From 1d8beb75635a79a21a8510a7412479657339b001 Mon Sep 17 00:00:00 2001
From: paulfantom <pawel@krupa.net.pl>
Date: Tue, 7 Jan 2025 19:38:08 +0100
Subject: [PATCH] cert-manager: migrate to helm chart

Signed-off-by: paulfantom <pawel@krupa.net.pl>
---
 base/cert-manager/Makefile                    |   12 -
 base/cert-manager/VERSION                     |    1 -
 .../configs => issuers}/cloudflare-auth.yaml  |    0
 .../issuer-dns-cloudflare.yaml}               |    0
 .../issuer-http-prod.yaml}                    |    0
 base/cert-manager/kustomization.yaml          |   16 +
 base/cert-manager/kustomizeconfig.yaml        |    8 +
 base/cert-manager/manifests/cert-manager.yaml | 9350 -----------------
 .../manifests/configs/servicemonitor.yaml     |   14 -
 .../configs => }/prometheusrule.yaml          |    0
 base/cert-manager/release.yaml                |   32 +
 base/cert-manager/repository.yaml             |    7 +
 base/cert-manager/values.yaml                 |   71 +
 base/flux-apps/cert-manager.yaml              |    2 +-
 14 files changed, 135 insertions(+), 9378 deletions(-)
 delete mode 100644 base/cert-manager/Makefile
 delete mode 100644 base/cert-manager/VERSION
 rename base/cert-manager/{manifests/configs => issuers}/cloudflare-auth.yaml (100%)
 rename base/cert-manager/{manifests/configs/issuer_cloudflare.yaml => issuers/issuer-dns-cloudflare.yaml} (100%)
 rename base/cert-manager/{manifests/configs/issuer_prod.yaml => issuers/issuer-http-prod.yaml} (100%)
 create mode 100644 base/cert-manager/kustomization.yaml
 create mode 100644 base/cert-manager/kustomizeconfig.yaml
 delete mode 100644 base/cert-manager/manifests/cert-manager.yaml
 delete mode 100644 base/cert-manager/manifests/configs/servicemonitor.yaml
 rename base/cert-manager/{manifests/configs => }/prometheusrule.yaml (100%)
 create mode 100644 base/cert-manager/release.yaml
 create mode 100644 base/cert-manager/repository.yaml
 create mode 100644 base/cert-manager/values.yaml

diff --git a/base/cert-manager/Makefile b/base/cert-manager/Makefile
deleted file mode 100644
index 9c24f45f4..000000000
--- a/base/cert-manager/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-.PHONY: generate
-generate: manifests/cert-manager.yaml
-
-VERSION=$(shell cat VERSION | cut -d' ' -f1 | tail -n1)
-manifests/cert-manager.yaml:
-	wget -O manifests/cert-manager.yaml https://github.com/cert-manager/cert-manager/releases/download/v$(VERSION)/cert-manager.yaml
-
-.PHONY: version-update
-version-update:  ## Upgrade component version and image
-	curl --retry 5 --silent --fail -H "Authorization: token $$GITHUB_TOKEN" "https://api.github.com/repos/cert-manager/cert-manager/releases/latest" 2>/dev/null | jq '.tag_name' | tr -d '"v' | tee > VERSION
-	@echo "cert-manager to $(VERSION)" >> "$(shell git rev-parse --show-toplevel)/.version-changelog"
-	if ! git diff-index --quiet HEAD .; then $(MAKE) --always-make generate; fi
diff --git a/base/cert-manager/VERSION b/base/cert-manager/VERSION
deleted file mode 100644
index 63e799cf4..000000000
--- a/base/cert-manager/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.14.1
diff --git a/base/cert-manager/manifests/configs/cloudflare-auth.yaml b/base/cert-manager/issuers/cloudflare-auth.yaml
similarity index 100%
rename from base/cert-manager/manifests/configs/cloudflare-auth.yaml
rename to base/cert-manager/issuers/cloudflare-auth.yaml
diff --git a/base/cert-manager/manifests/configs/issuer_cloudflare.yaml b/base/cert-manager/issuers/issuer-dns-cloudflare.yaml
similarity index 100%
rename from base/cert-manager/manifests/configs/issuer_cloudflare.yaml
rename to base/cert-manager/issuers/issuer-dns-cloudflare.yaml
diff --git a/base/cert-manager/manifests/configs/issuer_prod.yaml b/base/cert-manager/issuers/issuer-http-prod.yaml
similarity index 100%
rename from base/cert-manager/manifests/configs/issuer_prod.yaml
rename to base/cert-manager/issuers/issuer-http-prod.yaml
diff --git a/base/cert-manager/kustomization.yaml b/base/cert-manager/kustomization.yaml
new file mode 100644
index 000000000..8f36e7e1f
--- /dev/null
+++ b/base/cert-manager/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - repository.yaml
+  - release.yaml
+  - prometheusrule.yaml
+  - issuers/cloudflare-auth.yaml
+  - issuers/issuer-dns-cloudflare.yaml
+  - issuers/issuer-http-prod.yaml
+configMapGenerator:
+  - name: values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/base/cert-manager/kustomizeconfig.yaml b/base/cert-manager/kustomizeconfig.yaml
new file mode 100644
index 000000000..cf934c6cb
--- /dev/null
+++ b/base/cert-manager/kustomizeconfig.yaml
@@ -0,0 +1,8 @@
+# Kustomize config for enabling HelmRelease values from
+# ConfigMaps and Secrets generated by Kustomize
+nameReference:
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease
diff --git a/base/cert-manager/manifests/cert-manager.yaml b/base/cert-manager/manifests/cert-manager.yaml
deleted file mode 100644
index 5e452bee8..000000000
--- a/base/cert-manager/manifests/cert-manager.yaml
+++ /dev/null
@@ -1,9350 +0,0 @@
-# Copyright 2022 The cert-manager Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager
-
----
-# Source: cert-manager/templates/crds.yaml
-#
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificaterequests.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: cert-manager.io
-  names:
-    kind: CertificateRequest
-    listKind: CertificateRequestList
-    plural: certificaterequests
-    shortNames:
-      - cr
-      - crs
-    singular: certificaterequest
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Approved")].status
-          name: Approved
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Denied")].status
-          name: Denied
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          type: string
-        - jsonPath: .spec.username
-          name: Requestor
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: |-
-            A CertificateRequest is used to request a signed certificate from one of the
-            configured issuers.
-
-
-            All fields within the CertificateRequest's `spec` are immutable after creation.
-            A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
-            condition and its `status.failureTime` field.
-
-
-            A CertificateRequest is a one-shot resource, meaning it represents a single
-            point in time request for a certificate and cannot be re-used.
-          type: object
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                Specification of the desired state of the CertificateRequest resource.
-                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                duration:
-                  description: |-
-                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
-                    issuer may choose to ignore the requested duration, just like any other
-                    requested attribute.
-                  type: string
-                extra:
-                  description: |-
-                    Extra contains extra attributes of the user that created the CertificateRequest.
-                    Populated by the cert-manager webhook on creation and immutable.
-                  type: object
-                  additionalProperties:
-                    type: array
-                    items:
-                      type: string
-                groups:
-                  description: |-
-                    Groups contains group membership of the user that created the CertificateRequest.
-                    Populated by the cert-manager webhook on creation and immutable.
-                  type: array
-                  items:
-                    type: string
-                  x-kubernetes-list-type: atomic
-                isCA:
-                  description: |-
-                    Requested basic constraints isCA value. Note that the issuer may choose
-                    to ignore the requested isCA value, just like any other requested attribute.
-
-
-                    NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
-                    it must have the same isCA value as specified here.
-
-
-                    If true, this will automatically add the `cert sign` usage to the list
-                    of requested `usages`.
-                  type: boolean
-                issuerRef:
-                  description: |-
-                    Reference to the issuer responsible for issuing the certificate.
-                    If the issuer is namespace-scoped, it must be in the same namespace
-                    as the Certificate. If the issuer is cluster-scoped, it can be used
-                    from any namespace.
-
-
-                    The `name` field of the reference must always be specified.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: |-
-                    The PEM-encoded X.509 certificate signing request to be submitted to the
-                    issuer for signing.
-
-
-                    If the CSR has a BasicConstraints extension, its isCA attribute must
-                    match the `isCA` value of this CertificateRequest.
-                    If the CSR has a KeyUsage extension, its key usages must match the
-                    key usages in the `usages` field of this CertificateRequest.
-                    If the CSR has a ExtKeyUsage extension, its extended key usages
-                    must match the extended key usages in the `usages` field of this
-                    CertificateRequest.
-                  type: string
-                  format: byte
-                uid:
-                  description: |-
-                    UID contains the uid of the user that created the CertificateRequest.
-                    Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-                usages:
-                  description: |-
-                    Requested key usages and extended key usages.
-
-
-                    NOTE: If the CSR in the `Request` field has uses the KeyUsage or
-                    ExtKeyUsage extension, these extensions must have the same values
-                    as specified here without any additional values.
-
-
-                    If unset, defaults to `digital signature` and `key encipherment`.
-                  type: array
-                  items:
-                    description: |-
-                      KeyUsage specifies valid usage contexts for keys.
-                      See:
-                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
-
-
-                      Valid KeyUsage values are as follows:
-                      "signing",
-                      "digital signature",
-                      "content commitment",
-                      "key encipherment",
-                      "key agreement",
-                      "data encipherment",
-                      "cert sign",
-                      "crl sign",
-                      "encipher only",
-                      "decipher only",
-                      "any",
-                      "server auth",
-                      "client auth",
-                      "code signing",
-                      "email protection",
-                      "s/mime",
-                      "ipsec end system",
-                      "ipsec tunnel",
-                      "ipsec user",
-                      "timestamping",
-                      "ocsp signing",
-                      "microsoft sgc",
-                      "netscape sgc"
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-                username:
-                  description: |-
-                    Username contains the name of the user that created the CertificateRequest.
-                    Populated by the cert-manager webhook on creation and immutable.
-                  type: string
-            status:
-              description: |-
-                Status of the CertificateRequest.
-                This is set and managed automatically.
-                Read-only.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-              type: object
-              properties:
-                ca:
-                  description: |-
-                    The PEM encoded X.509 certificate of the signer, also known as the CA
-                    (Certificate Authority).
-                    This is set on a best-effort basis by different issuers.
-                    If not set, the CA is assumed to be unknown/not available.
-                  type: string
-                  format: byte
-                certificate:
-                  description: |-
-                    The PEM encoded X.509 certificate resulting from the certificate
-                    signing request.
-                    If not set, the CertificateRequest has either not been completed or has
-                    failed. More information on failure can be found by checking the
-                    `conditions` field.
-                  type: string
-                  format: byte
-                conditions:
-                  description: |-
-                    List of status conditions to indicate the status of a CertificateRequest.
-                    Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
-                  type: array
-                  items:
-                    description: CertificateRequestCondition contains condition information for a CertificateRequest.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: |-
-                          LastTransitionTime is the timestamp corresponding to the last status
-                          change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: |-
-                          Message is a human readable description of the details of the last
-                          transition, complementing reason.
-                        type: string
-                      reason:
-                        description: |-
-                          Reason is a brief machine readable explanation for the condition's last
-                          transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: |-
-                          Type of the condition, known values are (`Ready`, `InvalidRequest`,
-                          `Approved`, `Denied`).
-                        type: string
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-                failureTime:
-                  description: |-
-                    FailureTime stores the time that this CertificateRequest failed. This is
-                    used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-      served: true
-      storage: true
-
-# END crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: certificates.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Certificate
-    listKind: CertificateList
-    plural: certificates
-    shortNames:
-      - cert
-      - certs
-    singular: certificate
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .spec.secretName
-          name: Secret
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: |-
-            A Certificate resource should be created to ensure an up to date and signed
-            X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
-
-
-            The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
-          type: object
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                Specification of the desired state of the Certificate resource.
-                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-              type: object
-              required:
-                - issuerRef
-                - secretName
-              properties:
-                additionalOutputFormats:
-                  description: |-
-                    Defines extra output formats of the private key and signed certificate chain
-                    to be written to this Certificate's target Secret.
-
-
-                    This is a Beta Feature enabled by default. It can be disabled with the
-                    `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
-                    the controller and webhook components.
-                  type: array
-                  items:
-                    description: |-
-                      CertificateAdditionalOutputFormat defines an additional output format of a
-                      Certificate resource. These contain supplementary data formats of the signed
-                      certificate chain and paired private key.
-                    type: object
-                    required:
-                      - type
-                    properties:
-                      type:
-                        description: |-
-                          Type is the name of the format type that should be written to the
-                          Certificate's target Secret.
-                        type: string
-                        enum:
-                          - DER
-                          - CombinedPEM
-                commonName:
-                  description: |-
-                    Requested common name X509 certificate subject attribute.
-                    More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-                    NOTE: TLS clients will ignore this value when any subject alternative name is
-                    set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
-
-
-                    Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
-                    Cannot be set if the `literalSubject` field is set.
-                  type: string
-                dnsNames:
-                  description: Requested DNS subject alternative names.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: |-
-                    Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
-                    issuer may choose to ignore the requested duration, just like any other
-                    requested attribute.
-
-
-                    If unset, this defaults to 90 days.
-                    Minimum accepted duration is 1 hour.
-                    Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
-                  type: string
-                emailAddresses:
-                  description: Requested email subject alternative names.
-                  type: array
-                  items:
-                    type: string
-                encodeUsagesInRequest:
-                  description: |-
-                    Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
-
-
-                    This option defaults to true, and should only be disabled if the target
-                    issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
-                  type: boolean
-                ipAddresses:
-                  description: Requested IP address subject alternative names.
-                  type: array
-                  items:
-                    type: string
-                isCA:
-                  description: |-
-                    Requested basic constraints isCA value.
-                    The isCA value is used to set the `isCA` field on the created CertificateRequest
-                    resources. Note that the issuer may choose to ignore the requested isCA value, just
-                    like any other requested attribute.
-
-
-                    If true, this will automatically add the `cert sign` usage to the list
-                    of requested `usages`.
-                  type: boolean
-                issuerRef:
-                  description: |-
-                    Reference to the issuer responsible for issuing the certificate.
-                    If the issuer is namespace-scoped, it must be in the same namespace
-                    as the Certificate. If the issuer is cluster-scoped, it can be used
-                    from any namespace.
-
-
-                    The `name` field of the reference must always be specified.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                keystores:
-                  description: Additional keystore output formats to be stored in the Certificate's Secret.
-                  type: object
-                  properties:
-                    jks:
-                      description: |-
-                        JKS configures options for storing a JKS keystore in the
-                        `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        alias:
-                          description: |-
-                            Alias specifies the alias of the key in the keystore, required by the JKS format.
-                            If not provided, the default alias `certificate` will be used.
-                          type: string
-                        create:
-                          description: |-
-                            Create enables JKS keystore creation for the Certificate.
-                            If true, a file named `keystore.jks` will be created in the target
-                            Secret resource, encrypted using the password stored in
-                            `passwordSecretRef`.
-                            The keystore file will be updated immediately.
-                            If the issuer provided a CA certificate, a file named `truststore.jks`
-                            will also be created in the target Secret resource, encrypted using the
-                            password stored in `passwordSecretRef`
-                            containing the issuing Certificate Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: |-
-                            PasswordSecretRef is a reference to a key in a Secret resource
-                            containing the password used to encrypt the JKS keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                    pkcs12:
-                      description: |-
-                        PKCS12 configures options for storing a PKCS12 keystore in the
-                        `spec.secretName` Secret resource.
-                      type: object
-                      required:
-                        - create
-                        - passwordSecretRef
-                      properties:
-                        create:
-                          description: |-
-                            Create enables PKCS12 keystore creation for the Certificate.
-                            If true, a file named `keystore.p12` will be created in the target
-                            Secret resource, encrypted using the password stored in
-                            `passwordSecretRef`.
-                            The keystore file will be updated immediately.
-                            If the issuer provided a CA certificate, a file named `truststore.p12` will
-                            also be created in the target Secret resource, encrypted using the
-                            password stored in `passwordSecretRef` containing the issuing Certificate
-                            Authority
-                          type: boolean
-                        passwordSecretRef:
-                          description: |-
-                            PasswordSecretRef is a reference to a key in a Secret resource
-                            containing the password used to encrypt the PKCS12 keystore.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                        profile:
-                          description: |-
-                            Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
-                            used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
-
-
-                            If provided, allowed values are:
-                            `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-                            `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
-                            `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
-                            (eg. because of company policy). Please note that the security of the algorithm is not that important
-                            in reality, because the unencrypted certificate and private key are also stored in the Secret.
-                          type: string
-                          enum:
-                            - LegacyRC2
-                            - LegacyDES
-                            - Modern2023
-                literalSubject:
-                  description: |-
-                    Requested X.509 certificate subject, represented using the LDAP "String
-                    Representation of a Distinguished Name" [1].
-                    Important: the LDAP string format also specifies the order of the attributes
-                    in the subject, this is important when issuing certs for LDAP authentication.
-                    Example: `CN=foo,DC=corp,DC=example,DC=com`
-                    More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
-                    More info: https://github.com/cert-manager/cert-manager/issues/3203
-                    More info: https://github.com/cert-manager/cert-manager/issues/4424
-
-
-                    Cannot be set if the `subject` or `commonName` field is set.
-                  type: string
-                nameConstraints:
-                  description: |-
-                    x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
-                    More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
-
-
-                    This is an Alpha Feature and is only enabled with the
-                    `--feature-gates=NameConstraints=true` option set on both
-                    the controller and webhook components.
-                  type: object
-                  properties:
-                    critical:
-                      description: if true then the name constraints are marked critical.
-                      type: boolean
-                    excluded:
-                      description: |-
-                        Excluded contains the constraints which must be disallowed. Any name matching a
-                        restriction in the excluded field is invalid regardless
-                        of information appearing in the permitted
-                      type: object
-                      properties:
-                        dnsDomains:
-                          description: DNSDomains is a list of DNS domains that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                        emailAddresses:
-                          description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                        ipRanges:
-                          description: |-
-                            IPRanges is a list of IP Ranges that are permitted or excluded.
-                            This should be a valid CIDR notation.
-                          type: array
-                          items:
-                            type: string
-                        uriDomains:
-                          description: URIDomains is a list of URI domains that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                    permitted:
-                      description: Permitted contains the constraints in which the names must be located.
-                      type: object
-                      properties:
-                        dnsDomains:
-                          description: DNSDomains is a list of DNS domains that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                        emailAddresses:
-                          description: EmailAddresses is a list of Email Addresses that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                        ipRanges:
-                          description: |-
-                            IPRanges is a list of IP Ranges that are permitted or excluded.
-                            This should be a valid CIDR notation.
-                          type: array
-                          items:
-                            type: string
-                        uriDomains:
-                          description: URIDomains is a list of URI domains that are permitted or excluded.
-                          type: array
-                          items:
-                            type: string
-                otherNames:
-                  description: |-
-                    `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
-                    Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
-                    Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
-                    You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      oid:
-                        description: |-
-                          OID is the object identifier for the otherName SAN.
-                          The object identifier must be expressed as a dotted string, for
-                          example, "1.2.840.113556.1.4.221".
-                        type: string
-                      utf8Value:
-                        description: |-
-                          utf8Value is the string value of the otherName SAN.
-                          The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
-                        type: string
-                privateKey:
-                  description: |-
-                    Private key options. These include the key algorithm and size, the used
-                    encoding and the rotation policy.
-                  type: object
-                  properties:
-                    algorithm:
-                      description: |-
-                        Algorithm is the private key algorithm of the corresponding private key
-                        for this certificate.
-
-
-                        If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
-                        If `algorithm` is specified and `size` is not provided,
-                        key size of 2048 will be used for `RSA` key algorithm and
-                        key size of 256 will be used for `ECDSA` key algorithm.
-                        key size is ignored when using the `Ed25519` key algorithm.
-                      type: string
-                      enum:
-                        - RSA
-                        - ECDSA
-                        - Ed25519
-                    encoding:
-                      description: |-
-                        The private key cryptography standards (PKCS) encoding for this
-                        certificate's private key to be encoded in.
-
-
-                        If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
-                        and PKCS#8, respectively.
-                        Defaults to `PKCS1` if not specified.
-                      type: string
-                      enum:
-                        - PKCS1
-                        - PKCS8
-                    rotationPolicy:
-                      description: |-
-                        RotationPolicy controls how private keys should be regenerated when a
-                        re-issuance is being processed.
-
-
-                        If set to `Never`, a private key will only be generated if one does not
-                        already exist in the target `spec.secretName`. If one does exists but it
-                        does not have the correct algorithm or size, a warning will be raised
-                        to await user intervention.
-                        If set to `Always`, a private key matching the specified requirements
-                        will be generated whenever a re-issuance occurs.
-                        Default is `Never` for backward compatibility.
-                      type: string
-                      enum:
-                        - Never
-                        - Always
-                    size:
-                      description: |-
-                        Size is the key bit size of the corresponding private key for this certificate.
-
-
-                        If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
-                        and will default to `2048` if not specified.
-                        If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
-                        and will default to `256` if not specified.
-                        If `algorithm` is set to `Ed25519`, Size is ignored.
-                        No other values are allowed.
-                      type: integer
-                renewBefore:
-                  description: |-
-                    How long before the currently issued certificate's expiry cert-manager should
-                    renew the certificate. For example, if a certificate is valid for 60 minutes,
-                    and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
-                    50 minutes after it was issued (i.e. when there are 10 minutes remaining until
-                    the certificate is no longer valid).
-
-
-                    NOTE: The actual lifetime of the issued certificate is used to determine the
-                    renewal time. If an issuer returns a certificate with a different lifetime than
-                    the one requested, cert-manager will use the lifetime of the issued certificate.
-
-
-                    If unset, this defaults to 1/3 of the issued certificate's lifetime.
-                    Minimum accepted value is 5 minutes.
-                    Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
-                  type: string
-                revisionHistoryLimit:
-                  description: |-
-                    The maximum number of CertificateRequest revisions that are maintained in
-                    the Certificate's history. Each revision represents a single `CertificateRequest`
-                    created by this Certificate, either when it was created, renewed, or Spec
-                    was changed. Revisions will be removed by oldest first if the number of
-                    revisions exceeds this number.
-
-
-                    If set, revisionHistoryLimit must be a value of `1` or greater.
-                    If unset (`nil`), revisions will not be garbage collected.
-                    Default value is `nil`.
-                  type: integer
-                  format: int32
-                secretName:
-                  description: |-
-                    Name of the Secret resource that will be automatically created and
-                    managed by this Certificate resource. It will be populated with a
-                    private key and certificate, signed by the denoted issuer. The Secret
-                    resource lives in the same namespace as the Certificate resource.
-                  type: string
-                secretTemplate:
-                  description: |-
-                    Defines annotations and labels to be copied to the Certificate's Secret.
-                    Labels and annotations on the Secret will be changed as they appear on the
-                    SecretTemplate when added or removed. SecretTemplate annotations are added
-                    in conjunction with, and cannot overwrite, the base set of annotations
-                    cert-manager sets on the Certificate's Secret.
-                  type: object
-                  properties:
-                    annotations:
-                      description: Annotations is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                    labels:
-                      description: Labels is a key value map to be copied to the target Kubernetes Secret.
-                      type: object
-                      additionalProperties:
-                        type: string
-                subject:
-                  description: |-
-                    Requested set of X509 certificate subject attributes.
-                    More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-
-
-                    The common name attribute is specified separately in the `commonName` field.
-                    Cannot be set if the `literalSubject` field is set.
-                  type: object
-                  properties:
-                    countries:
-                      description: Countries to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    localities:
-                      description: Cities to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizationalUnits:
-                      description: Organizational Units to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    organizations:
-                      description: Organizations to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    postalCodes:
-                      description: Postal codes to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    provinces:
-                      description: State/Provinces to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                    serialNumber:
-                      description: Serial number to be used on the Certificate.
-                      type: string
-                    streetAddresses:
-                      description: Street addresses to be used on the Certificate.
-                      type: array
-                      items:
-                        type: string
-                uris:
-                  description: Requested URI subject alternative names.
-                  type: array
-                  items:
-                    type: string
-                usages:
-                  description: |-
-                    Requested key usages and extended key usages.
-                    These usages are used to set the `usages` field on the created CertificateRequest
-                    resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
-                    will additionally be encoded in the `request` field which contains the CSR blob.
-
-
-                    If unset, defaults to `digital signature` and `key encipherment`.
-                  type: array
-                  items:
-                    description: |-
-                      KeyUsage specifies valid usage contexts for keys.
-                      See:
-                      https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-                      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
-
-
-                      Valid KeyUsage values are as follows:
-                      "signing",
-                      "digital signature",
-                      "content commitment",
-                      "key encipherment",
-                      "key agreement",
-                      "data encipherment",
-                      "cert sign",
-                      "crl sign",
-                      "encipher only",
-                      "decipher only",
-                      "any",
-                      "server auth",
-                      "client auth",
-                      "code signing",
-                      "email protection",
-                      "s/mime",
-                      "ipsec end system",
-                      "ipsec tunnel",
-                      "ipsec user",
-                      "timestamping",
-                      "ocsp signing",
-                      "microsoft sgc",
-                      "netscape sgc"
-                    type: string
-                    enum:
-                      - signing
-                      - digital signature
-                      - content commitment
-                      - key encipherment
-                      - key agreement
-                      - data encipherment
-                      - cert sign
-                      - crl sign
-                      - encipher only
-                      - decipher only
-                      - any
-                      - server auth
-                      - client auth
-                      - code signing
-                      - email protection
-                      - s/mime
-                      - ipsec end system
-                      - ipsec tunnel
-                      - ipsec user
-                      - timestamping
-                      - ocsp signing
-                      - microsoft sgc
-                      - netscape sgc
-            status:
-              description: |-
-                Status of the Certificate.
-                This is set and managed automatically.
-                Read-only.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-              type: object
-              properties:
-                conditions:
-                  description: |-
-                    List of status conditions to indicate the status of certificates.
-                    Known condition types are `Ready` and `Issuing`.
-                  type: array
-                  items:
-                    description: CertificateCondition contains condition information for an Certificate.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: |-
-                          LastTransitionTime is the timestamp corresponding to the last status
-                          change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: |-
-                          Message is a human readable description of the details of the last
-                          transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: |-
-                          If set, this represents the .metadata.generation that the condition was
-                          set based upon.
-                          For instance, if .metadata.generation is currently 12, but the
-                          .status.condition[x].observedGeneration is 9, the condition is out of date
-                          with respect to the current state of the Certificate.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: |-
-                          Reason is a brief machine readable explanation for the condition's last
-                          transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`, `Issuing`).
-                        type: string
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-                failedIssuanceAttempts:
-                  description: |-
-                    The number of continuous failed issuance attempts up till now. This
-                    field gets removed (if set) on a successful issuance and gets set to
-                    1 if unset and an issuance has failed. If an issuance has failed, the
-                    delay till the next issuance will be calculated using formula
-                    time.Hour * 2 ^ (failedIssuanceAttempts - 1).
-                  type: integer
-                lastFailureTime:
-                  description: |-
-                    LastFailureTime is set only if the lastest issuance for this
-                    Certificate failed and contains the time of the failure. If an
-                    issuance has failed, the delay till the next issuance will be
-                    calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
-                    1). If the latest issuance has succeeded this field will be unset.
-                  type: string
-                  format: date-time
-                nextPrivateKeySecretName:
-                  description: |-
-                    The name of the Secret resource containing the private key to be used
-                    for the next certificate iteration.
-                    The keymanager controller will automatically set this field if the
-                    `Issuing` condition is set to `True`.
-                    It will automatically unset this field when the Issuing condition is
-                    not set or False.
-                  type: string
-                notAfter:
-                  description: |-
-                    The expiration time of the certificate stored in the secret named
-                    by this resource in `spec.secretName`.
-                  type: string
-                  format: date-time
-                notBefore:
-                  description: |-
-                    The time after which the certificate stored in the secret named
-                    by this resource in `spec.secretName` is valid.
-                  type: string
-                  format: date-time
-                renewalTime:
-                  description: |-
-                    RenewalTime is the time at which the certificate will be next
-                    renewed.
-                    If not set, no upcoming renewal is scheduled.
-                  type: string
-                  format: date-time
-                revision:
-                  description: |-
-                    The current 'revision' of the certificate as issued.
-
-
-                    When a CertificateRequest resource is created, it will have the
-                    `cert-manager.io/certificate-revision` set to one greater than the
-                    current value of this field.
-
-
-                    Upon issuance, this field will be set to the value of the annotation
-                    on the CertificateRequest resource used to issue the certificate.
-
-
-                    Persisting the value on the CertificateRequest resource allows the
-                    certificates controller to know whether a request is part of an old
-                    issuance or if it is part of the ongoing revision's issuance by
-                    checking if the revision value in the annotation is greater than this
-                    field.
-                  type: integer
-      served: true
-      storage: true
-
-# END crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: challenges.acme.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Challenge
-    listKind: ChallengeList
-    plural: challenges
-    singular: challenge
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - authorizationURL
-                - dnsName
-                - issuerRef
-                - key
-                - solver
-                - token
-                - type
-                - url
-              properties:
-                authorizationURL:
-                  description: |-
-                    The URL to the ACME Authorization resource that this
-                    challenge is a part of.
-                  type: string
-                dnsName:
-                  description: |-
-                    dnsName is the identifier that this challenge is for, e.g. example.com.
-                    If the requested DNSName is a 'wildcard', this field MUST be set to the
-                    non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: |-
-                    References a properly configured ACME-type Issuer which should
-                    be used to create this Challenge.
-                    If the Issuer does not exist, processing will be retried.
-                    If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-                    Challenge will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                key:
-                  description: |-
-                    The ACME challenge key for this challenge
-                    For HTTP01 challenges, this is the value that must be responded with to
-                    complete the HTTP01 challenge in the format:
-                    `<private key JWK thumbprint>.<key from acme server for challenge>`.
-                    For DNS01 challenges, this is the base64 encoded SHA256 sum of the
-                    `<private key JWK thumbprint>.<key from acme server for challenge>`
-                    text that must be set as the TXT record content.
-                  type: string
-                solver:
-                  description: |-
-                    Contains the domain solving configuration that should be used to
-                    solve this challenge resource.
-                  type: object
-                  properties:
-                    dns01:
-                      description: |-
-                        Configures cert-manager to attempt to complete authorizations by
-                        performing the DNS01 challenge flow.
-                      type: object
-                      properties:
-                        acmeDNS:
-                          description: |-
-                            Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-                            DNS01 challenge records.
-                          type: object
-                          required:
-                            - accountSecretRef
-                            - host
-                          properties:
-                            accountSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            host:
-                              type: string
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          properties:
-                            accessTokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            clientTokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            serviceConsumerDomain:
-                              type: string
-                        azureDNS:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          properties:
-                            clientID:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
-                                If set, ClientSecret and TenantID must also be set.
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                A reference to a Secret containing the password associated with the Service Principal.
-                                If set, ClientID and TenantID must also be set.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            environment:
-                              description: name of the Azure environment (default AzurePublicCloud)
-                              type: string
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                            hostedZoneName:
-                              description: name of the DNS zone that should be used
-                              type: string
-                            managedIdentity:
-                              description: |-
-                                Auth: Azure Workload Identity or Azure Managed Service Identity:
-                                Settings to enable Azure Workload Identity or Azure Managed Service Identity
-                                If set, ClientID, ClientSecret and TenantID must not be set.
-                              type: object
-                              properties:
-                                clientID:
-                                  description: client ID of the managed identity, can not be used at the same time as resourceID
-                                  type: string
-                                resourceID:
-                                  description: |-
-                                    resource ID of the managed identity, can not be used at the same time as clientID
-                                    Cannot be used for Azure Managed Service Identity
-                                  type: string
-                            resourceGroupName:
-                              description: resource group the DNS zone is located in
-                              type: string
-                            subscriptionID:
-                              description: ID of the Azure subscription
-                              type: string
-                            tenantID:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
-                                If set, ClientID and ClientSecret must also be set.
-                              type: string
-                        cloudDNS:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - project
-                          properties:
-                            hostedZoneName:
-                              description: |-
-                                HostedZoneName is an optional field that tells cert-manager in which
-                                Cloud DNS zone the challenge record has to be created.
-                                If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          type: object
-                          properties:
-                            apiKeySecretRef:
-                              description: |-
-                                API key to use to authenticate with Cloudflare.
-                                Note: using an API token to authenticate is now the recommended method
-                                as it allows greater control of permissions.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                        cnameStrategy:
-                          description: |-
-                            CNAMEStrategy configures how the DNS01 provider should handle CNAME
-                            records when found in DNS zones.
-                          type: string
-                          enum:
-                            - None
-                            - Follow
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - tokenSecretRef
-                          properties:
-                            tokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        rfc2136:
-                          description: |-
-                            Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-                            to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - nameserver
-                          properties:
-                            nameserver:
-                              description: |-
-                                The IP address or hostname of an authoritative DNS server supporting
-                                RFC2136 in the form host:port. If the host is an IPv6 address it must be
-                                enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
-                                This field is required.
-                              type: string
-                            tsigAlgorithm:
-                              description: |-
-                                The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-                                when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-                                Supported values are (case-insensitive): ``HMACMD5`` (default),
-                                ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-                              type: string
-                            tsigKeyName:
-                              description: |-
-                                The TSIG Key name configured in the DNS.
-                                If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: |-
-                                The name of the secret containing the TSIG value.
-                                If ``tsigKeyName`` is defined, this field is required.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          type: object
-                          required:
-                            - region
-                          properties:
-                            accessKeyID:
-                              description: |-
-                                The AccessKeyID is used for authentication.
-                                Cannot be set when SecretAccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: string
-                            accessKeyIDSecretRef:
-                              description: |-
-                                The SecretAccessKey is used for authentication. If set, pull the AWS
-                                access key ID from a key within a Kubernetes Secret.
-                                Cannot be set when AccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            auth:
-                              description: Auth configures how cert-manager authenticates.
-                              type: object
-                              required:
-                                - kubernetes
-                              properties:
-                                kubernetes:
-                                  description: |-
-                                    Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
-                                    by passing a bound ServiceAccount token.
-                                  type: object
-                                  required:
-                                    - serviceAccountRef
-                                  properties:
-                                    serviceAccountRef:
-                                      description: |-
-                                        A reference to a service account that will be used to request a bound
-                                        token (also known as "projected token"). To use this field, you must
-                                        configure an RBAC rule to let cert-manager request a token.
-                                      type: object
-                                      required:
-                                        - name
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            TokenAudiences is an optional list of audiences to include in the
-                                            token passed to AWS. The default token consisting of the issuer's namespace
-                                            and name is always included.
-                                            If unset the audience defaults to `sts.amazonaws.com`.
-                                          type: array
-                                          items:
-                                            type: string
-                                        name:
-                                          description: Name of the ServiceAccount used to request a token.
-                                          type: string
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: Always set the region when using AccessKeyID and SecretAccessKey
-                              type: string
-                            role:
-                              description: |-
-                                Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-                                or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: |-
-                                The SecretAccessKey is used for authentication.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        webhook:
-                          description: |-
-                            Configure an external webhook based DNS01 challenge solver to manage
-                            DNS01 challenge records.
-                          type: object
-                          required:
-                            - groupName
-                            - solverName
-                          properties:
-                            config:
-                              description: |-
-                                Additional configuration that should be passed to the webhook apiserver
-                                when challenges are processed.
-                                This can contain arbitrary JSON data.
-                                Secret values should not be specified in this stanza.
-                                If secret values are needed (e.g. credentials for a DNS service), you
-                                should use a SecretKeySelector to reference a Secret resource.
-                                For details on the schema of this field, consult the webhook provider
-                                implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: |-
-                                The API group name that should be used when POSTing ChallengePayload
-                                resources to the webhook apiserver.
-                                This should be the same as the GroupName specified in the webhook
-                                provider implementation.
-                              type: string
-                            solverName:
-                              description: |-
-                                The name of the solver to use, as defined in the webhook provider
-                                implementation.
-                                This will typically be the name of the provider, e.g. 'cloudflare'.
-                              type: string
-                    http01:
-                      description: |-
-                        Configures cert-manager to attempt to complete authorizations by
-                        performing the HTTP01 challenge flow.
-                        It is not possible to obtain certificates for wildcard domain names
-                        (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                      type: object
-                      properties:
-                        gatewayHTTPRoute:
-                          description: |-
-                            The Gateway API is a sig-network community API that models service networking
-                            in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-                            create HTTPRoutes with the specified labels in the same namespace as the challenge.
-                            This solver is experimental, and fields / behaviour may change in the future.
-                          type: object
-                          properties:
-                            labels:
-                              description: |-
-                                Custom labels that will be applied to HTTPRoutes created by cert-manager
-                                while solving HTTP-01 challenges.
-                              type: object
-                              additionalProperties:
-                                type: string
-                            parentRefs:
-                              description: |-
-                                When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
-                                cert-manager needs to know which parentRefs should be used when creating
-                                the HTTPRoute. Usually, the parentRef references a Gateway. See:
-                                https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
-                              type: array
-                              items:
-                                description: |-
-                                  ParentReference identifies an API object (usually a Gateway) that can be considered
-                                  a parent of this resource (usually a route). There are two kinds of parent resources
-                                  with "Core" support:
-
-
-                                  * Gateway (Gateway conformance profile)
-                                  * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                  This API may be extended in the future to support additional kinds of parent
-                                  resources.
-
-
-                                  The API object must be valid in the cluster; the Group and Kind must
-                                  be registered in the cluster for this reference to be valid.
-                                type: object
-                                required:
-                                  - name
-                                properties:
-                                  group:
-                                    description: |-
-                                      Group is the group of the referent.
-                                      When unspecified, "gateway.networking.k8s.io" is inferred.
-                                      To set the core API group (such as for a "Service" kind referent),
-                                      Group must be explicitly set to "" (empty string).
-
-
-                                      Support: Core
-                                    type: string
-                                    default: gateway.networking.k8s.io
-                                    maxLength: 253
-                                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  kind:
-                                    description: |-
-                                      Kind is kind of the referent.
-
-
-                                      There are two kinds of parent resources with "Core" support:
-
-
-                                      * Gateway (Gateway conformance profile)
-                                      * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                      Support for other resources is Implementation-Specific.
-                                    type: string
-                                    default: Gateway
-                                    maxLength: 63
-                                    minLength: 1
-                                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                                  name:
-                                    description: |-
-                                      Name is the name of the referent.
-
-
-                                      Support: Core
-                                    type: string
-                                    maxLength: 253
-                                    minLength: 1
-                                  namespace:
-                                    description: |-
-                                      Namespace is the namespace of the referent. When unspecified, this refers
-                                      to the local namespace of the Route.
-
-
-                                      Note that there are specific rules for ParentRefs which cross namespace
-                                      boundaries. Cross-namespace references are only valid if they are explicitly
-                                      allowed by something in the namespace they are referring to. For example:
-                                      Gateway has the AllowedRoutes field, and ReferenceGrant provides a
-                                      generic way to enable any other kind of cross-namespace reference.
-
-
-                                      <gateway:experimental:description>
-                                      ParentRefs from a Route to a Service in the same namespace are "producer"
-                                      routes, which apply default routing rules to inbound connections from
-                                      any namespace to the Service.
-
-
-                                      ParentRefs from a Route to a Service in a different namespace are
-                                      "consumer" routes, and these routing rules are only applied to outbound
-                                      connections originating from the same namespace as the Route, for which
-                                      the intended destination of the connections are a Service targeted as a
-                                      ParentRef of the Route.
-                                      </gateway:experimental:description>
-
-
-                                      Support: Core
-                                    type: string
-                                    maxLength: 63
-                                    minLength: 1
-                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                  port:
-                                    description: |-
-                                      Port is the network port this Route targets. It can be interpreted
-                                      differently based on the type of parent resource.
-
-
-                                      When the parent resource is a Gateway, this targets all listeners
-                                      listening on the specified port that also support this kind of Route(and
-                                      select this Route). It's not recommended to set `Port` unless the
-                                      networking behaviors specified in a Route must apply to a specific port
-                                      as opposed to a listener(s) whose port(s) may be changed. When both Port
-                                      and SectionName are specified, the name and port of the selected listener
-                                      must match both specified values.
-
-
-                                      <gateway:experimental:description>
-                                      When the parent resource is a Service, this targets a specific port in the
-                                      Service spec. When both Port (experimental) and SectionName are specified,
-                                      the name and port of the selected port must match both specified values.
-                                      </gateway:experimental:description>
-
-
-                                      Implementations MAY choose to support other parent resources.
-                                      Implementations supporting other types of parent resources MUST clearly
-                                      document how/if Port is interpreted.
-
-
-                                      For the purpose of status, an attachment is considered successful as
-                                      long as the parent resource accepts it partially. For example, Gateway
-                                      listeners can restrict which Routes can attach to them by Route kind,
-                                      namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
-                                      from the referencing Route, the Route MUST be considered successfully
-                                      attached. If no Gateway listeners accept attachment from this Route,
-                                      the Route MUST be considered detached from the Gateway.
-
-
-                                      Support: Extended
-                                    type: integer
-                                    format: int32
-                                    maximum: 65535
-                                    minimum: 1
-                                  sectionName:
-                                    description: |-
-                                      SectionName is the name of a section within the target resource. In the
-                                      following resources, SectionName is interpreted as the following:
-
-
-                                      * Gateway: Listener name. When both Port (experimental) and SectionName
-                                      are specified, the name and port of the selected listener must match
-                                      both specified values.
-                                      * Service: Port name. When both Port (experimental) and SectionName
-                                      are specified, the name and port of the selected listener must match
-                                      both specified values.
-
-
-                                      Implementations MAY choose to support attaching Routes to other resources.
-                                      If that is the case, they MUST clearly document how SectionName is
-                                      interpreted.
-
-
-                                      When unspecified (empty string), this will reference the entire resource.
-                                      For the purpose of status, an attachment is considered successful if at
-                                      least one section in the parent resource accepts it. For example, Gateway
-                                      listeners can restrict which Routes can attach to them by Route kind,
-                                      namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
-                                      the referencing Route, the Route MUST be considered successfully
-                                      attached. If no Gateway listeners accept attachment from this Route, the
-                                      Route MUST be considered detached from the Gateway.
-
-
-                                      Support: Core
-                                    type: string
-                                    maxLength: 253
-                                    minLength: 1
-                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                            serviceType:
-                              description: |-
-                                Optional service type for Kubernetes solver service. Supported values
-                                are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                        ingress:
-                          description: |-
-                            The ingress based HTTP01 challenge solver will solve challenges by
-                            creating or modifying Ingress resources in order to route requests for
-                            '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
-                            provisioned by cert-manager for each Challenge to be completed.
-                          type: object
-                          properties:
-                            class:
-                              description: |-
-                                This field configures the annotation `kubernetes.io/ingress.class` when
-                                creating Ingress resources to solve ACME challenges that use this
-                                challenge solver. Only one of `class`, `name` or `ingressClassName` may
-                                be specified.
-                              type: string
-                            ingressClassName:
-                              description: |-
-                                This field configures the field `ingressClassName` on the created Ingress
-                                resources used to solve ACME challenges that use this challenge solver.
-                                This is the recommended way of configuring the ingress class. Only one of
-                                `class`, `name` or `ingressClassName` may be specified.
-                              type: string
-                            ingressTemplate:
-                              description: |-
-                                Optional ingress template used to configure the ACME challenge solver
-                                ingress used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: |-
-                                    ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
-                                    Only the 'labels' and 'annotations' fields may be set.
-                                    If labels or annotations overlap with in-built values, the values here
-                                    will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                            name:
-                              description: |-
-                                The name of the ingress resource that should have ACME challenge solving
-                                routes inserted into it in order to solve HTTP01 challenges.
-                                This is typically used in conjunction with ingress controllers like
-                                ingress-gce, which maintains a 1:1 mapping between external IPs and
-                                ingress resources. Only one of `class`, `name` or `ingressClassName` may
-                                be specified.
-                              type: string
-                            podTemplate:
-                              description: |-
-                                Optional pod template used to configure the ACME challenge solver pods
-                                used for HTTP01 challenges.
-                              type: object
-                              properties:
-                                metadata:
-                                  description: |-
-                                    ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-                                    Only the 'labels' and 'annotations' fields may be set.
-                                    If labels or annotations overlap with in-built values, the values here
-                                    will override the in-built values.
-                                  type: object
-                                  properties:
-                                    annotations:
-                                      description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    labels:
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                spec:
-                                  description: |-
-                                    PodSpec defines overrides for the HTTP01 challenge solver pod.
-                                    Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
-                                    All other fields will be ignored.
-                                  type: object
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      type: object
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                The scheduler will prefer to schedule pods to nodes that satisfy
-                                                the affinity expressions specified by this field, but it may choose
-                                                a node that violates one or more of the expressions. The node that is
-                                                most preferred is the one with the greatest sum of weights, i.e.
-                                                for each node that meets all of the scheduling requirements (resource
-                                                request, requiredDuringScheduling affinity expressions, etc.),
-                                                compute a sum by iterating through the elements of this field and adding
-                                                "weight" to the sum if the node matches the corresponding matchExpressions; the
-                                                node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: |-
-                                                  An empty preferred scheduling term matches all objects with implicit weight 0
-                                                  (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                type: object
-                                                required:
-                                                  - preference
-                                                  - weight
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                Represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                An array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. If the operator is Gt or Lt, the values
-                                                                array must have a single element, which will be interpreted as an integer.
-                                                                This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                Represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                An array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. If the operator is Gt or Lt, the values
-                                                                array must have a single element, which will be interpreted as an integer.
-                                                                This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                    x-kubernetes-map-type: atomic
-                                                  weight:
-                                                    description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                              x-kubernetes-list-type: atomic
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                If the affinity requirements specified by this field are not met at
-                                                scheduling time, the pod will not be scheduled onto the node.
-                                                If the affinity requirements specified by this field cease to be met
-                                                at some point during pod execution (e.g. due to an update), the system
-                                                may or may not try to eventually evict the pod from its node.
-                                              type: object
-                                              required:
-                                                - nodeSelectorTerms
-                                              properties:
-                                                nodeSelectorTerms:
-                                                  description: Required. A list of node selector terms. The terms are ORed.
-                                                  type: array
-                                                  items:
-                                                    description: |-
-                                                      A null or empty node selector term matches no objects. The requirements of
-                                                      them are ANDed.
-                                                      The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                Represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                An array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. If the operator is Gt or Lt, the values
-                                                                array must have a single element, which will be interpreted as an integer.
-                                                                This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                Represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                An array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. If the operator is Gt or Lt, the values
-                                                                array must have a single element, which will be interpreted as an integer.
-                                                                This array is replaced during a strategic merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                    x-kubernetes-map-type: atomic
-                                                  x-kubernetes-list-type: atomic
-                                              x-kubernetes-map-type: atomic
-                                        podAffinity:
-                                          description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                The scheduler will prefer to schedule pods to nodes that satisfy
-                                                the affinity expressions specified by this field, but it may choose
-                                                a node that violates one or more of the expressions. The node that is
-                                                most preferred is the one with the greatest sum of weights, i.e.
-                                                for each node that meets all of the scheduling requirements (resource
-                                                request, requiredDuringScheduling affinity expressions, etc.),
-                                                compute a sum by iterating through the elements of this field and adding
-                                                "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: |-
-                                                          A label query over a set of resources, in this case pods.
-                                                          If it's null, this PodAffinityTerm matches with no Pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: |-
-                                                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: |-
-                                                                    operator represents a key's relationship to a set of values.
-                                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: |-
-                                                                    values is an array of string values. If the operator is In or NotIn,
-                                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                    the values array must be empty. This array is replaced during a strategic
-                                                                    merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                                  x-kubernetes-list-type: atomic
-                                                            x-kubernetes-list-type: atomic
-                                                          matchLabels:
-                                                            description: |-
-                                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                        x-kubernetes-map-type: atomic
-                                                      matchLabelKeys:
-                                                        description: |-
-                                                          MatchLabelKeys is a set of pod label keys to select which pods will
-                                                          be taken into consideration. The keys are used to lookup values from the
-                                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                          to select the group of existing pods which pods will be taken into consideration
-                                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                          pod labels will be ignored. The default value is empty.
-                                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      mismatchLabelKeys:
-                                                        description: |-
-                                                          MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                          be taken into consideration. The keys are used to lookup values from the
-                                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                          to select the group of existing pods which pods will be taken into consideration
-                                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                          pod labels will be ignored. The default value is empty.
-                                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      namespaceSelector:
-                                                        description: |-
-                                                          A label query over the set of namespaces that the term applies to.
-                                                          The term is applied to the union of the namespaces selected by this field
-                                                          and the ones listed in the namespaces field.
-                                                          null selector and null or empty namespaces list means "this pod's namespace".
-                                                          An empty selector ({}) matches all namespaces.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: |-
-                                                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: |-
-                                                                    operator represents a key's relationship to a set of values.
-                                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: |-
-                                                                    values is an array of string values. If the operator is In or NotIn,
-                                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                    the values array must be empty. This array is replaced during a strategic
-                                                                    merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                                  x-kubernetes-list-type: atomic
-                                                            x-kubernetes-list-type: atomic
-                                                          matchLabels:
-                                                            description: |-
-                                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                        x-kubernetes-map-type: atomic
-                                                      namespaces:
-                                                        description: |-
-                                                          namespaces specifies a static list of namespace names that the term applies to.
-                                                          The term is applied to the union of the namespaces listed in this field
-                                                          and the ones selected by namespaceSelector.
-                                                          null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      topologyKey:
-                                                        description: |-
-                                                          This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                          the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                          whose value of the label with key topologyKey matches that of any node on which any of the
-                                                          selected pods is running.
-                                                          Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: |-
-                                                      weight associated with matching the corresponding podAffinityTerm,
-                                                      in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                              x-kubernetes-list-type: atomic
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                If the affinity requirements specified by this field are not met at
-                                                scheduling time, the pod will not be scheduled onto the node.
-                                                If the affinity requirements specified by this field cease to be met
-                                                at some point during pod execution (e.g. due to a pod label update), the
-                                                system may or may not try to eventually evict the pod from its node.
-                                                When there are multiple elements, the lists of nodes corresponding to each
-                                                podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: |-
-                                                  Defines a set of pods (namely those matching the labelSelector
-                                                  relative to the given namespace(s)) that this pod should be
-                                                  co-located (affinity) or not co-located (anti-affinity) with,
-                                                  where co-located is defined as running on a node whose value of
-                                                  the label with key <topologyKey> matches that of any node on which
-                                                  a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: |-
-                                                      A label query over a set of resources, in this case pods.
-                                                      If it's null, this PodAffinityTerm matches with no Pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A label selector requirement is a selector that contains values, a key, and an operator that
-                                                            relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                operator represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                values is an array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. This array is replaced during a strategic
-                                                                merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchLabels:
-                                                        description: |-
-                                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                    x-kubernetes-map-type: atomic
-                                                  matchLabelKeys:
-                                                    description: |-
-                                                      MatchLabelKeys is a set of pod label keys to select which pods will
-                                                      be taken into consideration. The keys are used to lookup values from the
-                                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                      to select the group of existing pods which pods will be taken into consideration
-                                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                      pod labels will be ignored. The default value is empty.
-                                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                      This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  mismatchLabelKeys:
-                                                    description: |-
-                                                      MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                      be taken into consideration. The keys are used to lookup values from the
-                                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                      to select the group of existing pods which pods will be taken into consideration
-                                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                      pod labels will be ignored. The default value is empty.
-                                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                      This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  namespaceSelector:
-                                                    description: |-
-                                                      A label query over the set of namespaces that the term applies to.
-                                                      The term is applied to the union of the namespaces selected by this field
-                                                      and the ones listed in the namespaces field.
-                                                      null selector and null or empty namespaces list means "this pod's namespace".
-                                                      An empty selector ({}) matches all namespaces.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A label selector requirement is a selector that contains values, a key, and an operator that
-                                                            relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                operator represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                values is an array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. This array is replaced during a strategic
-                                                                merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchLabels:
-                                                        description: |-
-                                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                    x-kubernetes-map-type: atomic
-                                                  namespaces:
-                                                    description: |-
-                                                      namespaces specifies a static list of namespace names that the term applies to.
-                                                      The term is applied to the union of the namespaces listed in this field
-                                                      and the ones selected by namespaceSelector.
-                                                      null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  topologyKey:
-                                                    description: |-
-                                                      This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                      the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                      whose value of the label with key topologyKey matches that of any node on which any of the
-                                                      selected pods is running.
-                                                      Empty topologyKey is not allowed.
-                                                    type: string
-                                              x-kubernetes-list-type: atomic
-                                        podAntiAffinity:
-                                          description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                          type: object
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                The scheduler will prefer to schedule pods to nodes that satisfy
-                                                the anti-affinity expressions specified by this field, but it may choose
-                                                a node that violates one or more of the expressions. The node that is
-                                                most preferred is the one with the greatest sum of weights, i.e.
-                                                for each node that meets all of the scheduling requirements (resource
-                                                request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                                compute a sum by iterating through the elements of this field and adding
-                                                "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                node(s) with the highest sum are the most preferred.
-                                              type: array
-                                              items:
-                                                description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                type: object
-                                                required:
-                                                  - podAffinityTerm
-                                                  - weight
-                                                properties:
-                                                  podAffinityTerm:
-                                                    description: Required. A pod affinity term, associated with the corresponding weight.
-                                                    type: object
-                                                    required:
-                                                      - topologyKey
-                                                    properties:
-                                                      labelSelector:
-                                                        description: |-
-                                                          A label query over a set of resources, in this case pods.
-                                                          If it's null, this PodAffinityTerm matches with no Pods.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: |-
-                                                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: |-
-                                                                    operator represents a key's relationship to a set of values.
-                                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: |-
-                                                                    values is an array of string values. If the operator is In or NotIn,
-                                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                    the values array must be empty. This array is replaced during a strategic
-                                                                    merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                                  x-kubernetes-list-type: atomic
-                                                            x-kubernetes-list-type: atomic
-                                                          matchLabels:
-                                                            description: |-
-                                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                        x-kubernetes-map-type: atomic
-                                                      matchLabelKeys:
-                                                        description: |-
-                                                          MatchLabelKeys is a set of pod label keys to select which pods will
-                                                          be taken into consideration. The keys are used to lookup values from the
-                                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                          to select the group of existing pods which pods will be taken into consideration
-                                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                          pod labels will be ignored. The default value is empty.
-                                                          The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                          Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      mismatchLabelKeys:
-                                                        description: |-
-                                                          MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                          be taken into consideration. The keys are used to lookup values from the
-                                                          incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                          to select the group of existing pods which pods will be taken into consideration
-                                                          for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                          pod labels will be ignored. The default value is empty.
-                                                          The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                          Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                          This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      namespaceSelector:
-                                                        description: |-
-                                                          A label query over the set of namespaces that the term applies to.
-                                                          The term is applied to the union of the namespaces selected by this field
-                                                          and the ones listed in the namespaces field.
-                                                          null selector and null or empty namespaces list means "this pod's namespace".
-                                                          An empty selector ({}) matches all namespaces.
-                                                        type: object
-                                                        properties:
-                                                          matchExpressions:
-                                                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                            type: array
-                                                            items:
-                                                              description: |-
-                                                                A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                relates the key and values.
-                                                              type: object
-                                                              required:
-                                                                - key
-                                                                - operator
-                                                              properties:
-                                                                key:
-                                                                  description: key is the label key that the selector applies to.
-                                                                  type: string
-                                                                operator:
-                                                                  description: |-
-                                                                    operator represents a key's relationship to a set of values.
-                                                                    Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                  type: string
-                                                                values:
-                                                                  description: |-
-                                                                    values is an array of string values. If the operator is In or NotIn,
-                                                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                    the values array must be empty. This array is replaced during a strategic
-                                                                    merge patch.
-                                                                  type: array
-                                                                  items:
-                                                                    type: string
-                                                                  x-kubernetes-list-type: atomic
-                                                            x-kubernetes-list-type: atomic
-                                                          matchLabels:
-                                                            description: |-
-                                                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                              map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                              operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                            type: object
-                                                            additionalProperties:
-                                                              type: string
-                                                        x-kubernetes-map-type: atomic
-                                                      namespaces:
-                                                        description: |-
-                                                          namespaces specifies a static list of namespace names that the term applies to.
-                                                          The term is applied to the union of the namespaces listed in this field
-                                                          and the ones selected by namespaceSelector.
-                                                          null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                        type: array
-                                                        items:
-                                                          type: string
-                                                        x-kubernetes-list-type: atomic
-                                                      topologyKey:
-                                                        description: |-
-                                                          This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                          the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                          whose value of the label with key topologyKey matches that of any node on which any of the
-                                                          selected pods is running.
-                                                          Empty topologyKey is not allowed.
-                                                        type: string
-                                                  weight:
-                                                    description: |-
-                                                      weight associated with matching the corresponding podAffinityTerm,
-                                                      in the range 1-100.
-                                                    type: integer
-                                                    format: int32
-                                              x-kubernetes-list-type: atomic
-                                            requiredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                If the anti-affinity requirements specified by this field are not met at
-                                                scheduling time, the pod will not be scheduled onto the node.
-                                                If the anti-affinity requirements specified by this field cease to be met
-                                                at some point during pod execution (e.g. due to a pod label update), the
-                                                system may or may not try to eventually evict the pod from its node.
-                                                When there are multiple elements, the lists of nodes corresponding to each
-                                                podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                              type: array
-                                              items:
-                                                description: |-
-                                                  Defines a set of pods (namely those matching the labelSelector
-                                                  relative to the given namespace(s)) that this pod should be
-                                                  co-located (affinity) or not co-located (anti-affinity) with,
-                                                  where co-located is defined as running on a node whose value of
-                                                  the label with key <topologyKey> matches that of any node on which
-                                                  a pod of the set of pods is running
-                                                type: object
-                                                required:
-                                                  - topologyKey
-                                                properties:
-                                                  labelSelector:
-                                                    description: |-
-                                                      A label query over a set of resources, in this case pods.
-                                                      If it's null, this PodAffinityTerm matches with no Pods.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A label selector requirement is a selector that contains values, a key, and an operator that
-                                                            relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                operator represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                values is an array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. This array is replaced during a strategic
-                                                                merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchLabels:
-                                                        description: |-
-                                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                    x-kubernetes-map-type: atomic
-                                                  matchLabelKeys:
-                                                    description: |-
-                                                      MatchLabelKeys is a set of pod label keys to select which pods will
-                                                      be taken into consideration. The keys are used to lookup values from the
-                                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                      to select the group of existing pods which pods will be taken into consideration
-                                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                      pod labels will be ignored. The default value is empty.
-                                                      The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                      Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                      This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  mismatchLabelKeys:
-                                                    description: |-
-                                                      MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                      be taken into consideration. The keys are used to lookup values from the
-                                                      incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                      to select the group of existing pods which pods will be taken into consideration
-                                                      for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                      pod labels will be ignored. The default value is empty.
-                                                      The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                      Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                      This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  namespaceSelector:
-                                                    description: |-
-                                                      A label query over the set of namespaces that the term applies to.
-                                                      The term is applied to the union of the namespaces selected by this field
-                                                      and the ones listed in the namespaces field.
-                                                      null selector and null or empty namespaces list means "this pod's namespace".
-                                                      An empty selector ({}) matches all namespaces.
-                                                    type: object
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A label selector requirement is a selector that contains values, a key, and an operator that
-                                                            relates the key and values.
-                                                          type: object
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          properties:
-                                                            key:
-                                                              description: key is the label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                operator represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                values is an array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. This array is replaced during a strategic
-                                                                merge patch.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                      matchLabels:
-                                                        description: |-
-                                                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                          map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                          operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                        type: object
-                                                        additionalProperties:
-                                                          type: string
-                                                    x-kubernetes-map-type: atomic
-                                                  namespaces:
-                                                    description: |-
-                                                      namespaces specifies a static list of namespace names that the term applies to.
-                                                      The term is applied to the union of the namespaces listed in this field
-                                                      and the ones selected by namespaceSelector.
-                                                      null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                    type: array
-                                                    items:
-                                                      type: string
-                                                    x-kubernetes-list-type: atomic
-                                                  topologyKey:
-                                                    description: |-
-                                                      This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                      the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                      whose value of the label with key topologyKey matches that of any node on which any of the
-                                                      selected pods is running.
-                                                      Empty topologyKey is not allowed.
-                                                    type: string
-                                              x-kubernetes-list-type: atomic
-                                    imagePullSecrets:
-                                      description: If specified, the pod's imagePullSecrets
-                                      type: array
-                                      items:
-                                        description: |-
-                                          LocalObjectReference contains enough information to let you locate the
-                                          referenced object inside the same namespace.
-                                        type: object
-                                        properties:
-                                          name:
-                                            description: |-
-                                              Name of the referent.
-                                              This field is effectively required, but due to backwards compatibility is
-                                              allowed to be empty. Instances of this type with an empty value here are
-                                              almost certainly wrong.
-                                              TODO: Add other useful fields. apiVersion, kind, uid?
-                                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                              TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                                            type: string
-                                            default: ""
-                                        x-kubernetes-map-type: atomic
-                                    nodeSelector:
-                                      description: |-
-                                        NodeSelector is a selector which must be true for the pod to fit on a node.
-                                        Selector which must match a node's labels for the pod to be scheduled on that node.
-                                        More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-                                      type: object
-                                      additionalProperties:
-                                        type: string
-                                    priorityClassName:
-                                      description: If specified, the pod's priorityClassName.
-                                      type: string
-                                    serviceAccountName:
-                                      description: If specified, the pod's service account
-                                      type: string
-                                    tolerations:
-                                      description: If specified, the pod's tolerations.
-                                      type: array
-                                      items:
-                                        description: |-
-                                          The pod this Toleration is attached to tolerates any taint that matches
-                                          the triple <key,value,effect> using the matching operator <operator>.
-                                        type: object
-                                        properties:
-                                          effect:
-                                            description: |-
-                                              Effect indicates the taint effect to match. Empty means match all taint effects.
-                                              When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                            type: string
-                                          key:
-                                            description: |-
-                                              Key is the taint key that the toleration applies to. Empty means match all taint keys.
-                                              If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                            type: string
-                                          operator:
-                                            description: |-
-                                              Operator represents a key's relationship to the value.
-                                              Valid operators are Exists and Equal. Defaults to Equal.
-                                              Exists is equivalent to wildcard for value, so that a pod can
-                                              tolerate all taints of a particular category.
-                                            type: string
-                                          tolerationSeconds:
-                                            description: |-
-                                              TolerationSeconds represents the period of time the toleration (which must be
-                                              of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
-                                              it is not set, which means tolerate the taint forever (do not evict). Zero and
-                                              negative values will be treated as 0 (evict immediately) by the system.
-                                            type: integer
-                                            format: int64
-                                          value:
-                                            description: |-
-                                              Value is the taint value the toleration matches to.
-                                              If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                            type: string
-                            serviceType:
-                              description: |-
-                                Optional service type for Kubernetes solver service. Supported values
-                                are NodePort or ClusterIP. If unset, defaults to NodePort.
-                              type: string
-                    selector:
-                      description: |-
-                        Selector selects a set of DNSNames on the Certificate resource that
-                        should be solved using this challenge solver.
-                        If not specified, the solver will be treated as the 'default' solver
-                        with the lowest priority, i.e. if any other solver has a more specific
-                        match, it will be used instead.
-                      type: object
-                      properties:
-                        dnsNames:
-                          description: |-
-                            List of DNSNames that this solver will be used to solve.
-                            If specified and a match is found, a dnsNames selector will take
-                            precedence over a dnsZones selector.
-                            If multiple solvers match with the same dnsNames value, the solver
-                            with the most matching labels in matchLabels will be selected.
-                            If neither has more matches, the solver defined earlier in the list
-                            will be selected.
-                          type: array
-                          items:
-                            type: string
-                        dnsZones:
-                          description: |-
-                            List of DNSZones that this solver will be used to solve.
-                            The most specific DNS zone match specified here will take precedence
-                            over other DNS zone matches, so a solver specifying sys.example.com
-                            will be selected over one specifying example.com for the domain
-                            www.sys.example.com.
-                            If multiple solvers match with the same dnsZones value, the solver
-                            with the most matching labels in matchLabels will be selected.
-                            If neither has more matches, the solver defined earlier in the list
-                            will be selected.
-                          type: array
-                          items:
-                            type: string
-                        matchLabels:
-                          description: |-
-                            A label selector that is used to refine the set of certificate's that
-                            this challenge solver will apply to.
-                          type: object
-                          additionalProperties:
-                            type: string
-                token:
-                  description: |-
-                    The ACME challenge token for this challenge.
-                    This is the raw value returned from the ACME server.
-                  type: string
-                type:
-                  description: |-
-                    The type of ACME challenge this resource represents.
-                    One of "HTTP-01" or "DNS-01".
-                  type: string
-                  enum:
-                    - HTTP-01
-                    - DNS-01
-                url:
-                  description: |-
-                    The URL of the ACME Challenge resource for this challenge.
-                    This can be used to lookup details about the status of this challenge.
-                  type: string
-                wildcard:
-                  description: |-
-                    wildcard will be true if this challenge is for a wildcard identifier,
-                    for example '*.example.com'.
-                  type: boolean
-            status:
-              type: object
-              properties:
-                presented:
-                  description: |-
-                    presented will be set to true if the challenge values for this challenge
-                    are currently 'presented'.
-                    This *does not* imply the self check is passing. Only that the values
-                    have been 'submitted' for the appropriate challenge mechanism (i.e. the
-                    DNS01 TXT record has been presented, or the HTTP01 configuration has been
-                    configured).
-                  type: boolean
-                processing:
-                  description: |-
-                    Used to denote whether this challenge should be processed or not.
-                    This field will only be set to true by the 'scheduling' component.
-                    It will only be set to false by the 'challenges' controller, after the
-                    challenge has reached a final state or timed out.
-                    If this field is set to false, the challenge controller will not take
-                    any more action.
-                  type: boolean
-                reason:
-                  description: |-
-                    Contains human readable information on why the Challenge is in the
-                    current state.
-                  type: string
-                state:
-                  description: |-
-                    Contains the current 'state' of the challenge.
-                    If not set, the state of the challenge is unknown.
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-      served: true
-      storage: true
-      subresources:
-        status: {}
-
-# END crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterissuers.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: cert-manager.io
-  names:
-    kind: ClusterIssuer
-    listKind: ClusterIssuerList
-    plural: clusterissuers
-    singular: clusterissuer
-    categories:
-      - cert-manager
-  scope: Cluster
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: |-
-            A ClusterIssuer represents a certificate issuing authority which can be
-            referenced as part of `issuerRef` fields.
-            It is similar to an Issuer, however it is cluster-scoped and therefore can
-            be referenced by resources that exist in *any* namespace, not just the same
-            namespace as the referent.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the ClusterIssuer resource.
-              type: object
-              properties:
-                acme:
-                  description: |-
-                    ACME configures this issuer to communicate with a RFC8555 (ACME) server
-                    to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    caBundle:
-                      description: |-
-                        Base64-encoded bundle of PEM CAs which can be used to validate the certificate
-                        chain presented by the ACME server.
-                        Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
-                        kinds of security vulnerabilities.
-                        If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
-                        the container is used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    disableAccountKeyGeneration:
-                      description: |-
-                        Enables or disables generating a new ACME account key.
-                        If true, the Issuer resource will *not* request a new account but will expect
-                        the account key to be supplied via an existing secret.
-                        If false, the cert-manager system will generate a new ACME account key
-                        for the Issuer.
-                        Defaults to false.
-                      type: boolean
-                    email:
-                      description: |-
-                        Email is the email address to be associated with the ACME account.
-                        This field is optional, but it is strongly recommended to be set.
-                        It will be used to contact you in case of issues with your account or
-                        certificates, including expiry notification emails.
-                        This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: |-
-                        Enables requesting a Not After date on certificates that matches the
-                        duration of the certificate. This is not supported by all ACME servers
-                        like Let's Encrypt. If set to true when the ACME server does not support
-                        it, it will create an error on the Order.
-                        Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: |-
-                        ExternalAccountBinding is a reference to a CA external account of the ACME
-                        server.
-                        If set, upon registration cert-manager will attempt to associate the given
-                        external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: |-
-                            Deprecated: keyAlgorithm field exists for historical compatibility
-                            reasons and should not be used. The algorithm is now hardcoded to HS256
-                            in golang/x/crypto/acme.
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: |-
-                            keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
-                            Secret which holds the symmetric MAC key of the External Account Binding.
-                            The `key` is the index string that is paired with the key data in the
-                            Secret and should not be confused with the key data itself, or indeed with
-                            the External Account Binding keyID above.
-                            The secret key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                    preferredChain:
-                      description: |-
-                        PreferredChain is the chain to use if the ACME server outputs multiple.
-                        PreferredChain is no guarantee that this one gets delivered by the ACME
-                        endpoint.
-                        For example, for Let's Encrypt's DST crosssign you would use:
-                        "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
-                        This value picks the first certificate bundle in the combined set of
-                        ACME default and alternative chains that has a root-most certificate with
-                        this value as its issuer's commonname.
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: |-
-                        PrivateKey is the name of a Kubernetes Secret resource that will be used to
-                        store the automatically generated ACME account private key.
-                        Optionally, a `key` may be specified to select a specific entry within
-                        the named Secret resource.
-                        If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    server:
-                      description: |-
-                        Server is the URL used to access the ACME server's 'directory' endpoint.
-                        For example, for Let's Encrypt's staging endpoint, you would use:
-                        "https://acme-staging-v02.api.letsencrypt.org/directory".
-                        Only ACME v2 endpoints (i.e. RFC 8555) are supported.
-                      type: string
-                    skipTLSVerify:
-                      description: |-
-                        INSECURE: Enables or disables validation of the ACME server TLS certificate.
-                        If true, requests to the ACME server will not have the TLS certificate chain
-                        validated.
-                        Mutually exclusive with CABundle; prefer using CABundle to prevent various
-                        kinds of security vulnerabilities.
-                        Only enable this option in development environments.
-                        If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
-                        the container is used to validate the TLS connection.
-                        Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: |-
-                        Solvers is a list of challenge solvers that will be used to solve
-                        ACME challenges for the matching domains.
-                        Solver configurations must be provided in order to obtain certificates
-                        from an ACME server.
-                        For more information, see: https://cert-manager.io/docs/configuration/acme/
-                      type: array
-                      items:
-                        description: |-
-                          An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
-                          A selector may be provided to use different solving strategies for different DNS names.
-                          Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: |-
-                              Configures cert-manager to attempt to complete authorizations by
-                              performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: |-
-                                  Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-                                  DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
-                                      If set, ClientSecret and TenantID must also be set.
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      A reference to a Secret containing the password associated with the Service Principal.
-                                      If set, ClientID and TenantID must also be set.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  environment:
-                                    description: name of the Azure environment (default AzurePublicCloud)
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    description: name of the DNS zone that should be used
-                                    type: string
-                                  managedIdentity:
-                                    description: |-
-                                      Auth: Azure Workload Identity or Azure Managed Service Identity:
-                                      Settings to enable Azure Workload Identity or Azure Managed Service Identity
-                                      If set, ClientID, ClientSecret and TenantID must not be set.
-                                    type: object
-                                    properties:
-                                      clientID:
-                                        description: client ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
-                                      resourceID:
-                                        description: |-
-                                          resource ID of the managed identity, can not be used at the same time as clientID
-                                          Cannot be used for Azure Managed Service Identity
-                                        type: string
-                                  resourceGroupName:
-                                    description: resource group the DNS zone is located in
-                                    type: string
-                                  subscriptionID:
-                                    description: ID of the Azure subscription
-                                    type: string
-                                  tenantID:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
-                                      If set, ClientID and ClientSecret must also be set.
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: |-
-                                      HostedZoneName is an optional field that tells cert-manager in which
-                                      Cloud DNS zone the challenge record has to be created.
-                                      If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: |-
-                                      API key to use to authenticate with Cloudflare.
-                                      Note: using an API token to authenticate is now the recommended method
-                                      as it allows greater control of permissions.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: |-
-                                  CNAMEStrategy configures how the DNS01 provider should handle CNAME
-                                  records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              rfc2136:
-                                description: |-
-                                  Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-                                  to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: |-
-                                      The IP address or hostname of an authoritative DNS server supporting
-                                      RFC2136 in the form host:port. If the host is an IPv6 address it must be
-                                      enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
-                                      This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: |-
-                                      The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-                                      when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-                                      Supported values are (case-insensitive): ``HMACMD5`` (default),
-                                      ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-                                    type: string
-                                  tsigKeyName:
-                                    description: |-
-                                      The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: |-
-                                      The name of the secret containing the TSIG value.
-                                      If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: |-
-                                      The AccessKeyID is used for authentication.
-                                      Cannot be set when SecretAccessKeyID is set.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: string
-                                  accessKeyIDSecretRef:
-                                    description: |-
-                                      The SecretAccessKey is used for authentication. If set, pull the AWS
-                                      access key ID from a key within a Kubernetes Secret.
-                                      Cannot be set when AccessKeyID is set.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  auth:
-                                    description: Auth configures how cert-manager authenticates.
-                                    type: object
-                                    required:
-                                      - kubernetes
-                                    properties:
-                                      kubernetes:
-                                        description: |-
-                                          Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
-                                          by passing a bound ServiceAccount token.
-                                        type: object
-                                        required:
-                                          - serviceAccountRef
-                                        properties:
-                                          serviceAccountRef:
-                                            description: |-
-                                              A reference to a service account that will be used to request a bound
-                                              token (also known as "projected token"). To use this field, you must
-                                              configure an RBAC rule to let cert-manager request a token.
-                                            type: object
-                                            required:
-                                              - name
-                                            properties:
-                                              audiences:
-                                                description: |-
-                                                  TokenAudiences is an optional list of audiences to include in the
-                                                  token passed to AWS. The default token consisting of the issuer's namespace
-                                                  and name is always included.
-                                                  If unset the audience defaults to `sts.amazonaws.com`.
-                                                type: array
-                                                items:
-                                                  type: string
-                                              name:
-                                                description: Name of the ServiceAccount used to request a token.
-                                                type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: |-
-                                      Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-                                      or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: |-
-                                      The SecretAccessKey is used for authentication.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              webhook:
-                                description: |-
-                                  Configure an external webhook based DNS01 challenge solver to manage
-                                  DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: |-
-                                      Additional configuration that should be passed to the webhook apiserver
-                                      when challenges are processed.
-                                      This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for a DNS service), you
-                                      should use a SecretKeySelector to reference a Secret resource.
-                                      For details on the schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: |-
-                                      The API group name that should be used when POSTing ChallengePayload
-                                      resources to the webhook apiserver.
-                                      This should be the same as the GroupName specified in the webhook
-                                      provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: |-
-                                      The name of the solver to use, as defined in the webhook provider
-                                      implementation.
-                                      This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: |-
-                              Configures cert-manager to attempt to complete authorizations by
-                              performing the HTTP01 challenge flow.
-                              It is not possible to obtain certificates for wildcard domain names
-                              (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: |-
-                                  The Gateway API is a sig-network community API that models service networking
-                                  in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-                                  create HTTPRoutes with the specified labels in the same namespace as the challenge.
-                                  This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: |-
-                                      Custom labels that will be applied to HTTPRoutes created by cert-manager
-                                      while solving HTTP-01 challenges.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  parentRefs:
-                                    description: |-
-                                      When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
-                                      cert-manager needs to know which parentRefs should be used when creating
-                                      the HTTPRoute. Usually, the parentRef references a Gateway. See:
-                                      https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
-                                    type: array
-                                    items:
-                                      description: |-
-                                        ParentReference identifies an API object (usually a Gateway) that can be considered
-                                        a parent of this resource (usually a route). There are two kinds of parent resources
-                                        with "Core" support:
-
-
-                                        * Gateway (Gateway conformance profile)
-                                        * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                        This API may be extended in the future to support additional kinds of parent
-                                        resources.
-
-
-                                        The API object must be valid in the cluster; the Group and Kind must
-                                        be registered in the cluster for this reference to be valid.
-                                      type: object
-                                      required:
-                                        - name
-                                      properties:
-                                        group:
-                                          description: |-
-                                            Group is the group of the referent.
-                                            When unspecified, "gateway.networking.k8s.io" is inferred.
-                                            To set the core API group (such as for a "Service" kind referent),
-                                            Group must be explicitly set to "" (empty string).
-
-
-                                            Support: Core
-                                          type: string
-                                          default: gateway.networking.k8s.io
-                                          maxLength: 253
-                                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                        kind:
-                                          description: |-
-                                            Kind is kind of the referent.
-
-
-                                            There are two kinds of parent resources with "Core" support:
-
-
-                                            * Gateway (Gateway conformance profile)
-                                            * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                            Support for other resources is Implementation-Specific.
-                                          type: string
-                                          default: Gateway
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                                        name:
-                                          description: |-
-                                            Name is the name of the referent.
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 253
-                                          minLength: 1
-                                        namespace:
-                                          description: |-
-                                            Namespace is the namespace of the referent. When unspecified, this refers
-                                            to the local namespace of the Route.
-
-
-                                            Note that there are specific rules for ParentRefs which cross namespace
-                                            boundaries. Cross-namespace references are only valid if they are explicitly
-                                            allowed by something in the namespace they are referring to. For example:
-                                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
-                                            generic way to enable any other kind of cross-namespace reference.
-
-
-                                            <gateway:experimental:description>
-                                            ParentRefs from a Route to a Service in the same namespace are "producer"
-                                            routes, which apply default routing rules to inbound connections from
-                                            any namespace to the Service.
-
-
-                                            ParentRefs from a Route to a Service in a different namespace are
-                                            "consumer" routes, and these routing rules are only applied to outbound
-                                            connections originating from the same namespace as the Route, for which
-                                            the intended destination of the connections are a Service targeted as a
-                                            ParentRef of the Route.
-                                            </gateway:experimental:description>
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                        port:
-                                          description: |-
-                                            Port is the network port this Route targets. It can be interpreted
-                                            differently based on the type of parent resource.
-
-
-                                            When the parent resource is a Gateway, this targets all listeners
-                                            listening on the specified port that also support this kind of Route(and
-                                            select this Route). It's not recommended to set `Port` unless the
-                                            networking behaviors specified in a Route must apply to a specific port
-                                            as opposed to a listener(s) whose port(s) may be changed. When both Port
-                                            and SectionName are specified, the name and port of the selected listener
-                                            must match both specified values.
-
-
-                                            <gateway:experimental:description>
-                                            When the parent resource is a Service, this targets a specific port in the
-                                            Service spec. When both Port (experimental) and SectionName are specified,
-                                            the name and port of the selected port must match both specified values.
-                                            </gateway:experimental:description>
-
-
-                                            Implementations MAY choose to support other parent resources.
-                                            Implementations supporting other types of parent resources MUST clearly
-                                            document how/if Port is interpreted.
-
-
-                                            For the purpose of status, an attachment is considered successful as
-                                            long as the parent resource accepts it partially. For example, Gateway
-                                            listeners can restrict which Routes can attach to them by Route kind,
-                                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
-                                            from the referencing Route, the Route MUST be considered successfully
-                                            attached. If no Gateway listeners accept attachment from this Route,
-                                            the Route MUST be considered detached from the Gateway.
-
-
-                                            Support: Extended
-                                          type: integer
-                                          format: int32
-                                          maximum: 65535
-                                          minimum: 1
-                                        sectionName:
-                                          description: |-
-                                            SectionName is the name of a section within the target resource. In the
-                                            following resources, SectionName is interpreted as the following:
-
-
-                                            * Gateway: Listener name. When both Port (experimental) and SectionName
-                                            are specified, the name and port of the selected listener must match
-                                            both specified values.
-                                            * Service: Port name. When both Port (experimental) and SectionName
-                                            are specified, the name and port of the selected listener must match
-                                            both specified values.
-
-
-                                            Implementations MAY choose to support attaching Routes to other resources.
-                                            If that is the case, they MUST clearly document how SectionName is
-                                            interpreted.
-
-
-                                            When unspecified (empty string), this will reference the entire resource.
-                                            For the purpose of status, an attachment is considered successful if at
-                                            least one section in the parent resource accepts it. For example, Gateway
-                                            listeners can restrict which Routes can attach to them by Route kind,
-                                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
-                                            the referencing Route, the Route MUST be considered successfully
-                                            attached. If no Gateway listeners accept attachment from this Route, the
-                                            Route MUST be considered detached from the Gateway.
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  serviceType:
-                                    description: |-
-                                      Optional service type for Kubernetes solver service. Supported values
-                                      are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: |-
-                                  The ingress based HTTP01 challenge solver will solve challenges by
-                                  creating or modifying Ingress resources in order to route requests for
-                                  '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
-                                  provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: |-
-                                      This field configures the annotation `kubernetes.io/ingress.class` when
-                                      creating Ingress resources to solve ACME challenges that use this
-                                      challenge solver. Only one of `class`, `name` or `ingressClassName` may
-                                      be specified.
-                                    type: string
-                                  ingressClassName:
-                                    description: |-
-                                      This field configures the field `ingressClassName` on the created Ingress
-                                      resources used to solve ACME challenges that use this challenge solver.
-                                      This is the recommended way of configuring the ingress class. Only one of
-                                      `class`, `name` or `ingressClassName` may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: |-
-                                      Optional ingress template used to configure the ACME challenge solver
-                                      ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: |-
-                                          ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
-                                          Only the 'labels' and 'annotations' fields may be set.
-                                          If labels or annotations overlap with in-built values, the values here
-                                          will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: |-
-                                      The name of the ingress resource that should have ACME challenge solving
-                                      routes inserted into it in order to solve HTTP01 challenges.
-                                      This is typically used in conjunction with ingress controllers like
-                                      ingress-gce, which maintains a 1:1 mapping between external IPs and
-                                      ingress resources. Only one of `class`, `name` or `ingressClassName` may
-                                      be specified.
-                                    type: string
-                                  podTemplate:
-                                    description: |-
-                                      Optional pod template used to configure the ACME challenge solver pods
-                                      used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: |-
-                                          ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-                                          Only the 'labels' and 'annotations' fields may be set.
-                                          If labels or annotations overlap with in-built values, the values here
-                                          will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: |-
-                                          PodSpec defines overrides for the HTTP01 challenge solver pod.
-                                          Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
-                                          All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node matches the corresponding matchExpressions; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        An empty preferred scheduling term matches all objects with implicit weight 0
-                                                        (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                          x-kubernetes-map-type: atomic
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to an update), the system
-                                                      may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A null or empty node selector term matches no objects. The requirements of
-                                                            them are ANDed.
-                                                            The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                          x-kubernetes-map-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                    x-kubernetes-map-type: atomic
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: |-
-                                                                A label query over a set of resources, in this case pods.
-                                                                If it's null, this PodAffinityTerm matches with no Pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            matchLabelKeys:
-                                                              description: |-
-                                                                MatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            mismatchLabelKeys:
-                                                              description: |-
-                                                                MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            namespaceSelector:
-                                                              description: |-
-                                                                A label query over the set of namespaces that the term applies to.
-                                                                The term is applied to the union of the namespaces selected by this field
-                                                                and the ones listed in the namespaces field.
-                                                                null selector and null or empty namespaces list means "this pod's namespace".
-                                                                An empty selector ({}) matches all namespaces.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            namespaces:
-                                                              description: |-
-                                                                namespaces specifies a static list of namespace names that the term applies to.
-                                                                The term is applied to the union of the namespaces listed in this field
-                                                                and the ones selected by namespaceSelector.
-                                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            topologyKey:
-                                                              description: |-
-                                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                                whose value of the label with key topologyKey matches that of any node on which any of the
-                                                                selected pods is running.
-                                                                Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: |-
-                                                            weight associated with matching the corresponding podAffinityTerm,
-                                                            in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to a pod label update), the
-                                                      system may or may not try to eventually evict the pod from its node.
-                                                      When there are multiple elements, the lists of nodes corresponding to each
-                                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        Defines a set of pods (namely those matching the labelSelector
-                                                        relative to the given namespace(s)) that this pod should be
-                                                        co-located (affinity) or not co-located (anti-affinity) with,
-                                                        where co-located is defined as running on a node whose value of
-                                                        the label with key <topologyKey> matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: |-
-                                                            A label query over a set of resources, in this case pods.
-                                                            If it's null, this PodAffinityTerm matches with no Pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        matchLabelKeys:
-                                                          description: |-
-                                                            MatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        mismatchLabelKeys:
-                                                          description: |-
-                                                            MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        namespaceSelector:
-                                                          description: |-
-                                                            A label query over the set of namespaces that the term applies to.
-                                                            The term is applied to the union of the namespaces selected by this field
-                                                            and the ones listed in the namespaces field.
-                                                            null selector and null or empty namespaces list means "this pod's namespace".
-                                                            An empty selector ({}) matches all namespaces.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        namespaces:
-                                                          description: |-
-                                                            namespaces specifies a static list of namespace names that the term applies to.
-                                                            The term is applied to the union of the namespaces listed in this field
-                                                            and the ones selected by namespaceSelector.
-                                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        topologyKey:
-                                                          description: |-
-                                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                            whose value of the label with key topologyKey matches that of any node on which any of the
-                                                            selected pods is running.
-                                                            Empty topologyKey is not allowed.
-                                                          type: string
-                                                    x-kubernetes-list-type: atomic
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: |-
-                                                                A label query over a set of resources, in this case pods.
-                                                                If it's null, this PodAffinityTerm matches with no Pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            matchLabelKeys:
-                                                              description: |-
-                                                                MatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            mismatchLabelKeys:
-                                                              description: |-
-                                                                MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            namespaceSelector:
-                                                              description: |-
-                                                                A label query over the set of namespaces that the term applies to.
-                                                                The term is applied to the union of the namespaces selected by this field
-                                                                and the ones listed in the namespaces field.
-                                                                null selector and null or empty namespaces list means "this pod's namespace".
-                                                                An empty selector ({}) matches all namespaces.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            namespaces:
-                                                              description: |-
-                                                                namespaces specifies a static list of namespace names that the term applies to.
-                                                                The term is applied to the union of the namespaces listed in this field
-                                                                and the ones selected by namespaceSelector.
-                                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            topologyKey:
-                                                              description: |-
-                                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                                whose value of the label with key topologyKey matches that of any node on which any of the
-                                                                selected pods is running.
-                                                                Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: |-
-                                                            weight associated with matching the corresponding podAffinityTerm,
-                                                            in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the anti-affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the anti-affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to a pod label update), the
-                                                      system may or may not try to eventually evict the pod from its node.
-                                                      When there are multiple elements, the lists of nodes corresponding to each
-                                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        Defines a set of pods (namely those matching the labelSelector
-                                                        relative to the given namespace(s)) that this pod should be
-                                                        co-located (affinity) or not co-located (anti-affinity) with,
-                                                        where co-located is defined as running on a node whose value of
-                                                        the label with key <topologyKey> matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: |-
-                                                            A label query over a set of resources, in this case pods.
-                                                            If it's null, this PodAffinityTerm matches with no Pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        matchLabelKeys:
-                                                          description: |-
-                                                            MatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        mismatchLabelKeys:
-                                                          description: |-
-                                                            MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        namespaceSelector:
-                                                          description: |-
-                                                            A label query over the set of namespaces that the term applies to.
-                                                            The term is applied to the union of the namespaces selected by this field
-                                                            and the ones listed in the namespaces field.
-                                                            null selector and null or empty namespaces list means "this pod's namespace".
-                                                            An empty selector ({}) matches all namespaces.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        namespaces:
-                                                          description: |-
-                                                            namespaces specifies a static list of namespace names that the term applies to.
-                                                            The term is applied to the union of the namespaces listed in this field
-                                                            and the ones selected by namespaceSelector.
-                                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        topologyKey:
-                                                          description: |-
-                                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                            whose value of the label with key topologyKey matches that of any node on which any of the
-                                                            selected pods is running.
-                                                            Empty topologyKey is not allowed.
-                                                          type: string
-                                                    x-kubernetes-list-type: atomic
-                                          imagePullSecrets:
-                                            description: If specified, the pod's imagePullSecrets
-                                            type: array
-                                            items:
-                                              description: |-
-                                                LocalObjectReference contains enough information to let you locate the
-                                                referenced object inside the same namespace.
-                                              type: object
-                                              properties:
-                                                name:
-                                                  description: |-
-                                                    Name of the referent.
-                                                    This field is effectively required, but due to backwards compatibility is
-                                                    allowed to be empty. Instances of this type with an empty value here are
-                                                    almost certainly wrong.
-                                                    TODO: Add other useful fields. apiVersion, kind, uid?
-                                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                                                  type: string
-                                                  default: ""
-                                              x-kubernetes-map-type: atomic
-                                          nodeSelector:
-                                            description: |-
-                                              NodeSelector is a selector which must be true for the pod to fit on a node.
-                                              Selector which must match a node's labels for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: |-
-                                                The pod this Toleration is attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: |-
-                                                    Effect indicates the taint effect to match. Empty means match all taint effects.
-                                                    When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: |-
-                                                    Key is the taint key that the toleration applies to. Empty means match all taint keys.
-                                                    If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: |-
-                                                    Operator represents a key's relationship to the value.
-                                                    Valid operators are Exists and Equal. Defaults to Equal.
-                                                    Exists is equivalent to wildcard for value, so that a pod can
-                                                    tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: |-
-                                                    TolerationSeconds represents the period of time the toleration (which must be
-                                                    of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
-                                                    it is not set, which means tolerate the taint forever (do not evict). Zero and
-                                                    negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: |-
-                                                    Value is the taint value the toleration matches to.
-                                                    If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: |-
-                                      Optional service type for Kubernetes solver service. Supported values
-                                      are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: |-
-                              Selector selects a set of DNSNames on the Certificate resource that
-                              should be solved using this challenge solver.
-                              If not specified, the solver will be treated as the 'default' solver
-                              with the lowest priority, i.e. if any other solver has a more specific
-                              match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: |-
-                                  List of DNSNames that this solver will be used to solve.
-                                  If specified and a match is found, a dnsNames selector will take
-                                  precedence over a dnsZones selector.
-                                  If multiple solvers match with the same dnsNames value, the solver
-                                  with the most matching labels in matchLabels will be selected.
-                                  If neither has more matches, the solver defined earlier in the list
-                                  will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: |-
-                                  List of DNSZones that this solver will be used to solve.
-                                  The most specific DNS zone match specified here will take precedence
-                                  over other DNS zone matches, so a solver specifying sys.example.com
-                                  will be selected over one specifying example.com for the domain
-                                  www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value, the solver
-                                  with the most matching labels in matchLabels will be selected.
-                                  If neither has more matches, the solver defined earlier in the list
-                                  will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: |-
-                                  A label selector that is used to refine the set of certificate's that
-                                  this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: |-
-                    CA configures this issuer to sign certificates using a signing CA keypair
-                    stored in a Secret resource.
-                    This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: |-
-                        The CRL distribution points is an X.509 v3 certificate extension which identifies
-                        the location of the CRL from which the revocation of this certificate can be checked.
-                        If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    issuingCertificateURLs:
-                      description: |-
-                        IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
-                        it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
-                        As an example, such a URL might be "http://ca.domain.com/ca.crt".
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: |-
-                        The OCSP server list is an X.509 v3 extension that defines a list of
-                        URLs of OCSP responders. The OCSP responders can be queried for the
-                        revocation status of an issued certificate. If not set, the
-                        certificate will be issued with no OCSP servers set. For example, an
-                        OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: |-
-                        SecretName is the name of the secret used to sign Certificates issued
-                        by this Issuer.
-                      type: string
-                selfSigned:
-                  description: |-
-                    SelfSigned configures this issuer to 'self sign' certificates using the
-                    private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: |-
-                        The CRL distribution points is an X.509 v3 certificate extension which identifies
-                        the location of the CRL from which the revocation of this certificate can be checked.
-                        If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: |-
-                    Vault configures this issuer to sign certificates using a HashiCorp Vault
-                    PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: |-
-                                Path where the App Role authentication backend is mounted in Vault, e.g:
-                                "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                          properties:
-                            mountPath:
-                              description: |-
-                                The Vault mountPath here is the mount path to use when authenticating with
-                                Vault. For example, setting a value to `/v1/auth/foo`, will use the path
-                                `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
-                                default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                The required Secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. Use of 'ambient credentials' is not
-                                supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            serviceAccountRef:
-                              description: |-
-                                A reference to a service account that will be used to request a bound
-                                token (also known as "projected token"). Compared to using "secretRef",
-                                using this field means that you don't rely on statically bound tokens. To
-                                use this field, you must configure an RBAC rule to let cert-manager
-                                request a token.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                audiences:
-                                  description: |-
-                                    TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
-                                    consisting of the issuer's namespace and name is always included.
-                                  type: array
-                                  items:
-                                    type: string
-                                name:
-                                  description: Name of the ServiceAccount used to request a token.
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                    caBundle:
-                      description: |-
-                        Base64-encoded bundle of PEM CAs which will be used to validate the certificate
-                        chain presented by Vault. Only used if using HTTPS to connect to Vault and
-                        ignored for HTTP connections.
-                        Mutually exclusive with CABundleSecretRef.
-                        If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
-                        the cert-manager controller container is used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    caBundleSecretRef:
-                      description: |-
-                        Reference to a Secret containing a bundle of PEM-encoded CAs to use when
-                        verifying the certificate chain presented by Vault when using HTTPS.
-                        Mutually exclusive with CABundle.
-                        If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
-                        the cert-manager controller container is used to validate the TLS connection.
-                        If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    clientCertSecretRef:
-                      description: |-
-                        Reference to a Secret containing a PEM-encoded Client Certificate to use when the
-                        Vault server requires mTLS.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    clientKeySecretRef:
-                      description: |-
-                        Reference to a Secret containing a PEM-encoded Client Private Key to use when the
-                        Vault server requires mTLS.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
-                        "my_pki_mount/sign/my-role-name".
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: |-
-                    Venafi configures this issuer to sign certificates using a Venafi TPP
-                    or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: |-
-                        Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                        url:
-                          description: |-
-                            URL is the base URL for Venafi Cloud.
-                            Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: |-
-                        TPP specifies Trust Protection Platform configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: |-
-                            Base64-encoded bundle of PEM CAs which will be used to validate the certificate
-                            chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
-                            If undefined, the certificate bundle in the cert-manager controller container
-                            is used to validate the chain.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: |-
-                            CredentialsRef is a reference to a Secret containing the username and
-                            password for the TPP server.
-                            The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                        url:
-                          description: |-
-                            URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
-                            for example: "https://tpp.example.com/vedsdk".
-                          type: string
-                    zone:
-                      description: |-
-                        Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by the named
-                        zone policy.
-                        This field is required.
-                      type: string
-            status:
-              description: Status of the ClusterIssuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: |-
-                    ACME specific status options.
-                    This field should only be set if the Issuer is configured to use an ACME
-                    server to issue certificates.
-                  type: object
-                  properties:
-                    lastPrivateKeyHash:
-                      description: |-
-                        LastPrivateKeyHash is a hash of the private key associated with the latest
-                        registered ACME account, in order to track changes made to registered account
-                        associated with the Issuer
-                      type: string
-                    lastRegisteredEmail:
-                      description: |-
-                        LastRegisteredEmail is the email associated with the latest registered
-                        ACME account, in order to track changes made to registered account
-                        associated with the  Issuer
-                      type: string
-                    uri:
-                      description: |-
-                        URI is the unique account identifier, which can also be used to retrieve
-                        account details from the CA
-                      type: string
-                conditions:
-                  description: |-
-                    List of status conditions to indicate the status of a CertificateRequest.
-                    Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: |-
-                          LastTransitionTime is the timestamp corresponding to the last status
-                          change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: |-
-                          Message is a human readable description of the details of the last
-                          transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: |-
-                          If set, this represents the .metadata.generation that the condition was
-                          set based upon.
-                          For instance, if .metadata.generation is currently 12, but the
-                          .status.condition[x].observedGeneration is 9, the condition is out of date
-                          with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: |-
-                          Reason is a brief machine readable explanation for the condition's last
-                          transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-      served: true
-      storage: true
-
-# END crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: issuers.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    app.kubernetes.io/component: "crds"
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: cert-manager.io
-  names:
-    kind: Issuer
-    listKind: IssuerList
-    plural: issuers
-    singular: issuer
-    categories:
-      - cert-manager
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.conditions[?(@.type=="Ready")].status
-          name: Ready
-          type: string
-        - jsonPath: .status.conditions[?(@.type=="Ready")].message
-          name: Status
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: |-
-            An Issuer represents a certificate issuing authority which can be
-            referenced as part of `issuerRef` fields.
-            It is scoped to a single namespace and can therefore only be referenced by
-            resources within the same namespace.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: Desired state of the Issuer resource.
-              type: object
-              properties:
-                acme:
-                  description: |-
-                    ACME configures this issuer to communicate with a RFC8555 (ACME) server
-                    to obtain signed x509 certificates.
-                  type: object
-                  required:
-                    - privateKeySecretRef
-                    - server
-                  properties:
-                    caBundle:
-                      description: |-
-                        Base64-encoded bundle of PEM CAs which can be used to validate the certificate
-                        chain presented by the ACME server.
-                        Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
-                        kinds of security vulnerabilities.
-                        If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
-                        the container is used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    disableAccountKeyGeneration:
-                      description: |-
-                        Enables or disables generating a new ACME account key.
-                        If true, the Issuer resource will *not* request a new account but will expect
-                        the account key to be supplied via an existing secret.
-                        If false, the cert-manager system will generate a new ACME account key
-                        for the Issuer.
-                        Defaults to false.
-                      type: boolean
-                    email:
-                      description: |-
-                        Email is the email address to be associated with the ACME account.
-                        This field is optional, but it is strongly recommended to be set.
-                        It will be used to contact you in case of issues with your account or
-                        certificates, including expiry notification emails.
-                        This field may be updated after the account is initially registered.
-                      type: string
-                    enableDurationFeature:
-                      description: |-
-                        Enables requesting a Not After date on certificates that matches the
-                        duration of the certificate. This is not supported by all ACME servers
-                        like Let's Encrypt. If set to true when the ACME server does not support
-                        it, it will create an error on the Order.
-                        Defaults to false.
-                      type: boolean
-                    externalAccountBinding:
-                      description: |-
-                        ExternalAccountBinding is a reference to a CA external account of the ACME
-                        server.
-                        If set, upon registration cert-manager will attempt to associate the given
-                        external account credentials with the registered ACME account.
-                      type: object
-                      required:
-                        - keyID
-                        - keySecretRef
-                      properties:
-                        keyAlgorithm:
-                          description: |-
-                            Deprecated: keyAlgorithm field exists for historical compatibility
-                            reasons and should not be used. The algorithm is now hardcoded to HS256
-                            in golang/x/crypto/acme.
-                          type: string
-                          enum:
-                            - HS256
-                            - HS384
-                            - HS512
-                        keyID:
-                          description: keyID is the ID of the CA key that the External Account is bound to.
-                          type: string
-                        keySecretRef:
-                          description: |-
-                            keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
-                            Secret which holds the symmetric MAC key of the External Account Binding.
-                            The `key` is the index string that is paired with the key data in the
-                            Secret and should not be confused with the key data itself, or indeed with
-                            the External Account Binding keyID above.
-                            The secret key stored in the Secret **must** be un-padded, base64 URL
-                            encoded data.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                    preferredChain:
-                      description: |-
-                        PreferredChain is the chain to use if the ACME server outputs multiple.
-                        PreferredChain is no guarantee that this one gets delivered by the ACME
-                        endpoint.
-                        For example, for Let's Encrypt's DST crosssign you would use:
-                        "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
-                        This value picks the first certificate bundle in the combined set of
-                        ACME default and alternative chains that has a root-most certificate with
-                        this value as its issuer's commonname.
-                      type: string
-                      maxLength: 64
-                    privateKeySecretRef:
-                      description: |-
-                        PrivateKey is the name of a Kubernetes Secret resource that will be used to
-                        store the automatically generated ACME account private key.
-                        Optionally, a `key` may be specified to select a specific entry within
-                        the named Secret resource.
-                        If `key` is not specified, a default of `tls.key` will be used.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    server:
-                      description: |-
-                        Server is the URL used to access the ACME server's 'directory' endpoint.
-                        For example, for Let's Encrypt's staging endpoint, you would use:
-                        "https://acme-staging-v02.api.letsencrypt.org/directory".
-                        Only ACME v2 endpoints (i.e. RFC 8555) are supported.
-                      type: string
-                    skipTLSVerify:
-                      description: |-
-                        INSECURE: Enables or disables validation of the ACME server TLS certificate.
-                        If true, requests to the ACME server will not have the TLS certificate chain
-                        validated.
-                        Mutually exclusive with CABundle; prefer using CABundle to prevent various
-                        kinds of security vulnerabilities.
-                        Only enable this option in development environments.
-                        If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
-                        the container is used to validate the TLS connection.
-                        Defaults to false.
-                      type: boolean
-                    solvers:
-                      description: |-
-                        Solvers is a list of challenge solvers that will be used to solve
-                        ACME challenges for the matching domains.
-                        Solver configurations must be provided in order to obtain certificates
-                        from an ACME server.
-                        For more information, see: https://cert-manager.io/docs/configuration/acme/
-                      type: array
-                      items:
-                        description: |-
-                          An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
-                          A selector may be provided to use different solving strategies for different DNS names.
-                          Only one of HTTP01 or DNS01 must be provided.
-                        type: object
-                        properties:
-                          dns01:
-                            description: |-
-                              Configures cert-manager to attempt to complete authorizations by
-                              performing the DNS01 challenge flow.
-                            type: object
-                            properties:
-                              acmeDNS:
-                                description: |-
-                                  Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-                                  DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accountSecretRef
-                                  - host
-                                properties:
-                                  accountSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  host:
-                                    type: string
-                              akamai:
-                                description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - accessTokenSecretRef
-                                  - clientSecretSecretRef
-                                  - clientTokenSecretRef
-                                  - serviceConsumerDomain
-                                properties:
-                                  accessTokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  clientSecretSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  clientTokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  serviceConsumerDomain:
-                                    type: string
-                              azureDNS:
-                                description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - resourceGroupName
-                                  - subscriptionID
-                                properties:
-                                  clientID:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
-                                      If set, ClientSecret and TenantID must also be set.
-                                    type: string
-                                  clientSecretSecretRef:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      A reference to a Secret containing the password associated with the Service Principal.
-                                      If set, ClientID and TenantID must also be set.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  environment:
-                                    description: name of the Azure environment (default AzurePublicCloud)
-                                    type: string
-                                    enum:
-                                      - AzurePublicCloud
-                                      - AzureChinaCloud
-                                      - AzureGermanCloud
-                                      - AzureUSGovernmentCloud
-                                  hostedZoneName:
-                                    description: name of the DNS zone that should be used
-                                    type: string
-                                  managedIdentity:
-                                    description: |-
-                                      Auth: Azure Workload Identity or Azure Managed Service Identity:
-                                      Settings to enable Azure Workload Identity or Azure Managed Service Identity
-                                      If set, ClientID, ClientSecret and TenantID must not be set.
-                                    type: object
-                                    properties:
-                                      clientID:
-                                        description: client ID of the managed identity, can not be used at the same time as resourceID
-                                        type: string
-                                      resourceID:
-                                        description: |-
-                                          resource ID of the managed identity, can not be used at the same time as clientID
-                                          Cannot be used for Azure Managed Service Identity
-                                        type: string
-                                  resourceGroupName:
-                                    description: resource group the DNS zone is located in
-                                    type: string
-                                  subscriptionID:
-                                    description: ID of the Azure subscription
-                                    type: string
-                                  tenantID:
-                                    description: |-
-                                      Auth: Azure Service Principal:
-                                      The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
-                                      If set, ClientID and ClientSecret must also be set.
-                                    type: string
-                              cloudDNS:
-                                description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - project
-                                properties:
-                                  hostedZoneName:
-                                    description: |-
-                                      HostedZoneName is an optional field that tells cert-manager in which
-                                      Cloud DNS zone the challenge record has to be created.
-                                      If left empty cert-manager will automatically choose a zone.
-                                    type: string
-                                  project:
-                                    type: string
-                                  serviceAccountSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              cloudflare:
-                                description: Use the Cloudflare API to manage DNS01 challenge records.
-                                type: object
-                                properties:
-                                  apiKeySecretRef:
-                                    description: |-
-                                      API key to use to authenticate with Cloudflare.
-                                      Note: using an API token to authenticate is now the recommended method
-                                      as it allows greater control of permissions.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  apiTokenSecretRef:
-                                    description: API token used to authenticate with Cloudflare.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  email:
-                                    description: Email of the account, only required when using API key based authentication.
-                                    type: string
-                              cnameStrategy:
-                                description: |-
-                                  CNAMEStrategy configures how the DNS01 provider should handle CNAME
-                                  records when found in DNS zones.
-                                type: string
-                                enum:
-                                  - None
-                                  - Follow
-                              digitalocean:
-                                description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - tokenSecretRef
-                                properties:
-                                  tokenSecretRef:
-                                    description: |-
-                                      A reference to a specific 'key' within a Secret resource.
-                                      In some instances, `key` is a required field.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              rfc2136:
-                                description: |-
-                                  Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-                                  to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - nameserver
-                                properties:
-                                  nameserver:
-                                    description: |-
-                                      The IP address or hostname of an authoritative DNS server supporting
-                                      RFC2136 in the form host:port. If the host is an IPv6 address it must be
-                                      enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
-                                      This field is required.
-                                    type: string
-                                  tsigAlgorithm:
-                                    description: |-
-                                      The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-                                      when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-                                      Supported values are (case-insensitive): ``HMACMD5`` (default),
-                                      ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-                                    type: string
-                                  tsigKeyName:
-                                    description: |-
-                                      The TSIG Key name configured in the DNS.
-                                      If ``tsigSecretSecretRef`` is defined, this field is required.
-                                    type: string
-                                  tsigSecretSecretRef:
-                                    description: |-
-                                      The name of the secret containing the TSIG value.
-                                      If ``tsigKeyName`` is defined, this field is required.
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              route53:
-                                description: Use the AWS Route53 API to manage DNS01 challenge records.
-                                type: object
-                                required:
-                                  - region
-                                properties:
-                                  accessKeyID:
-                                    description: |-
-                                      The AccessKeyID is used for authentication.
-                                      Cannot be set when SecretAccessKeyID is set.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: string
-                                  accessKeyIDSecretRef:
-                                    description: |-
-                                      The SecretAccessKey is used for authentication. If set, pull the AWS
-                                      access key ID from a key within a Kubernetes Secret.
-                                      Cannot be set when AccessKeyID is set.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                                  auth:
-                                    description: Auth configures how cert-manager authenticates.
-                                    type: object
-                                    required:
-                                      - kubernetes
-                                    properties:
-                                      kubernetes:
-                                        description: |-
-                                          Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
-                                          by passing a bound ServiceAccount token.
-                                        type: object
-                                        required:
-                                          - serviceAccountRef
-                                        properties:
-                                          serviceAccountRef:
-                                            description: |-
-                                              A reference to a service account that will be used to request a bound
-                                              token (also known as "projected token"). To use this field, you must
-                                              configure an RBAC rule to let cert-manager request a token.
-                                            type: object
-                                            required:
-                                              - name
-                                            properties:
-                                              audiences:
-                                                description: |-
-                                                  TokenAudiences is an optional list of audiences to include in the
-                                                  token passed to AWS. The default token consisting of the issuer's namespace
-                                                  and name is always included.
-                                                  If unset the audience defaults to `sts.amazonaws.com`.
-                                                type: array
-                                                items:
-                                                  type: string
-                                              name:
-                                                description: Name of the ServiceAccount used to request a token.
-                                                type: string
-                                  hostedZoneID:
-                                    description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-                                    type: string
-                                  region:
-                                    description: Always set the region when using AccessKeyID and SecretAccessKey
-                                    type: string
-                                  role:
-                                    description: |-
-                                      Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-                                      or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                                    type: string
-                                  secretAccessKeySecretRef:
-                                    description: |-
-                                      The SecretAccessKey is used for authentication.
-                                      If neither the Access Key nor Key ID are set, we fall-back to using env
-                                      vars, shared credentials file or AWS Instance metadata,
-                                      see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                                    type: object
-                                    required:
-                                      - name
-                                    properties:
-                                      key:
-                                        description: |-
-                                          The key of the entry in the Secret resource's `data` field to be used.
-                                          Some instances of this field may be defaulted, in others it may be
-                                          required.
-                                        type: string
-                                      name:
-                                        description: |-
-                                          Name of the resource being referred to.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                        type: string
-                              webhook:
-                                description: |-
-                                  Configure an external webhook based DNS01 challenge solver to manage
-                                  DNS01 challenge records.
-                                type: object
-                                required:
-                                  - groupName
-                                  - solverName
-                                properties:
-                                  config:
-                                    description: |-
-                                      Additional configuration that should be passed to the webhook apiserver
-                                      when challenges are processed.
-                                      This can contain arbitrary JSON data.
-                                      Secret values should not be specified in this stanza.
-                                      If secret values are needed (e.g. credentials for a DNS service), you
-                                      should use a SecretKeySelector to reference a Secret resource.
-                                      For details on the schema of this field, consult the webhook provider
-                                      implementation's documentation.
-                                    x-kubernetes-preserve-unknown-fields: true
-                                  groupName:
-                                    description: |-
-                                      The API group name that should be used when POSTing ChallengePayload
-                                      resources to the webhook apiserver.
-                                      This should be the same as the GroupName specified in the webhook
-                                      provider implementation.
-                                    type: string
-                                  solverName:
-                                    description: |-
-                                      The name of the solver to use, as defined in the webhook provider
-                                      implementation.
-                                      This will typically be the name of the provider, e.g. 'cloudflare'.
-                                    type: string
-                          http01:
-                            description: |-
-                              Configures cert-manager to attempt to complete authorizations by
-                              performing the HTTP01 challenge flow.
-                              It is not possible to obtain certificates for wildcard domain names
-                              (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-                            type: object
-                            properties:
-                              gatewayHTTPRoute:
-                                description: |-
-                                  The Gateway API is a sig-network community API that models service networking
-                                  in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-                                  create HTTPRoutes with the specified labels in the same namespace as the challenge.
-                                  This solver is experimental, and fields / behaviour may change in the future.
-                                type: object
-                                properties:
-                                  labels:
-                                    description: |-
-                                      Custom labels that will be applied to HTTPRoutes created by cert-manager
-                                      while solving HTTP-01 challenges.
-                                    type: object
-                                    additionalProperties:
-                                      type: string
-                                  parentRefs:
-                                    description: |-
-                                      When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
-                                      cert-manager needs to know which parentRefs should be used when creating
-                                      the HTTPRoute. Usually, the parentRef references a Gateway. See:
-                                      https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
-                                    type: array
-                                    items:
-                                      description: |-
-                                        ParentReference identifies an API object (usually a Gateway) that can be considered
-                                        a parent of this resource (usually a route). There are two kinds of parent resources
-                                        with "Core" support:
-
-
-                                        * Gateway (Gateway conformance profile)
-                                        * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                        This API may be extended in the future to support additional kinds of parent
-                                        resources.
-
-
-                                        The API object must be valid in the cluster; the Group and Kind must
-                                        be registered in the cluster for this reference to be valid.
-                                      type: object
-                                      required:
-                                        - name
-                                      properties:
-                                        group:
-                                          description: |-
-                                            Group is the group of the referent.
-                                            When unspecified, "gateway.networking.k8s.io" is inferred.
-                                            To set the core API group (such as for a "Service" kind referent),
-                                            Group must be explicitly set to "" (empty string).
-
-
-                                            Support: Core
-                                          type: string
-                                          default: gateway.networking.k8s.io
-                                          maxLength: 253
-                                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                        kind:
-                                          description: |-
-                                            Kind is kind of the referent.
-
-
-                                            There are two kinds of parent resources with "Core" support:
-
-
-                                            * Gateway (Gateway conformance profile)
-                                            * Service (Mesh conformance profile, ClusterIP Services only)
-
-
-                                            Support for other resources is Implementation-Specific.
-                                          type: string
-                                          default: Gateway
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                                        name:
-                                          description: |-
-                                            Name is the name of the referent.
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 253
-                                          minLength: 1
-                                        namespace:
-                                          description: |-
-                                            Namespace is the namespace of the referent. When unspecified, this refers
-                                            to the local namespace of the Route.
-
-
-                                            Note that there are specific rules for ParentRefs which cross namespace
-                                            boundaries. Cross-namespace references are only valid if they are explicitly
-                                            allowed by something in the namespace they are referring to. For example:
-                                            Gateway has the AllowedRoutes field, and ReferenceGrant provides a
-                                            generic way to enable any other kind of cross-namespace reference.
-
-
-                                            <gateway:experimental:description>
-                                            ParentRefs from a Route to a Service in the same namespace are "producer"
-                                            routes, which apply default routing rules to inbound connections from
-                                            any namespace to the Service.
-
-
-                                            ParentRefs from a Route to a Service in a different namespace are
-                                            "consumer" routes, and these routing rules are only applied to outbound
-                                            connections originating from the same namespace as the Route, for which
-                                            the intended destination of the connections are a Service targeted as a
-                                            ParentRef of the Route.
-                                            </gateway:experimental:description>
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                        port:
-                                          description: |-
-                                            Port is the network port this Route targets. It can be interpreted
-                                            differently based on the type of parent resource.
-
-
-                                            When the parent resource is a Gateway, this targets all listeners
-                                            listening on the specified port that also support this kind of Route(and
-                                            select this Route). It's not recommended to set `Port` unless the
-                                            networking behaviors specified in a Route must apply to a specific port
-                                            as opposed to a listener(s) whose port(s) may be changed. When both Port
-                                            and SectionName are specified, the name and port of the selected listener
-                                            must match both specified values.
-
-
-                                            <gateway:experimental:description>
-                                            When the parent resource is a Service, this targets a specific port in the
-                                            Service spec. When both Port (experimental) and SectionName are specified,
-                                            the name and port of the selected port must match both specified values.
-                                            </gateway:experimental:description>
-
-
-                                            Implementations MAY choose to support other parent resources.
-                                            Implementations supporting other types of parent resources MUST clearly
-                                            document how/if Port is interpreted.
-
-
-                                            For the purpose of status, an attachment is considered successful as
-                                            long as the parent resource accepts it partially. For example, Gateway
-                                            listeners can restrict which Routes can attach to them by Route kind,
-                                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
-                                            from the referencing Route, the Route MUST be considered successfully
-                                            attached. If no Gateway listeners accept attachment from this Route,
-                                            the Route MUST be considered detached from the Gateway.
-
-
-                                            Support: Extended
-                                          type: integer
-                                          format: int32
-                                          maximum: 65535
-                                          minimum: 1
-                                        sectionName:
-                                          description: |-
-                                            SectionName is the name of a section within the target resource. In the
-                                            following resources, SectionName is interpreted as the following:
-
-
-                                            * Gateway: Listener name. When both Port (experimental) and SectionName
-                                            are specified, the name and port of the selected listener must match
-                                            both specified values.
-                                            * Service: Port name. When both Port (experimental) and SectionName
-                                            are specified, the name and port of the selected listener must match
-                                            both specified values.
-
-
-                                            Implementations MAY choose to support attaching Routes to other resources.
-                                            If that is the case, they MUST clearly document how SectionName is
-                                            interpreted.
-
-
-                                            When unspecified (empty string), this will reference the entire resource.
-                                            For the purpose of status, an attachment is considered successful if at
-                                            least one section in the parent resource accepts it. For example, Gateway
-                                            listeners can restrict which Routes can attach to them by Route kind,
-                                            namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
-                                            the referencing Route, the Route MUST be considered successfully
-                                            attached. If no Gateway listeners accept attachment from this Route, the
-                                            Route MUST be considered detached from the Gateway.
-
-
-                                            Support: Core
-                                          type: string
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  serviceType:
-                                    description: |-
-                                      Optional service type for Kubernetes solver service. Supported values
-                                      are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                              ingress:
-                                description: |-
-                                  The ingress based HTTP01 challenge solver will solve challenges by
-                                  creating or modifying Ingress resources in order to route requests for
-                                  '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
-                                  provisioned by cert-manager for each Challenge to be completed.
-                                type: object
-                                properties:
-                                  class:
-                                    description: |-
-                                      This field configures the annotation `kubernetes.io/ingress.class` when
-                                      creating Ingress resources to solve ACME challenges that use this
-                                      challenge solver. Only one of `class`, `name` or `ingressClassName` may
-                                      be specified.
-                                    type: string
-                                  ingressClassName:
-                                    description: |-
-                                      This field configures the field `ingressClassName` on the created Ingress
-                                      resources used to solve ACME challenges that use this challenge solver.
-                                      This is the recommended way of configuring the ingress class. Only one of
-                                      `class`, `name` or `ingressClassName` may be specified.
-                                    type: string
-                                  ingressTemplate:
-                                    description: |-
-                                      Optional ingress template used to configure the ACME challenge solver
-                                      ingress used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: |-
-                                          ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
-                                          Only the 'labels' and 'annotations' fields may be set.
-                                          If labels or annotations overlap with in-built values, the values here
-                                          will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver ingress.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                  name:
-                                    description: |-
-                                      The name of the ingress resource that should have ACME challenge solving
-                                      routes inserted into it in order to solve HTTP01 challenges.
-                                      This is typically used in conjunction with ingress controllers like
-                                      ingress-gce, which maintains a 1:1 mapping between external IPs and
-                                      ingress resources. Only one of `class`, `name` or `ingressClassName` may
-                                      be specified.
-                                    type: string
-                                  podTemplate:
-                                    description: |-
-                                      Optional pod template used to configure the ACME challenge solver pods
-                                      used for HTTP01 challenges.
-                                    type: object
-                                    properties:
-                                      metadata:
-                                        description: |-
-                                          ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-                                          Only the 'labels' and 'annotations' fields may be set.
-                                          If labels or annotations overlap with in-built values, the values here
-                                          will override the in-built values.
-                                        type: object
-                                        properties:
-                                          annotations:
-                                            description: Annotations that should be added to the create ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          labels:
-                                            description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                      spec:
-                                        description: |-
-                                          PodSpec defines overrides for the HTTP01 challenge solver pod.
-                                          Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
-                                          All other fields will be ignored.
-                                        type: object
-                                        properties:
-                                          affinity:
-                                            description: If specified, the pod's scheduling constraints
-                                            type: object
-                                            properties:
-                                              nodeAffinity:
-                                                description: Describes node affinity scheduling rules for the pod.
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node matches the corresponding matchExpressions; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        An empty preferred scheduling term matches all objects with implicit weight 0
-                                                        (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                      type: object
-                                                      required:
-                                                        - preference
-                                                        - weight
-                                                      properties:
-                                                        preference:
-                                                          description: A node selector term, associated with the corresponding weight.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                          x-kubernetes-map-type: atomic
-                                                        weight:
-                                                          description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to an update), the system
-                                                      may or may not try to eventually evict the pod from its node.
-                                                    type: object
-                                                    required:
-                                                      - nodeSelectorTerms
-                                                    properties:
-                                                      nodeSelectorTerms:
-                                                        description: Required. A list of node selector terms. The terms are ORed.
-                                                        type: array
-                                                        items:
-                                                          description: |-
-                                                            A null or empty node selector term matches no objects. The requirements of
-                                                            them are ANDed.
-                                                            The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: A list of node selector requirements by node's labels.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchFields:
-                                                              description: A list of node selector requirements by node's fields.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A node selector requirement is a selector that contains values, a key, and an operator
-                                                                  that relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: The label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      Represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      An array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. If the operator is Gt or Lt, the values
-                                                                      array must have a single element, which will be interpreted as an integer.
-                                                                      This array is replaced during a strategic merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                          x-kubernetes-map-type: atomic
-                                                        x-kubernetes-list-type: atomic
-                                                    x-kubernetes-map-type: atomic
-                                              podAffinity:
-                                                description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: |-
-                                                                A label query over a set of resources, in this case pods.
-                                                                If it's null, this PodAffinityTerm matches with no Pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            matchLabelKeys:
-                                                              description: |-
-                                                                MatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            mismatchLabelKeys:
-                                                              description: |-
-                                                                MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            namespaceSelector:
-                                                              description: |-
-                                                                A label query over the set of namespaces that the term applies to.
-                                                                The term is applied to the union of the namespaces selected by this field
-                                                                and the ones listed in the namespaces field.
-                                                                null selector and null or empty namespaces list means "this pod's namespace".
-                                                                An empty selector ({}) matches all namespaces.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            namespaces:
-                                                              description: |-
-                                                                namespaces specifies a static list of namespace names that the term applies to.
-                                                                The term is applied to the union of the namespaces listed in this field
-                                                                and the ones selected by namespaceSelector.
-                                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            topologyKey:
-                                                              description: |-
-                                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                                whose value of the label with key topologyKey matches that of any node on which any of the
-                                                                selected pods is running.
-                                                                Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: |-
-                                                            weight associated with matching the corresponding podAffinityTerm,
-                                                            in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to a pod label update), the
-                                                      system may or may not try to eventually evict the pod from its node.
-                                                      When there are multiple elements, the lists of nodes corresponding to each
-                                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        Defines a set of pods (namely those matching the labelSelector
-                                                        relative to the given namespace(s)) that this pod should be
-                                                        co-located (affinity) or not co-located (anti-affinity) with,
-                                                        where co-located is defined as running on a node whose value of
-                                                        the label with key <topologyKey> matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: |-
-                                                            A label query over a set of resources, in this case pods.
-                                                            If it's null, this PodAffinityTerm matches with no Pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        matchLabelKeys:
-                                                          description: |-
-                                                            MatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        mismatchLabelKeys:
-                                                          description: |-
-                                                            MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        namespaceSelector:
-                                                          description: |-
-                                                            A label query over the set of namespaces that the term applies to.
-                                                            The term is applied to the union of the namespaces selected by this field
-                                                            and the ones listed in the namespaces field.
-                                                            null selector and null or empty namespaces list means "this pod's namespace".
-                                                            An empty selector ({}) matches all namespaces.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        namespaces:
-                                                          description: |-
-                                                            namespaces specifies a static list of namespace names that the term applies to.
-                                                            The term is applied to the union of the namespaces listed in this field
-                                                            and the ones selected by namespaceSelector.
-                                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        topologyKey:
-                                                          description: |-
-                                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                            whose value of the label with key topologyKey matches that of any node on which any of the
-                                                            selected pods is running.
-                                                            Empty topologyKey is not allowed.
-                                                          type: string
-                                                    x-kubernetes-list-type: atomic
-                                              podAntiAffinity:
-                                                description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
-                                                type: object
-                                                properties:
-                                                  preferredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      The scheduler will prefer to schedule pods to nodes that satisfy
-                                                      the anti-affinity expressions specified by this field, but it may choose
-                                                      a node that violates one or more of the expressions. The node that is
-                                                      most preferred is the one with the greatest sum of weights, i.e.
-                                                      for each node that meets all of the scheduling requirements (resource
-                                                      request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                                      compute a sum by iterating through the elements of this field and adding
-                                                      "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
-                                                      node(s) with the highest sum are the most preferred.
-                                                    type: array
-                                                    items:
-                                                      description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
-                                                      type: object
-                                                      required:
-                                                        - podAffinityTerm
-                                                        - weight
-                                                      properties:
-                                                        podAffinityTerm:
-                                                          description: Required. A pod affinity term, associated with the corresponding weight.
-                                                          type: object
-                                                          required:
-                                                            - topologyKey
-                                                          properties:
-                                                            labelSelector:
-                                                              description: |-
-                                                                A label query over a set of resources, in this case pods.
-                                                                If it's null, this PodAffinityTerm matches with no Pods.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            matchLabelKeys:
-                                                              description: |-
-                                                                MatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                                Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            mismatchLabelKeys:
-                                                              description: |-
-                                                                MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                                be taken into consideration. The keys are used to lookup values from the
-                                                                incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                                to select the group of existing pods which pods will be taken into consideration
-                                                                for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                                pod labels will be ignored. The default value is empty.
-                                                                The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                                Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                                This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            namespaceSelector:
-                                                              description: |-
-                                                                A label query over the set of namespaces that the term applies to.
-                                                                The term is applied to the union of the namespaces selected by this field
-                                                                and the ones listed in the namespaces field.
-                                                                null selector and null or empty namespaces list means "this pod's namespace".
-                                                                An empty selector ({}) matches all namespaces.
-                                                              type: object
-                                                              properties:
-                                                                matchExpressions:
-                                                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                                  type: array
-                                                                  items:
-                                                                    description: |-
-                                                                      A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                      relates the key and values.
-                                                                    type: object
-                                                                    required:
-                                                                      - key
-                                                                      - operator
-                                                                    properties:
-                                                                      key:
-                                                                        description: key is the label key that the selector applies to.
-                                                                        type: string
-                                                                      operator:
-                                                                        description: |-
-                                                                          operator represents a key's relationship to a set of values.
-                                                                          Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                        type: string
-                                                                      values:
-                                                                        description: |-
-                                                                          values is an array of string values. If the operator is In or NotIn,
-                                                                          the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                          the values array must be empty. This array is replaced during a strategic
-                                                                          merge patch.
-                                                                        type: array
-                                                                        items:
-                                                                          type: string
-                                                                        x-kubernetes-list-type: atomic
-                                                                  x-kubernetes-list-type: atomic
-                                                                matchLabels:
-                                                                  description: |-
-                                                                    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                    map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                    operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                                  type: object
-                                                                  additionalProperties:
-                                                                    type: string
-                                                              x-kubernetes-map-type: atomic
-                                                            namespaces:
-                                                              description: |-
-                                                                namespaces specifies a static list of namespace names that the term applies to.
-                                                                The term is applied to the union of the namespaces listed in this field
-                                                                and the ones selected by namespaceSelector.
-                                                                null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                              type: array
-                                                              items:
-                                                                type: string
-                                                              x-kubernetes-list-type: atomic
-                                                            topologyKey:
-                                                              description: |-
-                                                                This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                                the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                                whose value of the label with key topologyKey matches that of any node on which any of the
-                                                                selected pods is running.
-                                                                Empty topologyKey is not allowed.
-                                                              type: string
-                                                        weight:
-                                                          description: |-
-                                                            weight associated with matching the corresponding podAffinityTerm,
-                                                            in the range 1-100.
-                                                          type: integer
-                                                          format: int32
-                                                    x-kubernetes-list-type: atomic
-                                                  requiredDuringSchedulingIgnoredDuringExecution:
-                                                    description: |-
-                                                      If the anti-affinity requirements specified by this field are not met at
-                                                      scheduling time, the pod will not be scheduled onto the node.
-                                                      If the anti-affinity requirements specified by this field cease to be met
-                                                      at some point during pod execution (e.g. due to a pod label update), the
-                                                      system may or may not try to eventually evict the pod from its node.
-                                                      When there are multiple elements, the lists of nodes corresponding to each
-                                                      podAffinityTerm are intersected, i.e. all terms must be satisfied.
-                                                    type: array
-                                                    items:
-                                                      description: |-
-                                                        Defines a set of pods (namely those matching the labelSelector
-                                                        relative to the given namespace(s)) that this pod should be
-                                                        co-located (affinity) or not co-located (anti-affinity) with,
-                                                        where co-located is defined as running on a node whose value of
-                                                        the label with key <topologyKey> matches that of any node on which
-                                                        a pod of the set of pods is running
-                                                      type: object
-                                                      required:
-                                                        - topologyKey
-                                                      properties:
-                                                        labelSelector:
-                                                          description: |-
-                                                            A label query over a set of resources, in this case pods.
-                                                            If it's null, this PodAffinityTerm matches with no Pods.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        matchLabelKeys:
-                                                          description: |-
-                                                            MatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both matchLabelKeys and labelSelector.
-                                                            Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        mismatchLabelKeys:
-                                                          description: |-
-                                                            MismatchLabelKeys is a set of pod label keys to select which pods will
-                                                            be taken into consideration. The keys are used to lookup values from the
-                                                            incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
-                                                            to select the group of existing pods which pods will be taken into consideration
-                                                            for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
-                                                            pod labels will be ignored. The default value is empty.
-                                                            The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
-                                                            Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                                            This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        namespaceSelector:
-                                                          description: |-
-                                                            A label query over the set of namespaces that the term applies to.
-                                                            The term is applied to the union of the namespaces selected by this field
-                                                            and the ones listed in the namespaces field.
-                                                            null selector and null or empty namespaces list means "this pod's namespace".
-                                                            An empty selector ({}) matches all namespaces.
-                                                          type: object
-                                                          properties:
-                                                            matchExpressions:
-                                                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                                                              type: array
-                                                              items:
-                                                                description: |-
-                                                                  A label selector requirement is a selector that contains values, a key, and an operator that
-                                                                  relates the key and values.
-                                                                type: object
-                                                                required:
-                                                                  - key
-                                                                  - operator
-                                                                properties:
-                                                                  key:
-                                                                    description: key is the label key that the selector applies to.
-                                                                    type: string
-                                                                  operator:
-                                                                    description: |-
-                                                                      operator represents a key's relationship to a set of values.
-                                                                      Valid operators are In, NotIn, Exists and DoesNotExist.
-                                                                    type: string
-                                                                  values:
-                                                                    description: |-
-                                                                      values is an array of string values. If the operator is In or NotIn,
-                                                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                      the values array must be empty. This array is replaced during a strategic
-                                                                      merge patch.
-                                                                    type: array
-                                                                    items:
-                                                                      type: string
-                                                                    x-kubernetes-list-type: atomic
-                                                              x-kubernetes-list-type: atomic
-                                                            matchLabels:
-                                                              description: |-
-                                                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                                                                map is equivalent to an element of matchExpressions, whose key field is "key", the
-                                                                operator is "In", and the values array contains only "value". The requirements are ANDed.
-                                                              type: object
-                                                              additionalProperties:
-                                                                type: string
-                                                          x-kubernetes-map-type: atomic
-                                                        namespaces:
-                                                          description: |-
-                                                            namespaces specifies a static list of namespace names that the term applies to.
-                                                            The term is applied to the union of the namespaces listed in this field
-                                                            and the ones selected by namespaceSelector.
-                                                            null or empty namespaces list and null namespaceSelector means "this pod's namespace".
-                                                          type: array
-                                                          items:
-                                                            type: string
-                                                          x-kubernetes-list-type: atomic
-                                                        topologyKey:
-                                                          description: |-
-                                                            This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
-                                                            the labelSelector in the specified namespaces, where co-located is defined as running on a node
-                                                            whose value of the label with key topologyKey matches that of any node on which any of the
-                                                            selected pods is running.
-                                                            Empty topologyKey is not allowed.
-                                                          type: string
-                                                    x-kubernetes-list-type: atomic
-                                          imagePullSecrets:
-                                            description: If specified, the pod's imagePullSecrets
-                                            type: array
-                                            items:
-                                              description: |-
-                                                LocalObjectReference contains enough information to let you locate the
-                                                referenced object inside the same namespace.
-                                              type: object
-                                              properties:
-                                                name:
-                                                  description: |-
-                                                    Name of the referent.
-                                                    This field is effectively required, but due to backwards compatibility is
-                                                    allowed to be empty. Instances of this type with an empty value here are
-                                                    almost certainly wrong.
-                                                    TODO: Add other useful fields. apiVersion, kind, uid?
-                                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                                                  type: string
-                                                  default: ""
-                                              x-kubernetes-map-type: atomic
-                                          nodeSelector:
-                                            description: |-
-                                              NodeSelector is a selector which must be true for the pod to fit on a node.
-                                              Selector which must match a node's labels for the pod to be scheduled on that node.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-                                            type: object
-                                            additionalProperties:
-                                              type: string
-                                          priorityClassName:
-                                            description: If specified, the pod's priorityClassName.
-                                            type: string
-                                          serviceAccountName:
-                                            description: If specified, the pod's service account
-                                            type: string
-                                          tolerations:
-                                            description: If specified, the pod's tolerations.
-                                            type: array
-                                            items:
-                                              description: |-
-                                                The pod this Toleration is attached to tolerates any taint that matches
-                                                the triple <key,value,effect> using the matching operator <operator>.
-                                              type: object
-                                              properties:
-                                                effect:
-                                                  description: |-
-                                                    Effect indicates the taint effect to match. Empty means match all taint effects.
-                                                    When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
-                                                  type: string
-                                                key:
-                                                  description: |-
-                                                    Key is the taint key that the toleration applies to. Empty means match all taint keys.
-                                                    If the key is empty, operator must be Exists; this combination means to match all values and all keys.
-                                                  type: string
-                                                operator:
-                                                  description: |-
-                                                    Operator represents a key's relationship to the value.
-                                                    Valid operators are Exists and Equal. Defaults to Equal.
-                                                    Exists is equivalent to wildcard for value, so that a pod can
-                                                    tolerate all taints of a particular category.
-                                                  type: string
-                                                tolerationSeconds:
-                                                  description: |-
-                                                    TolerationSeconds represents the period of time the toleration (which must be
-                                                    of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
-                                                    it is not set, which means tolerate the taint forever (do not evict). Zero and
-                                                    negative values will be treated as 0 (evict immediately) by the system.
-                                                  type: integer
-                                                  format: int64
-                                                value:
-                                                  description: |-
-                                                    Value is the taint value the toleration matches to.
-                                                    If the operator is Exists, the value should be empty, otherwise just a regular string.
-                                                  type: string
-                                  serviceType:
-                                    description: |-
-                                      Optional service type for Kubernetes solver service. Supported values
-                                      are NodePort or ClusterIP. If unset, defaults to NodePort.
-                                    type: string
-                          selector:
-                            description: |-
-                              Selector selects a set of DNSNames on the Certificate resource that
-                              should be solved using this challenge solver.
-                              If not specified, the solver will be treated as the 'default' solver
-                              with the lowest priority, i.e. if any other solver has a more specific
-                              match, it will be used instead.
-                            type: object
-                            properties:
-                              dnsNames:
-                                description: |-
-                                  List of DNSNames that this solver will be used to solve.
-                                  If specified and a match is found, a dnsNames selector will take
-                                  precedence over a dnsZones selector.
-                                  If multiple solvers match with the same dnsNames value, the solver
-                                  with the most matching labels in matchLabels will be selected.
-                                  If neither has more matches, the solver defined earlier in the list
-                                  will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              dnsZones:
-                                description: |-
-                                  List of DNSZones that this solver will be used to solve.
-                                  The most specific DNS zone match specified here will take precedence
-                                  over other DNS zone matches, so a solver specifying sys.example.com
-                                  will be selected over one specifying example.com for the domain
-                                  www.sys.example.com.
-                                  If multiple solvers match with the same dnsZones value, the solver
-                                  with the most matching labels in matchLabels will be selected.
-                                  If neither has more matches, the solver defined earlier in the list
-                                  will be selected.
-                                type: array
-                                items:
-                                  type: string
-                              matchLabels:
-                                description: |-
-                                  A label selector that is used to refine the set of certificate's that
-                                  this challenge solver will apply to.
-                                type: object
-                                additionalProperties:
-                                  type: string
-                ca:
-                  description: |-
-                    CA configures this issuer to sign certificates using a signing CA keypair
-                    stored in a Secret resource.
-                    This is used to build internal PKIs that are managed by cert-manager.
-                  type: object
-                  required:
-                    - secretName
-                  properties:
-                    crlDistributionPoints:
-                      description: |-
-                        The CRL distribution points is an X.509 v3 certificate extension which identifies
-                        the location of the CRL from which the revocation of this certificate can be checked.
-                        If not set, certificates will be issued without distribution points set.
-                      type: array
-                      items:
-                        type: string
-                    issuingCertificateURLs:
-                      description: |-
-                        IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
-                        it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
-                        As an example, such a URL might be "http://ca.domain.com/ca.crt".
-                      type: array
-                      items:
-                        type: string
-                    ocspServers:
-                      description: |-
-                        The OCSP server list is an X.509 v3 extension that defines a list of
-                        URLs of OCSP responders. The OCSP responders can be queried for the
-                        revocation status of an issued certificate. If not set, the
-                        certificate will be issued with no OCSP servers set. For example, an
-                        OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-                      type: array
-                      items:
-                        type: string
-                    secretName:
-                      description: |-
-                        SecretName is the name of the secret used to sign Certificates issued
-                        by this Issuer.
-                      type: string
-                selfSigned:
-                  description: |-
-                    SelfSigned configures this issuer to 'self sign' certificates using the
-                    private key used to create the CertificateRequest object.
-                  type: object
-                  properties:
-                    crlDistributionPoints:
-                      description: |-
-                        The CRL distribution points is an X.509 v3 certificate extension which identifies
-                        the location of the CRL from which the revocation of this certificate can be checked.
-                        If not set certificate will be issued without CDP. Values are strings.
-                      type: array
-                      items:
-                        type: string
-                vault:
-                  description: |-
-                    Vault configures this issuer to sign certificates using a HashiCorp Vault
-                    PKI backend.
-                  type: object
-                  required:
-                    - auth
-                    - path
-                    - server
-                  properties:
-                    auth:
-                      description: Auth configures how cert-manager authenticates with the Vault server.
-                      type: object
-                      properties:
-                        appRole:
-                          description: |-
-                            AppRole authenticates with Vault using the App Role auth mechanism,
-                            with the role and secret stored in a Kubernetes Secret resource.
-                          type: object
-                          required:
-                            - path
-                            - roleId
-                            - secretRef
-                          properties:
-                            path:
-                              description: |-
-                                Path where the App Role authentication backend is mounted in Vault, e.g:
-                                "approle"
-                              type: string
-                            roleId:
-                              description: |-
-                                RoleID configured in the App Role authentication backend when setting
-                                up the authentication backend in Vault.
-                              type: string
-                            secretRef:
-                              description: |-
-                                Reference to a key in a Secret that contains the App Role secret used
-                                to authenticate with Vault.
-                                The `key` field must be specified and denotes which entry within the Secret
-                                resource is used as the app role secret.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                        kubernetes:
-                          description: |-
-                            Kubernetes authenticates with Vault by passing the ServiceAccount
-                            token stored in the named Secret resource to the Vault server.
-                          type: object
-                          required:
-                            - role
-                          properties:
-                            mountPath:
-                              description: |-
-                                The Vault mountPath here is the mount path to use when authenticating with
-                                Vault. For example, setting a value to `/v1/auth/foo`, will use the path
-                                `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
-                                default value "/v1/auth/kubernetes" will be used.
-                              type: string
-                            role:
-                              description: |-
-                                A required field containing the Vault Role to assume. A Role binds a
-                                Kubernetes ServiceAccount with a set of Vault policies.
-                              type: string
-                            secretRef:
-                              description: |-
-                                The required Secret field containing a Kubernetes ServiceAccount JWT used
-                                for authenticating with Vault. Use of 'ambient credentials' is not
-                                supported.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                            serviceAccountRef:
-                              description: |-
-                                A reference to a service account that will be used to request a bound
-                                token (also known as "projected token"). Compared to using "secretRef",
-                                using this field means that you don't rely on statically bound tokens. To
-                                use this field, you must configure an RBAC rule to let cert-manager
-                                request a token.
-                              type: object
-                              required:
-                                - name
-                              properties:
-                                audiences:
-                                  description: |-
-                                    TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
-                                    consisting of the issuer's namespace and name is always included.
-                                  type: array
-                                  items:
-                                    type: string
-                                name:
-                                  description: Name of the ServiceAccount used to request a token.
-                                  type: string
-                        tokenSecretRef:
-                          description: TokenSecretRef authenticates with Vault by presenting a token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                    caBundle:
-                      description: |-
-                        Base64-encoded bundle of PEM CAs which will be used to validate the certificate
-                        chain presented by Vault. Only used if using HTTPS to connect to Vault and
-                        ignored for HTTP connections.
-                        Mutually exclusive with CABundleSecretRef.
-                        If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
-                        the cert-manager controller container is used to validate the TLS connection.
-                      type: string
-                      format: byte
-                    caBundleSecretRef:
-                      description: |-
-                        Reference to a Secret containing a bundle of PEM-encoded CAs to use when
-                        verifying the certificate chain presented by Vault when using HTTPS.
-                        Mutually exclusive with CABundle.
-                        If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
-                        the cert-manager controller container is used to validate the TLS connection.
-                        If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    clientCertSecretRef:
-                      description: |-
-                        Reference to a Secret containing a PEM-encoded Client Certificate to use when the
-                        Vault server requires mTLS.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    clientKeySecretRef:
-                      description: |-
-                        Reference to a Secret containing a PEM-encoded Client Private Key to use when the
-                        Vault server requires mTLS.
-                      type: object
-                      required:
-                        - name
-                      properties:
-                        key:
-                          description: |-
-                            The key of the entry in the Secret resource's `data` field to be used.
-                            Some instances of this field may be defaulted, in others it may be
-                            required.
-                          type: string
-                        name:
-                          description: |-
-                            Name of the resource being referred to.
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          type: string
-                    namespace:
-                      description: |-
-                        Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
-                        More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-                      type: string
-                    path:
-                      description: |-
-                        Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
-                        "my_pki_mount/sign/my-role-name".
-                      type: string
-                    server:
-                      description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
-                      type: string
-                venafi:
-                  description: |-
-                    Venafi configures this issuer to sign certificates using a Venafi TPP
-                    or Venafi Cloud policy zone.
-                  type: object
-                  required:
-                    - zone
-                  properties:
-                    cloud:
-                      description: |-
-                        Cloud specifies the Venafi cloud configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - apiTokenSecretRef
-                      properties:
-                        apiTokenSecretRef:
-                          description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            key:
-                              description: |-
-                                The key of the entry in the Secret resource's `data` field to be used.
-                                Some instances of this field may be defaulted, in others it may be
-                                required.
-                              type: string
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                        url:
-                          description: |-
-                            URL is the base URL for Venafi Cloud.
-                            Defaults to "https://api.venafi.cloud/v1".
-                          type: string
-                    tpp:
-                      description: |-
-                        TPP specifies Trust Protection Platform configuration settings.
-                        Only one of TPP or Cloud may be specified.
-                      type: object
-                      required:
-                        - credentialsRef
-                        - url
-                      properties:
-                        caBundle:
-                          description: |-
-                            Base64-encoded bundle of PEM CAs which will be used to validate the certificate
-                            chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
-                            If undefined, the certificate bundle in the cert-manager controller container
-                            is used to validate the chain.
-                          type: string
-                          format: byte
-                        credentialsRef:
-                          description: |-
-                            CredentialsRef is a reference to a Secret containing the username and
-                            password for the TPP server.
-                            The secret must contain two keys, 'username' and 'password'.
-                          type: object
-                          required:
-                            - name
-                          properties:
-                            name:
-                              description: |-
-                                Name of the resource being referred to.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                              type: string
-                        url:
-                          description: |-
-                            URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
-                            for example: "https://tpp.example.com/vedsdk".
-                          type: string
-                    zone:
-                      description: |-
-                        Zone is the Venafi Policy Zone to use for this issuer.
-                        All requests made to the Venafi platform will be restricted by the named
-                        zone policy.
-                        This field is required.
-                      type: string
-            status:
-              description: Status of the Issuer. This is set and managed automatically.
-              type: object
-              properties:
-                acme:
-                  description: |-
-                    ACME specific status options.
-                    This field should only be set if the Issuer is configured to use an ACME
-                    server to issue certificates.
-                  type: object
-                  properties:
-                    lastPrivateKeyHash:
-                      description: |-
-                        LastPrivateKeyHash is a hash of the private key associated with the latest
-                        registered ACME account, in order to track changes made to registered account
-                        associated with the Issuer
-                      type: string
-                    lastRegisteredEmail:
-                      description: |-
-                        LastRegisteredEmail is the email associated with the latest registered
-                        ACME account, in order to track changes made to registered account
-                        associated with the  Issuer
-                      type: string
-                    uri:
-                      description: |-
-                        URI is the unique account identifier, which can also be used to retrieve
-                        account details from the CA
-                      type: string
-                conditions:
-                  description: |-
-                    List of status conditions to indicate the status of a CertificateRequest.
-                    Known condition types are `Ready`.
-                  type: array
-                  items:
-                    description: IssuerCondition contains condition information for an Issuer.
-                    type: object
-                    required:
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: |-
-                          LastTransitionTime is the timestamp corresponding to the last status
-                          change of this condition.
-                        type: string
-                        format: date-time
-                      message:
-                        description: |-
-                          Message is a human readable description of the details of the last
-                          transition, complementing reason.
-                        type: string
-                      observedGeneration:
-                        description: |-
-                          If set, this represents the .metadata.generation that the condition was
-                          set based upon.
-                          For instance, if .metadata.generation is currently 12, but the
-                          .status.condition[x].observedGeneration is 9, the condition is out of date
-                          with respect to the current state of the Issuer.
-                        type: integer
-                        format: int64
-                      reason:
-                        description: |-
-                          Reason is a brief machine readable explanation for the condition's last
-                          transition.
-                        type: string
-                      status:
-                        description: Status of the condition, one of (`True`, `False`, `Unknown`).
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: Type of the condition, known values are (`Ready`).
-                        type: string
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-      served: true
-      storage: true
-
-# END crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: orders.acme.cert-manager.io
-  # START annotations
-  annotations:
-    helm.sh/resource-policy: keep
-  # END annotations
-  labels:
-    app: 'cert-manager'
-    app.kubernetes.io/name: 'cert-manager'
-    app.kubernetes.io/instance: 'cert-manager'
-    app.kubernetes.io/component: "crds"
-    # Generated labels
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  group: acme.cert-manager.io
-  names:
-    kind: Order
-    listKind: OrderList
-    plural: orders
-    singular: order
-    categories:
-      - cert-manager
-      - cert-manager-acme
-  scope: Namespaced
-  versions:
-    - name: v1
-      subresources:
-        status: {}
-      additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.issuerRef.name
-          name: Issuer
-          priority: 1
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - jsonPath: .metadata.creationTimestamp
-          description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          name: Age
-          type: date
-      schema:
-        openAPIV3Schema:
-          description: Order is a type to represent an Order with an ACME server
-          type: object
-          required:
-            - metadata
-            - spec
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              type: object
-              required:
-                - issuerRef
-                - request
-              properties:
-                commonName:
-                  description: |-
-                    CommonName is the common name as specified on the DER encoded CSR.
-                    If specified, this value must also be present in `dnsNames` or `ipAddresses`.
-                    This field must match the corresponding field on the DER encoded CSR.
-                  type: string
-                dnsNames:
-                  description: |-
-                    DNSNames is a list of DNS names that should be included as part of the Order
-                    validation process.
-                    This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                duration:
-                  description: |-
-                    Duration is the duration for the not after date for the requested certificate.
-                    this is set on order creation as pe the ACME spec.
-                  type: string
-                ipAddresses:
-                  description: |-
-                    IPAddresses is a list of IP addresses that should be included as part of the Order
-                    validation process.
-                    This field must match the corresponding field on the DER encoded CSR.
-                  type: array
-                  items:
-                    type: string
-                issuerRef:
-                  description: |-
-                    IssuerRef references a properly configured ACME-type Issuer which should
-                    be used to create this Order.
-                    If the Issuer does not exist, processing will be retried.
-                    If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-                    Order will be marked as failed.
-                  type: object
-                  required:
-                    - name
-                  properties:
-                    group:
-                      description: Group of the resource being referred to.
-                      type: string
-                    kind:
-                      description: Kind of the resource being referred to.
-                      type: string
-                    name:
-                      description: Name of the resource being referred to.
-                      type: string
-                request:
-                  description: |-
-                    Certificate signing request bytes in DER encoding.
-                    This will be used when finalizing the order.
-                    This field must be set on the order.
-                  type: string
-                  format: byte
-            status:
-              type: object
-              properties:
-                authorizations:
-                  description: |-
-                    Authorizations contains data returned from the ACME server on what
-                    authorizations must be completed in order to validate the DNS names
-                    specified on the Order.
-                  type: array
-                  items:
-                    description: |-
-                      ACMEAuthorization contains data returned from the ACME server on an
-                      authorization that must be completed in order validate a DNS name on an ACME
-                      Order resource.
-                    type: object
-                    required:
-                      - url
-                    properties:
-                      challenges:
-                        description: |-
-                          Challenges specifies the challenge types offered by the ACME server.
-                          One of these challenge types will be selected when validating the DNS
-                          name and an appropriate Challenge resource will be created to perform
-                          the ACME challenge process.
-                        type: array
-                        items:
-                          description: |-
-                            Challenge specifies a challenge offered by the ACME server for an Order.
-                            An appropriate Challenge resource can be created to perform the ACME
-                            challenge process.
-                          type: object
-                          required:
-                            - token
-                            - type
-                            - url
-                          properties:
-                            token:
-                              description: |-
-                                Token is the token that must be presented for this challenge.
-                                This is used to compute the 'key' that must also be presented.
-                              type: string
-                            type:
-                              description: |-
-                                Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
-                                'tls-sni-01', etc.
-                                This is the raw value retrieved from the ACME server.
-                                Only 'http-01' and 'dns-01' are supported by cert-manager, other values
-                                will be ignored.
-                              type: string
-                            url:
-                              description: |-
-                                URL is the URL of this challenge. It can be used to retrieve additional
-                                metadata about the Challenge from the ACME server.
-                              type: string
-                      identifier:
-                        description: Identifier is the DNS name to be validated as part of this authorization
-                        type: string
-                      initialState:
-                        description: |-
-                          InitialState is the initial state of the ACME authorization when first
-                          fetched from the ACME server.
-                          If an Authorization is already 'valid', the Order controller will not
-                          create a Challenge resource for the authorization. This will occur when
-                          working with an ACME server that enables 'authz reuse' (such as Let's
-                          Encrypt's production endpoint).
-                          If not set and 'identifier' is set, the state is assumed to be pending
-                          and a Challenge will be created.
-                        type: string
-                        enum:
-                          - valid
-                          - ready
-                          - pending
-                          - processing
-                          - invalid
-                          - expired
-                          - errored
-                      url:
-                        description: URL is the URL of the Authorization that must be completed
-                        type: string
-                      wildcard:
-                        description: |-
-                          Wildcard will be true if this authorization is for a wildcard DNS name.
-                          If this is true, the identifier will be the *non-wildcard* version of
-                          the DNS name.
-                          For example, if '*.example.com' is the DNS name being validated, this
-                          field will be 'true' and the 'identifier' field will be 'example.com'.
-                        type: boolean
-                certificate:
-                  description: |-
-                    Certificate is a copy of the PEM encoded certificate for this Order.
-                    This field will be populated after the order has been successfully
-                    finalized with the ACME server, and the order has transitioned to the
-                    'valid' state.
-                  type: string
-                  format: byte
-                failureTime:
-                  description: |-
-                    FailureTime stores the time that this order failed.
-                    This is used to influence garbage collection and back-off.
-                  type: string
-                  format: date-time
-                finalizeURL:
-                  description: |-
-                    FinalizeURL of the Order.
-                    This is used to obtain certificates for this order once it has been completed.
-                  type: string
-                reason:
-                  description: |-
-                    Reason optionally provides more information about a why the order is in
-                    the current state.
-                  type: string
-                state:
-                  description: |-
-                    State contains the current state of this Order resource.
-                    States 'success' and 'expired' are 'final'
-                  type: string
-                  enum:
-                    - valid
-                    - ready
-                    - pending
-                    - processing
-                    - invalid
-                    - expired
-                    - errored
-                url:
-                  description: |-
-                    URL of the Order.
-                    This will initially be empty when the resource is first created.
-                    The Order controller will populate this field when the Order is first processed.
-                    This field will be immutable after it is initially set.
-                  type: string
-      served: true
-      storage: true
-
-# END crd
-
----
-# Source: cert-manager/templates/cainjector-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-cainjector
-  namespace: cert-manager
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
----
-# Source: cert-manager/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
----
-# Source: cert-manager/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: cert-manager-webhook
-  namespace: cert-manager
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "create", "update", "patch"]
-  - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["apiregistration.k8s.io"]
-    resources: ["apiservices"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "watch", "update", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Issuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "issuers/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ClusterIssuer controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "clusterissuers/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Certificates controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders"]
-    verbs: ["create", "delete", "get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Orders controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "orders/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders", "challenges"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["create", "delete"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["orders/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Challenges controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  # Use to update challenge resource status
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "challenges/status"]
-    verbs: ["update", "patch"]
-  # Used to watch challenge resources
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges"]
-    verbs: ["get", "list", "watch"]
-  # Used to watch challenges, issuer and clusterissuer resources
-  - apiGroups: ["cert-manager.io"]
-    resources: ["issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  # Need to be able to retrieve ACME account private key to complete challenges
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
-  # Used to create events
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  # HTTP01 rules
-  - apiGroups: [""]
-    resources: ["pods", "services"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  - apiGroups: [ "gateway.networking.k8s.io" ]
-    resources: [ "httproutes" ]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-  # We require the ability to specify a custom hostname when we are creating
-  # new ingress resources.
-  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes/custom-host"]
-    verbs: ["create"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges/finalizers"]
-    verbs: ["update"]
-  # DNS01 rules (duplicated above)
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-# ingress-shim controller role
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests"]
-    verbs: ["create", "update", "delete"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
-  # admission controller enabled:
-  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/finalizers"]
-    verbs: ["update"]
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["gateways", "httproutes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["gateway.networking.k8s.io"]
-    resources: ["gateways/finalizers", "httproutes/finalizers"]
-    verbs: ["update"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-cluster-view
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["clusterissuers"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-view
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["get", "list", "watch"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-edit
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificaterequests", "issuers"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates/status"]
-    verbs: ["update"]
-  - apiGroups: ["acme.cert-manager.io"]
-    resources: ["challenges", "orders"]
-    verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["cert-manager.io"]
-    resources: ["signers"]
-    verbs: ["approve"]
-    resourceNames:
-    - "issuers.cert-manager.io/*"
-    - "clusterissuers.cert-manager.io/*"
----
-# Source: cert-manager/templates/rbac.yaml
-# Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
-# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["certificatesigningrequests/status"]
-    verbs: ["update", "patch"]
-  - apiGroups: ["certificates.k8s.io"]
-    resources: ["signers"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
-    verbs: ["sign"]
-  - apiGroups: ["authorization.k8s.io"]
-    resources: ["subjectaccessreviews"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-- apiGroups: ["authorization.k8s.io"]
-  resources: ["subjectaccessreviews"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-cainjector
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-cainjector
-subjects:
-  - name: cert-manager-cainjector
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-issuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-issuers
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-clusterissuers
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-clusterissuers
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificates
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificates
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-orders
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-orders
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-challenges
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-challenges
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-ingress-shim
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-ingress-shim
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-approve:cert-manager-io
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-approve:cert-manager-io
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-controller-certificatesigningrequests
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-controller-certificatesigningrequests
-subjects:
-  - name: cert-manager
-    namespace: cert-manager
-    kind: ServiceAccount
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-webhook:subjectaccessreviews
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-webhook:subjectaccessreviews
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# leader election rules
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  # Used for leader election by the controller
-  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
-  #   see cmd/cainjector/start.go#L113
-  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
-  #   see cmd/cainjector/start.go#L137
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    resourceNames: ["cert-manager-controller"]
-    verbs: ["get", "update", "patch"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["create"]
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: cert-manager
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames:
-  - 'cert-manager-webhook-ca'
-  verbs: ["get", "list", "watch", "update"]
-# It's not possible to grant CREATE permission on a single resourceName.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
----
-# Source: cert-manager/templates/cainjector-rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-cainjector:leaderelection
-  namespace: kube-system
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-cainjector:leaderelection
-subjects:
-  - kind: ServiceAccount
-    name: cert-manager-cainjector
-    namespace: cert-manager
----
-# Source: cert-manager/templates/rbac.yaml
-# grant cert-manager permission to manage the leaderelection configmap in the
-# leader election namespace
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager:leaderelection
-  namespace: kube-system
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager:leaderelection
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: cert-manager
-    namespace: cert-manager
----
-# Source: cert-manager/templates/webhook-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-webhook:dynamic-serving
-  namespace: cert-manager
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-webhook:dynamic-serving
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cert-manager-webhook
-  namespace: cert-manager
----
-# Source: cert-manager/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  type: ClusterIP
-  ports:
-  - protocol: TCP
-    port: 9402
-    name: tcp-prometheus-servicemonitor
-    targetPort: 9402
-  selector:
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
----
-# Source: cert-manager/templates/webhook-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: cert-manager-webhook
-  namespace: cert-manager
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  type: ClusterIP
-  ports:
-  - name: https
-    port: 443
-    protocol: TCP
-    targetPort: "https"
-  selector:
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
----
-# Source: cert-manager/templates/cainjector-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-cainjector
-  namespace: cert-manager
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cainjector
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "cainjector"
-  template:
-    metadata:
-      labels:
-        app: cainjector
-        app.kubernetes.io/name: cainjector
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "cainjector"
-        app.kubernetes.io/version: "v1.15.3"
-    spec:
-      serviceAccountName: cert-manager-cainjector
-      enableServiceLinks: false
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
-      containers:
-        - name: cert-manager-cainjector
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.15.3"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --leader-election-namespace=kube-system
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-      nodeSelector:
-        kubernetes.io/os: linux
----
-# Source: cert-manager/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "controller"
-  template:
-    metadata:
-      labels:
-        app: cert-manager
-        app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "controller"
-        app.kubernetes.io/version: "v1.15.3"
-      annotations:
-        prometheus.io/path: "/metrics"
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9402'
-    spec:
-      serviceAccountName: cert-manager
-      enableServiceLinks: false
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
-      containers:
-        - name: cert-manager-controller
-          image: "quay.io/jetstack/cert-manager-controller:v1.15.3"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --cluster-resource-namespace=$(POD_NAMESPACE)
-          - --leader-election-namespace=kube-system
-          - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.3
-          - --max-concurrent-challenges=60
-          ports:
-          - containerPort: 9402
-            name: http-metrics
-            protocol: TCP
-          - containerPort: 9403
-            name: http-healthz
-            protocol: TCP
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          # LivenessProbe settings are based on those used for the Kubernetes
-          # controller-manager. See:
-          # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
-          livenessProbe:
-            httpGet:
-              port: http-healthz
-              path: /livez
-              scheme: HTTP
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 15
-            successThreshold: 1
-            failureThreshold: 8
-      nodeSelector:
-        kubernetes.io/os: linux
----
-# Source: cert-manager/templates/webhook-deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-webhook
-  namespace: cert-manager
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: webhook
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: "webhook"
-  template:
-    metadata:
-      labels:
-        app: webhook
-        app.kubernetes.io/name: webhook
-        app.kubernetes.io/instance: cert-manager
-        app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/version: "v1.15.3"
-    spec:
-      serviceAccountName: cert-manager-webhook
-      enableServiceLinks: false
-      securityContext:
-        runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
-      containers:
-        - name: cert-manager-webhook
-          image: "quay.io/jetstack/cert-manager-webhook:v1.15.3"
-          imagePullPolicy: IfNotPresent
-          args:
-          - --v=2
-          - --secure-port=10250
-          - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
-          - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-          - --dynamic-serving-dns-names=cert-manager-webhook
-          - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
-          - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
-          
-          ports:
-          - name: https
-            protocol: TCP
-            containerPort: 10250
-          - name: healthcheck
-            protocol: TCP
-            containerPort: 6080
-          livenessProbe:
-            httpGet:
-              path: /livez
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 60
-            periodSeconds: 10
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 6080
-              scheme: HTTP
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            timeoutSeconds: 1
-            successThreshold: 1
-            failureThreshold: 3
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-              - ALL
-            readOnlyRootFilesystem: true
-          env:
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-      nodeSelector:
-        kubernetes.io/os: linux
----
-# Source: cert-manager/templates/crds.yaml
-#
-# START crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
----
-# Source: cert-manager/templates/crds.yaml
-# START crd
----
-# Source: cert-manager/templates/webhook-mutating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-        resources:
-          - "certificaterequests"
-    admissionReviewVersions: ["v1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 30
-    failurePolicy: Fail
-    # Only include 'sideEffects' field in Kubernetes 1.12+
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: cert-manager
-        path: /mutate
----
-# Source: cert-manager/templates/webhook-validating-webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: cert-manager-webhook
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: cert-manager
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.15.3"
-  annotations:
-    cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
-webhooks:
-  - name: webhook.cert-manager.io
-    namespaceSelector:
-      matchExpressions:
-      - key: cert-manager.io/disable-validation
-        operator: NotIn
-        values:
-        - "true"
-    rules:
-      - apiGroups:
-          - "cert-manager.io"
-          - "acme.cert-manager.io"
-        apiVersions:
-          - "v1"
-        operations:
-          - CREATE
-          - UPDATE
-        resources:
-          - "*/*"
-    admissionReviewVersions: ["v1"]
-    # This webhook only accepts v1 cert-manager resources.
-    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
-    # this webhook (after the resources have been converted to v1).
-    matchPolicy: Equivalent
-    timeoutSeconds: 30
-    failurePolicy: Fail
-    sideEffects: None
-    clientConfig:
-      service:
-        name: cert-manager-webhook
-        namespace: cert-manager
-        path: /validate
diff --git a/base/cert-manager/manifests/configs/servicemonitor.yaml b/base/cert-manager/manifests/configs/servicemonitor.yaml
deleted file mode 100644
index dc580e9ed..000000000
--- a/base/cert-manager/manifests/configs/servicemonitor.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  endpoints:
-  - interval: 60s
-    targetPort: 9402
-    honorLabels: true
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
diff --git a/base/cert-manager/manifests/configs/prometheusrule.yaml b/base/cert-manager/prometheusrule.yaml
similarity index 100%
rename from base/cert-manager/manifests/configs/prometheusrule.yaml
rename to base/cert-manager/prometheusrule.yaml
diff --git a/base/cert-manager/release.yaml b/base/cert-manager/release.yaml
new file mode 100644
index 000000000..447e8866e
--- /dev/null
+++ b/base/cert-manager/release.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  chart:
+    spec:
+      chart: cert-manager
+      version: "v1.16.2"
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: cert-manager
+      interval: 5m
+      valuesFile: values.yaml
+  interval: 5m
+  timeout: 2m
+  install:
+    timeout: 10m
+    disableWait: false
+    crds: CreateReplace
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    timeout: 10m
+    disableWait: false
+    crds: CreateReplace
+  valuesFrom:
+    - kind: ConfigMap
+      name: values
diff --git a/base/cert-manager/repository.yaml b/base/cert-manager/repository.yaml
new file mode 100644
index 000000000..6d7d8b3e9
--- /dev/null
+++ b/base/cert-manager/repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: jetstack
+spec:
+  interval: 5m
+  url: https://charts.jetstack.io
diff --git a/base/cert-manager/values.yaml b/base/cert-manager/values.yaml
new file mode 100644
index 000000000..70ca1cbee
--- /dev/null
+++ b/base/cert-manager/values.yaml
@@ -0,0 +1,71 @@
+# Reference documentation: https://artifacthub.io/packages/helm/cert-manager/cert-manager
+
+  installCRDs: false
+
+  prometheus:
+    enabled: true
+    servicemonitor:
+      enabled: true
+      honorLabels: true
+  resources:
+    limits:
+      cpu: 50m
+      memory: 150Mi
+    requests:
+      cpu: 3m
+      memory: 60Mi
+
+  tolerations:
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Exists"
+      effect: "NoSchedule"
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+
+  webhook:
+    resources:
+      limits:
+        cpu: 10m
+        memory: 64Mi
+      requests:
+        cpu: 3m
+        memory: 32Mi
+    tolerations:
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Exists"
+        effect: "NoSchedule"
+    affinity:
+      nodeAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          preference:
+            matchExpressions:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+
+  cainjector:
+    resources:
+      limits:
+        cpu: 15m
+        memory: 550Mi
+      requests:
+        cpu: 5m
+        memory: 130Mi
+    tolerations:
+      - key: "node-role.kubernetes.io/control-plane"
+        operator: "Exists"
+        effect: "NoSchedule"
+    affinity:
+      nodeAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          preference:
+            matchExpressions:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
diff --git a/base/flux-apps/cert-manager.yaml b/base/flux-apps/cert-manager.yaml
index 7e5ab36ba..0ea4cff92 100644
--- a/base/flux-apps/cert-manager.yaml
+++ b/base/flux-apps/cert-manager.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   force: true
   interval: 30m0s
-  path: ./base/cert-manager/manifests
+  path: ./base/cert-manager
   prune: false
   sourceRef:
     kind: GitRepository