm - and key size of 2048 will be used for "rsa" key algorithm. - enum: - - rsa - - ecdsa - type: string - keyEncoding: - description: KeyEncoding is the private key cryptography standards - (PKCS) for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, - respectively. If KeyEncoding is not specified, then PKCS#1 will - be used by default. - enum: - - pkcs1 - - pkcs8 - type: string - keySize: - description: KeySize is the key bit size of the corresponding private - key for this certificate. If `keyAlgorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `keyAlgorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not specified. - No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - keystores: - description: Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef + nameConstraints: + description: |- + x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. + More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + + + This is an Alpha Feature and is only enabled with the + `--feature-gates=NameConstraints=true` option set on both + the controller and webhook components. + type: object + properties: + critical: + description: if true then the name constraints are marked critical. + type: boolean + excluded: + description: |- + Excluded contains the constraints which must be disallowed. Any name matching a + restriction in the excluded field is invalid regardless + of information appearing in the permitted + type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: |- + IPRanges is a list of IP Ranges that are permitted or excluded. + This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + permitted: + description: Permitted contains the constraints in which the names must be located. + type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: |- + IPRanges is a list of IP Ranges that are permitted or excluded. + This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + otherNames: + description: |- + `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 + Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. + Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 + You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this. + type: array + items: type: object - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. properties: - create: - description: Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - type: object - renewBefore: - description: The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: CertificateCondition contains condition information - for an Certificate. + oid: + description: |- + OID is the object identifier for the otherName SAN. + The object identifier must be expressed as a dotted string, for + example, "1.2.840.113556.1.4.221". + type: string + utf8Value: + description: |- + utf8Value is the string value of the otherName SAN. + The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. + type: string + privateKey: + description: |- + Private key options. These include the key algorithm and size, the used + encoding and the rotation policy. + type: object properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. + algorithm: + description: |- + Algorithm is the private key algorithm of the corresponding private key + for this certificate. + + + If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. + If `algorithm` is specified and `size` is not provided, + key size of 2048 will be used for `RSA` key algorithm and + key size of 256 will be used for `ECDSA` key algorithm. + key size is ignored when using the `Ed25519` key algorithm. type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). enum: - - "True" - - "False" - - Unknown + - RSA + - ECDSA + - Ed25519 + encoding: + description: |- + The private key cryptography standards (PKCS) encoding for this + certificate's private key to be encoded in. + + + If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 + and PKCS#8, respectively. + Defaults to `PKCS1` if not specified. type: string - type: - description: Type of the condition, known values are ('Ready', - `Issuing`). + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: |- + RotationPolicy controls how private keys should be regenerated when a + re-issuance is being processed. + + + If set to `Never`, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists but it + does not have the correct algorithm or size, a warning will be raised + to await user intervention. + If set to `Always`, a private key matching the specified requirements + will be generated whenever a re-issuance occurs. + Default is `Never` for backward compatibility. type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailSANs: - description: EmailSANs is a list of email subjectAltNames to be set - on the Certificate. - items: + enum: + - Never + - Always + size: + description: |- + Size is the key bit size of the corresponding private key for this certificate. + + + If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, + and will default to `2048` if not specified. + If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, + and will default to `256` if not specified. + If `algorithm` is set to `Ed25519`, Size is ignored. + No other values are allowed. + type: integer + renewBefore: + description: |- + How long before the currently issued certificate's expiry cert-manager should + renew the certificate. For example, if a certificate is valid for 60 minutes, + and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate + 50 minutes after it was issued (i.e. when there are 10 minutes remaining until + the certificate is no longer valid). + + + NOTE: The actual lifetime of the issued certificate is used to determine the + renewal time. If an issuer returns a certificate with a different lifetime than + the one requested, cert-manager will use the lifetime of the issued certificate. + + + If unset, this defaults to 1/3 of the issued certificate's lifetime. + Minimum accepted value is 5 minutes. + Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. type: string - type: array - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: + revisionHistoryLimit: + description: |- + The maximum number of CertificateRequest revisions that are maintained in + the Certificate's history. Each revision represents a single `CertificateRequest` + created by this Certificate, either when it was created, renewed, or Spec + was changed. Revisions will be removed by oldest first if the number of + revisions exceeds this number. + + + If set, revisionHistoryLimit must be a value of `1` or greater. + If unset (`nil`), revisions will not be garbage collected. + Default value is `nil`. + type: integer + format: int32 + secretName: + description: |- + Name of the Secret resource that will be automatically created and + managed by this Certificate resource. It will be populated with a + private key and certificate, signed by the denoted issuer. The Secret + resource lives in the same namespace as the Certificate resource. type: string - type: array - isCA: - description: IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. + secretTemplate: + description: |- + Defines annotations and labels to be copied to the Certificate's Secret. + Labels and annotations on the Secret will be changed as they appear on the + SecretTemplate when added or removed. SecretTemplate annotations are added + in conjunction with, and cannot overwrite, the base set of annotations + cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: |- + Requested set of X509 certificate subject attributes. + More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + + + The common name attribute is specified separately in the `commonName` field. + Cannot be set if the `literalSubject` field is set. + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: Requested URI subject alternative names. + type: array + items: + type: string + usages: + description: |- + Requested key usages and extended key usages. + These usages are used to set the `usages` field on the created CertificateRequest + resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages + will additionally be encoded in the `request` field which contains the CSR blob. + + + If unset, defaults to `digital signature` and `key encipherment`. + type: array + items: + description: |- + KeyUsage specifies valid usage contexts for keys. + See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + + + Valid KeyUsage values are as follows: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" type: string - required: - - name - type: object - keystores: - description: Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: |- + Status of the Certificate. + This is set and managed automatically. + Read-only. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + properties: + conditions: + description: |- + List of status conditions to indicate the status of certificates. + Known condition types are `Ready` and `Issuing`. + type: array + items: + description: CertificateCondition contains condition information for an Certificate. type: object - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either "rsa" or "ecdsa" If `algorithm` is specified and - `size` is not provided, key size of 256 will be used for "ecdsa" - key algorithm and key size of 2048 will be used for "rsa" key - algorithm. - enum: - - RSA - - ECDSA - type: string - encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and - PKCS#8, respectively. Defaults to PKCS#1 if not specified. - enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - type: object - renewBefore: - description: The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uriSANs: - description: URISANs is a list of URI subjectAltNames to be set on - the Certificate. - items: - type: string - type: array - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to - date and signed x509 certificate is stored in the Kubernetes Secret resource - named in `spec.secretName`. \n The stored certificate will be renewed before - it expires (as configured by `spec.renewBefore`)." - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Certificate resource. - properties: - commonName: - description: 'CommonName is a common name to be used on the Certificate. - The CommonName should have a length of 64 characters or fewer to - avoid generating invalid CSRs. This value is ignored by TLS clients - when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' - type: string - dnsNames: - description: DNSNames is a list of DNS subjectAltNames to be set on - the Certificate. - items: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + type: string + format: date-time + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Certificate. + type: integer + format: int64 + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: |- + The number of continuous failed issuance attempts up till now. This + field gets removed (if set) on a successful issuance and gets set to + 1 if unset and an issuance has failed. If an issuance has failed, the + delay till the next issuance will be calculated using formula + time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: |- + LastFailureTime is set only if the lastest issuance for this + Certificate failed and contains the time of the failure. If an + issuance has failed, the delay till the next issuance will be + calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - + 1). If the latest issuance has succeeded this field will be unset. type: string - type: array - duration: - description: The requested 'duration' (i.e. lifetime) of the Certificate. - This option may be ignored/overridden by some issuer types. If overridden - and `renewBefore` is greater than the actual certificate duration, - the certificate will be automatically renewed 2/3rds of the way - through the certificate's duration. - type: string - emailAddresses: - description: EmailAddresses is a list of email subjectAltNames to - be set on the Certificate. - items: + format: date-time + nextPrivateKeySecretName: + description: |- + The name of the Secret resource containing the private key to be used + for the next certificate iteration. + The keymanager controller will automatically set this field if the + `Issuing` condition is set to `True`. + It will automatically unset this field when the Issuing condition is + not set or False. type: string - type: array - ipAddresses: - description: IPAddresses is a list of IP address subjectAltNames to - be set on the Certificate. - items: + notAfter: + description: |- + The expiration time of the certificate stored in the secret named + by this resource in `spec.secretName`. type: string - type: array - isCA: - description: IsCA will mark this Certificate as valid for certificate - signing. This will automatically add the `cert sign` usage to the - list of `usages`. - type: boolean - issuerRef: - description: IssuerRef is a reference to the issuer for this certificate. - If the 'kind' field is not set, or set to 'Issuer', an Issuer resource - with the given name in the same namespace as the Certificate will - be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer - with the provided name will be used. The 'name' field in this stanza - is required at all times. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - keystores: - description: Keystores configures additional keystore output formats - stored in the `secretName` Secret resource. - properties: - jks: - description: JKS configures options for storing a JKS keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables JKS keystore creation for the - Certificate. If true, a file named `keystore.jks` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the JKS keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore - in the `spec.secretName` Secret resource. - properties: - create: - description: Create enables PKCS12 keystore creation for the - Certificate. If true, a file named `keystore.p12` will be - created in the target Secret resource, encrypted using the - password stored in `passwordSecretRef`. The keystore file - will only be updated upon re-issuance. - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in - a Secret resource containing the password used to encrypt - the PKCS12 keystore. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - create - - passwordSecretRef - type: object - type: object - privateKey: - description: Options to control private keys used for the Certificate. - properties: - algorithm: - description: Algorithm is the private key algorithm of the corresponding - private key for this certificate. If provided, allowed values - are either "rsa" or "ecdsa" If `algorithm` is specified and - `size` is not provided, key size of 256 will be used for "ecdsa" - key algorithm and key size of 2048 will be used for "rsa" key - algorithm. - enum: - - RSA - - ECDSA - type: string - encoding: - description: The private key cryptography standards (PKCS) encoding - for this certificate's private key to be encoded in. If provided, - allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and - PKCS#8, respectively. Defaults to PKCS#1 if not specified. - enum: - - PKCS1 - - PKCS8 - type: string - rotationPolicy: - description: RotationPolicy controls how private keys should be - regenerated when a re-issuance is being processed. If set to - Never, a private key will only be generated if one does not - already exist in the target `spec.secretName`. If one does exists - but it does not have the correct algorithm or size, a warning - will be raised to await user intervention. If set to Always, - a private key matching the specified requirements will be generated - whenever a re-issuance occurs. Default is 'Never' for backward - compatibility. - type: string - size: - description: Size is the key bit size of the corresponding private - key for this certificate. If `algorithm` is set to `RSA`, valid - values are `2048`, `4096` or `8192`, and will default to `2048` - if not specified. If `algorithm` is set to `ECDSA`, valid values - are `256`, `384` or `521`, and will default to `256` if not - specified. No other values are allowed. - maximum: 8192 - minimum: 0 - type: integer - type: object - renewBefore: - description: The amount of time before the currently issued certificate's - `notAfter` time that cert-manager will begin to attempt to renew - the certificate. If this value is greater than the total duration - of the certificate (i.e. notAfter - notBefore), it will be automatically - renewed 2/3rds of the way through the certificate's duration. - type: string - secretName: - description: SecretName is the name of the secret resource that will - be automatically created and managed by this Certificate resource. - It will be populated with a private key and certificate, signed - by the denoted issuer. - type: string - subject: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - properties: - countries: - description: Countries to be used on the Certificate. - items: - type: string - type: array - localities: - description: Cities to be used on the Certificate. - items: - type: string - type: array - organizationalUnits: - description: Organizational Units to be used on the Certificate. - items: - type: string - type: array - organizations: - description: Organizations to be used on the Certificate. - items: - type: string - type: array - postalCodes: - description: Postal codes to be used on the Certificate. - items: - type: string - type: array - provinces: - description: State/Provinces to be used on the Certificate. - items: - type: string - type: array - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - items: - type: string - type: array - type: object - uris: - description: URIs is a list of URI subjectAltNames to be set on the - Certificate. - items: + format: date-time + notBefore: + description: |- + The time after which the certificate stored in the secret named + by this resource in `spec.secretName` is valid. type: string - type: array - usages: - description: Usages is the set of x509 usages that are requested for - the certificate. Defaults to `digital signature` and `key encipherment` - if not specified. - items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", "email - protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec - user", "timestamping", "ocsp signing", "microsoft sgc", "netscape - sgc"' - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc + format: date-time + renewalTime: + description: |- + RenewalTime is the time at which the certificate will be next + renewed. + If not set, no upcoming renewal is scheduled. type: string - type: array - required: - - issuerRef - - secretName - type: object - status: - description: Status of the Certificate. This is set and managed automatically. - properties: - conditions: - description: List of status conditions to indicate the status of certificates. - Known condition types are `Ready` and `Issuing`. - items: - description: CertificateCondition contains condition information - for an Certificate. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready', - `Issuing`). - type: string - required: - - status - - type - type: object - type: array - lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. - format: date-time - type: string - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private - key to be used for the next certificate iteration. The keymanager - controller will automatically set this field if the `Issuing` condition - is set to `True`. It will automatically unset this field when the - Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the - secret named by this resource in `spec.secretName`. - format: date-time - type: string - notBefore: - description: The time after which the certificate stored in the secret - named by this resource in spec.secretName is valid. - format: date-time - type: string - renewalTime: - description: RenewalTime is the time at which the certificate will - be next renewed. If not set, no upcoming renewal is scheduled. - format: date-time - type: string - revision: - description: "The current 'revision' of the certificate as issued. - \n When a CertificateRequest resource is created, it will have the - `cert-manager.io/certificate-revision` set to one greater than the - current value of this field. \n Upon issuance, this field will be - set to the value of the annotation on the CertificateRequest resource - used to issue the certificate. \n Persisting the value on the CertificateRequest - resource allows the certificates controller to know whether a request - is part of an old issuance or if it is part of the ongoing revision's - issuance by checking if the revision value in the annotation is - greater than this field." - type: integer - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + format: date-time + revision: + description: |- + The current 'revision' of the certificate as issued. + + + When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. + + + Upon issuance, this field will be set to the value of the annotation + on the CertificateRequest resource used to issue the certificate. + + + Persisting the value on the CertificateRequest resource allows the + certificates controller to know whether a request is part of an old + issuance or if it is part of the ongoing revision's issuance by + checking if the revision value in the annotation is greater than this + field. + type: integer + served: true + storage: true + +# END crd --- +# Source: cert-manager/templates/crds.yaml +# START crd apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + name: challenges.acme.cert-manager.io + # START annotations annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + helm.sh/resource-policy: keep + # END annotations labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: challenges.acme.cert-manager.io + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.15.1" spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 group: acme.cert-manager.io names: kind: Challenge listKind: ChallengeList plural: challenges singular: challenge + categories: + - cert-manager + - cert-manager-acme scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - dnsName: - description: DNSName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Challenge. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Challenge will - be marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: 'Key is the ACME challenge key for this challenge For - HTTP01 challenges, this is the value that must be responded with - to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, - this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content.' - type: string - solver: - description: Solver contains the domain solving configuration that - should be used to solve this challenge resource. - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions.' - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node - selector terms. The terms are ORed. - items: - description: A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node''s labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: Token is the ACME challenge token for this challenge. - This is the raw value returned from the ACME server. - type: string - type: - description: Type is the type of ACME challenge this resource represents. - One of "http-01" or "dns-01". - enum: - - http-01 - - dns-01 - type: string - url: - description: URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: Presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should - be processed or not. This field will only be set to true by the - 'scheduling' component. It will only be set to false by the 'challenges' - controller, after the challenge has reached a final state or timed - out. If this field is set to false, the challenge controller will - not take any more action. - type: boolean - reason: - description: Reason contains human readable information on why the - Challenge is in the current state. - type: string - state: - description: State contains the current 'state' of the challenge. - If not set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - authzURL: - description: AuthzURL is the URL to the ACME Authorization resource - that this challenge is a part of. - type: string - dnsName: - description: DNSName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Challenge. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Challenge will - be marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: 'Key is the ACME challenge key for this challenge For - HTTP01 challenges, this is the value that must be responded with - to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, - this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content.' - type: string - solver: - description: Solver contains the domain solving configuration that - should be used to solve this challenge resource. - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions.' - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node - selector terms. The terms are ORed. - items: - description: A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node''s labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: Token is the ACME challenge token for this challenge. - This is the raw value returned from the ACME server. - type: string - type: - description: Type is the type of ACME challenge this resource represents. - One of "http-01" or "dns-01". - enum: - - http-01 - - dns-01 - type: string - url: - description: URL is the URL of the ACME Challenge resource for this - challenge. This can be used to lookup details about the status of - this challenge. - type: string - wildcard: - description: Wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authzURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: Presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Processing is used to denote whether this challenge should - be processed or not. This field will only be set to true by the - 'scheduling' component. It will only be set to false by the 'challenges' - controller, after the challenge has reached a final state or timed - out. If this field is set to false, the challenge controller will - not take any more action. - type: boolean - reason: - description: Reason contains human readable information on why the - Challenge is in the current state. - type: string - state: - description: State contains the current 'state' of the challenge. - If not set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this - challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which - should be used to create this Challenge. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: 'The ACME challenge key for this challenge For HTTP01 - challenges, this is the value that must be responded with to complete - the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is - the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content.' - type: string - solver: - description: Contains the domain solving configuration that should - be used to solve this challenge resource. - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions.' - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node - selector terms. The terms are ORed. - items: - description: A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node''s labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: The ACME challenge token for this challenge. This is - the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. - One of "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed - or not. This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge - is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not - set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an - ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this - challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, - e.g. example.com. If the requested DNSName is a 'wildcard', this - field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, - it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which - should be used to create this Challenge. If the Issuer does not - exist, processing will be retried. If the Issuer is not an 'ACME' - Issuer, an error will be returned and the Challenge will be marked - as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - key: - description: 'The ACME challenge key for this challenge For HTTP01 - challenges, this is the value that must be responded with to complete - the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is - the base64 encoded SHA256 sum of the `.` text that must be set as the TXT - record content.' - type: string - solver: - description: Contains the domain solving configuration that should - be used to solve this challenge resource. - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations - by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API to manage - DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 - challenge records. - properties: - clientID: - description: if both this and ClientSecret are left unset - MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset - MSI will be used - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 - challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field that - tells cert-manager in which Cloud DNS zone the challenge - record has to be created. If left empty cert-manager - will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge - records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. - Note: using an API token to authenticate is now the - recommended method as it allows greater control of permissions.' - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required when - using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider - should handle CNAME records when found in DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 - challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a - Secret resource. In some instances, `key` is a required - field. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name - System") (https://datatracker.ietf.org/doc/rfc2136/) to - manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed in - square brackets (e.g [2001:db8::1]) ; port is optional. - This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS - supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values are - (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, - ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. - If ``tsigSecretSecretRef`` is defined, this field is - required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG - value. If ``tsigKeyName`` is defined, this field is - required. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 challenge - records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only this - zone in Route53 and will not do an lookup using the - route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider - will assume using either the explicit credentials AccessKeyID/SecretAccessKey - or the inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared credentials - file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 challenge - solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should be passed - to the webhook apiserver when challenges are processed. - This can contain arbitrary JSON data. Secret values - should not be specified in this stanza. If secret values - are needed (e.g. credentials for a DNS service), you - should use a SecretKeySelector to reference a Secret - resource. For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when - POSTing ChallengePayload resources to the webhook apiserver. - This should be the same as the GroupName specified in - the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will typically - be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete authorizations - by performing the HTTP01 challenge flow. It is not possible - to obtain certificates for wildcard domain names (e.g. `*.example.com`) - using the HTTP01 challenge mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver will - solve challenges by creating or modifying Ingress resources - in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by cert-manager - for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating Ingress - resources to solve ACME challenges that use this challenge - solver. Only one of 'class' or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the 'labels' - and 'annotations' fields may be set. If labels or - annotations overlap with in-built values, the values - here will override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the created ACME HTTP01 solver ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that should - have ACME challenge solving routes inserted into it - in order to solve HTTP01 challenges. This is typically - used in conjunction with ingress controllers like ingress-gce, - which maintains a 1:1 mapping between external IPs and - ingress resources. - type: string - podTemplate: - description: Optional pod template used to configure the - ACME challenge solver pods used for HTTP01 challenges - properties: - metadata: - description: ObjectMeta overrides for the pod used - to solve HTTP01 challenges. Only the 'labels' and - 'annotations' fields may be set. If labels or annotations - overlap with in-built values, the values here will - override the in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be added - to the create ACME HTTP01 solver pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added to the - created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling - rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node matches the corresponding - matchExpressions; the node(s) with the - highest sum are the most preferred. - items: - description: An empty preferred scheduling - term matches all objects with implicit - weight 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, - associated with the corresponding - weight. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with - matching the corresponding nodeSelectorTerm, - in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to an update), - the system may or may not try to eventually - evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node - selector terms. The terms are ORed. - items: - description: A null or empty node - selector term matches no objects. - The requirements of them are ANDed. - The TopologySelectorTerm type - implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node - selector requirements by node's - labels. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node - selector requirements by node's - fields. - items: - description: A node selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: The label - key that the selector - applies to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An array - of string values. If - the operator is In or - NotIn, the values array - must be non-empty. If - the operator is Exists - or DoesNotExist, the - values array must be - empty. If the operator - is Gt or Lt, the values - array must have a single - element, which will - be interpreted as an - integer. This array - is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling - rules (e.g. co-locate this pod in the same - node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the affinity expressions specified by - this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the - same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer - to schedule pods to nodes that satisfy - the anti-affinity expressions specified - by this field, but it may choose a node - that violates one or more of the expressions. - The node that is most preferred is the - one with the greatest sum of weights, - i.e. for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by - iterating through the elements of this - field and adding "weight" to the sum - if the node has pods which matches the - corresponding podAffinityTerm; the node(s) - with the highest sum are the most preferred. - items: - description: The weights of all of the - matched WeightedPodAffinityTerm fields - are added per-node to find the most - preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity - term, associated with the corresponding - weight. - properties: - labelSelector: - description: A label query over - a set of resources, in this - case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, - a key, and an operator - that relates the key - and values. - properties: - key: - description: key is - the label key that - the selector applies - to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values - is an array of string - values. If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. This - array is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an element - of matchExpressions, whose - key field is "key", the - operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) or - not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on a - node whose value of the label - with key topologyKey matches - that of any node on which - any of the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with - matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements - specified by this field are not met - at scheduling time, the pod will not - be scheduled onto the node. If the anti-affinity - requirements specified by this field - cease to be met at some point during - pod execution (e.g. due to a pod label - update), the system may or may not try - to eventually evict the pod from its - node. When there are multiple elements, - the lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely - those matching the labelSelector relative - to the given namespace(s)) that this - pod should be co-located (affinity) - or not co-located (anti-affinity) - with, where co-located is defined - as running on a node whose value of - the label with key matches - that of any node on which a pod of - the set of pods is running - properties: - labelSelector: - description: A label query over - a set of resources, in this case - pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label selector - requirement is a selector - that contains values, a - key, and an operator that - relates the key and values. - properties: - key: - description: key is the - label key that the selector - applies to. - type: string - operator: - description: operator - represents a key's relationship - to a set of values. - Valid operators are - In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is - an array of string values. - If the operator is In - or NotIn, the values - array must be non-empty. - If the operator is Exists - or DoesNotExist, the - values array must be - empty. This array is - replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is - a map of {key,value} pairs. - A single {key,value} in the - matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", - the operator is "In", and - the values array contains - only "value". The requirements - are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means "this - pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be - co-located (affinity) or not co-located - (anti-affinity) with the pods - matching the labelSelector in - the specified namespaces, where - co-located is defined as running - on a node whose value of the label - with key topologyKey matches that - of any node on which any of the - selected pods is running. Empty - topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which - must be true for the pod to fit on a node. Selector - which must match a node''s labels for the pod - to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached - to tolerates any taint that matches the triple - using the matching operator - . - properties: - effect: - description: Effect indicates the taint - effect to match. Empty means match all - taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the - toleration applies to. Empty means match - all taint keys. If the key is empty, operator - must be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a key's - relationship to the value. Valid operators - are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration (which - must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. - By default, it is not set, which means - tolerate the taint forever (do not evict). - Zero and negative values will be treated - as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the - toleration matches to. If the operator - is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes solver - service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver has - a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will be used - to solve. If specified and a match is found, a dnsNames - selector will take precedence over a dnsZones selector. - If multiple solvers match with the same dnsNames value, - the solver with the most matching labels in matchLabels - will be selected. If neither has more matches, the solver - defined earlier in the list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will be used - to solve. The most specific DNS zone match specified here - will take precedence over other DNS zone matches, so a solver - specifying sys.example.com will be selected over one specifying - example.com for the domain www.sys.example.com. If multiple - solvers match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine the set - of certificate's that this challenge solver will apply to. - type: object - type: object - type: object - token: - description: The ACME challenge token for this challenge. This is - the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. - One of "HTTP-01" or "DNS-01". - enum: - - HTTP-01 - - DNS-01 - type: string - url: - description: The URL of the ACME Challenge resource for this challenge. - This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard - identifier, for example '*.example.com'. - type: boolean - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - type: object - status: - properties: - presented: - description: presented will be set to true if the challenge values - for this challenge are currently 'presented'. This *does not* imply - the self check is passing. Only that the values have been 'submitted' - for the appropriate challenge mechanism (i.e. the DNS01 TXT record - has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed - or not. This field will only be set to true by the 'scheduling' - component. It will only be set to false by the 'challenges' controller, - after the challenge has reached a final state or timed out. If this - field is set to false, the challenge controller will not take any - more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge - is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not - set, the state of the challenge is unknown. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: clusterissuers.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which - can be referenced as part of `issuerRef` fields. It is similar to an Issuer, - however it is cluster-scoped and therefore can be referenced by resources - that exist in *any* namespace, not just the same namespace as the referent. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca - labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: issuers.cert-manager.io -spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. - properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - clouddns: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object - type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. - properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + type: object + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + properties: + authorizationURL: + description: |- + The URL to the ACME Authorization resource that this + challenge is a part of. + type: string + dnsName: + description: |- + dnsName is the identifier that this challenge is for, e.g. example.com. + If the requested DNSName is a 'wildcard', this field MUST be set to the + non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + type: string + issuerRef: + description: |- + References a properly configured ACME-type Issuer which should + be used to create this Challenge. + If the Issuer does not exist, processing will be retried. + If the Issuer is not an 'ACME' Issuer, an error will be returned and the + Challenge will be marked as failed. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + key: + description: |- + The ACME challenge key for this challenge + For HTTP01 challenges, this is the value that must be responded with to + complete the HTTP01 challenge in the format: + `.`. + For DNS01 challenges, this is the base64 encoded SHA256 sum of the + `.` + text that must be set as the TXT record content. + type: string + solver: + description: |- + Contains the domain solving configuration that should be used to + solve this challenge resource. + type: object + properties: + dns01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: |- + Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage + DNS01 challenge records. type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. + required: + - accountSecretRef + - host properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. + accountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. - properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain properties: - acmedns: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. + accessTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientSecretSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object required: - - accountSecretRef - - host + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. + required: + - name properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: |- + Auth: Azure Service Principal: + The ClientID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientSecret and TenantID must also be set. + type: string + clientSecretSecretRef: + description: |- + Auth: Azure Service Principal: + A reference to a Secret containing the password associated with the Service Principal. + If set, ClientID and TenantID must also be set. + type: object required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: |- + Auth: Azure Workload Identity or Azure Managed Service Identity: + Settings to enable Azure Workload Identity or Azure Managed Service Identity + If set, ClientID, ClientSecret and TenantID must not be set. type: object - azuredns: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. properties: clientID: - description: if both this and ClientSecret are left - unset MSI will be used + description: client ID of the managed identity, can not be used at the same time as resourceID type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud + resourceID: + description: |- + resource ID of the managed identity, can not be used at the same time as clientID + Cannot be used for Azure Managed Service Identity type: string - hostedZoneName: + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: |- + Auth: Azure Service Principal: + The TenantID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientID and ClientSecret must also be set. + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: |- + HostedZoneName is an optional field that tells cert-manager in which + Cloud DNS zone the challenge record has to be created. + If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - resourceGroupName: + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - subscriptionID: + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: |- + API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the recommended method + as it allows greater control of permissions. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - required: - - resourceGroupName - - subscriptionID + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. type: object - clouddns: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. + required: + - name properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - project: + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: |- + CNAMEStrategy configures how the DNS01 provider should handle CNAME + records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. + required: + - name properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + rfc2136: + description: |- + Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: |- + The IP address or hostname of an authoritative DNS server supporting + RFC2136 in the form host:port. If the host is an IPv6 address it must be + enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef + tsigAlgorithm: + description: |- + The TSIG Algorithm configured in the DNS supporting RFC2136. Used only + when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + Supported values are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + type: string + tsigKeyName: + description: |- + The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: |- + The name of the secret containing the TSIG value. + If ``tsigKeyName`` is defined, this field is required. type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. + required: + - name properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: |- + The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: string + accessKeyIDSecretRef: + description: |- + The SecretAccessKey is used for authentication. If set, pull the AWS + access key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. + required: + - name properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object + auth: + description: Auth configures how cert-manager authenticates. + type: object required: - - region + - kubernetes + properties: + kubernetes: + description: |- + Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity + by passing a bound ServiceAccount token. + type: object + required: + - serviceAccountRef + properties: + serviceAccountRef: + description: |- + A reference to a service account that will be used to request a bound + token (also known as "projected token"). To use this field, you must + configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + audiences: + description: |- + TokenAudiences is an optional list of audiences to include in the + token passed to AWS. The default token consisting of the issuer's namespace + and name is always included. + If unset the audience defaults to `sts.amazonaws.com`. + type: array + items: + type: string + name: + description: Name of the ServiceAccount used to request a token. + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: |- + Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: |- + The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. + required: + - name properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - required: - - groupName - - solverName + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + webhook: + description: |- + Configure an external webhook based DNS01 challenge solver to manage + DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: |- + Additional configuration that should be passed to the webhook apiserver + when challenges are processed. + This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: |- + The API group name that should be used when POSTing ChallengePayload + resources to the webhook apiserver. + This should be the same as the GroupName specified in the webhook + provider implementation. + type: string + solverName: + description: |- + The name of the solver to use, as defined in the webhook provider + implementation. + This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard domain names + (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: |- + The Gateway API is a sig-network community API that models service networking + in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will + create HTTPRoutes with the specified labels in the same namespace as the challenge. + This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: |- + Custom labels that will be applied to HTTPRoutes created by cert-manager + while solving HTTP-01 challenges. type: object + additionalProperties: + type: string + parentRefs: + description: |- + When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. + cert-manager needs to know which parentRefs should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + type: array + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + type: object + required: + - name + properties: + group: + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: |- + Name is the name of the referent. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + Support: Core + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: |- + The ingress based HTTP01 challenge solver will solve challenges by + creating or modifying Ingress resources in order to route requests for + '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are + provisioned by cert-manager for each Challenge to be completed. type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. + class: + description: |- + This field configures the annotation `kubernetes.io/ingress.class` when + creating Ingress resources to solve ACME challenges that use this + challenge solver. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + ingressClassName: + description: |- + This field configures the field `ingressClassName` on the created Ingress + resources used to solve ACME challenges that use this challenge solver. + This is the recommended way of configuring the ingress class. Only one of + `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: |- + Optional ingress template used to configure the ACME challenge solver + ingress used for HTTP01 challenges. + type: object properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges + metadata: + description: |- + ObjectMeta overrides for the ingress used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. + type: object properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. type: object + additionalProperties: + type: string + name: + description: |- + The name of the ingress resource that should have ACME challenge solving + routes inserted into it in order to solve HTTP01 challenges. + This is typically used in conjunction with ingress controllers like + ingress-gce, which maintains a 1:1 mapping between external IPs and + ingress resources. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + podTemplate: + description: |- + Optional pod template used to configure the ACME challenge solver pods + used for HTTP01 challenges. + type: object + properties: + metadata: + description: |- + ObjectMeta overrides for the pod used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: |- + PodSpec defines overrides for the HTTP01 challenge solver pod. + Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. + All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. properties: - affinity: - description: If specified, the pod's scheduling - constraints + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object properties: matchExpressions: - description: A list of - node selector requirements - by node's labels. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator properties: key: - description: The - label key that - the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array items: type: string - type: array - required: - - key - - operator - type: object + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. type: array - matchFields: - description: A list of - node selector requirements - by node's fields. items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator properties: key: - description: The - label key that - the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array items: type: string - type: array - required: - - key - - operator - type: object - type: array + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + x-kubernetes-list-type: atomic + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running + required: + - topologyKey properties: labelSelector: - description: A label query - over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object properties: matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator properties: key: - description: key - is the label key - that the selector - applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array items: type: string - type: array - required: - - key - - operator - type: object - type: array + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object additionalProperties: type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array items: type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator properties: key: - description: key - is the label key - that the selector - applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array items: type: string - type: array - required: - - key - - operator - type: object - type: array + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object additionalProperties: type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array items: type: string - type: array + x-kubernetes-list-type: atomic topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string - required: - - topologyKey + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. type: object - type: array - type: object - type: object - nodeSelector: - additionalProperties: + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + x-kubernetes-list-type: atomic + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + type: object + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string - type: object - type: array + default: "" + x-kubernetes-map-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: |- + Selector selects a set of DNSNames on the Certificate resource that + should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' solver + with the lowest priority, i.e. if any other solver has a more specific + match, it will be used instead. + type: object + properties: + dnsNames: + description: |- + List of DNSNames that this solver will be used to solve. + If specified and a match is found, a dnsNames selector will take + precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + dnsZones: + description: |- + List of DNSZones that this solver will be used to solve. + The most specific DNS zone match specified here will take precedence + over other DNS zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for the domain + www.sys.example.com. + If multiple solvers match with the same dnsZones value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + matchLabels: + description: |- + A label selector that is used to refine the set of certificate's that + this challenge solver will apply to. + type: object + additionalProperties: type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type + token: + description: |- + The ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + type: string + type: + description: |- + The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + type: string + enum: + - HTTP-01 + - DNS-01 + url: + description: |- + The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: |- + wildcard will be true if this challenge is for a wildcard identifier, + for example '*.example.com'. + type: boolean + status: + type: object + properties: + presented: + description: |- + presented will be set to true if the challenge values for this challenge + are currently 'presented'. + This *does not* imply the self check is passing. Only that the values + have been 'submitted' for the appropriate challenge mechanism (i.e. the + DNS01 TXT record has been presented, or the HTTP01 configuration has been + configured). + type: boolean + processing: + description: |- + Used to denote whether this challenge should be processed or not. + This field will only be set to true by the 'scheduling' component. + It will only be set to false by the 'challenges' controller, after the + challenge has reached a final state or timed out. + If this field is set to false, the challenge controller will not take + any more action. + type: boolean + reason: + description: |- + Contains human readable information on why the Challenge is in the + current state. + type: string + state: + description: |- + Contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + served: true + storage: true + subresources: + status: {} + +# END crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io + # START annotations + annotations: + helm.sh/resource-policy: keep + # END annotations + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + # Generated labels + app.kubernetes.io/version: "v1.15.1" +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + categories: + - cert-manager + scope: Cluster + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: |- + A ClusterIssuer represents a certificate issuing authority which can be + referenced as part of `issuerRef` fields. + It is similar to an Issuer, however it is cluster-scoped and therefore can + be referenced by resources that exist in *any* namespace, not just the same + namespace as the referent. + type: object + required: + - spec + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + type: object + properties: + acme: + description: |- + ACME configures this issuer to communicate with a RFC8555 (ACME) server + to obtain signed x509 certificates. type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 - type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which can be used to validate the certificate + chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various + kinds of security vulnerabilities. + If CABundle and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: |- + Enables or disables generating a new ACME account key. + If true, the Issuer resource will *not* request a new account but will expect + the account key to be supplied via an existing secret. + If false, the cert-manager system will generate a new ACME account key + for the Issuer. + Defaults to false. + type: boolean + email: + description: |- + Email is the email address to be associated with the ACME account. + This field is optional, but it is strongly recommended to be set. + It will be used to contact you in case of issues with your account or + certificates, including expiry notification emails. + This field may be updated after the account is initially registered. + type: string + enableDurationFeature: + description: |- + Enables requesting a Not After date on certificates that matches the + duration of the certificate. This is not supported by all ACME servers + like Let's Encrypt. If set to true when the ACME server does not support + it, it will create an error on the Order. + Defaults to false. + type: boolean + externalAccountBinding: + description: |- + ExternalAccountBinding is a reference to a CA external account of the ACME + server. + If set, upon registration cert-manager will attempt to associate the given + external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. + keyAlgorithm: + description: |- + Deprecated: keyAlgorithm field exists for historical compatibility + reasons and should not be used. The algorithm is now hardcoded to HS256 + in golang/x/crypto/acme. + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: |- + keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes + Secret which holds the symmetric MAC key of the External Account Binding. + The `key` is the index string that is paired with the key data in the + Secret and should not be confused with the key data itself, or indeed with + the External Account Binding keyID above. + The secret key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host - type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. - properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: - type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID - type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. - type: string - type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + preferredChain: + description: |- + PreferredChain is the chain to use if the ACME server outputs multiple. + PreferredChain is no guarantee that this one gets delivered by the ACME + endpoint. + For example, for Let's Encrypt's DST crosssign you would use: + "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. + This value picks the first certificate bundle in the combined set of + ACME default and alternative chains that has a root-most certificate with + this value as its issuer's commonname. + type: string + maxLength: 64 + privateKeySecretRef: + description: |- + PrivateKey is the name of a Kubernetes Secret resource that will be used to + store the automatically generated ACME account private key. + Optionally, a `key` may be specified to select a specific entry within + the named Secret resource. + If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + server: + description: |- + Server is the URL used to access the ACME server's 'directory' endpoint. + For example, for Let's Encrypt's staging endpoint, you would use: + "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported. + type: string + skipTLSVerify: + description: |- + INSECURE: Enables or disables validation of the ACME server TLS certificate. + If true, requests to the ACME server will not have the TLS certificate chain + validated. + Mutually exclusive with CABundle; prefer using CABundle to prevent various + kinds of security vulnerabilities. + Only enable this option in development environments. + If CABundle and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + Defaults to false. + type: boolean + solvers: + description: |- + Solvers is a list of challenge solvers that will be used to solve + ACME challenges for the matching domains. + Solver configurations must be provided in order to obtain certificates + from an ACME server. + For more information, see: https://cert-manager.io/docs/configuration/acme/ + type: array + items: + description: |- + An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. + A selector may be provided to use different solving strategies for different DNS names. + Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: |- + Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage + DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientSecretSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: |- + Auth: Azure Service Principal: + The ClientID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientSecret and TenantID must also be set. + type: string + clientSecretSecretRef: + description: |- + Auth: Azure Service Principal: + A reference to a Secret containing the password associated with the Service Principal. + If set, ClientID and TenantID must also be set. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: |- + Auth: Azure Workload Identity or Azure Managed Service Identity: + Settings to enable Azure Workload Identity or Azure Managed Service Identity + If set, ClientID, ClientSecret and TenantID must not be set. + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: |- + resource ID of the managed identity, can not be used at the same time as clientID + Cannot be used for Azure Managed Service Identity + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: |- + Auth: Azure Service Principal: + The TenantID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientID and ClientSecret must also be set. + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: |- + HostedZoneName is an optional field that tells cert-manager in which + Cloud DNS zone the challenge record has to be created. + If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: |- + API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the recommended method + as it allows greater control of permissions. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: |- + CNAMEStrategy configures how the DNS01 provider should handle CNAME + records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + rfc2136: + description: |- + Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: |- + The IP address or hostname of an authoritative DNS server supporting + RFC2136 in the form host:port. If the host is an IPv6 address it must be + enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: |- + The TSIG Algorithm configured in the DNS supporting RFC2136. Used only + when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + Supported values are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + type: string + tsigKeyName: + description: |- + The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: |- + The name of the secret containing the TSIG value. + If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: |- + The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: string + accessKeyIDSecretRef: + description: |- + The SecretAccessKey is used for authentication. If set, pull the AWS + access key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + auth: + description: Auth configures how cert-manager authenticates. + type: object + required: + - kubernetes + properties: + kubernetes: + description: |- + Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity + by passing a bound ServiceAccount token. + type: object + required: + - serviceAccountRef + properties: + serviceAccountRef: + description: |- + A reference to a service account that will be used to request a bound + token (also known as "projected token"). To use this field, you must + configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + audiences: + description: |- + TokenAudiences is an optional list of audiences to include in the + token passed to AWS. The default token consisting of the issuer's namespace + and name is always included. + If unset the audience defaults to `sts.amazonaws.com`. + type: array + items: + type: string + name: + description: Name of the ServiceAccount used to request a token. + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: |- + Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: |- + The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + webhook: + description: |- + Configure an external webhook based DNS01 challenge solver to manage + DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: |- + Additional configuration that should be passed to the webhook apiserver + when challenges are processed. + This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: |- + The API group name that should be used when POSTing ChallengePayload + resources to the webhook apiserver. + This should be the same as the GroupName specified in the webhook + provider implementation. + type: string + solverName: + description: |- + The name of the solver to use, as defined in the webhook provider + implementation. + This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard domain names + (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: |- + The Gateway API is a sig-network community API that models service networking + in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will + create HTTPRoutes with the specified labels in the same namespace as the challenge. + This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: |- + Custom labels that will be applied to HTTPRoutes created by cert-manager + while solving HTTP-01 challenges. + type: object + additionalProperties: type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object + parentRefs: + description: |- + When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. + cert-manager needs to know which parentRefs should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + type: array + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. + required: + - name properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). + group: + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: |- + Name is the name of the referent. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + Support: Core + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: |- + The ingress based HTTP01 challenge solver will solve challenges by + creating or modifying Ingress resources in order to route requests for + '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are + provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: |- + This field configures the annotation `kubernetes.io/ingress.class` when + creating Ingress resources to solve ACME challenges that use this + challenge solver. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + ingressClassName: + description: |- + This field configures the field `ingressClassName` on the created Ingress + resources used to solve ACME challenges that use this challenge solver. + This is the recommended way of configuring the ingress class. Only one of + `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: |- + Optional ingress template used to configure the ACME challenge solver + ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: |- + ObjectMeta overrides for the ingress used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: |- + The name of the ingress resource that should have ACME challenge solving + routes inserted into it in order to solve HTTP01 challenges. + This is typically used in conjunction with ingress controllers like + ingress-gce, which maintains a 1:1 mapping between external IPs and + ingress resources. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + podTemplate: + description: |- + Optional pod template used to configure the ACME challenge solver pods + used for HTTP01 challenges. + type: object + properties: + metadata: + description: |- + ObjectMeta overrides for the pod used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: |- + PodSpec defines overrides for the HTTP01 challenge solver pod. + Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. + All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - type: array - required: - - key - - operator + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - type: array - required: - - key - - operator + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + x-kubernetes-list-type: atomic + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - type: array - required: - - key - - operator + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: - key - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array + x-kubernetes-list-type: atomic + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + x-kubernetes-map-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service - type: string - type: object - type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. - properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object - type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: |- + Selector selects a set of DNSNames on the Certificate resource that + should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' solver + with the lowest priority, i.e. if any other solver has a more specific + match, it will be used instead. type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string - required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. - properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte - type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type + dnsNames: + description: |- + List of DNSNames that this solver will be used to solve. + If specified and a match is found, a dnsNames selector will take + precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + dnsZones: + description: |- + List of DNSZones that this solver will be used to solve. + The most specific DNS zone match specified here will take precedence + over other DNS zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for the domain + www.sys.example.com. + If multiple solvers match with the same dnsZones value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + matchLabels: + description: |- + A label selector that is used to refine the set of certificate's that + this challenge solver will apply to. + type: object + additionalProperties: + type: string + ca: + description: |- + CA configures this issuer to sign certificates using a signing CA keypair + stored in a Secret resource. + This is used to build internal PKIs that are managed by cert-manager. type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can - be referenced as part of `issuerRef` fields. It is scoped to a single namespace - and can therefore only be referenced by resources within the same namespace. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 - (ACME) server to obtain signed x509 certificates. - properties: - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account - key. If true, the Issuer resource will *not* request a new account - but will expect the account key to be supplied via an existing - secret. If false, the cert-manager system will generate a new - ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with - the ACME account. This field is optional, but it is strongly - recommended to be set. It will be used to contact you in case - of issues with your account or certificates, including expiry - notification emails. This field may be updated after the account - is initially registered. - type: string - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external - account of the ACME server. If set, upon registration cert-manager - will attempt to associate the given external account credentials - with the registered ACME account. - properties: - keyAlgorithm: - description: keyAlgorithm is the MAC key algorithm that the - key is used for. Valid values are "HS256", "HS384" and "HS512". - enum: - - HS256 - - HS384 - - HS512 + required: + - secretName + properties: + crlDistributionPoints: + description: |- + The CRL distribution points is an X.509 v3 certificate extension which identifies + the location of the CRL from which the revocation of this certificate can be checked. + If not set, certificates will be issued without distribution points set. + type: array + items: type: string - keyID: - description: keyID is the ID of the CA key that the External - Account is bound to. + issuingCertificateURLs: + description: |- + IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates + it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. + As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing - a data item in a Kubernetes Secret which holds the symmetric - MAC key of the External Account Binding. The `key` is the - index string that is paired with the key data in the Secret - and should not be confused with the key data itself, or - indeed with the External Account Binding keyID above. The - secret key stored in the Secret **must** be un-padded, base64 - URL encoded data. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - keyAlgorithm - - keyID - - keySecretRef - type: object - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server - outputs multiple. PreferredChain is no guarantee that this one - gets delivered by the ACME endpoint. For example, for Let''s - Encrypt''s DST crosssign you would use: "DST Root CA X3" or - "ISRG Root X1" for the newer Let''s Encrypt root CA. This value - picks the first certificate bundle in the ACME alternative chains - that has a certificate with this value as its issuer''s CN' - maxLength: 64 - type: string - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource - that will be used to store the automatically generated ACME - account private key. Optionally, a `key` may be specified to - select a specific entry within the named Secret resource. If - `key` is not specified, a default of `tls.key` will be used. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field may - be defaulted, in others it may be required. + ocspServers: + description: |- + The OCSP server list is an X.509 v3 extension that defines a list of + URLs of OCSP responders. The OCSP responders can be queried for the + revocation status of an issued certificate. If not set, the + certificate will be issued with no OCSP servers set. For example, an + OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: type: string - name: - description: 'Name of the resource being referred to. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + secretName: + description: |- + SecretName is the name of the secret used to sign Certificates issued + by this Issuer. + type: string + selfSigned: + description: |- + SelfSigned configures this issuer to 'self sign' certificates using the + private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: |- + The CRL distribution points is an X.509 v3 certificate extension which identifies + the location of the CRL from which the revocation of this certificate can be checked. + If not set certificate will be issued without CDP. Values are strings. + type: array + items: type: string - required: - - name - type: object - server: - description: 'Server is the URL used to access the ACME server''s - ''directory'' endpoint. For example, for Let''s Encrypt''s staging - endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". - Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will not - have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults to - false. - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will - be used to solve ACME challenges for the matching domains. Solver - configurations must be provided in order to obtain certificates - from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - items: - description: Configures an issuer to solve challenges using - the specified options. Only one of HTTP01 or DNS01 may be - provided. + vault: + description: |- + Vault configures this issuer to sign certificates using a HashiCorp Vault + PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object properties: - dns01: - description: Configures cert-manager to attempt to complete - authorizations by performing the DNS01 challenge flow. + appRole: + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) - API to manage DNS01 challenge records. - properties: - accountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - host: - type: string - required: - - accountSecretRef - - host + path: + description: |- + Path where the App Role authentication backend is mounted in Vault, e.g: + "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. + type: string + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. type: object - akamai: - description: Use the Akamai DNS zone management API - to manage DNS01 challenge records. - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientSecretSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - clientTokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - serviceConsumerDomain: - type: string required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - type: object - azureDNS: - description: Use the Microsoft Azure DNS API to manage - DNS01 challenge records. + - name properties: - clientID: - description: if both this and ClientSecret are left - unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left - unset MSI will be used - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - environment: - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - type: string - hostedZoneName: - type: string - resourceGroupName: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string - subscriptionID: - type: string - tenantID: - description: when specifying ClientID and ClientSecret - then this field is also needed - type: string - required: - - resourceGroupName - - subscriptionID + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + kubernetes: + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: |- + The Vault mountPath here is the mount path to use when authenticating with + Vault. For example, setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the + default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: |- + The required Secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. Use of 'ambient credentials' is not + supported. type: object - cloudDNS: - description: Use the Google Cloud DNS API to manage - DNS01 challenge records. - properties: - hostedZoneName: - description: HostedZoneName is an optional field - that tells cert-manager in which Cloud DNS zone - the challenge record has to be created. If left - empty cert-manager will automatically choose a - zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object required: - - project - type: object - cloudflare: - description: Use the Cloudflare API to manage DNS01 - challenge records. + - name properties: - apiKeySecretRef: - description: 'API key to use to authenticate with - Cloudflare. Note: using an API token to authenticate - is now the recommended method as it allows greater - control of permissions.' - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - apiTokenSecretRef: - description: API token used to authenticate with - Cloudflare. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - email: - description: Email of the account, only required - when using API key based authentication. + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + serviceAccountRef: + description: |- + A reference to a service account that will be used to request a bound + token (also known as "projected token"). Compared to using "secretRef", + using this field means that you don't rely on statically bound tokens. To + use this field, you must configure an RBAC rule to let cert-manager + request a token. type: object - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 - provider should handle CNAME records when found in - DNS zones. - enum: - - None - - Follow - type: string - digitalocean: - description: Use the DigitalOcean DNS API to manage - DNS01 challenge records. - properties: - tokenSecretRef: - description: A reference to a specific 'key' within - a Secret resource. In some instances, `key` is - a required field. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - tokenSecretRef - type: object - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain - Name System") (https://datatracker.ietf.org/doc/rfc2136/) - to manage DNS01 challenge records. - properties: - nameserver: - description: The IP address or hostname of an authoritative - DNS server supporting RFC2136 in the form host:port. - If the host is an IPv6 address it must be enclosed - in square brackets (e.g [2001:db8::1]) ; port - is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the - DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` - and ``tsigKeyName`` are defined. Supported values - are (case-insensitive): ``HMACMD5`` (default), - ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the - DNS. If ``tsigSecretSecretRef`` is defined, this - field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the - TSIG value. If ``tsigKeyName`` is defined, this - field is required. - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object required: - - nameserver - type: object - route53: - description: Use the AWS Route53 API to manage DNS01 - challenge records. + - name properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - hostedZoneID: - description: If set, the provider will manage only - this zone in Route53 and will not do an lookup - using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID - and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 - provider will assume using either the explicit - credentials AccessKeyID/SecretAccessKey or the - inferred credentials from environment variables, - shared credentials file or AWS Instance metadata + audiences: + description: |- + TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token + consisting of the issuer's namespace and name is always included. + type: array + items: + type: string + name: + description: Name of the ServiceAccount used to request a token. type: string - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials - properties: - key: - description: The key of the entry in the Secret - resource's `data` field to be used. Some instances - of this field may be defaulted, in others - it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which will be used to validate the certificate + chain presented by Vault. Only used if using HTTPS to connect to Vault and + ignored for HTTP connections. + Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: |- + Reference to a Secret containing a bundle of PEM-encoded CAs to use when + verifying the certificate chain presented by Vault when using HTTPS. + Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. + If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientCertSecretRef: + description: |- + Reference to a Secret containing a PEM-encoded Client Certificate to use when the + Vault server requires mTLS. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientKeySecretRef: + description: |- + Reference to a Secret containing a PEM-encoded Client Private Key to use when the + Vault server requires mTLS. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + type: string + path: + description: |- + Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: + "my_pki_mount/sign/my-role-name". + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: |- + Venafi configures this issuer to sign certificates using a Venafi TPP + or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: |- + Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + url: + description: |- + URL is the base URL for Venafi Cloud. + Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: |- + TPP specifies Trust Protection Platform configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which will be used to validate the certificate + chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. + If undefined, the certificate bundle in the cert-manager controller container + is used to validate the chain. + type: string + format: byte + credentialsRef: + description: |- + CredentialsRef is a reference to a Secret containing the username and + password for the TPP server. + The secret must contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + url: + description: |- + URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, + for example: "https://tpp.example.com/vedsdk". + type: string + zone: + description: |- + Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by the named + zone policy. + This field is required. + type: string + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + type: object + properties: + acme: + description: |- + ACME specific status options. + This field should only be set if the Issuer is configured to use an ACME + server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: |- + LastPrivateKeyHash is a hash of the private key associated with the latest + registered ACME account, in order to track changes made to registered account + associated with the Issuer + type: string + lastRegisteredEmail: + description: |- + LastRegisteredEmail is the email associated with the latest registered + ACME account, in order to track changes made to registered account + associated with the Issuer + type: string + uri: + description: |- + URI is the unique account identifier, which can also be used to retrieve + account details from the CA + type: string + conditions: + description: |- + List of status conditions to indicate the status of a CertificateRequest. + Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + type: string + format: date-time + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + +# END crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io + # START annotations + annotations: + helm.sh/resource-policy: keep + # END annotations + labels: + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + app.kubernetes.io/component: "crds" + # Generated labels + app.kubernetes.io/version: "v1.15.1" +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: |- + An Issuer represents a certificate issuing authority which can be + referenced as part of `issuerRef` fields. + It is scoped to a single namespace and can therefore only be referenced by + resources within the same namespace. + type: object + required: + - spec + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + type: object + properties: + acme: + description: |- + ACME configures this issuer to communicate with a RFC8555 (ACME) server + to obtain signed x509 certificates. + type: object + required: + - privateKeySecretRef + - server + properties: + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which can be used to validate the certificate + chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various + kinds of security vulnerabilities. + If CABundle and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + type: string + format: byte + disableAccountKeyGeneration: + description: |- + Enables or disables generating a new ACME account key. + If true, the Issuer resource will *not* request a new account but will expect + the account key to be supplied via an existing secret. + If false, the cert-manager system will generate a new ACME account key + for the Issuer. + Defaults to false. + type: boolean + email: + description: |- + Email is the email address to be associated with the ACME account. + This field is optional, but it is strongly recommended to be set. + It will be used to contact you in case of issues with your account or + certificates, including expiry notification emails. + This field may be updated after the account is initially registered. + type: string + enableDurationFeature: + description: |- + Enables requesting a Not After date on certificates that matches the + duration of the certificate. This is not supported by all ACME servers + like Let's Encrypt. If set to true when the ACME server does not support + it, it will create an error on the Order. + Defaults to false. + type: boolean + externalAccountBinding: + description: |- + ExternalAccountBinding is a reference to a CA external account of the ACME + server. + If set, upon registration cert-manager will attempt to associate the given + external account credentials with the registered ACME account. + type: object + required: + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: |- + Deprecated: keyAlgorithm field exists for historical compatibility + reasons and should not be used. The algorithm is now hardcoded to HS256 + in golang/x/crypto/acme. + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External Account is bound to. + type: string + keySecretRef: + description: |- + keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes + Secret which holds the symmetric MAC key of the External Account Binding. + The `key` is the index string that is paired with the key data in the + Secret and should not be confused with the key data itself, or indeed with + the External Account Binding keyID above. + The secret key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + preferredChain: + description: |- + PreferredChain is the chain to use if the ACME server outputs multiple. + PreferredChain is no guarantee that this one gets delivered by the ACME + endpoint. + For example, for Let's Encrypt's DST crosssign you would use: + "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. + This value picks the first certificate bundle in the combined set of + ACME default and alternative chains that has a root-most certificate with + this value as its issuer's commonname. + type: string + maxLength: 64 + privateKeySecretRef: + description: |- + PrivateKey is the name of a Kubernetes Secret resource that will be used to + store the automatically generated ACME account private key. + Optionally, a `key` may be specified to select a specific entry within + the named Secret resource. + If `key` is not specified, a default of `tls.key` will be used. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + server: + description: |- + Server is the URL used to access the ACME server's 'directory' endpoint. + For example, for Let's Encrypt's staging endpoint, you would use: + "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported. + type: string + skipTLSVerify: + description: |- + INSECURE: Enables or disables validation of the ACME server TLS certificate. + If true, requests to the ACME server will not have the TLS certificate chain + validated. + Mutually exclusive with CABundle; prefer using CABundle to prevent various + kinds of security vulnerabilities. + Only enable this option in development environments. + If CABundle and SkipTLSVerify are unset, the system certificate bundle inside + the container is used to validate the TLS connection. + Defaults to false. + type: boolean + solvers: + description: |- + Solvers is a list of challenge solvers that will be used to solve + ACME challenges for the matching domains. + Solver configurations must be provided in order to obtain certificates + from an ACME server. + For more information, see: https://cert-manager.io/docs/configuration/acme/ + type: array + items: + description: |- + An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. + A selector may be provided to use different solving strategies for different DNS names. + Only one of HTTP01 or DNS01 must be provided. + type: object + properties: + dns01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the DNS01 challenge flow. + type: object + properties: + acmeDNS: + description: |- + Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage + DNS01 challenge records. + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + host: + type: string + akamai: + description: Use the Akamai DNS zone management API to manage DNS01 challenge records. + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientSecretSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientTokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + serviceConsumerDomain: + type: string + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: |- + Auth: Azure Service Principal: + The ClientID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientSecret and TenantID must also be set. + type: string + clientSecretSecretRef: + description: |- + Auth: Azure Service Principal: + A reference to a Secret containing the password associated with the Service Principal. + If set, ClientID and TenantID must also be set. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + environment: + description: name of the Azure environment (default AzurePublicCloud) + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + description: name of the DNS zone that should be used + type: string + managedIdentity: + description: |- + Auth: Azure Workload Identity or Azure Managed Service Identity: + Settings to enable Azure Workload Identity or Azure Managed Service Identity + If set, ClientID, ClientSecret and TenantID must not be set. + type: object + properties: + clientID: + description: client ID of the managed identity, can not be used at the same time as resourceID + type: string + resourceID: + description: |- + resource ID of the managed identity, can not be used at the same time as clientID + Cannot be used for Azure Managed Service Identity + type: string + resourceGroupName: + description: resource group the DNS zone is located in + type: string + subscriptionID: + description: ID of the Azure subscription + type: string + tenantID: + description: |- + Auth: Azure Service Principal: + The TenantID of the Azure Service Principal used to authenticate with Azure DNS. + If set, ClientID and ClientSecret must also be set. + type: string + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 challenge records. + type: object + required: + - project + properties: + hostedZoneName: + description: |- + HostedZoneName is an optional field that tells cert-manager in which + Cloud DNS zone the challenge record has to be created. + If left empty cert-manager will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge records. + type: object + properties: + apiKeySecretRef: + description: |- + API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the recommended method + as it allows greater control of permissions. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + email: + description: Email of the account, only required when using API key based authentication. + type: string + cnameStrategy: + description: |- + CNAMEStrategy configures how the DNS01 provider should handle CNAME + records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 challenge records. + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + description: |- + A reference to a specific 'key' within a Secret resource. + In some instances, `key` is a required field. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + rfc2136: + description: |- + Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + type: object + required: + - nameserver + properties: + nameserver: + description: |- + The IP address or hostname of an authoritative DNS server supporting + RFC2136 in the form host:port. If the host is an IPv6 address it must be + enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: |- + The TSIG Algorithm configured in the DNS supporting RFC2136. Used only + when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + Supported values are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + type: string + tsigKeyName: + description: |- + The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is required. + type: string + tsigSecretSecretRef: + description: |- + The name of the secret containing the TSIG value. + If ``tsigKeyName`` is defined, this field is required. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + route53: + description: Use the AWS Route53 API to manage DNS01 challenge records. + type: object + required: + - region + properties: + accessKeyID: + description: |- + The AccessKeyID is used for authentication. + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: string + accessKeyIDSecretRef: + description: |- + The SecretAccessKey is used for authentication. If set, pull the AWS + access key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + auth: + description: Auth configures how cert-manager authenticates. + type: object + required: + - kubernetes + properties: + kubernetes: + description: |- + Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity + by passing a bound ServiceAccount token. + type: object + required: + - serviceAccountRef + properties: + serviceAccountRef: + description: |- + A reference to a service account that will be used to request a bound + token (also known as "projected token"). To use this field, you must + configure an RBAC rule to let cert-manager request a token. + type: object + required: + - name + properties: + audiences: + description: |- + TokenAudiences is an optional list of audiences to include in the + token passed to AWS. The default token consisting of the issuer's namespace + and name is always included. + If unset the audience defaults to `sts.amazonaws.com`. + type: array + items: + type: string + name: + description: Name of the ServiceAccount used to request a token. + type: string + hostedZoneID: + description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID and SecretAccessKey + type: string + role: + description: |- + Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: |- + The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back to using env + vars, shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + webhook: + description: |- + Configure an external webhook based DNS01 challenge solver to manage + DNS01 challenge records. + type: object + required: + - groupName + - solverName + properties: + config: + description: |- + Additional configuration that should be passed to the webhook apiserver + when challenges are processed. + This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: |- + The API group name that should be used when POSTing ChallengePayload + resources to the webhook apiserver. + This should be the same as the GroupName specified in the webhook + provider implementation. + type: string + solverName: + description: |- + The name of the solver to use, as defined in the webhook provider + implementation. + This will typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: |- + Configures cert-manager to attempt to complete authorizations by + performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard domain names + (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + type: object + properties: + gatewayHTTPRoute: + description: |- + The Gateway API is a sig-network community API that models service networking + in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will + create HTTPRoutes with the specified labels in the same namespace as the challenge. + This solver is experimental, and fields / behaviour may change in the future. + type: object + properties: + labels: + description: |- + Custom labels that will be applied to HTTPRoutes created by cert-manager + while solving HTTP-01 challenges. + type: object + additionalProperties: type: string - required: - - name - type: object - required: - - region - type: object - webhook: - description: Configure an external webhook based DNS01 - challenge solver to manage DNS01 challenge records. - properties: - config: - description: Additional configuration that should - be passed to the webhook apiserver when challenges - are processed. This can contain arbitrary JSON - data. Secret values should not be specified in - this stanza. If secret values are needed (e.g. - credentials for a DNS service), you should use - a SecretKeySelector to reference a Secret resource. - For details on the schema of this field, consult - the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used - when POSTing ChallengePayload resources to the - webhook apiserver. This should be the same as - the GroupName specified in the webhook provider - implementation. - type: string - solverName: - description: The name of the solver to use, as defined - in the webhook provider implementation. This will - typically be the name of the provider, e.g. 'cloudflare'. - type: string - required: - - groupName - - solverName - type: object - type: object - http01: - description: Configures cert-manager to attempt to complete - authorizations by performing the HTTP01 challenge flow. - It is not possible to obtain certificates for wildcard - domain names (e.g. `*.example.com`) using the HTTP01 challenge - mechanism. - properties: - ingress: - description: The ingress based HTTP01 challenge solver - will solve challenges by creating or modifying Ingress - resources in order to route requests for '/.well-known/acme-challenge/XYZ' - to 'challenge solver' pods that are provisioned by - cert-manager for each Challenge to be completed. - properties: - class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure - the ACME challenge solver ingress used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the ingress - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the created ACME HTTP01 solver - ingress. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver ingress. - type: object - type: object - type: object - name: - description: The name of the ingress resource that - should have ACME challenge solving routes inserted - into it in order to solve HTTP01 challenges. This - is typically used in conjunction with ingress - controllers like ingress-gce, which maintains - a 1:1 mapping between external IPs and ingress - resources. - type: string - podTemplate: - description: Optional pod template used to configure - the ACME challenge solver pods used for HTTP01 - challenges - properties: - metadata: - description: ObjectMeta overrides for the pod - used to solve HTTP01 challenges. Only the - 'labels' and 'annotations' fields may be set. - If labels or annotations overlap with in-built - values, the values here will override the - in-built values. - properties: - annotations: - additionalProperties: - type: string - description: Annotations that should be - added to the create ACME HTTP01 solver - pods. - type: object - labels: - additionalProperties: - type: string - description: Labels that should be added - to the created ACME HTTP01 solver pods. - type: object + parentRefs: + description: |- + When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. + cert-manager needs to know which parentRefs should be used when creating + the HTTPRoute. Usually, the parentRef references a Gateway. See: + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + type: array + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. type: object - spec: - description: PodSpec defines overrides for the - HTTP01 challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. + required: + - name properties: - affinity: - description: If specified, the pod's scheduling - constraints - properties: - nodeAffinity: - description: Describes node affinity - scheduling rules for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node matches - the corresponding matchExpressions; - the node(s) with the highest sum - are the most preferred. - items: - description: An empty preferred - scheduling term matches all - objects with implicit weight - 0 (i.e. it's a no-op). A null - preferred scheduling term matches - no objects (i.e. is also a no-op). + group: + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + type: string + default: gateway.networking.k8s.io + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + kind: + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + type: string + default: Gateway + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + name: + description: |- + Name is the name of the referent. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + Support: Core + type: string + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + type: integer + format: int32 + maximum: 65535 + minimum: 1 + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + type: string + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + ingress: + description: |- + The ingress based HTTP01 challenge solver will solve challenges by + creating or modifying Ingress resources in order to route requests for + '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are + provisioned by cert-manager for each Challenge to be completed. + type: object + properties: + class: + description: |- + This field configures the annotation `kubernetes.io/ingress.class` when + creating Ingress resources to solve ACME challenges that use this + challenge solver. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + ingressClassName: + description: |- + This field configures the field `ingressClassName` on the created Ingress + resources used to solve ACME challenges that use this challenge solver. + This is the recommended way of configuring the ingress class. Only one of + `class`, `name` or `ingressClassName` may be specified. + type: string + ingressTemplate: + description: |- + Optional ingress template used to configure the ACME challenge solver + ingress used for HTTP01 challenges. + type: object + properties: + metadata: + description: |- + ObjectMeta overrides for the ingress used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: |- + The name of the ingress resource that should have ACME challenge solving + routes inserted into it in order to solve HTTP01 challenges. + This is typically used in conjunction with ingress controllers like + ingress-gce, which maintains a 1:1 mapping between external IPs and + ingress resources. Only one of `class`, `name` or `ingressClassName` may + be specified. + type: string + podTemplate: + description: |- + Optional pod template used to configure the ACME challenge solver pods + used for HTTP01 challenges. + type: object + properties: + metadata: + description: |- + ObjectMeta overrides for the pod used to solve HTTP01 challenges. + Only the 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built values, the values here + will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: |- + PodSpec defines overrides for the HTTP01 challenge solver pod. + Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. + All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector term, associated with the corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + type: object + required: + - nodeSelectorTerms properties: - preference: - description: A node selector - term, associated with the - corresponding weight. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. - items: + nodeSelectorTerms: + description: Required. A list of node selector terms. The terms are ORed. + type: array + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements by node's fields. + type: array + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + x-kubernetes-list-type: atomic + x-kubernetes-map-type: atomic + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - type: array - required: - - key - - operator + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. type: object - type: array - type: object - weight: - description: Weight associated - with matching the corresponding - nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to an - update), the system may or may - not try to eventually evict the - pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list - of node selector terms. The - terms are ORed. - items: - description: A null or empty - node selector term matches - no objects. The requirements - of them are ANDed. The TopologySelectorTerm - type implements a subset - of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of - node selector requirements - by node's labels. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + x-kubernetes-list-type: atomic + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + type: array + items: + description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. type: object - type: array - matchFields: - description: A list of - node selector requirements - by node's fields. - items: - description: A node - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. properties: - key: - description: The - label key that - the selector applies - to. - type: string - operator: - description: Represents - a key's relationship - to a set of values. - Valid operators - are In, NotIn, - Exists, DoesNotExist. - Gt, and Lt. - type: string - values: - description: An - array of string - values. If the - operator is In - or NotIn, the - values array must - be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - If the operator - is Gt or Lt, the - values array must - have a single - element, which - will be interpreted - as an integer. - This array is - replaced during - a strategic merge - patch. + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: type: string - type: array - required: - - key - - operator + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity - scheduling rules (e.g. co-locate this - pod in the same node, zone, etc. as - some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the affinity expressions - specified by this field, but it - may choose a node that violates - one or more of the expressions. - The node that is most preferred - is the one with the greatest sum - of weights, i.e. for each node - that meets all of the scheduling - requirements (resource request, - requiredDuringScheduling affinity - expressions, etc.), compute a - sum by iterating through the elements - of this field and adding "weight" - to the sum if the node has pods - which matches the corresponding - podAffinityTerm; the node(s) with - the highest sum are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. - type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + type: integer + format: int32 + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + type: array + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + type: object + required: - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements - specified by this field are not - met at scheduling time, the pod - will not be scheduled onto the - node. If the affinity requirements - specified by this field cease - to be met at some point during - pod execution (e.g. due to a pod - label update), the system may - or may not try to eventually evict - the pod from its node. When there - are multiple elements, the lists - of nodes corresponding to each - podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity - scheduling rules (e.g. avoid putting - this pod in the same node, zone, etc. - as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will - prefer to schedule pods to nodes - that satisfy the anti-affinity - expressions specified by this - field, but it may choose a node - that violates one or more of the - expressions. The node that is - most preferred is the one with - the greatest sum of weights, i.e. - for each node that meets all of - the scheduling requirements (resource - request, requiredDuringScheduling - anti-affinity expressions, etc.), - compute a sum by iterating through - the elements of this field and - adding "weight" to the sum if - the node has pods which matches - the corresponding podAffinityTerm; - the node(s) with the highest sum - are the most preferred. - items: - description: The weights of all - of the matched WeightedPodAffinityTerm - fields are added per-node to - find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod - affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label - selector requirements. - The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector - that contains - values, a key, - and an operator - that relates the - key and values. - properties: - key: - description: key - is the label - key that the - selector applies - to. - type: string - operator: - description: operator - represents - a key's relationship - to a set of - values. Valid - operators - are In, NotIn, - Exists and - DoesNotExist. + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: type: string - values: - description: values - is an array - of string - values. If - the operator - is In or NotIn, - the values - array must - be non-empty. - If the operator - is Exists - or DoesNotExist, - the values - array must - be empty. - This array - is replaced - during a strategic - merge patch. - items: - type: string - type: array - required: + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + type: object + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + type: array + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + type: object + required: - key - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single - {key,value} in the - matchLabels map - is equivalent to - an element of matchExpressions, - whose key field - is "key", the operator - is "In", and the - values array contains - only "value". The - requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces - specifies which namespaces - the labelSelector applies - to (matches against); - null or empty list means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod - should be co-located - (affinity) or not co-located - (anti-affinity) with - the pods matching the - labelSelector in the - specified namespaces, - where co-located is - defined as running on - a node whose value of - the label with key topologyKey - matches that of any - node on which any of - the selected pods is - running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated - with matching the corresponding - podAffinityTerm, in the - range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity - requirements specified by this - field are not met at scheduling - time, the pod will not be scheduled - onto the node. If the anti-affinity - requirements specified by this - field cease to be met at some - point during pod execution (e.g. - due to a pod label update), the - system may or may not try to eventually - evict the pod from its node. When - there are multiple elements, the - lists of nodes corresponding to - each podAffinityTerm are intersected, - i.e. all terms must be satisfied. - items: - description: Defines a set of - pods (namely those matching - the labelSelector relative to - the given namespace(s)) that - this pod should be co-located - (affinity) or not co-located - (anti-affinity) with, where - co-located is defined as running - on a node whose value of the - label with key - matches that of any node on - which a pod of the set of pods - is running - properties: - labelSelector: - description: A label query - over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions - is a list of label selector - requirements. The requirements - are ANDed. - items: - description: A label - selector requirement - is a selector that - contains values, a - key, and an operator - that relates the key - and values. - properties: - key: - description: key - is the label key - that the selector - applies to. - type: string - operator: - description: operator - represents a key's - relationship to - a set of values. - Valid operators - are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values - is an array of - string values. - If the operator - is In or NotIn, - the values array - must be non-empty. - If the operator - is Exists or DoesNotExist, - the values array - must be empty. - This array is - replaced during - a strategic merge - patch. - items: + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + type: array + items: + type: string + x-kubernetes-list-type: atomic + x-kubernetes-list-type: atomic + matchLabels: + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels - is a map of {key,value} - pairs. A single {key,value} - in the matchLabels map - is equivalent to an - element of matchExpressions, - whose key field is "key", - the operator is "In", - and the values array - contains only "value". - The requirements are - ANDed. - type: object - type: object - namespaces: - description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); - null or empty list means - "this pod's namespace" - items: + additionalProperties: + type: string + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + type: array + items: + type: string + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string - type: array - topologyKey: - description: This pod should - be co-located (affinity) - or not co-located (anti-affinity) - with the pods matching the - labelSelector in the specified - namespaces, where co-located - is defined as running on - a node whose value of the - label with key topologyKey - matches that of any node - on which any of the selected - pods is running. Empty topologyKey - is not allowed. - type: string - required: - - topologyKey - type: object - type: array + x-kubernetes-list-type: atomic + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + type: array + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. type: object - type: object - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector - which must be true for the pod to fit - on a node. Selector which must match a - node''s labels for the pod to be scheduled - on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service - account - type: string - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is - attached to tolerates any taint that - matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the - taint effect to match. Empty means - match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key - that the toleration applies to. - Empty means match all taint keys. - If the key is empty, operator must - be Exists; this combination means - to match all values and all keys. - type: string - operator: - description: Operator represents a - key's relationship to the value. - Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent - to wildcard for value, so that a - pod can tolerate all taints of a - particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents - the period of time the toleration - (which must be of effect NoExecute, - otherwise this field is ignored) - tolerates the taint. By default, - it is not set, which means tolerate - the taint forever (do not evict). - Zero and negative values will be - treated as 0 (evict immediately) - by the system. - format: int64 - type: integer - value: - description: Value is the taint value - the toleration matches to. If the - operator is Exists, the value should - be empty, otherwise just a regular - string. - type: string + properties: + name: + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + default: "" + x-kubernetes-map-type: atomic + nodeSelector: + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object - type: array - type: object - type: object - serviceType: - description: Optional service type for Kubernetes - solver service + additionalProperties: + type: string + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + type: object + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + type: integer + format: int64 + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + serviceType: + description: |- + Optional service type for Kubernetes solver service. Supported values + are NodePort or ClusterIP. If unset, defaults to NodePort. + type: string + selector: + description: |- + Selector selects a set of DNSNames on the Certificate resource that + should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' solver + with the lowest priority, i.e. if any other solver has a more specific + match, it will be used instead. + type: object + properties: + dnsNames: + description: |- + List of DNSNames that this solver will be used to solve. + If specified and a match is found, a dnsNames selector will take + precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + dnsZones: + description: |- + List of DNSZones that this solver will be used to solve. + The most specific DNS zone match specified here will take precedence + over other DNS zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for the domain + www.sys.example.com. + If multiple solvers match with the same dnsZones value, the solver + with the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in the list + will be selected. + type: array + items: + type: string + matchLabels: + description: |- + A label selector that is used to refine the set of certificate's that + this challenge solver will apply to. + type: object + additionalProperties: type: string + ca: + description: |- + CA configures this issuer to sign certificates using a signing CA keypair + stored in a Secret resource. + This is used to build internal PKIs that are managed by cert-manager. + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: |- + The CRL distribution points is an X.509 v3 certificate extension which identifies + the location of the CRL from which the revocation of this certificate can be checked. + If not set, certificates will be issued without distribution points set. + type: array + items: + type: string + issuingCertificateURLs: + description: |- + IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates + it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. + As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: + type: string + ocspServers: + description: |- + The OCSP server list is an X.509 v3 extension that defines a list of + URLs of OCSP responders. The OCSP responders can be queried for the + revocation status of an issued certificate. If not set, the + certificate will be issued with no OCSP servers set. For example, an + OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + type: array + items: + type: string + secretName: + description: |- + SecretName is the name of the secret used to sign Certificates issued + by this Issuer. + type: string + selfSigned: + description: |- + SelfSigned configures this issuer to 'self sign' certificates using the + private key used to create the CertificateRequest object. + type: object + properties: + crlDistributionPoints: + description: |- + The CRL distribution points is an X.509 v3 certificate extension which identifies + the location of the CRL from which the revocation of this certificate can be checked. + If not set certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + description: |- + Vault configures this issuer to sign certificates using a HashiCorp Vault + PKI backend. + type: object + required: + - auth + - path + - server + properties: + auth: + description: Auth configures how cert-manager authenticates with the Vault server. + type: object + properties: + appRole: + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: |- + Path where the App Role authentication backend is mounted in Vault, e.g: + "approle" + type: string + roleId: + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. + type: string + secretRef: + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + kubernetes: + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. + type: object + required: + - role + properties: + mountPath: + description: |- + The Vault mountPath here is the mount path to use when authenticating with + Vault. For example, setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the + default value "/v1/auth/kubernetes" will be used. + type: string + role: + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. + type: string + secretRef: + description: |- + The required Secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. Use of 'ambient credentials' is not + supported. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + serviceAccountRef: + description: |- + A reference to a service account that will be used to request a bound + token (also known as "projected token"). Compared to using "secretRef", + using this field means that you don't rely on statically bound tokens. To + use this field, you must configure an RBAC rule to let cert-manager + request a token. type: object + required: + - name + properties: + audiences: + description: |- + TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token + consisting of the issuer's namespace and name is always included. + type: array + items: + type: string + name: + description: Name of the ServiceAccount used to request a token. + type: string + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting a token. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which will be used to validate the certificate + chain presented by Vault. Only used if using HTTPS to connect to Vault and + ignored for HTTP connections. + Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. + type: string + format: byte + caBundleSecretRef: + description: |- + Reference to a Secret containing a bundle of PEM-encoded CAs to use when + verifying the certificate chain presented by Vault when using HTTPS. + Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in + the cert-manager controller container is used to validate the TLS connection. + If no key for the Secret is specified, cert-manager will default to 'ca.crt'. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientCertSecretRef: + description: |- + Reference to a Secret containing a PEM-encoded Client Certificate to use when the + Vault server requires mTLS. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + clientKeySecretRef: + description: |- + Reference to a Secret containing a PEM-encoded Client Private Key to use when the + Vault server requires mTLS. + type: object + required: + - name + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces + type: string + path: + description: |- + Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g: + "my_pki_mount/sign/my-role-name". + type: string + server: + description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' + type: string + venafi: + description: |- + Venafi configures this issuer to sign certificates using a Venafi TPP + or Venafi Cloud policy zone. + type: object + required: + - zone + properties: + cloud: + description: |- + Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. type: object - selector: - description: Selector selects a set of DNSNames on the Certificate - resource that should be solved using this challenge solver. - If not specified, the solver will be treated as the 'default' - solver with the lowest priority, i.e. if any other solver - has a more specific match, it will be used instead. + required: + - name properties: - dnsNames: - description: List of DNSNames that this solver will - be used to solve. If specified and a match is found, - a dnsNames selector will take precedence over a dnsZones - selector. If multiple solvers match with the same - dnsNames value, the solver with the most matching - labels in matchLabels will be selected. If neither - has more matches, the solver defined earlier in the - list will be selected. - items: - type: string - type: array - dnsZones: - description: List of DNSZones that this solver will - be used to solve. The most specific DNS zone match - specified here will take precedence over other DNS - zone matches, so a solver specifying sys.example.com - will be selected over one specifying example.com for - the domain www.sys.example.com. If multiple solvers - match with the same dnsZones value, the solver with - the most matching labels in matchLabels will be selected. - If neither has more matches, the solver defined earlier - in the list will be selected. - items: - type: string - type: array - matchLabels: - additionalProperties: - type: string - description: A label selector that is used to refine - the set of certificate's that this challenge solver - will apply to. - type: object - type: object + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. + Some instances of this field may be defaulted, in others it may be + required. + type: string + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + url: + description: |- + URL is the base URL for Venafi Cloud. + Defaults to "https://api.venafi.cloud/v1". + type: string + tpp: + description: |- + TPP specifies Trust Protection Platform configuration settings. + Only one of TPP or Cloud may be specified. type: object - type: array - required: - - privateKeySecretRef - - server - type: object - ca: - description: CA configures this issuer to sign certificates using - a signing CA keypair stored in a Secret resource. This is used to - build internal PKIs that are managed by cert-manager. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set, - certificates will be issued without distribution points set. - items: - type: string - type: array - secretName: - description: SecretName is the name of the secret used to sign - Certificates issued by this Issuer. - type: string - required: - - secretName - type: object - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates - using the private key used to create the CertificateRequest object. - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate - extension which identifies the location of the CRL from which - the revocation of this certificate can be checked. If not set - certificate will be issued without CDP. Values are strings. - items: - type: string - type: array - type: object - vault: - description: Vault configures this issuer to sign certificates using - a HashiCorp Vault PKI backend. - properties: - auth: - description: Auth configures how cert-manager authenticates with - the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App - Role auth mechanism, with the role and secret stored in - a Kubernetes Secret resource. - properties: - path: - description: 'Path where the App Role authentication backend - is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication - backend when setting up the authentication backend in - Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains - the App Role secret used to authenticate with Vault. - The `key` field must be specified and denotes which - entry within the Secret resource is used as the app - role secret. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - required: - - path - - roleId - - secretRef - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing - the ServiceAccount token stored in the named Secret resource - to the Vault server. - properties: - mountPath: - description: The Vault mountPath here is the mount path - to use when authenticating with Vault. For example, - setting a value to `/v1/auth/foo`, will use the path - `/v1/auth/foo/login` to authenticate with Vault. If - unspecified, the default value "/v1/auth/kubernetes" - will be used. - type: string - role: - description: A required field containing the Vault Role - to assume. A Role binds a Kubernetes ServiceAccount - with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes - ServiceAccount JWT used for authenticating with Vault. - Use of 'ambient credentials' is not supported. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this - field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred - to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: + required: + - credentialsRef + - url + properties: + caBundle: + description: |- + Base64-encoded bundle of PEM CAs which will be used to validate the certificate + chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. + If undefined, the certificate bundle in the cert-manager controller container + is used to validate the chain. + type: string + format: byte + credentialsRef: + description: |- + CredentialsRef is a reference to a Secret containing the username and + password for the TPP server. + The secret must contain two keys, 'username' and 'password'. + type: object + required: - name - type: object - required: - - role - - secretRef - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting - a token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object + properties: + name: + description: |- + Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + url: + description: |- + URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, + for example: "https://tpp.example.com/vedsdk". + type: string + zone: + description: |- + Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by the named + zone policy. + This field is required. + type: string + status: + description: Status of the Issuer. This is set and managed automatically. + type: object + properties: + acme: + description: |- + ACME specific status options. + This field should only be set if the Issuer is configured to use an ACME + server to issue certificates. + type: object + properties: + lastPrivateKeyHash: + description: |- + LastPrivateKeyHash is a hash of the private key associated with the latest + registered ACME account, in order to track changes made to registered account + associated with the Issuer + type: string + lastRegisteredEmail: + description: |- + LastRegisteredEmail is the email associated with the latest registered + ACME account, in order to track changes made to registered account + associated with the Issuer + type: string + uri: + description: |- + URI is the unique account identifier, which can also be used to retrieve + account details from the CA + type: string + conditions: + description: |- + List of status conditions to indicate the status of a CertificateRequest. + Known condition types are `Ready`. + type: array + items: + description: IssuerCondition contains condition information for an Issuer. type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server - certificate. Only used if the Server URL is using HTTPS protocol. - This parameter is ignored for plain HTTP protocol connection. - If not set the system root certificates are used to validate - the TLS connection. - format: byte - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set - of features within Vault Enterprise that allows Vault environments - to support Secure Multi-tenancy. e.g: "ns1" More about namespaces - can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s - `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, - e.g: "https://vault.example.com:8200".' - type: string - required: - - auth - - path - - server - type: object - venafi: - description: Venafi configures this issuer to sign certificates using - a Venafi TPP or Venafi Cloud policy zone. - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. - Only one of TPP or Cloud may be specified. - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for - the Venafi Cloud API token. - properties: - key: - description: The key of the entry in the Secret resource's - `data` field to be used. Some instances of this field - may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: URL is the base URL for Venafi Cloud. Defaults - to "https://api.venafi.cloud/v1". - type: string required: - - apiTokenSecretRef - type: object - tpp: - description: TPP specifies Trust Protection Platform configuration - settings. Only one of TPP or Cloud may be specified. + - status + - type properties: - caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. - format: byte + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. type: string - credentialsRef: - description: CredentialsRef is a reference to a Secret containing - the username and password for the TPP server. The secret - must contain two keys, 'username' and 'password'. - properties: - name: - description: 'Name of the resource being referred to. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - name - type: object - url: - description: 'URL is the base URL for the vedsdk endpoint - of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + format: date-time + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. type: string - required: - - credentialsRef - - url - type: object - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. - All requests made to the Venafi platform will be restricted - by the named zone policy. This field is required. - type: string - required: - - zone - type: object - type: object - status: - description: Status of the Issuer. This is set and managed automatically. - properties: - acme: - description: ACME specific status options. This field should only - be set if the Issuer is configured to use an ACME server to issue - certificates. - properties: - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with - the latest registered ACME account, in order to track changes - made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also - be used to retrieve account details from the CA - type: string - type: object - conditions: - description: List of status conditions to indicate the status of a - CertificateRequest. Known condition types are `Ready`. - items: - description: IssuerCondition contains condition information for - an Issuer. - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding - to the last status change of this condition. - format: date-time - type: string - message: - description: Message is a human readable description of the - details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation - for the condition's last transition. - type: string - status: - description: Status of the condition, one of ('True', 'False', - 'Unknown'). - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: Type of the condition, known values are ('Ready'). - type: string - required: - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + type: integer + format: int64 + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + served: true + storage: true + +# END crd --- +# Source: cert-manager/templates/crds.yaml +# START crd apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: + name: orders.acme.cert-manager.io + # START annotations annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + helm.sh/resource-policy: keep + # END annotations labels: - app: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - name: orders.acme.cert-manager.io + app: 'cert-manager' + app.kubernetes.io/name: 'cert-manager' + app.kubernetes.io/instance: 'cert-manager' + app.kubernetes.io/component: "crds" + # Generated labels + app.kubernetes.io/version: "v1.15.1" spec: - conversion: - strategy: Webhook - webhook: - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /convert - conversionReviewVersions: - - v1 - - v1beta1 group: acme.cert-manager.io names: kind: Order listKind: OrderList plural: orders singular: order + categories: + - cert-manager + - cert-manager-acme scope: Namespaced versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - commonName: - description: CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - csr: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + type: object + required: + - metadata + - spec + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + type: object + required: + - issuerRef + - request + properties: + commonName: + description: |- + CommonName is the common name as specified on the DER encoded CSR. + If specified, this value must also be present in `dnsNames` or `ipAddresses`. + This field must match the corresponding field on the DER encoded CSR. type: string - type: array - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - required: - - csr - - dnsNames - - issuerRef - type: object - status: - properties: - authorizations: - description: Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - commonName: - description: CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - csr: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: + dnsNames: + description: |- + DNSNames is a list of DNS names that should be included as part of the Order + validation process. + This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + duration: + description: |- + Duration is the duration for the not after date for the requested certificate. + this is set on order creation as pe the ACME spec. type: string - type: array - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - required: - - csr - - dnsNames - - issuerRef - type: object - status: - properties: - authorizations: - description: Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url + ipAddresses: + description: |- + IPAddresses is a list of IP addresses that should be included as part of the Order + validation process. + This field must match the corresponding field on the DER encoded CSR. + type: array + items: + type: string + issuerRef: + description: |- + IssuerRef references a properly configured ACME-type Issuer which should + be used to create this Order. + If the Issuer does not exist, processing will be retried. + If the Issuer is not an 'ACME' Issuer, an error will be returned and the + Order will be marked as failed. type: object - type: array - certificate: - description: Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - commonName: - description: CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - required: - - dnsNames - - issuerRef - - request - type: object - status: - properties: - authorizations: - description: Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. - properties: - challenges: - description: Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: Identifier is the DNS name to be validated as part - of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL is the URL of the Authorization that must be - completed - type: string - wildcard: - description: Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean required: - - url - type: object - type: array - certificate: - description: Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - commonName: - description: CommonName is the common name as specified on the DER - encoded CSR. If specified, this value must also be present in `dnsNames`. - This field must match the corresponding field on the DER encoded - CSR. - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included - as part of the Order validation process. This field must match the - corresponding field on the DER encoded CSR. - items: - type: string - type: array - issuerRef: - description: IssuerRef references a properly configured ACME-type - Issuer which should be used to create this Order. If the Issuer - does not exist, processing will be retried. If the Issuer is not - an 'ACME' Issuer, an error will be returned and the Order will be - marked as failed. - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - required: - - name - type: object - request: - description: Certificate signing request bytes in DER encoding. This - will be used when finalizing the order. This field must be set on - the order. - format: byte - type: string - required: - - dnsNames - - issuerRef - - request - type: object - status: - properties: - authorizations: - description: Authorizations contains data returned from the ACME server - on what authorizations must be completed in order to validate the - DNS names specified on the Order. - items: - description: ACMEAuthorization contains data returned from the ACME - server on an authorization that must be completed in order validate - a DNS name on an ACME Order resource. + - name properties: - challenges: - description: Challenges specifies the challenge types offered - by the ACME server. One of these challenge types will be selected - when validating the DNS name and an appropriate Challenge - resource will be created to perform the ACME challenge process. - items: - description: Challenge specifies a challenge offered by the - ACME server for an Order. An appropriate Challenge resource - can be created to perform the ACME challenge process. - properties: - token: - description: Token is the token that must be presented - for this challenge. This is used to compute the 'key' - that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, - e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is - the raw value retrieved from the ACME server. Only 'http-01' - and 'dns-01' are supported by cert-manager, other values - will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can - be used to retrieve additional metadata about the Challenge - from the ACME server. - type: string - required: - - token - - type - - url - type: object - type: array - identifier: - description: Identifier is the DNS name to be validated as part - of this authorization + group: + description: Group of the resource being referred to. type: string - initialState: - description: InitialState is the initial state of the ACME authorization - when first fetched from the ACME server. If an Authorization - is already 'valid', the Order controller will not create a - Challenge resource for the authorization. This will occur - when working with an ACME server that enables 'authz reuse' - (such as Let's Encrypt's production endpoint). If not set - and 'identifier' is set, the state is assumed to be pending - and a Challenge will be created. - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored + kind: + description: Kind of the resource being referred to. type: string - url: - description: URL is the URL of the Authorization that must be - completed + name: + description: Name of the resource being referred to. type: string - wildcard: - description: Wildcard will be true if this authorization is - for a wildcard DNS name. If this is true, the identifier will - be the *non-wildcard* version of the DNS name. For example, - if '*.example.com' is the DNS name being validated, this field - will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - required: - - url - type: object - type: array - certificate: - description: Certificate is a copy of the PEM encoded certificate - for this Order. This field will be populated after the order has - been successfully finalized with the ACME server, and the order - has transitioned to the 'valid' state. - format: byte - type: string - failureTime: - description: FailureTime stores the time that this order failed. This - is used to influence garbage collection and back-off. - format: date-time - type: string - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates - for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why - the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. - States 'success' and 'expired' are 'final' - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - type: string - url: - description: URL of the Order. This will initially be empty when the - resource is first created. The Order controller will populate this - field when the Order is first processed. This field will be immutable - after it is initially set. - type: string - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + request: + description: |- + Certificate signing request bytes in DER encoding. + This will be used when finalizing the order. + This field must be set on the order. + type: string + format: byte + status: + type: object + properties: + authorizations: + description: |- + Authorizations contains data returned from the ACME server on what + authorizations must be completed in order to validate the DNS names + specified on the Order. + type: array + items: + description: |- + ACMEAuthorization contains data returned from the ACME server on an + authorization that must be completed in order validate a DNS name on an ACME + Order resource. + type: object + required: + - url + properties: + challenges: + description: |- + Challenges specifies the challenge types offered by the ACME server. + One of these challenge types will be selected when validating the DNS + name and an appropriate Challenge resource will be created to perform + the ACME challenge process. + type: array + items: + description: |- + Challenge specifies a challenge offered by the ACME server for an Order. + An appropriate Challenge resource can be created to perform the ACME + challenge process. + type: object + required: + - token + - type + - url + properties: + token: + description: |- + Token is the token that must be presented for this challenge. + This is used to compute the 'key' that must also be presented. + type: string + type: + description: |- + Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', + 'tls-sni-01', etc. + This is the raw value retrieved from the ACME server. + Only 'http-01' and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: |- + URL is the URL of this challenge. It can be used to retrieve additional + metadata about the Challenge from the ACME server. + type: string + identifier: + description: Identifier is the DNS name to be validated as part of this authorization + type: string + initialState: + description: |- + InitialState is the initial state of the ACME authorization when first + fetched from the ACME server. + If an Authorization is already 'valid', the Order controller will not + create a Challenge resource for the authorization. This will occur when + working with an ACME server that enables 'authz reuse' (such as Let's + Encrypt's production endpoint). + If not set and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: URL is the URL of the Authorization that must be completed + type: string + wildcard: + description: |- + Wildcard will be true if this authorization is for a wildcard DNS name. + If this is true, the identifier will be the *non-wildcard* version of + the DNS name. + For example, if '*.example.com' is the DNS name being validated, this + field will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + certificate: + description: |- + Certificate is a copy of the PEM encoded certificate for this Order. + This field will be populated after the order has been successfully + finalized with the ACME server, and the order has transitioned to the + 'valid' state. + type: string + format: byte + failureTime: + description: |- + FailureTime stores the time that this order failed. + This is used to influence garbage collection and back-off. + type: string + format: date-time + finalizeURL: + description: |- + FinalizeURL of the Order. + This is used to obtain certificates for this order once it has been completed. + type: string + reason: + description: |- + Reason optionally provides more information about a why the order is in + the current state. + type: string + state: + description: |- + State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + type: string + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + url: + description: |- + URL of the Order. + This will initially be empty when the resource is first created. + The Order controller will populate this field when the Order is first processed. + This field will be immutable after it is initially set. + type: string + served: true + storage: true + +# END crd + --- +# Source: cert-manager/templates/cainjector-serviceaccount.yaml apiVersion: v1 -kind: Namespace +kind: ServiceAccount +automountServiceAccountToken: true metadata: - name: cert-manager + name: cert-manager-cainjector + namespace: cert-manager + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" --- +# Source: cert-manager/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount +automountServiceAccountToken: true metadata: + name: cert-manager + namespace: cert-manager labels: - app: cainjector - app.kubernetes.io/component: cainjector + app: cert-manager + app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector - namespace: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" --- +# Source: cert-manager/templates/webhook-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: cert-manager-webhook + namespace: cert-manager + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: cert-manager-controller-issuers labels: app: cert-manager - app.kubernetes.io/component: controller + app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] --- -apiVersion: v1 -kind: ServiceAccount +# Source: cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: + name: cert-manager-controller-certificates labels: - app: webhook - app.kubernetes.io/component: webhook + app: cert-manager + app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] --- +# Source: cert-manager/templates/rbac.yaml +# Orders controller role apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-controller-orders labels: - app: cainjector - app.kubernetes.io/component: cainjector + app: cert-manager + app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector - name: cert-manager-cainjector + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - certificates - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - get - - create - - update - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch - - update -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - watch - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - update -- apiGroups: - - auditregistration.k8s.io - resources: - - auditsinks - verbs: - - get - - list - - watch - - update + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update", "patch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] --- +# Source: cert-manager/templates/rbac.yaml +# Challenges controller role apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-controller-challenges labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-issuers + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - issuers - - issuers/status - verbs: - - update -- apiGroups: - - cert-manager.io - resources: - - issuers - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update", "patch"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "gateway.networking.k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. + # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] --- +# Source: cert-manager/templates/rbac.yaml +# ingress-shim controller role apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-controller-ingress-shim labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-clusterissuers + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - clusterissuers - - clusterissuers/status - verbs: - - update -- apiGroups: - - cert-manager.io - resources: - - clusterissuers - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-cluster-view labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-certificates + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificates/status - - certificaterequests - - certificaterequests/status - verbs: - - update -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - clusterissuers - - issuers - verbs: - - get - - list - - watch -- apiGroups: - - cert-manager.io - resources: - - certificates/finalizers - - certificaterequests/finalizers - verbs: - - update -- apiGroups: - - acme.cert-manager.io - resources: - - orders - verbs: - - create - - delete - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-view labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-orders + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: -- apiGroups: - - acme.cert-manager.io - resources: - - orders - - orders/status - verbs: - - update -- apiGroups: - - acme.cert-manager.io - resources: - - orders - - challenges - verbs: - - get - - list - - watch -- apiGroups: - - cert-manager.io - resources: - - clusterissuers - - issuers - verbs: - - get - - list - - watch -- apiGroups: - - acme.cert-manager.io - resources: - - challenges - verbs: - - create - - delete -- apiGroups: - - acme.cert-manager.io - resources: - - orders/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-edit labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-challenges + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: -- apiGroups: - - acme.cert-manager.io - resources: - - challenges - - challenges/status - verbs: - - update -- apiGroups: - - acme.cert-manager.io - resources: - - challenges - verbs: - - get - - list - - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - clusterissuers - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - pods - - services - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - create - - delete - - update -- apiGroups: - - route.openshift.io - resources: - - routes/custom-host - verbs: - - create -- apiGroups: - - acme.cert-manager.io - resources: - - challenges/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] --- +# Source: cert-manager/templates/rbac.yaml +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-controller-approve:cert-manager-io labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-ingress-shim + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - verbs: - - create - - update - - delete -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - - clusterissuers - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - ingresses/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: + - "issuers.cert-manager.io/*" + - "clusterissuers.cert-manager.io/*" --- +# Source: cert-manager/templates/rbac.yaml +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-controller-certificatesigningrequests labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: cert-manager-view + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - verbs: - - get - - list - - watch + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: ["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] --- +# Source: cert-manager/templates/webhook-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + name: cert-manager-webhook:subjectaccessreviews labels: - app: cert-manager - app.kubernetes.io/component: controller + app: webhook + app.kubernetes.io/name: webhook app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cert-manager - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: cert-manager-edit + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - cert-manager.io - resources: - - certificates - - certificaterequests - - issuers - verbs: - - create - - delete - - deletecollection - - patch - - update + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] --- +# Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-cainjector labels: app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - name: cert-manager-cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-cainjector subjects: -- kind: ServiceAccount - name: cert-manager-cainjector - namespace: cert-manager + - name: cert-manager-cainjector + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-issuers labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-issuers + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-issuers subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-clusterissuers labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-clusterissuers + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-clusterissuers subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-certificates labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-certificates + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-certificates subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-orders labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-orders + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-orders subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-challenges labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-challenges + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-challenges subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + name: cert-manager-controller-ingress-shim labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager-controller-ingress-shim + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cert-manager-controller-ingress-shim subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRoleBinding metadata: + name: cert-manager-controller-approve:cert-manager-io labels: - app: cainjector - app.kubernetes.io/component: cainjector + app: cert-manager + app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager - app.kubernetes.io/name: cainjector + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.15.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-approve:cert-manager-io +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificatesigningrequests + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cert-manager" + app.kubernetes.io/version: "v1.15.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificatesigningrequests +subjects: + - name: cert-manager + namespace: cert-manager + kind: ServiceAccount +--- +# Source: cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook:subjectaccessreviews + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook:subjectaccessreviews +subjects: + - apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager +--- +# Source: cert-manager/templates/cainjector-rbac.yaml +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: name: cert-manager-cainjector:leaderelection namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - "" - resourceNames: - - cert-manager-cainjector-leader-election - - cert-manager-cainjector-leader-election-core - resources: - - configmaps - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] --- +# Source: cert-manager/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + name: cert-manager:leaderelection + namespace: kube-system labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager:leaderelection - namespace: kube-system + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - "" - resourceNames: - - cert-manager-controller - resources: - - configmaps - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] --- +# Source: cert-manager/templates/webhook-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + name: cert-manager-webhook:dynamic-serving + namespace: cert-manager labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook:dynamic-serving - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" rules: -- apiGroups: - - "" - resourceNames: - - cert-manager-webhook-ca - resources: - - secrets - verbs: - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create + - apiGroups: [""] + resources: ["secrets"] + resourceNames: + - 'cert-manager-webhook-ca' + verbs: ["get", "list", "watch", "update"] + # It's not possible to grant CREATE permission on a single resourceName. + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] --- +# Source: cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + name: cert-manager-cainjector:leaderelection + namespace: kube-system labels: app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - name: cert-manager-cainjector:leaderelection - namespace: kube-system + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cert-manager-cainjector:leaderelection subjects: -- kind: ServiceAccount - name: cert-manager-cainjector - namespace: cert-manager + - kind: ServiceAccount + name: cert-manager-cainjector + namespace: cert-manager --- +# Source: cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + name: cert-manager:leaderelection + namespace: kube-system labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager:leaderelection - namespace: kube-system + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cert-manager:leaderelection subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager - namespace: cert-manager + - apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager --- +# Source: cert-manager/templates/webhook-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + name: cert-manager-webhook:dynamic-serving + namespace: cert-manager labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook:dynamic-serving - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cert-manager-webhook:dynamic-serving subjects: -- apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook - namespace: cert-manager + - apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: cert-manager --- +# Source: cert-manager/templates/service.yaml apiVersion: v1 kind: Service metadata: + name: cert-manager + namespace: cert-manager labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" spec: + type: ClusterIP ports: - - port: 9402 - protocol: TCP - targetPort: 9402 + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: 9402 selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - type: ClusterIP + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" --- +# Source: cert-manager/templates/webhook-service.yaml apiVersion: v1 kind: Service metadata: + name: cert-manager-webhook + namespace: cert-manager labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" spec: + type: ClusterIP ports: - - name: https - port: 443 - targetPort: 10250 + - name: https + port: 443 + protocol: TCP + targetPort: "https" selector: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - type: ClusterIP + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" --- +# Source: cert-manager/templates/cainjector-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: + name: cert-manager-cainjector + namespace: cert-manager labels: app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector - name: cert-manager-cainjector - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" template: metadata: labels: app: cainjector - app.kubernetes.io/component: cainjector - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "cainjector" + app.kubernetes.io/version: "v1.15.1" spec: - containers: - - args: - - --v=2 - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-cainjector:v1.0.2 - imagePullPolicy: IfNotPresent - name: cert-manager - resources: {} serviceAccountName: cert-manager-cainjector + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v1.15.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux --- +# Source: cert-manager/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: + name: cert-manager + namespace: cert-manager labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager - name: cert-manager - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" template: metadata: - annotations: - prometheus.io/path: /metrics - prometheus.io/port: "9402" - prometheus.io/scrape: "true" labels: app: cert-manager - app.kubernetes.io/component: controller - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "controller" + app.kubernetes.io/version: "v1.15.1" + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' spec: - containers: - - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-controller:v1.0.2 - imagePullPolicy: IfNotPresent - name: cert-manager - ports: - - containerPort: 9402 - protocol: TCP - resources: {} serviceAccountName: cert-manager + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-controller + image: "quay.io/jetstack/cert-manager-controller:v1.15.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.1 + - --max-concurrent-challenges=60 + ports: + - containerPort: 9402 + name: http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # LivenessProbe settings are based on those used for the Kubernetes + # controller-manager. See: + # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + livenessProbe: + httpGet: + port: http-healthz + path: /livez + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + nodeSelector: + kubernetes.io/os: linux --- +# Source: cert-manager/templates/webhook-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: + name: cert-manager-webhook + namespace: cert-manager labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook - namespace: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" template: metadata: labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" spec: - containers: - - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca - - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/jetstack/cert-manager-webhook:v1.0.2 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 3 - httpGet: - path: /livez - port: 6080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: cert-manager - ports: - - containerPort: 10250 - name: https - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 6080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - resources: {} serviceAccountName: cert-manager-webhook + enableServiceLinks: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - name: cert-manager-webhook + image: "quay.io/jetstack/cert-manager-webhook:v1.15.1" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca + - --dynamic-serving-dns-names=cert-manager-webhook + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE) + - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc + + ports: + - name: https + protocol: TCP + containerPort: 10250 + - name: healthcheck + protocol: TCP + containerPort: 6080 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + nodeSelector: + kubernetes.io/os: linux +--- +# Source: cert-manager/templates/crds.yaml +# +# START crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd --- +# Source: cert-manager/templates/crds.yaml +# START crd +--- +# Source: cert-manager/templates/crds.yaml +# START crd +--- +# Source: cert-manager/templates/webhook-mutating-webhook.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + name: cert-manager-webhook labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /mutate - failurePolicy: Fail - name: webhook.cert-manager.io - rules: - - apiGroups: - - cert-manager.io - - acme.cert-manager.io - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*/*' - sideEffects: None + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + resources: + - "certificaterequests" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /mutate --- +# Source: cert-manager/templates/webhook-validating-webhook.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - annotations: - cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + name: cert-manager-webhook labels: app: webhook - app.kubernetes.io/component: webhook - app.kubernetes.io/instance: cert-manager app.kubernetes.io/name: webhook - name: cert-manager-webhook + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: "webhook" + app.kubernetes.io/version: "v1.15.1" + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca" webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: cert-manager-webhook - namespace: cert-manager - path: /validate - failurePolicy: Fail - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: cert-manager.io/disable-validation - operator: NotIn - values: - - "true" - - key: name - operator: NotIn - values: - - cert-manager - rules: - - apiGroups: - - cert-manager.io - - acme.cert-manager.io - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*/*' - sideEffects: None - + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: cert-manager.io/disable-validation + operator: NotIn + values: + - "true" + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "v1" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1"] + # This webhook only accepts v1 cert-manager resources. + # Equivalent matchPolicy ensures that non-v1 resource requests are sent to + # this webhook (after the resources have been converted to v1). + matchPolicy: Equivalent + timeoutSeconds: 30 + failurePolicy: Fail + sideEffects: None + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /validate \ No newline at end of file